Data Protection
Introduction

This Privacy Policy has been developed taking into account the provisions of the Organic Law 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), as well as by Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the circulation of such data, hereinafter GDPR.

This Privacy Policy aims to inform the holders of personal data, in respect of which information is being collected, the specific aspects related to the processing of your data, among other things, the purposes of the treatments, contact details for exercising your rights, retention periods and security measures, among other things.

Controller

In terms of data protection HOTEL PARQUE DE ALCEDA S.A., you must be considered Data Controller, in relation to the processing operations identified in this policy, specifically in the Data Processing section.

The identifiers of the owner of this website are as follows:

Data Controller: HOTEL PARQUE DE ALCEDA S.A.
Postal address: CARRETERA DEL BALNEARIO S/N 39680 ALCEDA CANTABRIA.
E-mail address: direccion@hotelparquedealceda.com.

Data processing The personal data requested, if any, will consist only of those strictly necessary to identify and respond to the request made by the holder of the data, henceforth the interested party. Moreover, personal data will be collected for specific explicit and legitimate purposes, not being further processed in a manner incompatible with those purposes.

The data collected from each data subject shall be adequate, relevant and not excessive in relation to the corresponding purposes for each case, and shall be updated whenever necessary.

The data subject shall be informed, prior to the collection of his data, of the general points in this policy so that he can give the express, precise and unequivocal consent for the processing of his data, according to the following aspects.

Purposes of treatment

The explicit purposes for which each treatment is carried out are contained in the informative clauses incorporated in each of the data collection channels (web forms, paper forms, locutions or posters and information notes).

However, the personal data of the data subject will be processed for the sole purpose of providing them with an effective response and responding to the requests made by the user, specified together with the option, service, form or data collection system used by the holder.

Legitimation

As a general rule, prior to the processing of personal data, the Data Controller obtains express and unequivocal consent from the data subject, by incorporating clauses of informed consent in the different systems of information collection.

However, in the event that the consent of the data subject is not required, the legitimate basis of the processing under which the Data Controller is protected is the existence of a specific law or rule that authorizes or requires the processing of data subject.

Recipients

As a general rule, the Data Controller does not transfer or communicate data to third parties, except those legally required, however, if necessary, such transfers or communications of data are informed to the data subject through clauses of informed consent contained in the different ways of collection of personal data.

Provenance

As a general rule, personal data are always collected directly from the data subject, however, in certain exceptions, data may be collected through third parties, entities or services other than the data subject. In this sense, this will be transferred to the interested party through the clauses of informed consent contained in the different ways of collecting information and within a reasonable time, once the data is obtained, and at the latest within a month.

Retention periods

The information collected from the data subject will be kept as long as it is necessary to fulfill the purpose for which the personal data were collected, so that, once the purpose is fulfilled, the data will be cancelled. Such cancellation will result in the blocking of the data being kept only at the disposal of the AAPP, Judges and Courts, to meet the possible responsibilities arising from the processing, during the limitation period of the latter, the destruction of the information shall take place within that period.

For information, the following legal data are collected on the retention of information in relation to different subjects:

DOCUMENT

TERM

REF. LEGAL

Employment or social security related documentation

4 years

Article 21 of Royal Legislative Decree 5/2000, of August 4, approving the consolidated text of the Law on Violations and Sanctions in the Social Order

Accounting and tax documentation for commercial purposes

6 years

Art. 30 Commercial Code

Accounting and tax documentation for tax purposes

4 years

Articles 66 to 70 General Tax Law

Building access control

1 month

AEPD Instruction 1/1996

Video surveillance

1 month

AEPD Instruction 1/2006
Organic Law 4/1997

Resumes of applicants and candidates

Until the completion of the initial selection process for those who fail the process.
for resumes that have passed to the job board for up to 2 years if they have not been updated since delivery.



Navigation data

In relation to browsing data that may be processed through the website, in case data subject to the regulations are collected, it is recommended to consult the Cookie Policy published on our website.

Rights of interested parties

The data protection regulations grant a number of rights to data subjects or data subjects, users of the website or users of the Data Controller’s social media profiles.

These rights are the following: - right of access: right to obtain information on whether their own data are being processed, the purpose of the processing being carried out, the categories of data concerned, the recipients or categories of recipients, the period of retention and the origin of such data.

- Right of rectification: right to obtain rectification of inaccurate or incomplete personal data.

- Right to erasure: right to obtain erasure in the following cases: o When the data are no longer necessary for the purpose for which they were collected.
o When consent is withdrawn by the holder.
o Where the data subject objects to the treatment.
o When to be deleted in compliance with a legal obligation.
o Where the data have been obtained under an information society service on the basis of art. 8 apdo. 1 of the European Data Protection Regulation.

- Right of opposition: right to object to a given processing based on the consent of the data subject.

- Right of limitation: right to obtain the limitation of the data processing when one of the following cases occurs: o Where the data subject disputes the accuracy of the personal data, for a period that allows the entity to verify the accuracy of the personal data.
o Where the processing is lawful and the data subject objects to the deletion of the data.
o When the entity no longer needs the data for the purposes for which they were collected, but the interested party needs them for the formulation, exercise or defense of claims.
o Where the data subject has objected to the processing while verifying whether the legitimate grounds of the entity prevail over those of the data subject.

- Right to portability: the right to obtain data in a structured, commonly used and machine-readable format and to transmit them to another controller when: o Treatment is based on consent.
o Processing is carried out by automated means.

- Right to complain to the competent supervisory authority.

Interested parties may exercise the rights indicated by contacting the Data Controller in writing, sent to the following address: direccion@hotelparquedealceda.com in the Subject line the right you wish to exercise.

In this regard, the Data Controller will respond to your request as soon as possible and taking into account the deadlines provided for in the data protection regulations.

Safety The security measures adopted by the Data Controller are those required, in accordance with the provisions of article 32 of the GDPR. In this regard, the Data Controller, taking into account the state of the art, the application costs and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and seriousness to the rights and freedoms of natural persons, appropriate technical and organisational measures are in place to ensure the level of security appropriate to the existing risk.

In any case, the Data Controller has implemented sufficient mechanisms to:

a) Ensure continued confidentiality, integrity, availability and resilience of treatment systems and services.
b) Restore availability and access to personal data quickly in the event of a physical or technical incident.
c) Verify, evaluate and evaluate, on a regular basis, the effectiveness of the technical and organisational measures put in place to ensure the safety of treatment.
d) Pseudonymize and encrypt personal data, where applicable.