GENERAL DATA PROTECTION REGULATION
A. GENERAL INFORMATION
This document is part of a set of regulations concerning TheVagar’s personal data protection in accordance with the General Data Protection Regulation (2016/679), herein referred to as GDPR.
In the future, whenever this document is subject to updates, a new version will become immediately available after its approval.
The enforcement of this policy will be ensured by the evaluation of control indicators and/or audits (internal or external) at regular intervals, or in the event of significant changes.
Scope and Purpose
This policy was implemented to demonstrate TheVagar’s full commitment to and respect for privacy regulations and personal data protection.
This policy is established in order to disclose TheVagar’s general rules concerning privacy and personal data processing. We collect and handle this information with great respect and always in line with national and European legislation on this subject.
TheVagar is committed to the best practices in terms of security and personal data protection. Consequently, it has approved a strict programme to safeguard all data that is made available to TheVagar by all those who, in some way, are associated with it.
This policy applies solely to personal data collected and processed by TheVagar.
This policy is addressed to the general public and to TheVagar clients in particular, and establishes obligations for all TheVagar’s staff members.
Personal Data – All information about an identified or identifiable individual; individuals are identifiable when they may be directly or indirectly identified, through data such as name, ID number, place of residence, computerised data, but also by one or more specific elements regarding their identity in terms of physique, physiology, genetics, mind, economics, culture or social status.
Special categories – Personal data that reveals race or ethnicity, political opinions, religious or philosophical convictions, trade union affiliations, as well as processing data concerning genetic information, biometrics, health, sex life or sexual orientation.
Processing – The operation, or set of operations, by which personal data, or sets of personal data, are handled by automated or non-automated means, such as the collection, registration, organisation, structuring, conservation, adaptation or alteration, recovery, consultation, usage, dissemination, comparison or interconnection, shortening, deletion or destruction of information.
Liable party – An individual or group of individuals, authority, agency or any other body which, individually or in association with others, establishes the purpose and means to process personal data; whenever the purpose and means of processing are legally determined by the European Union or by a member-state, the appointment of such a party may be contemplated in the European Union or member-state’s law.
Violation of Personal Data – An accidental or unlawful security breach that results in the unauthorised destruction, loss, change, disclosure or access to personal data that was transferred, stored or subjected to any other type of processing.
Outsourcing – An individual or group of individuals, authority, agency or any other body that treats personal data according to instructions issued by the person responsible for the data in question.
Third Party – An individual or group of individuals, authority, service or body that, although not the subjects or bodies responsible for processing the data, are authorised to act under the direct authority of the body in charge of processing.
Personal Data Collection and Processing
TheVagar’s activity involves the collection, registration, organisation, archive, use and consultation of personal data. This may also involve other operations that, according to the General Data Protection Regulation, are called “personal data processing”.
Personal data collection regards staff members but also suppliers, clients and others.
TheVagar collects personal data, namely data that is necessary for reservations and invoicing, as well as personal data from staff members to comply with legal employment requirements.
Upon collecting personal data, TheVagar will supply data subjects with detailed information regarding the nature of the data collected and the use and processing it will entail, as well as information mentioned above regarding the right to access one’s personal data.
Regarding personal data processing, TheVagar may outsource this activity to third parties that will process personal data on its behalf, and according to the instructions provided, in strict compliance with the law and this policy.
These outsourced entities cannot release or disclose data without TheVagar’s prior and written authorisation. They are also forbidden to outsource other entities without TheVagar’s prior authorisation.
TheVagar shall only outsource data processing to entities that offer the best guarantees in the implementation of adequate technical and organisational procedures, in order to ensure the protection of data subjects’ rights. All outsourced entities will remain legally bound by a written contract that establishes the purpose, duration, nature of processing, type of personal data and data categories, as well as the rights and obligations of both parties.
Upon collecting personal data, TheVagar will provide data subjects with information regarding the outsourced entity that, in each specific case, is authorised to process the data on its behalf.
Data Collection Channels
TheVagar may collect data directly (i.e. directly from the subject) or indirectly (i.e. through partners or third parties). Data can be collected using the following channels:
Direct collection: in person, by telephone or email
Indirect collection: via partners or reservation companies, as well as official bodies.
General Principles of Personal Data Processing
Regarding the general principles of personal data processing, TheVagar ensures that the data processed will be:
the subject of lawful, legal and transparent processing;
collected for specific, explicit and legitimate ends, and shall never be subsequently misused;
adequate, pertinent and restricted to what is strictly necessary for the purpose for which it is being treated;
precise and updated whenever necessary, taking all adequate measures to ensure that inaccurate data, considering the purposes for which it is processed, is immediately deleted or corrected;
stored in a manner that only enables identification of data subjects during the period strictly required for that purpose;
processed in a manner that ensures its security, including protection from unauthorised or unlawful processing, as well as preventing loss, destruction or accidental damage, applying all adequate technical and organisational measures.
Data processing by TheVagar is lawful when at least one of the following situations occurs:
The data subject has explicitly authorised the processing of his/her data for one, or more, specific purpose(s);
Data processing is necessary to perform a contract where the data subject is one of the parties, or for pre-contractual diligences at the subject’s request;
Data processing is required to fulfil a legal obligation by which TheVagar is bound;
Data processing is necessary to protect the vital interests of the subject or any other individual;
Data processing is necessary to pursue the legitimate interests of TheVagar or any third parties (unless the interests or fundamental rights and freedoms of data subjects prevail over the data processing).
TheVagar ensures that data processing is only carried out under the circumstances mentioned above and in full compliance with the principles laid out.
When data processing is based on the subject’s consent, he/she also has the right to withdraw consent at any time. However, the withdrawal of consent does not jeopardise the lawfulness of data processed by TheVagar under the subject’s previous authorisation.
The length of time during which the data is stored depends on the purpose for which it is processed.
There are legal requirements stating that data must be stored for a minimum period of time. Therefore, and provided there are no specific legal requirements, data will only be stored for the minimum period of time necessary to achieve the purposes for which it was collected and subsequently processed. At the end of this period, the data will be deleted.
Use and Purpose of Personal Data Processing
Overall, TheVagar uses personal data for purposes such as invoicing and billing of clients, marketing, human resources management and staff recruitment.
Personal data collected by TheVagar will not be shared with third parties, unless it has received the subject’s prior consent, with the exception of the situations mentioned below. However, in case the subject hires services provided by entities other than TheVagar, the subject’s data may be consulted and accessed by these entities, inasmuch as this is necessary to provide the requested services.
TheVagar is legally permitted to convey or divulge personal data to other entities, in case this is necessary to perform a contract, or for pre-contractual diligences at the subject’s request, if this is required to fulfil a legal obligation that binds TheVagar, or if it is necessary to achieve TheVagar’s (or a third party’s) legitimate interests. If personal data is shared with a third party, TheVagar will ensure this entity shall use the data according to this policy.
Technical, Organisational and Security Procedures
In order to guarantee personal data protection, TheVagar agrees to use it according to security and confidentiality policies and internal procedures. This information shall be updated on a regular basis, according to needs and pursuant to the legally established terms and conditions.
Given the nature, scope, context and purposes of data processing, and considering the risks this operation may entail regarding the subjects’ legal rights and freedoms, TheVagar agrees to apply the adequate legal technical and organisational procedures for personal data protection, both at the time when processing procedures are set in place, as well as during the processing itself.
TheVagar also agrees to ensure that, by default, only the necessary data for each specific purpose is processed and that this data cannot be made available, without human intervention, to an unlimited number of people.
As such, TheVagar adopts the following general procedures:
Regular audits to assess the quality of the implemented procedures;
The general awareness and training of staff members involved in data processing;
Mechanisms that ensure the constant confidentiality, availability and resilience of TheVagar’s information systems;
Mechanisms that can recover information systems as well as access to personal data in a timely fashion, in case of a physical or technical incident.
Data Transfer Outside the European Union
Personal data collected and used by TheVagar is not made available to third parties outside the European Union. If, in the future, the status quo changes and transfers take place, then TheVagar will ensure that the transfer observes all legal requirements, namely the other country’s adequate legal framework concerning data protection, as well as the requirements for such transfers.
B. RIGHTS OF DATA SUBJECTS
Right to Information
The information provided by TheVagar is listed below:
TheVagar’s identity and contacts and, whenever possible, the name of the person in charge of data processing;
Purposes of the data processing and, if applicable, the legal grounds for this operation;
If data processing is based on TheVagar’s legitimate interests, or those of a third party, these interests must be specified;
If applicable, the recipient, or categories of recipients of the personal data;
If applicable, the indication that personal data will be transferred to a foreign country, or to an international organisation, as well as the existence, or non-existence, of an EU adjustment decision or reference to appropriate and adequate transfer guarantees;
Personal data retention period;
The right to access one’s personal data, and in so doing, the right to order its correction, deletion or limitation; as well as the right to oppose data processing and the right to data portability;
If data processing is based on the subject’s consent, the right to withdraw this consent at any time, without jeopardising the lawfulness of processing carried out based on previously given consent;
The right to lodge a complaint with the CNPD (Comissão Nacional de Protecção de Dados) or any other authority;
The right to be informed if imparting personal data is, or is not, a legal or binding obligation or a prerequisite to perform a contract, as well as whether the subject is obliged to supply his/her personal data and the likely consequences of not supplying such data;
If applicable, the existence of automated decisions, including the definition of a profile and its underlying logic, as well as the importance and likely consequences of such processing;
Aside from the information mentioned above, if personal data is obtained from sources other than the data subject, TheVagar is obliged to inform the subject of the different personal data categories subject to processing, their origin, and if they may derive from sources available to the general public;
If TheVagar intends to process personal data for purposes other than those for which data was collected, before the operation takes place the hotel will supply the subject with information in that regard, as well as any other relevant information, in the abovementioned terms.
Procedures and measures implemented to comply with the right to information:
The information mentioned above shall be supplied in writing (including electronically) by TheVagar before processing personal data. According to Portuguese law, TheVagar is not obliged to supply this information to the data subject when, and to the extent that, the subject is already aware of it.
Information provided by TheVagar is not subject to payment.
Right to Access One’s Personal Data
TheVagar will ensure the means by which data subjects can access their personal data.
Data subjects have the right to obtain information about the processing, or non-processing, of their personal data and, as such, the right to access their personal data and the following information:
The purposes of processing personal data;
The different categories of the personal data in question;
The recipients or categories of recipients with whom the personal data was or shall be shared, namely recipients in other countries or belonging to international organisations;
Personal data retention period;
The right to request the correction, deletion or limitation of personal data, as well as the right to oppose processing;
The right to lodge a complaint with the CNPD or any other authority;
The right to be informed of the data’s origin if it was not collected from the subject;
The right to be informed of automated decisions, including profile definition, and information regarding the underlying logic, as well as the importance and likely consequences of such processing;
The right to be informed of the adequate guarantees associated with data transfer to foreign countries or international organisations.
If requested, TheVagar will provide the subject with a copy of the data that is being processed. Other copies may incur administrative costs.
Right to Correct One’s Personal Data
Data subjects have the right to request the correction of their personal data, as well as the completion of any incomplete personal data, by supplying an additional statement.
In case of data correction, TheVagar will share this information with data recipients, unless this reporting is impossible or implies an unreasonable effort by the hotel.
Right to Delete One’s Personal Data (“Right to be Forgotten”)
Data subjects have the right to request that TheVagar deletes their data whenever one of the following situations takes place:
The subject’s data is no longer necessary for the purpose determined in its collection or processing;
The subject withdraws his/her consent, and there are no legal grounds to justify the operation;
The subject refuses data processing based on his/her right to oppose this operation and the lack of prevailing legitimate interests to justify the processing;
In case the data is unlawfully processed;
If the data must be deleted to fulfil a legal obligation to which TheVagar is bound.
According to the applicable law, TheVagar is not obliged to delete subjects’ data if processing is necessary to fulfil a legal provision or for the purpose of a statement, exercise or defence of a right in court.
If data is deleted, TheVagar will inform each recipient/entity to whom the data was transferred to delete such data as well, unless this reporting is impossible or implies an unreasonable effort by TheVagar.
When TheVagar has made the data available to the public and is subsequently forced to delete it, under the subject’s right to have it deleted, TheVagar will ensure all the necessary procedures, including technical ones, considering the available technology and costs to apply it, to inform those in charge of data processing that the subject has requested his/her data be deleted, as well as any copies or reproductions.
Right to Limit the Use of One’s Personal Data
Data subjects have the right to limit TheVagar’s data processing if one of the following situations takes place (this limitation consists in including a mark/sign in the personal data kept by TheVagar to restrict the use of this data in the future):
If accuracy of the personal data is contested within a period that enables TheVagar to verify its accuracy;
If data processing is unlawful and the data subject opposes deletion of the data, requesting, in return, the limitation of its use;
If TheVagar no longer needs the data for processing purposes, but the data is requested by the subject to be used as a statement, exercise or defence of a right in court;
If the subject has opposed the data processing, but TheVagar’s legitimate reasons prevail over those of the subject.
When data processing has been limited, except for storage purposes, it can only be treated with the subject’s consent. It may also be used as a statement, exercise or defence of a right in court, to defend the rights of another person or entity, or for reasons of public interest.
Subjects who have limited data processing in the cases described above will be informed by TheVagar before the request to limit processing is overruled.
In case data processing is limited, TheVagar will inform each recipient to whom the data was transferred of this limitation, unless this reporting is impossible or implies an unreasonable effort by TheVagar.
Right of Portability of One’s Personal Data
The data subject has the right to obtain his/her personal data from TheVagar. This data must be delivered in a manner that is organised, easy to use and uncomplicated to read, and the subject has the right to transfer this data to another agent responsible for data processing if:
This processing is based on the subject’s consent or on a contract where the subject is one of the parties;
The processing is performed using a computer.
The right to portability does not include inferred or derived data, i.e. personal data that may be issued by TheVagar as a consequence or resulting from data processing analysis.
The data subject has the right to request that his/her personal data be directly communicated to the entities responsible for processing, whenever this is technically possible.
Right to Oppose Personal Data Processing
Data subjects have the right to oppose their personal data processing whenever they wish, provided the reasons are associated with a specific situation, to the processing of data that is based on the exercise of TheVagar’s legitimate interests, or when the processing is performed for purposes other than those for which the data was collected, including profile definition or use for statistics.
TheVagar will cease personal data processing, unless there are imperative and legitimate reasons for processing that prevail over the interests, rights and freedoms of the subjects, or for the statement, exercise or defence of TheVagar’s rights in court.
When the subject’s data is treated for direct marketing, he/she has the right to oppose this use at any time, including for profile definition to the extent that this is associated with direct marketing. If this is the case, TheVagar will immediately cease to use the data for that purpose.
The data subject is also entitled to oppose any automated decision, including profile definition, which may affect the judicial sphere or similar, unless the decision:
Is necessary to perform or conclude a contract between the subject and TheVagar;
Has been authorised due to legislation affecting TheVagar;
Is based on the data subject’s explicit consent.
Procedures on How to Exercise One’s Rights
The right to access, correct, delete, limit, transfer and oppose data processing may be exercised by the subject by filling out a form addressed to TheVagar.
TheVagar will reply in writing (including via computer) within 1 month (max) after receiving the request, except in very complex cases, where this deadline may be extended for an additional month (2 months in total).
If requests are clearly unfounded or excessive, namely if they are repetitive, TheVagar reserves the right to charge administrative costs or refuse to pursue the matter.
Personal Data Violation
In case of personal data violation and if this violation may involve a high risk for the fundamental rights and freedoms of the subject, TheVagar will notify the CNPD within the 72 hours following detection of the incident.
According to law, this notification is not necessary in the following situations:
If TheVagar has put in place all the adequate protection procedures, both technical and organisational, and these procedures have been applied to the personal data that has been violated, especially procedures which render personal data incomprehensible to anyone without authorization to access this data, such as encryption;
In case TheVagar has taken subsequent measures in order to ensure that the subject’s fundamental rights and freedoms are no longer affected;
In case informing the subject involves an unreasonable effort. In this case, TheVagar will issue a public statement or apply a similar measure through which the data subject will be informed.
C. FINAL CONSIDERATIONS
Law and Jurisdiction