INDEX
1. Objective of the Privacy Policy
2. Definitions
3. Identity of the Data Controller
4. Applicable laws and regulations
5. Principles applicable to the processing of personal data
6. Data processing activities carried out
7. Necessary and updated information
8. Personal data of minors
9. Technical and organizational security measures
10. Rights of interested parties
11. Complaints to the Control Authority
12. Acceptance and changes to the Privacy Policy
1.- OBJECTIVE OF THE PRIVACY POLICY
The purpose of this "Privacy and Data Protection Policy" is to disclose the conditions governing the collection and processing of personal data by Rosaleda del Mijares SL, making every effort to safeguard the fundamental rights, honour and freedoms of the persons whose personal data is processed, in compliance with the regulations and laws in force that govern the Protection of Personal Data according to the European Union and the Spanish Member State and, specifically, those expressed in the "Processing Activities" section of this Privacy Policy.
For all of the above, in this Privacy and Data Protection Policy, users of the Website https://www.hotelrosaledadelmijares.com are informed of all the details of interest to them regarding how these processes are carried out, for what purposes, what other entities may have access to their data and what the rights of the users are.
2.- DEFINITIONS
"Personal data": any information relating to an identified or identifiable natural person ("Website User"); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Restriction of processing" means the marking of stored personal data with the aim of limiting their processing in the future.
'Profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
'Pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
"File": any structured collection of personal data accessible according to specified criteria, whether centralised, decentralised or distributed on a functional or geographical basis.
'Controller' or 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
"Data processor" or "processor": the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
"Recipient" means a natural or legal person, public authority, agency or other body, to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the data protection rules applicable to the purposes of the processing.
"Third party": a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
"Consent of the data subject": any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
"Personal data breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration of, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
'Genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information about that natural person's physiology or health, obtained in particular from analysis of a biological sample from that natural person.
'Biometric data' means personal data obtained through specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
'Health data' means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the health status of a natural person.
‘main establishment’: (a) in respect of a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of processing are taken at another establishment of the controller in the Union and that latter establishment has the power to enforce those decisions, in which case the establishment which has taken those decisions shall be deemed to be the main establishment; (b) in respect of a processor with establishments in more than one Member State, the place of its central administration in the Union or, if there is no such central administration, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor are carried out to the extent that the processor is subject to specific obligations under this Regulation.
'Representative' means a natural or legal person established in the Union who, designated in writing by the controller or processor in accordance with Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under this Regulation.
"Enterprise": a natural or legal person engaged in an economic activity, regardless of its legal form, including companies or associations that regularly carry out an economic activity.
‘Supervisory Authority’ means the independent public authority established by a Member State pursuant to Article 51 of the GDPR. In the case of Spain, this is the Spanish Data Protection Agency.
'Cross-border processing' means: (a) processing of personal data which is carried out in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or (b) processing of personal data which is carried out in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
'Information society service' means any information society service, meaning any service provided, normally in exchange for remuneration, at a distance, by electronic means and at the individual request of a recipient of the services.
3.- IDENTITY OF THE PERSON RESPONSIBLE FOR THE PROCESSING
The Data Controller is the natural or legal person, public or private, or administrative body, which alone or jointly with others determines the purposes and means of the processing of personal data; in the event that the purposes and means of the processing are determined by the Law of the European Union or of the Spanish Member State.
In the aspects expressed in this Data Protection Policy, the identity and contact details of the Data Controller are:
Mijares Rose Garden SL - CIF B12286258
Tales Road, No. 28. 12448, Montanejos (Castellón), Spain
• Email: mijares@gruporosaleda.com
• Telephone: 964 131 079
4.- APPLICABLE LAWS AND REGULATIONS
This Privacy and Data Protection Policy is developed based on the following data protection regulations and laws:
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Hereinafter GDPR.
• Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights. Hereinafter LOPD/GDD.
• Law 34/2002, of July 11, on Information Society Services and Electronic Commerce. Hereinafter LSSICE.
5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
The personal data collected and processed through this website will be treated in accordance with the following principles:
• Principle of legality, loyalty and transparency: All processing of personal data carried out through this Website will be lawful and fair, and it will be completely clear to the user when personal data concerning him or her is being collected, used, consulted or processed. Information regarding the processing carried out will be transmitted in advance, in an easily accessible and easy-to-understand manner, in simple and clear language.
• Principle of purpose limitation: All data will be collected for specific, explicit and legitimate purposes, and will not be subsequently processed in a manner incompatible with the purposes for which they were collected.
• Data minimisation principle: The data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Accuracy principle: The data will be accurate and, if necessary, updated, adopting all reasonable measures to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are deleted or rectified without delay.
• Principle of limitation of the conservation period: The data will be kept in a way that allows the identification of the interested parties for no longer than necessary for the purposes of processing the personal data.
• Principle of integrity and confidentiality: The data will be treated in a way that guarantees adequate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss or damage, through the application of appropriate technical and organizational measures.
• Principle of proactive responsibility: The entity that owns the Website will be responsible for compliance with the principles set out in this section and will be able to demonstrate this.
6.- DATA PROCESSING ACTIVITIES
Below are the data processing activities carried out through the Website, specifying each of the following sections:
• Activity: Name of the data processing activity
• Purposes: Each of the uses and treatments carried out with the data collected
• Legal basis: The legal basis that legitimizes the processing of the data
• Data processed: Types of data processed
• Origin: Where the data is obtained from
• Conservation: Period during which the data is kept
• Recipients: Third parties or entities to whom the data is provided
• International transfers: Cross-border transfers of data outside the European Union
6.1 MAIN TREATMENT ACTIVITIES
These are data processing activities whose purposes are necessary and essential for the provision of services.
6.2 OPTIONAL PROCESSING ACTIVITIES (if the user has indicated his/her acceptance)
These are personal data processing activities whose purposes are not essential for the provision of the service and which are only carried out if the user has checked YES in the consent for the performance of these activities.
Website Consultations
Legal basis Explicit consent of the interested party
Purposes Response to queries received through the electronic form on the website
Data categories and groups Web contacts (Identification data)
Data source The interested party or his/her legal representative
Category of recipients Not provided for
International transfer Not planned
Conservation period For a period of 1 year from the last confirmation of interest
Job board
Legal basis Explicit consent of the interested party
Purposes Staff selection
Data categories and groups Job candidates (Identification data; Academic and professional; Personal characteristics; Social circumstances; Employment details)
Data source The interested party or his/her legal representative
Category of recipients Not provided for
International transfer Not planned
Conservation period For a period of 1 year from the last confirmation of interest
Commercial communications
Legal basis Explicit consent of the interested party
Purposes Marketing, advertising and commercial prospecting
Data categories and groups Clients (Identification data). Potential clients (Identification data)
Data source The interested party or his/her legal representative
Category of recipients Not provided for
International transfer Not planned
Conservation period As long as its deletion is not requested by the interested party
Ecommerce customer management
Legal basis Explicit consent of the interested party
Purposes Electronic commerce
Data categories and groups Ecommerce Clients (Identification data; Economic, financial and insurance data; Transactions of goods and services)
Data source The interested party or his/her legal representative
Category of recipients Tax Administration; Banks, savings banks and rural banks
International transfer Not planned
Conservation period For a period of 5 years from the last confirmation of interest
BE ROSALEDA loyalty program
Legal basis Explicit consent of the interested party
Purposes of the BE ROSALEDA loyalty program
Data categories and groups Subscribers (Identification data)
Data source The interested party or his/her legal representative
Category of recipients Not provided for
International transfer Not planned
Conservation period As long as its deletion is not requested by the interested party
Subscriber Management
Legal basis Explicit consent of the interested party
Purposes Marketing, advertising and commercial prospecting
Data categories and groups Subscribers (Identification data)
Data source The interested party or his/her legal representative
Category of recipients Not provided for
International transfer Not planned
Conservation period As long as its deletion is not requested by the interested party
Commercial communications
Legal basis Explicit consent of the interested party
Purposes Marketing, advertising and commercial prospecting
Data categories and groups Clients (Identification data)
Data source The interested party or his/her legal representative
Category of recipients Not provided for
International transfer Not planned
Conservation period As long as its deletion is not requested by the interested party
7.- NECESSARY AND UPDATED INFORMATION
All fields marked with an asterisk (*) on the Website forms must be completed, so that the omission of any of them could result in the impossibility of providing you with the requested services or information.
You must provide truthful information so that the information provided is always up-to-date and does not contain errors. You must notify the Data Controller as soon as possible of any changes or corrections to your personal data by sending an email to the following address: mijares@gruporosaleda.com.
Likewise, by clicking on the “I accept” button (or equivalent) included in the aforementioned forms, you declare that the information and data you have provided in them are accurate and truthful, and that you understand and accept this Privacy Policy.
8.- DATA OF MINORS
In compliance with the provisions of article 8 of the GDPR and article 7 of the LOPD/GDD, only those over 14 years of age may give their consent for the processing of their personal data in a legal manner by Rosaleda del Mijares SL
For the above reasons, minors under 14 years of age may not use the services available through the Website without the prior authorization of their parents, guardians or legal representatives, who will be solely responsible for all acts carried out through the Website by minors under their care, including the completion of electronic forms with the personal data of said minors and the marking, where applicable, of the accompanying boxes.
9.- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Data Controller adopts the necessary organisational and technical measures to guarantee the security and privacy of your data, to prevent its alteration, loss, processing or unauthorised access, depending on the state of the technology, the nature of the data stored and the risks to which they are exposed.
Among others, the following measures stand out:
• Ensure the ongoing confidentiality, integrity, availability and resilience of treatment systems and services.
• Restore availability and access to personal data quickly, in the event of a physical or technical incident.
• Regularly verify, evaluate and assess the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
• Pseudonymize and encrypt personal data, if it is sensitive data.
On the other hand, the Data Controller has made the decision to manage the information systems in accordance with the following principles:
• Principle of regulatory compliance: All information systems will comply with the applicable legal and sectoral regulations that affect information security, especially those related to the protection of personal data, system security, data, communications and electronic services.
• Risk management principle: Risks should be minimized to acceptable levels and a balance should be sought between security controls and the nature of the information. Security objectives should be established, reviewed and consistent with the security aspects of the information.
• Principle of awareness and training: Training, awareness-raising programmes and awareness campaigns will be organised for all users with access to information, in terms of information security.
• Principle of proportionality: The implementation of controls that mitigate the security risks of assets will be carried out by seeking a balance between security measures, nature and information and risk.
• Principle of responsibility: All members of the Data Controller will be responsible for their conduct regarding information security, complying with the established standards and controls.
• Principle of continuous improvement: The degree of effectiveness of the security controls implemented in the organization will be reviewed on a recurring basis to increase the capacity to adapt to the constant evolution of risk and the technological environment.
10.- RIGHTS OF INTERESTED PARTIES
Current data protection regulations protect users with a series of rights in relation to the use of their data. Each and every one of these rights are personal and non-transferable, meaning that they can only be exercised by the data owner, after verifying their identity.
The rights of Website users are detailed below:
• Right of access: This is the right of the Website user to obtain confirmation of whether or not the Data Controller is processing their personal data and, if so, to obtain information about their specific personal data and the processing that the Data Controller has carried out or is carrying out, as well as, among others, the information available about the origin of said data and the recipients of the communications made or planned therein.
• Right to rectification: This is the right that the Website user has to have his or her personal data modified if it is found to be inaccurate or, taking into account the purposes of the processing, incomplete.
• Right to erasure: This is usually known as the "right to be forgotten" and is the right that the Website user has, unless current legislation establishes otherwise, to obtain the erasure of his or her personal data when these are no longer necessary for the purposes for which they were collected or processed; the User has withdrawn his or her consent to the processing and there is no other legal basis for this; the User objects to the processing and there is no other legitimate reason to continue with it; the personal data have been processed unlawfully; the personal data have been obtained as a result of a direct offer of information society services to a minor under 14 years of age. In addition to erasing the data, the Data Controller, taking into account the available technology and the cost of its application, will adopt reasonable measures to inform other potential controllers who are processing the personal data of the interested party's request to erase any link to said personal data.
• Right to data restriction: This is the right of the Website User to limit the processing of his or her personal data. The Website User has the right to obtain the restriction of processing when he or she contests the accuracy of his or her personal data; the processing is unlawful; the Data Controller no longer needs the personal data, but the User needs it to make claims; and when the Website User has objected to the processing.
• Right to data portability: In cases where processing is carried out by automated means, the Website User shall have the right to receive from the Data Controller his/her personal data in a structured, commonly used and machine-readable format, and to transmit them to another data controller. Whenever technically possible, the Data Controller will directly transmit the data to that other Controller.
• Right to object: This is the User's right to prevent the processing of their personal data or to stop the processing of their personal data by the Data Controller.
• Right not to be subject to automated decisions and/or profiling: The right of the Website User not to be subject to an individualized decision based solely on the automated processing of their personal data, including profiling, unless otherwise provided by current legislation.
• Right to revoke consent: This is the right of the Website User to withdraw, at any time, the consent given for the processing of their data.
The Website user may exercise any of the aforementioned rights by contacting the Data Controller and after identifying the User using the following contact information:
• Responsible: Rosaleda del Mijares SL
• Address: Carretera de Tales, Nº28. 12448, Montanejos (Castellón), Spain
• Telephone: 964 131 079
• Email: mijares@gruporosaleda.com
• Website: https://www.hotelrosaledadelmijares.com
11.- RIGHT TO COMPLAIN TO THE CONTROL AUTHORITY
The user is informed of his/her right to file a complaint with the Spanish Data Protection Agency if he/she considers that a violation of data protection legislation has been committed with respect to the processing of his/her personal data.
Contact information of the supervisory authority:
Spanish Data Protection Agency
Email: info@aepd.es
Telephone: 912663517
Website: https://www.aepd.es
Address: C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain
12.- ACCEPTANCE AND CHANGES IN THE PRIVACY POLICY
It is necessary that the Website user has read and agrees to the data protection conditions contained in this Privacy Policy, as well as accepting the processing of his/her personal data so that the Data Controller can proceed with it in the manner, timeframes and purposes indicated.
The Data Controller reserves the right to modify this Privacy Policy at its own discretion or as a result of a legislative, jurisprudential or doctrinal change by the Spanish Data Protection Agency. Any changes or updates made to this Privacy Policy that affect the purposes, retention periods, transfers of data to third parties, international data transfers, as well as any rights of the Website User, will be explicitly communicated to the user.
Version of November 28, 2022
