The personal data controller is the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of the processing. In this case, the details of the data controller are:
Identity: HORISA, S.L.
Company Tax no.: B17087099
Postal Address: Llorer, 16 E-17310 LLORET DE MAR
Telephone: +34 972 364250
Email address: info @xaine.com
Hotel Xaine Park / Horisa, s.l. as the data controller and person responsible for the website, in accordance with the legislation in force, and specifically, what is laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (GDPR), as well as Spanish Law 34/2002, of 11 July, on information Society Services and Electronic Commerce (LSSICE), you are informed that we have implemented appropriate technical and organisational measures in accordance with the state of the art and the cost of their implementation with regards to the risks and nature of the personal data processed to guarantee and protect the confidentiality, integrity and availability of the personal data.
Personal data is any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. There is a wide range of information that can be classed as personal data, for example: name, contact details, identification number, computer IP adress, etc. For further details about this information, you can consult the website of the Spanish Data Protection Agency (http://www.agpd.es) or the website of the Catalan Data Protection Authority (http://www.apdcat.gencat.cat), among others.
"Processing" is defined as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
Purpose of processing of data:
Why do we process personal data?
Personal data provided by data subjects will be processed for the following purposes:
- Booking, registering and contracting products: Managing and executing the provision of the services and/or products contracted or requested by data subjects, as well as the actions required to carry out the contractual relationship with the data subject, including informing, processing, managing, modifying and any other operation needed to manage the booking or purchase as well as subsequent billing and payment. Usage analysis may be carried out based on a data subject's purchase and booking history. Automated decisions that have legal effects may not be made under any circumstances.
- Registration book for travellers in hotel establishments: Collecting, managing and submitting the information established by the legislation in force regarding the registration book for travellers in totel establishments.
- Consultations: To answer, respond to and follow up consultations and requests made by the data subjects and/or provide formation requested by the user.
- Accessing the private "my booking" area: Managing the booking and allowing access to the information that appears on the website relating to the status of your booking, as well as the general administration of your account, which enables you to modify the details of your booking and maintain, monitor, manage and cancel it, if you have registered as a user.
- Advertising our products and services: Sending commercial publicity communications (newsletters) relating to our products and services by any means (email, post or telephone), including promotions and discounts, invitations to events organised by the company, etc. if the data subject has accepted and consented to receiving commercial communications by registering and subscribing to the newsletter.
- Finalising unfinished bookings: Contacting the user by any means (email or telephone) if the booking has not been completed, in order to discover why it has not been completed.
- Statistics: Carrying out market studies and preparing statistics for our products and services, without automated decision-making being performed in any case.
The company informs you that it will not process your personal data for any purpose other than those listed in this section, except where there is a legal obligation or injunction. Personal data will not be subject to automated decision-making that produces legal effects for the data subject.
How long will we keep your personal data?
The personal data you provide will be stored for the time required to provide the service requested or contracted and for a maximum period of 5 years from the last confirmation by you of the existence of an interest in us keeping your data. This is without prejudice to possible longer retention for the purpose of compliance with possible legal obligations and for the exercise and monitoring of any legal and judicial actions that might be relevant. After the periods mentioned have elapsed, we will delete the personal data.
Basis for processing of data
- Booking, registering and hiring products: The legal basis for the processing of your personal data is the contractual relationship and, where appropriate, the precontractual one, established between the parties for the supply of the services and/or products contracted or requested by the data subjects, and specifically, to execute the booking of our establishment's services and products that you have made, in accordance with the terms and conditions stated in the Terms and Conditions section, and to comply with the corresponding commercial, tax and accounting obligations. All of this is based on what is laid down in points (a) and (b) of Article 6 (1) of the GDPR. Refusal to provide the personal data requested for the booking will, therefore, make it impossible to complete the contract or booking requested. For more information about contracting our products and services, consult the Terms and Conditions of Contracting section. Once the booking has been made, the data subject will receive a confirmation email with the details of the booking.
- Registration book for travellers in hotel establishments: The legal basis for the processing of your personal data is the legal obligation established concerning the collection, management and referral to the competent security agencies established in Spanish Organic Law 4/2015, of 30 March on the Protection of Citizens' Security and other implementing regulations. This is based on what is laid down in Article 6 (1) c) of the GDPR. Refusal to provide the personal data requested will, therefore, make it impossible to stay in the establishment.
- Questions: The legal basis for the processing your personal data is the possibility of responding to questions freely asked by data subjects. This processing is based on what is laid down in parts (a) and (b) of Article 6 (1) of the GDPR.
- Accessing the private "my booking" area: If the data subject has registered as a user to be able to access, consult, modify or cancel the status of "my bookings" from the website, the legal basis for the processing of his or her data is the contractual or precontractual relationship between the parties and to allow access to the information on the website relating to the status of his or her booking and modifying its details or cancelling it if the data subject has registered as a user, and his or her free and express acceptance and consent for processing of his or her data. This processing is lawful based on what is laid down in points (a) and (b) or Article 6 (1) of the GDPR. Refusal to provide the personal data requested will make it impossible to access this information through the website.
- Advertising our products and services: If the data subject has marked the box corresponding to agreeing to receive commercial publicity communications (newsletters), the legal basis for sending advertising for products and services is the data subject's own free and express consent, which he or she may withdraw at any time, without the withdrawal of consent for this purpose affecting the execution of the room booking contract where appropriate. This processing of data is based on what is laid down in point (a) of Article 6(1) of the GDPR. Refusal to provide the personal data requested will, therefore, make it impossible to sign up for the newsletter or receive commercial communications with information about our products or services. You have the right to withdraw your consent, see the "Data subjects' rights" section.
- Finalising unfinished bookings: The legal basis for processing data in this case is the data subject's acceptance and express consent for this processing so that the company can contact him or her if a technical incedent occurs when making the booking or entering into the contract. This processing of data is based on what is laid down in point (a) of Article 6(1) of the GDPR. Refusal to provide the personal data requested for the booking will, therefore, make it impossible to sign and execute the contract or booking requested.
-Statistics: The legal basis for processing data to carry out market studies and preparing statistics about our products and services, without automated decision-making being performed in any case, is the free acceptance and consent of the data subject for this processing, based on what is laid down in point (a) of Article 6.1 of the GDPR. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If you want to withdraw your consent, see the "Data subjects' rights" section.
Recipients of data transfers
Personal data will be shared with other companies in the group of under takings for purposes connected to the processing of the personal data of clients or users. In order to better deliver the services requested from us, we provide certain data to processors with which we have signed the corresponding contracts regarding data protection. In these cases the data provided is only that strictly necessary for the specific activity to be performed. Services which can be processors include but are not limited to: suppliers of IT services, security companies, tax or legal advice, etc. This list is provided as an example and the company may use services from companies from other business sectors in order to provide quality services. Outside of these cases, no data transfer within or without the EU is foreseen. Information will also be provided to third parties if this is required by the regulations in force or when there is an injunction (public authorities, courts and tribunals, law enforcement agencies and security services, tax agency, etc.)
Rights of data subjects
As a data subject you have the following rights:
- Right to access: any person has the right to know and obtain information on the personal data we process.
- Right to rectification: data subjects have the right to request the rectification, completion and/or correction of inaccurate, incorrect or incomplete data.
- Right to erasure (also known as "right to be forgotten"): data subjects, if they wish, will have the right to request the erasure of the personal data concerning them, among other reasons, when the data are no longer necessary for the purposes for which they were collected.
- Right to cancellation: data subjects can request the cancellation of their data.
- Right to object: data subjects can object to the processing of their data for marketing purposes, including profiling, and in the other cases specified in Article 21 of the GDPR. If you request it, the company will stop processing your data, unless there are compelling legitimate grounds or to bring or defend possible claims.
- Right to restrict processing: in certain circumstances laid down in Article 18 GDPR, data subjects can request restriction of the processing of their data. In this case, we will only store it to bring or defend possible claims. Specifically, you have the right to limit processing in cases in which:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests te restriction of its use instead.
- The controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.
- The data subject, for reasons relating to his or her particular situation, has objected to the processing of his or her personal data based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and/or the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, pending verification of whether the legitimate grounds of the controller override those of the data subject.
- Right to data portability: The data subject shall have the right to receive the personal data concerning him or her in a structured, commonly used and machinereadable format and have the right to transmit those data to another controller, pursuant to article 20 of the GDPR.
- Right not to be subject to automated individual decision making: data subjects have the right not to be subject to a decision based on the automated processing of his or her data which produces legal effects.
- Right to withdraw previously-given consent: data subjects have the right to withdraw consent previously-given consent at any time. Withdrawal of consent will not affect the legality of processing carried out before the withdrawal of consent.
Data subjects can obtain additional information about their rights from the website of the Spanish Data Protection Agency (http://www.agpd.es) or the website of the Catalan Data Protection Authority (http://apdcat.gencat.cat)
How can you exercise your rights?
You can exercise your rights by writing to the postal address C/ Llorer, 16 17310 Lloret de Mar or the email address firstname.lastname@example.org with the subject "Personal Data", attaching a photocopy of your identity document or any similar method established in law.
What complaint procedures are available?
If the data subject believes his or her rights have not been appropriately respected, he or she has the right to present a claim with the Spanish Data Protection Agency or any competent supervisory authority.
Information processed. What categories of personal data do we process?
Our company can process the following categories of personal data:
- Identifying data: name and surname(s), identification number, country, etc..Postal and email addresses and telephone numbers.
- Economic and financial information for managin bookings and the subsequent invoicing and billing of the service requested.
- Data relating to the products and services booked.
- Access codes and identificaion keys if the data subject has registered as a user in the "My bookings" section.
- Academic data and employment information, in case you have signed up for a job offer or have sent us your CV.
- Website navigational information. For more information, see the cookies section.
- These are not specially protected data or special categories of data.
Personal data we collect automatically.
When de data subject visits our web pages, we collect certain information automatically, including whether he or she makes a booking or hires a service in the end. This information may include the IP address, the date and time when our services were accessed, information about the hardware, software or web browser used and the language selected, among others. This information allows us to improve the services and user experience of our website, and identify potential fraudulent use and attacks on the security of our website, as well as preparing statistics on the use and effectiveness of the website. This data will not be kept unless fraudulent use or an attack on the security of the website is detected. In no case will automated decision-making based on this information which produces legal effects for the user be used. For more information, see the cookies section.
Whenever the data subject makes a booking or contracts a service or product, he or she will be sent an email confirming the booking or contracting and giving information about it. In addition, we may contact the data subject for the purpose of informing him or her of any modification or news relating to it. Furthermore, the company may send commercial communications relating to the products or services it offers on condition that the data subject has expressly and specifically given consent for this by ticking the box provided for this purpose or by any express statement of consent for it. The data subject may withdraw his or her consent to receive any type of commercial communication at any time by sending a message in the terms stated in the "Rights of data subjects" section. In addition, this option will also be offered to the data subject in every commercial communication he or she receives via email or SMS.
Provision of personal data by minors
The services offered through this website are only available to persons of legal age. Persons who are not of legal age must not provide personal data in the website.
Links to third-party websites
Our company uses social networks to publicise its services and products and share information and expreriences with users and followers.
Questions and doubts