THE HOTI HOTÉIS GROUP had adopted the best privacy practices and shall only use the Personal Data of its customers (physical and online, whether actual or potential customers) for clearly identified purposes and if permission is obtained to do so through an act that clearly expresses free, specific, informed and unequivocal permission to process the Personal Data in question.
The entities that are part of the HOTI HOTÉIS GROUP, are hereby represented by the HOTI – HOTÉIS, SGPS, S.A. holding, with head office at Avenida D. João II, lote 1.16.02.B, 1990-083 Lisbon, and registered at Lisbon Commercial Registry Office under the single registration and tax identification No. 504.762.982, and operate in the hotel industry as hotel proprietors, operators or managers, using their own brands or others for the purpose.
Currently, the HOTI HOTÉIS Group operates and manages the following hotels:
• MELIÁ MADEIRA MARE *****
• MELIÁ BRAGA *****
• MELIÁ RIA ****
• MELIÁ SETÚBAL ****
• MELIÁ MAPUTO SKY ****
• TRYP LISBOA ORIENTE ****
• TRYP LISBOA AEROPORTO ****
• TRYP LISBOA CAPARICA MAR ****
• TRYP PORTO EXPO ****
• TRYP PORTO CENTRO ***
• TRYP COLINA DO CASTELO ****
• TRYP LEIRIA ****
• STAR INN LISBON ***
• STAR INN PORTO ***
• STAR INN PENICHE ***
• HOTEL DA MÚSICA ****
• MADEIRA GOLDEN RESIDENCE ****
2. PERSONAL DATA
Personal Data is all information, of any nature and regardless of its form, about an individual who is directly or indirectly identified or identifiable (owner of the Personal Data).
3. DATA COLLECTION
in undertaking its business, the hoti hotéis group requests its customers, whether actual or potential customers, for the following personal data by telephone, e-mail or through its websites:
• Number, Issuer and Expiry Date of the Civil Identification Document
• Date of Birth
• Mobile phone
• Tax Identification Number (for invoicing)
• Credit Card Details (for charging)
The aforementioned Personal Data may be obtained through partners, associated companies or official entities, and to obtain them the respective owners must give permission for the transfer of such data.
4. DATA PROCESSING
The Personal Data collected by the HOTI HOTÉIS GROUP is processed in compliance with the applicable laws in an honest and transparent manner to guarantee the privacy of the data for the respective owners.
The data shall be processed for clearly identified, objective and legitimate purposes for which the owners of the Personal Data have given their permission through an act that clearly expresses their free, specific, informed and unequivocal permission to process their Personal Data. These data shall not be processed at a later date for any other purposes.
The owners of the Personal Data may withdraw their permission, although this does not compromise the legality of the processing based on the permission initially given.
The Personal Data may be processed without the need for permission from the respective owners if if the HOTI HOTÉIS GROUP has to comply with legal obligations to fulfil a contract when the owners are one of the parties, for pre-contractual procedures requested by the owners or to defend other essential rights of the owners or third parties.
The processing of Personal Data includes its:
5. PURPOSE OF THE DATA PROCESSING
The Personal Data requested from customers shall be processed for the purpose of:
• Complying with the hoti hotéis group’s legal obligations as a business supplying hotel services, including the supply of information to the relevant authorities(Foreigners and Borders Service, Tax Authority and National Statistics Institute, among others);
• Fulfilling pre-contractual procedures requested by the customers;
• Establishing contractual relationships;
• Providing a range of hotel services such as accommodation, restaurant, laundry, car parking, health club, SPA treatment and tourist services, among others that are commonly provided by hotels;
• Guiding the services on offer to match the customer preferences;
• Invoicing and charging the customers for the services provided;
• Contacting customers by telephone, post, e-mail or another means of communication;
• Informing the customers about new products and services, offers, campaigns, promotions, updated information or other content, including newsletters and opinion surveys, as well as general marketing initiatives of the HOTI HOTÉIS GROUP and its hotels;
• Improving the navigation experience of the websites of the HOTI HOTÉIS GROUP;
• Registering the user on websites of the HOTI HOTÉIS GROUP'S domain;
• Allowing access to the restricted areas of the websites of the HOTI HOTÉIS GROUP;
• Managing customer membership or loyalty clubs or cards;
• Recording telephone calls for any of the purposes listed above.
In websites with its own domain, the HOTI HOTÉIS GROUP also collects information about the users’ hardware device and their browser/software, and information about the pages of the websites visited.
The users of these websites will be asked for permission to create and save a text file (Cookie) in their respective computers to allow easier and faster access to the websites, as well as the customisation in accordance with the user preferences.
Most browsers accept Cookies, but the users may delete them or define their settings to block them. Check the “Help” menu of your respective browser to define these settings.
If the users do not allow Cookies to be used, some of the functionalities of the websites may not be available.
6. DATA STORAGE TERM
The time period during which the Personal Data is stored varies depending on the purpose for which the information is processed, with legal requirements making it mandatory to store the data for a minimum time period.
Whenever there is no specific legal obligation, the Personal Data shall be stored only for the minimum period necessary for the purposes for which they were collected or are being processed, and shall then be deleted.
7. DATA TRANSFER
The Personal Data collected by the Hoti Hotéis Group are not shared with third parties without the permission of the respective owners, unless:
• Such is necessary to comply with a legal obligation the HOTI HOTÉIS Group is subject to;
• It becomes necessary to defend other essential interests of the owners of the Personal Data or third parties;
• the owners acquire services through HOTI HOTÉIS provided by other entities responsible for processing the Personal Data, whereby these entities may consult or access such data insofar as necessary for the provision of the aforementioned services;
• With the due applicable legal limits, the communication or transmission of Personal Data is necessary for the fulfilment of the contract established between the respective owners and the Hoti Hotéis Group or for pre-contractual procedures requested by the owners.
The personal data collected and used by the HOTI HOTÉIS GROUP are not supplied to third parties outside the European Union. However, if in the future such a transfer occurs for any reason, the HOTI HOTÉIS GROUP undertakes to ensure it complies with the applicable legal stipulations, namely as regards ascertaining that the country in question provides suitable protection of Personal Data and has requirements in place concerning such transfers, in addition to making sure the entity or subcontractor responsible for the data processing complies with the General Data Protection Regulation.
8. SUBCONTRACTED ENTITIES
These subcontractors may not transmit the Personal Data to other entities without the HOTI HOTÉIS GROUP first giving its written permission to do so, and they are also forbidden from outsourcing this task to other entities without prior permission from the HOTI HOTÉIS GROUP.
THE HOTI HOTÉIS Group undertakes to subcontract only the entities who provide maximum security in terms of their technical and organisational resources, to guarantee the rights of the owners of the Personal Data are safeguarded.
All the entities subcontracted by the HOTI HOTÉIS Group are legally bound to the Group through a written contract that regulates the object, duration, nature and purpose of the processing, the kind of Personal Data in question, the categories of the owners of the data and the rights and obligations of the parties.
After collecting the Personal Data, the Hoti Hotéis Group will provide the owners of the Personal Data with information about the categories of entities subcontracted which, in this specific case, may affect the processing of data in the name of the HOTI HOTÉIS GROUP.
In the case of individuals or companies, public authorities, agencies or other entities that process Personal Data on behalf of THE HOTI HOTÉIS GROUP, the entities subcontracted have been assessed and the respective contracts reviewed, and the prior assessment of new subcontractors will be carried out, whereby a regime of joint liability specifically stipulated in the contract shall be implemented.
9. RIGHTS OF THE DATA OWNERS
The owners of the Personal Data have the following rights:
• Right to information
The owners of the Personal Data are entitled to be informed about:
• The identity and contacts of the hoti hotéis group, the entity/person responsible for processing the personal data, and if applicable, its representative;;
• The contacts of the Data Protection Officer or confirmation that the company does not employ a DPO,
• The purposes of processing the Personal Data, and if applicable the legal reasons for this processing;
• If the processing of the Personal Data is based on the legitimate interests of the HOTI HOTÉIS GROUP or a third party, what these interests are;
• If applicable, the receivers or categories of receivers of the Personal Data;
• If applicable, an indication that the Personal Data will be transferred to a third country or an international organisation and whether or not the European Commission has issued an opinion about its suitability, or reference to guarantees of appropriate or suitable transfer methods;
• The Personal Data storage term;
• The right to request the hoti hotéis group for permission to the personal data, as well as their rectification, deletion or limitation, the right to oppose their processing and the right to access to the data;
• If the processing of the Personal Data is based on permission granted by the owner, the right to withdraw this permission at any time, without compromising the legality of the processing based on the permission given beforehand;
• The right to make a complaint to the National Data Protection Commission or regulatory authority;
• Indication of whether the communication of Personal Data comprises a legal or contractual obligation or not, or is a requirement needed to sign a contract, as well as whether the owner is obliged to supply the Personal Data and any consequences of not supplying these data;
• If applicable, the existence of automatic decisions, including the definition of profiles, and basic concept information, as well as the importance and consequences of such processing for the owner of the Personal Data;
• If the Personal Data are not being collected directly by the HOTI HOTÉIS GROUP from the respective owner, as well as the information mentioned above, the owner must be informed about the categories of Personal Data that will be processed, and about the origin of the data, and possibly if the sources are accessible to the public;
• if the hoti hotéis group intends to process the personal data subsequently for a purpose different to the purpose for which the data were collected, before doing so the HOTI HOTÉIS GROUP shall inform the owner about this purpose and any other information of interest, under the terms outlined above.
• Right of Access
THE HOTI HOTÉIS GROUP guarantees it has the resources to allow the owner of the Personal Data to check the data.
The owners are entitled to obtain confirmation from the HOTI HOTÉIS GROUP about whether their Personal Data is being processed, and if so the owners have the right to access their Personal Data and to have the following information:
• The purposes of processing the data;
• The categories of the Personal Data in question;
• The receivers or categories of receivers the Personal Data have been or will be disclosed to, especially the receivers based in third countries or belonging to international organisations;
• The Personal Data storage term;
• If the data have not be collected from the owner, the information available about the origin of these data;
• The existence of automatic decisions, including the definition of profiles, information relative to the underlying logic, as well as the importance and consequences of such processing for the data owner;
• Suitable guarantees regarding the transfer of data to third countries or international organisations;
Upon request, the HOTI HOTÉIS GROUP will supply the owners with a copy of their Personal Data that is being processed free of charge.
The supply of extra copies requested by the owner may require the payment of administrative costs.
• Right to Rectification
The owners are entitled to request rectification of their Personal Data at any time, as well as completion of their incomplete Personal Data, including through an additional declaration.
In the case of rectification of the data, the HOTI HOTÉIS GROUP will communicate the rectified data to each receiver of the data, unless such communication is deemed impossible or implies an unreasonable effort for the HOTI HOTÉIS GROUP.
• Right to Deletion
The owners are entitled to request the HOTI HOTÉIS GROUP to delete their Personal Data in any of the following cases:
• The Personal Data are no longer needed for the purpose that led to their collection or processing;
• The owner withdraws permission to process the Personal Data and there are no other legal grounds to justify the data processing;
• The owners exercise their right to oppose the processing of the data and there are no prevailing legitimate interests that justify the processing;
• If the Personal Data are processed illegally;
• If the Personal Data have to be deleted to comply with a legal obligation the HOTI HOTÉIS GROUP is subject to;
Under the applicable legal terms, the HOTI HOTÉIS GROUP has no obligation to eliminate the personal data if this processing is necessary to comply with a legal obligation that the HOTI HOTÉIS GROUP is subject to or for the purposes of declaring, exercising or defending a right of the HOTI HOTÉIS GROUP in a judicial action.
In the case of deletion of the data, the HOTI HOTÉIS GROUP will communicate that the data has been eliminated to each receiver of the data, unless such communication is deemed impossible or implies an unreasonable effort for the HOTI HOTÉIS GROUP.
When the hoti hotéis group has made the personal data public and is required to delete them in fulfilment of the owner’s right to delete the data, the hoti hotéis group undertakes to ensure reasonable measures are implemented, including of a technical nature, taking into consideration the technology available and the cost of its application, to inform the entities responsible for processing the Personal Data that the owner requested the elimination of the links to these Personal Data, as well as any copies or reproductions.
• Right to Limitation
Limitation comprises inserting a mark in the Personal Data stored to limit its processing in the future.
The owners are entitled to request the HOTI HOTÉIS GROUP to limit the processing of their Personal Data in any of the following instances:
• If the owners dispute the preciseness of the Personal Data for a period that allows the Hoti Hotéis Group to check its preciseness;
• If the processing is illicit and the owner opposes the elimination of the data, requesting instead limitation to its use;
• If the HOTI HOTÉIS GROUP no longer need to process the Personal Data, but these data are required by the owner for the purpose of declaring, exercising or defending a right in a judicial action;
• If the owner has opposed the processing, until the legitimate reasons of the Hoti Hotéis Group prevail over the owner's reasons;
• When the owner’s Personal Data is limited, the data may only, apart from the storage, be processed after permission is granted by the owner or for the purposes of declaring, exercising or defending a right in a judicial action, defending the rights of another individual or company, or for legally stipulated reasons of public interest.
Owners who have stipulated limitation in the processing of their Personal Data in the aforementioned cases will be informed by the HOTI HOTÉIS GROUP before the limitation is lifted.
In the case of limitation of the Personal Data, the HOTI HOTÉIS GROUP will communicate the respective limitation to each receiver of the data, unless such communication is deemed impossible or implies an unreasonable effort for the HOTI HOTÉIS GROUP.
• Right to Opposition
Owners of the Personal Data have the right to oppose the processing of their Personal Data by the HOTI HOTÉIS GROUP based on the legitimate interests of the Group, or when the data is processed for purposes other than those for which the Personal Data was collected, including the definition of profiles, or when the Personal Data is processed for statistical purposes.
In this case, the HOTI HOTÉIS GROUP will stop processing the Personal Data, unless it presents urgent and legitimate reasons for why this data processing prevails over the interests, rights and liberties of the owner, or for the purposes of declaring, exercising or defending a right of the HOTI HOTÉIS GROUP in a judicial action.
When the Personal Data is processed for the purposes of direct marketing (Marketing or Telemarketing), the owners are entitled to oppose the processing of their data at any time, which includes the definition of profiles related to direct marketing.
If the owners oppose the processing of their Personal Data for direct marketing, the HOTI HOTÉIS GROUP will stop processing the data for this purpose.
The owners also have the right not to be subject to any decision taken exclusively based on automatic processing, including the definition of profiles, which has legal effects or which significantly affects the owners in a similar way, unless such decision:
• Is necessary to sign or fulfil a contract between the owner and the HOTI HOTÉIS GROUP;
• Is authorised by the law that the Hoti Hotéis Group is subject to;
• Is based on the explicit permission of the owner.
• Right to Portability
The owners have the right to receive the Personal Data which they have supplied to the HOTI HOTÉIS GROUP in a structured, currently used and automatically readable format, as well as the right to transmit these data to another entity responsible for processing the data if this processing is based on the permission granted or on a contract that the owner has signed or if the processing is automatic.
The right to portability does not include inferred data or derived data, i.e. Personal Data generated by the HOTI HOTÉIS GROUP as a consequence of or resulting from analysis of the data that is being processed.
The owners have the right for their Personal Data to be directly transmitted between entities responsible for the processing, whenever it is technically possible to do so.
• Right to Make a Complaint
The owners of the Personal Data have the right to make a complaint to the Regulatory Authority (National Data Protection Commission), through the site www.cnpd.pt.
The right to access, right to rectification, right to deletion, right to limitation, right to portability and right to opposition may be exercised by the owner by contacting the Data Protection Officer of the HOTI HOTÉIS GROUP using the following e-mail firstname.lastname@example.org.
THE HOTI HOTÉIS GROUP will respond in writing (including through electronic means) upon request from the owner within a maximum deadline of one month counting from when the request is received, apart from especially complex cases, in which this deadline may be extended to two months.
If the requests made by the owners are manifestly unjustified or excessive, especially owing to their repetitive nature, the Hoti Hotéis Group reserves the right to charge administrative costs or to refuse the request.
10. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES IMPLEMENTED
To guarantee the security of the Personal Data and its maximum confidentiality, the HOTI HOTÉIS GROUP processes the information in a strictly confidential manner, in line with its internal security and confidentiality policies and procedures, which are updated regularly whenever needed, and in compliance with the legal terms and conditions.
In line with the nature, scope, context and purposes of the processing of the Personal Data, as well as the risks deriving from processing them in terms of the owners’ rights and liberties, THE HOTI HOTÉIS GROUP undertakes to apply the necessary and appropriate technical and organisational measures to protect the Personal Data and comply with the legal regulations when defining the processing methods and when actually processing the data.
It also undertakes to ensure, through default, that only the data needed for each specific purpose is processed and that these data are not available without human intervention to unauthorised people.
Communication between the owners of the Personal Data and the websites of the HOTI HOTÉIS GROUP takes place through secure and communication channels that use the HTTPS protocol and SSL security standard.
With a view to guaranteeing the privacy and security of its customers and staff’s Personal Data, the HOTI HOTÉIS GROUP has implemented the following technical and organisational security measures:
• The Personal Data collected are appropriate, justified and limited to what is strictly necessary for the purposes for which they are processed;
• The Personal Data are exact and updated whenever necessary, implementing all the measures necessary to ensure the data are exact, taking into account the purposes for which they are processed, and are deleted and rectified immediately;
• The Personal Data are stored in a way that allows the identification of the owners only for the period needed for the purposes for which the data are processed;
• The Personal Data are processed using methods that guarantee their security, including protection against their unauthorised or illegal processing and against their unexpected loss, destruction or damage;
• Carry out the risk assessment by mapping the data flows and carrying out impact assessments;
• Adoption of internal rules that ensue the rapid and effective exercising of the rights of the Personal Data owners and the implementation of procedures for this purposes that are free of charge for the owners;
• Use of pseudonymisation of the Personal Data, i.e. the Personal Data is processed using methods that do not allow them to be attributed to a specific owner without supplementary information, whereby this supplementary information is stored separately and subject to technical and organisational measures to make sure that the Personal Data cannot be attributed to an identified or identifiable individual;
• Encrypt the Personal Data;
• Guarantee permanent confidentiality, integrity, availability and resilience of the processing systems and services;
• Guarantee the capacity to promptly re-establish the availability and access to the Personal Data in the event of a physical or technical incident;
• Implement a process that enables the regular testing and assessment of the measures adopted to guarantee the security of the processing;
• Protect the data from the moment of their conception, i.e. take the risk of privacy into account throughout the process to create a new product or service, instead of considering questions of privacy afterwards;
• Carefully assess and implement appropriate technical and organisational measures and procedures from the start to guarantee the processing is in compliance with the legislation in force and protect the rights of the data owners;
• Protect the data by default, i.e. make sure that mechanisms are in place to guarantee that, through default, only the quantity necessary of Personal Data for each task shall be collected, used and stored. This obligation applies to all the processing, length of storage and accessibility of the data.
11. BREACH OF PERSONAL DATA
In the event of a breach of the data that leads to a high risk for the rights and liberties of the owner, THE HOTI HOTÉIS GROUP undertakes to communicate this breach of Personal Data to the owner in question within seventy-two hours of detecting the incident.
THE HOTI HOTÉIS GROUP undertakes to notify the Regulatory Authority as soon as possible, with no unjustified delay, within seventy-two hours of learning about the breach of data.
The HOTI HOTÉIS GROUP has created internal mechanisms to detect and communicate any security breaches that allow swift action to be taken, namely as regards discovering the kind of breach of data, which data were lost, destroyed, disclosed, changed or accessed improperly, and notification to the Regulatory Authority and how to communicate the incident to the owners of the data.
Under the legal terms, communication to the owner is not required in the following cases:
• If the HOTI HOTÉIS GROUP has applied appropriate measures of protection, both in technical and organisational terms, and if these measures have been applied to the Personal Data affected by the breach of Personal Data, especially measures that make the Personal Data incomprehensible to any person not authorised to access these data, such as encryption;
• If the HOTI HOTÉIS GROUP has taken subsequent measures that ensure the high risk of breach of the rights and liberties of the owner does not come to pass;
• If communication to the owner implies an unreasonable effort by the HOTI HOTÉIS GROUP, in which case the HOTI HOTÉIS GROUP will make a public announcement or take similar measures through which the owner shall be informed.
12. DATA PROTECTION OFFICER (DPO)
No DPO was appointed given that the Hoti Hotéis Group is not a public authority or entity, and does not regularly and systematically monitor the owners of the Personal Data on a large scale and does not process sensitive Personal Data on a large scale.
If the changes are substantial, a notice will be issued in the websites of the HOTI HOTÉIS GROUP.
14. APPLICABLE LAW AND COURT