Aimia Explotación SA
Spanish fiscal ID: A07007966
C/Santa maria del camí, 1
07108 Port de Sóller
Listed in the mercantile register of Palma de mallorca, Volume 2690, Folio 9, Sheet PM-80429, inscription 1 dated 10th of January 2017.
AIMIA EXPLOTACIÓN S.A. reserves the right to modify this Policy in order to adapt it to new legislation, jurisprudence, sector practices, and/or in the interests of the company. Any modifications to the same will be announced with due warning in order to ensure your adequate knowledge of the content.
The data controller is AIMIA EXPLOTACIÓN S.A. with address for these purposes at: Calle Santa Maria del Camí, 1, 07108 Sóller - Mallorca (Baleares).
1.2 DPD contact details
The contact details of the DPD appointed by the data controllers are as follows: firstname.lastname@example.org
1.3 PROCESSING PURPOSE
The purposes of collecting and processing personal data, through the various forms that are owned by the data controller and made available to Users, is as follows, depending on the specific case:
• Booking management: to manage the booking made via the website, by phone or through a third party at one of our hotels.
• Customer management: to manage your stay in our hotels and offer you the best service we can in each one. AIMIA EXPLOTACIÓN S.A. will manage your stay to offer you the best possible care based on your indications. Our goal is to provide you with the best possible service in any of our hotels, based on the processing of data for statistical purposes.
• To take into consideration the products and services you have contracted and enjoyed in order to offer you products and services that may be of interest to you, based on statistical data developed by us.
• To manage online check-ins: data controllers may email the data subject so that they can voluntarily make preliminary arrangements online in relation to their check-in at the hotel.
• Manage your contact requests through the channels provided for it.
• Get feedback from customers via satisfaction surveys.
• To provide information and, where applicable, registration services at conferences or events that are organised or in which the data controller participates.
• Manage job applications through the collection of CVs, for the purposes of being able to contact applicants and proceed with the selection process.
• To send commercial communications by any means (including electronic ones) to inform you about news, events, and our products or services that may be of interest to you.
• To send "abandoned basket" reminders: the data controller may send the data subject communications to remind them that they have not completed a contract or booking process that they had started. The information included by the user on the website will be taken into account. This will only be done if the user has expressly consented to it
1.4 STORAGE PERIOD
The personal data provided will be stored for the appropriate period to comply with legal obligations to during the period that may be required by a judge or magistrate’s court. Data based on consent will be stored as long as consent is not withdrawn or handling opposed. Additionally, with the aim of improving your experience for future stays in our hotels, we will maintain the data related with your past stays during a period of seven years, unless you would communicate the contrary. In that case it will be maintained the period according to legal obligations and during the period that may be required by a judge or magistrate’s court. CV data received as part of recruitment processes will be stored for a period of four years.
1.5 DATA LOCKING
In accordance with article 32 of Organic Act 3/2018 on Personal Data Protection and the Guarantee of Digital Rights, data controllers will proceed to block data when it is corrected or deleted.
The data lock consists of identifying and reserving the data in question, adopting technical and organisational measures to prevent it from being processed, except for to make the data available to the competent judges and courts, Public Prosecutor's Office or Public Administrations, and data protection authorities in particular, based on the requirements of potential obligations arising from the processing of the data and only for the limitation period required in these cases.
The data controller is legitimately entitled to process personal data, on the basis of the following:
• If this has been requested, in accordance with the consent granted by the interested party for one of several specific purposes as set out in article 6.1 a) of the General Regulations for Personal Data Protection when they complete the forms and mark the box provided for that purpose.
• In order to execute a service provision contract, as set out in article 6.1 b) of the General Regulations for Personal Data Protection.
• In order to comply with a legal obligation imposed on the data controller, in accordance with Article 6.1.c) of the General Data Protection Regulation.
• On the basis of a legitimate interest for security and access control purposes in accordance with article 6.1 f) of the General Regulations for Personal Data Protection. An assessment will be made of the extent to which this is proportionate and pertinent to the rights of the interested parties.
1.7 DATA SOURCE
The personal data is obtained from the booking made by the data subject or from the forms they fill in which have been made available by the data controller.
If the data does not come directly from the data subject, it will have come from the booking made by the data subject through a third party (such as a travel agency or a travel booking website)
1.8 DATA ACCURACY
On the other hand, in order for the data present in our files, whether in electronic or paper format, to always correspond to reality, they will need to be kept up to date. To this end, the User should make any necessary changes, either directly when this option is enabled or by informing the data controller's corresponding division or department by a reliable and traceable means.
The personal data you provide to the data controller, may be passed on to the following types of addressees:
• Third parties to whom the company is obliged to supply information, such as public authorities, for the purpose of complying with the requirements of such authorities and with applicable legislation.
• The companies that own the hotels, in order to make the reservation in them. The legitimate basis for processing the data in this case is the execution of a contract or pre-contractual measures (Art. 6.1.b of the GDPR)
AIMIA EXPLOTACIÓN S.A. does not market, sell or perform any other similar activity using your personal data. Your personal data will only be processed for the purposes indicated above and will only be used by the data controller.
The data controller uses service providers with access to the personal data (data processors). Among these service providers are companies located outside the European Economic Area, and as such there is the possibility of international transfers of data being made. This will, in all cases, be done in compliance with the relevant guarantees as per Articles 44 onwards of the GDPR. Suppliers of data controllers located in the USA are members of the Privacy Shield agreement
1.10 USER´S RIGHTS
However, the person to whom the personal data belongs may in any case exercise the rights granted to them by the General Regulations for Data Protection, namely:
• The right to request access to their own personal data
• The right to request rectification or deletion
• The right to request the limitation of their handling
• The right to oppose handling
• The right to data portability
The interested party may exercise these rights by issuing a written request accompanied by a copy of their national identity document, specifying which of the above rights they wish to exercise and sent to the following address: AIMIA EXPLOTACIÓN S.A. - Calle Santa Maria del Camí, 1, 07108 Sóller - Mallorca (Baleares) or by sending an e-mail to email@example.com
In the event the interested party considers their right to personal data protection to have been breached, they may send a complaint to the Spanish Data Protection Agency (www.agpd.es).