Introduction

The Privacy Policy has been developed to support Aires da Serra Hotel in adapting its activity to the General Data Protection Regulation, approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”).

This policy is complemented by other security policies which are relevant to the company’s business and together describe the Aires da Serra Hotel’s approach to information security and privacy.

This policy applies to all Aires da Serra Hotel Professionals and Partners and, when identified, to third parties who access the company’s assets.

The terms ‘Privacy’, ‘Data Privacy’ and ‘Data Protection’ can be used in the same sense because they are associated with a complex set of legal requirements that apply to Personal Data, which goes beyond data security and confidentiality. For example, it includes requirements on the transparency of data use and data retention.

Compliance with this policy is mandatory and therefore all Professionals and Partners have an individual responsibility to ensure that they comply with it and, if necessary, ask their team leaders for clarification.

It is the responsibility of Aires da Serra Hotel to define the appropriate mechanisms to achieve compliance with this policy, with the responsibility for operational implementation resting with the teams, with the support of the Privacy Officer.

Compliance with this policy can be monitored through inspections, audits and/or requests for written confirmations of compliance, and all areas are responsible for regularly assessing their compliance with it within their area of responsibility.

Accordingly, any employee who has violated this policy is subject to disciplinary action.

This policy is based on the principles set out in the GDPR. However, there are national differences in the applicability of Aires da Serra Hotel’s data protection and privacy when processing personal data outside the EU, when receiving personal data from outside the EU or when processing personal data of non-EU citizens.

If you have any questions, please contact the Privacy Officer.

Data Protection Principles

As part of our business, we process Personal Data: whether we receive personal data in the course of our business opportunities, our customer engagements, marketing activities or a range of other related and supporting activities. Data may be received directly from a Data Subject (e.g. in person, via post, email, telephone or from other sources), including from our customers, partners, subcontractors, joint Controllers, support service providers and credit reference agencies.

All professionals and partners should only request personal data from a Data Subject that is relevant and necessary to fulfill a certain business purpose and task.

Aires da Serra Hotel undertakes to comply with the principles of personal data protection defined by the GDPR:

• Lawfulness, fairness and transparency: this means that we must have a legitimate reason for processing Personal Data, e.g. consent of the Data Subject, compliance with a legal obligation to which we are subject. It also means that we must clearly inform the Data Subject about the processing;
• Purpose Limitation: we must only request Personal Data for specific, explicit and legitimate purposes and not process it beyond the purpose for which it was requested;
• Data minimization: the Personal Data processed must be adequate, relevant and limited to what is necessary;
• Accuracy: we have an obligation to ensure that Personal Data is accurate and to update it whenever necessary;
• Limitation of retention: we shall not retain Personal Data for longer than is necessary for the purposes for which it is processed, although we may retain some for historical and statistical purposes;
• Integrity and Confidentiality: we must have adequate security controls in place to protect data against unauthorized and unlawful processing, loss, destruction or damage, including technical and organizational measures such as defined processes, training and awareness;
• Lawful transfer outside the European Economic Area: we only transfer Personal Data outside the EEA provided there are adequate safeguards in place, such as a contractual basis;
  Data Subject Rights: Data Subjects have various rights which we must respect (for example, the right to access a copy of the data we store and the right to withdraw consent given for direct marketing purposes).

Lawful and fair treatment

Whenever Personal Data is collected, it is necessary to have a legal basis for the processing. According to the GDPR, we must identify at least one of the following reasons for processing Personal Data:

• Consent: The Data Subject has given consent for the Data to be processed for one or more specific purposes;
• Contractual: Processing is necessary for the performance of a contract to which the Data Subject is a party or for pre-contractual procedures;
• Legal: Processing is necessary to comply with a legal obligation to which the Controller is subject;
• Vital interests: Processing is necessary to protect the vital interests of the Data Subject;
• Public interest: The treatment is necessary for the performance of a task carried out in the public interest;
• Legitimate interests: Processing is necessary for the legitimate interests of the Controller, except where the interests or fundamental rights and freedoms of the Data Subject are overridden.

When we act as Data Controller, we must ensure that we have a legitimate basis for collecting and processing Personal Data.

In some situations, we may act as a Processor on behalf of our client, in which case it is their responsibility to ensure that they have a proper reason for processing the Personal Data, which they must share with us. However, we must take steps to ensure that our contract is clear about our responsibilities in this regard and that, if we collect Personal Data directly from Data Subjects on behalf of the client, we have the grounds to do so legitimately.

When a Special Category of Data is processed there is an additional set of conditions that must be met. Please contact the Privacy Officer for further guidance.

The GDPR requires us to provide Data Subjects with information about the processing in order to guarantee fair and transparent processing. Whenever we collect Personal Data we must ensure that we properly explain why we need the information and how we will process it. When information is gathered through our website this information is given through a ‘Privacy Notice’.

Any other information to be provided when collecting personal data must also be provided on the internet. See the ‘Privacy Policy’ and ‘Cookie Policy’ for more information or contact the Privacy Officer.

Processing for specific purposes only

Whenever we collect and process Personal Data, we must ensure that we only use it for the specific purposes that have been communicated to the data subject.

Aires da Serra Hotel should never process Personal Data for additional purposes that have not been communicated to the Data Subject. Only then will we be clear about the purpose of the processing and should we understand the purposes for which our clients may have collected the Personal Data.

Adequate, relevant and limited treatment

When we collect and process Personal Data, we must follow the principle of data minimization. This means that we should collect only the minimum Personal Data necessary to perform a specific task.

In addition, we must ensure that we have an adequate amount of personal data to carry out a specific task properly. For example, collecting the data necessary only to identify a person.

This also applies to any sharing and other processing activities. It is important to minimize the data held and processed; we must ensure that if we share data internally or externally or use it in activities such as testing, we should only use/share the minimum amount in each case.

Accuracy of personal data

We have an obligation to ensure that Personal Data is kept accurate and up-to-date. We must ensure that adequate processes are in place to maintain accurate data where necessary (for example, of professionals or current and potential clients held by the relevant areas).

When acting as Data Controller in relation to a client, we will not be obliged to implement mechanisms to keep this data up to date; this will be the responsibility of the Data Controller, i.e. our client.

Retention of Personal Data

Personal Data should not be kept for longer than necessary. This means that we must define and apply maximum retention periods for the Personal Data we process and implement processes to erase them when they expire. Therefore, the following retention periods may apply: (i) for as long as is necessary for the relevant activity or services; (ii) any retention period required by law; (iii) the end of the period in which disputes or investigations may arise in relation to the services; or (iv) for the minimum period provided for in the contract.

Data Subject Rights

The GDPR requires us to inform individuals about the Personal Data we collect and the purposes and means by which it is processed. This information is given in the form of a ‘Privacy Notice’.

a) Right of Access

• The Data Subject has the right to ask to see the Personal Data we hold about him/her, the purpose of the processing and the categories of data concerned.
• We must notify the Data Subject of the recipients with whom we are going to share their data, especially if the recipient is in another country or belongs to an international organization.
• Whenever possible, we will define the data retention period to meet the business objectives.
• We must inform the Data Subject of the existence of their right to object to processing and their right to rectification and erasure.
• We must inform the Data Subject of their right to complain to a supervisory authority.
• When data is collected from someone other than the Data Subject, we must inform the Data Subject of the source of the data.
• We must ensure that we have processes in place to identify and respond to Data Subject access issues without undue delay and within a maximum of one month.

b) Right to rectification

• Data subjects have the right to rectify inaccurate data, and Aires da Serra Hotel will make every effort to do so immediately.

c) Right to erasure

• The Data Subject has the right to obtain from the Data Controller the erasure of his/her data (‘right to be forgotten’). It is the responsibility of Aires da Serra Hotel to do everything possible to immediately delete the data held, except when there is a legal requirement to retain it. If you receive a request from a Data Subject, please contact the Privacy Officer first before deleting any data.

d) Children’s rights

• All individuals, including children, are protected by the GDPR. For children under the age of 13, we shall not process their Personal Data on the basis of their consent, unless authorized by the respective holders of parental responsibility.

e) Marketing

• We may sometimes send our clients and partners marketing material to inform them of services, upcoming events or other activities of interest to them, in which case we must indicate the right to withdraw consent at any time if they wish not to be contacted again under these terms.
• We must also ensure that we have processes in place to guarantee that all participation preferences are registered and respected.

For all questions concerning the rights of Data Subjects, please contact the Privacy Officer.

Security of Retained Data

Aires da Serra Hotel will maintain data security by protecting the confidentiality, integrity and availability of personal data:

• Confidentiality means that only authorized persons can access the data;
• Integrity means that Personal Data must be accurate and suitable for the purposes for which it is processed;
• Availability means that authorized users must be able to access the data if they need it for the authorized purposes.

For more complete information on our security policies, please contact the Privacy Officer.

Data disclosure

All professionals and partners must avoid any inappropriate disclosure of Personal Data and comply with our general duties regarding Confidentiality.

It is allowed:

a) Disclose Personal Data to third parties only on instruction or when we have a legitimate basis for doing so, and there are no restrictions in place.

b) Disclose Personal Data to third parties in the event that we sell or buy any business or assets, or when we are a Joint Controller as part of a joint venture.

c) Sharing Personal Data with a third party who is processing data on our behalf, which may include transferring data to a third country.

Generally, Personal Data can be disclosed:

a) Professionals or agents so that they can carry out their duties as such.

b) In cases where non-disclosure would jeopardize the prevention or detection of crime, the bringing of charges against offenders, or the assessment or collection of any tax or fee. Aires da Serra Hotel must have adequate grounds to disclose data under this category in order to avoid criminal prosecution. All disclosures must be justified and documented.

For legal purposes, data may be disclosed if:

a) Required by law, statute or court order.

b) For the purpose of obtaining legal advice;

c) In the context of or for the purposes of legal proceedings or when necessary for the defense of a legal right.

d) To safeguard national security.

International transfer of personal data

Aires da Serra Hotel may transfer any Personal Data to a third country or international organization. The Personal Data we hold may also be processed by employees operating in a third country or for one of our suppliers.

We must ensure that at least one of the following conditions applies:

a) The country to which the Personal Data is transferred guarantees an adequate level of protection for the rights and freedoms of the Data Subjects, by decision of the EU Commission.

b) Appropriate safeguards are provided (e.g. data protection clauses).

c) The Data Subject has given explicit consent to the transfer after having been informed of the possible risks.

d) The transfer is necessary for one of the reasons set out in the GDPR, including the performance of a contract between Aires da Serra Hotel and the Data Subject, or protection of the Data Subject’s vital interests.

e) The transfer is legally required for important reasons of public interest or in order to bring legal proceedings or defend against them

Log information, cookies and web beacons

The Aires da Serra Hotel website uses cookies to distinguish its users. Aires da Serra Hotel collects standard Internet log information, including the user’s IP address, browser type and language, access times and the addresses of referring websites.

To ensure that our website is well managed and to facilitate navigation, Aires da Serra Hotel or its service providers may also use cookies (small text files stored in the user’s browser) or web beacons (electronic images that allow our website to count visitors accessing a site and certain cookies) to collect aggregate data.

Professional Information

Collection and Conservation

• Aires da Serra Hotel, as an employer, collects, processes and stores the personal data of employees, contractors, consultants and candidates. The Human Resources Department and other departments that process professionals’ personal data must check and document the legal basis for the processing they carry out. The Personal Data of professionals should only be processed when there is a valid and legitimate purpose for doing so.
• The collection of personal data relating to our employees takes place through various channels and formats, such as: application forms; electronic web forms, (e.g. during the recruitment process); data records; CCTV images; staff photographs, including ID cards; data from other sources (e.g. previous employers); credit checks and security checks; etc.
• The creation and storage of personal data relating to our professionals takes place through various channels and formats, such as: pay slips; appraisal records; employment contracts; e-mails; sickness records; etc.

Training and Awareness

• We are committed to providing adequate training on personal data protection to all professionals. If necessary, we will provide personalized training and awareness-raising for people taking into account their roles.

Process design and change

• For all proposed new systems and business procedures involving Personal Data, consideration should be given to whether an assessment of the impact on privacy and information security is required in order to identify risks and controls.

To this end, all professionals and partners should contact the Privacy Officer before adopting new procedures.