Updated October 10, 2020
Data Protection Principles
As part of our activity, we process Personal Data, whether we receive it in the course of our business opportunities, customer engagements, marketing activities or a series of other related and support activities. Data may be received directly from a Data Subject (for example, in person, via post, email or telephone) or from other sources, namely our customers, partners, subcontractors, joint controllers, support service providers and credit reference agencies. All professionals and partners should only request from a Data Subject the personal data that is relevant and necessary to fulfill a specific purpose and business task. Aires da Serra Hotel is committed to complying with the principles of personal data protection defined by the GDPR, namely:
- Legality, loyalty and transparency: means that we must have a legitimate reason by virtue of which we process Personal Data, for example, the consent of the Data Subject or compliance with a legal obligation to which we are subject. It also means that we must clearly inform the Data Subject about the processing;
- Limitation of Purposes: we must only request Personal Data for specific, explicit and legitimate purposes and not process it beyond the purpose for which it was requested;
- Data minimization: the Personal Data being processed must be adequate, relevant and limited to what is necessary;
- Accuracy: we have an obligation to ensure that Personal Data is accurate and to update it whenever necessary;
- Limitation on retention: we must not retain Personal Data longer than necessary for the purposes for which it is processed, although we may retain some for historical and statistical purposes;
- Integrity and Confidentiality: we must have adequate security controls in place to protect data against unauthorized and illegal processing, loss, destruction or damage, including technical and organizational measures such as defined processes, training and awareness;
- Legal transfer outside the European Economic Area: we only transfer Personal Data outside the EEA provided there are adequate safeguards in place, such as a contractual basis;
- Data Subject Rights: Data Subjects have a number of rights that we must respect (for example, the right to access a copy of the data we archive and the right to withdraw consent given for direct marketing purposes).
Legality and loyalty in processing
Whenever Personal Data is collected, there must be a legal basis for the associated processing. According to the GDPR, we must identify at least one of the following reasons for processing Personal Data:
- Consent: The Data Subject has given consent for the data to be processed for one or more specific purposes;
- Contractual: Processing is necessary for the performance of a contract to which the Data Subject is a party or for pre-contractual steps;
- Legal: Processing is necessary to comply with a legal obligation to which the Data Controller is subject;
- Vital interests: The processing is necessary to protect the vital interests of the Data Subject;
- Public interest: Processing is necessary for the performance of a task performed in the public interest;
- Legitimate interests: The processing is necessary for the legitimate interests of the Data Controller, except when interests or fundamental rights and freedoms of the Data Subject prevail.
Processing for specific purposes only
Whenever we collect and process Personal Data, we must ensure that we only use it for the specific purposes that were communicated to the Data Subject. Aires da Serra Hotel must never process Personal Data for additional purposes that have not been communicated to the Data Subject. We must therefore be clear about the purpose of our own processing, and we must also understand the purposes for which our customers may have collected Personal Data.
Appropriate, relevant and limited processing
When we collect and process Personal Data, we must follow the principle of data minimization. This means that we must collect only the minimum Personal Data necessary to carry out a specific task. At the same time, we must ensure that we have enough personal data to carry out that task properly; for example, collecting only the data needed to identify a person. This also applies to sharing and other processing activities. It is important to minimize the data held and processed: if we share data internally or externally, or use it in activities such as testing, we must only use or share the minimum amount in each case.
Accuracy of personal data
We have an obligation to ensure that Personal Data is kept accurate and up to date. We must ensure that adequate processes are in place to maintain accurate data where necessary (e.g. data on professionals or on current and potential clients maintained by the relevant areas). When we process data on behalf of a customer, we are not obliged to implement mechanisms to keep that data up to date; this is the responsibility of the Data Controller, that is, our client.
Retention of Personal Data
Personal Data must not be kept longer than necessary. This means that we must define and apply maximum retention periods for the Personal Data we process and implement processes to erase it upon their expiry. Accordingly, the following retention periods may apply: (i) for as long as necessary for the relevant activity or services; (ii) any retention period required by law; (iii) until the end of the period in which disputes or investigations may arise in relation to the Services; or (iv) for the minimum period provided for in the contract.
Rights of Data Subjects
The GDPR requires us to inform people about the Personal Data we collect and the purposes and means for which it is processed. Such information is given in the form of a ‘Privacy Notice’.
a) Right of Access
- The Data Subject has the right to request to see the Personal Data we hold about them, the purpose of the processing and the categories of data in question.
- We must notify the Data Subject of the recipients with whom we will share their data, especially if the recipient is in another country or belongs to an international organization.
- Where possible, we will define the data retention period to meet our business objectives.
- We must inform the Data Subject of the existence of the right to object to the processing and of their right to rectification and erasure.
- We must inform the Data Subject of the existence of their right to complain to a Supervisory Authority.
- When data is collected from someone other than the Data Subject, we must inform the Data Subject of the source of this data.
- We must ensure that we have processes in place to identify and respond to Data Subject access requests without undue delay, and within a maximum period of one month.
- Data Subjects have the right to rectify inaccurate data, and Aires da Serra Hotel will make every effort to do so immediately.
- The Data Subject has the right to obtain from the Data Controller the erasure of their data (‘right to be forgotten’). It is up to Aires da Serra Hotel to do everything possible to immediately delete the data held, except when there is a legal requirement for its retention. If you receive a request from a Data Subject, please contact the Privacy Officer before erasing any data.
- All individuals, including children, are protected by the GDPR. For children under the age of 13, we must not process their Personal Data based on their consent, unless authorized by the respective holders of parental responsibilities.
- We may sometimes send our customers and partners marketing material to inform them of services, upcoming events or other activities of interest to them, in which case we must indicate their right to withdraw consent at any time if they no longer wish to be contacted on these terms.
- We must also have processes in place to ensure that all such marketing preferences are recorded and respected.
Security of Retained Data
Aires da Serra Hotel will maintain data security by protecting the Confidentiality, Integrity and Availability of Personal Data, where:
- Confidentiality means that only authorized persons can access the data;
- Integrity means that Personal Data must be accurate and adequate for the purposes of the processing;
- Availability means authorized users must be able to access data if they need it for the authorized purposes.
Data Disclosure
All professionals and partners must avoid any inappropriate disclosure of Personal Data and comply with our general duties regarding Confidentiality. It is permitted to:
a) Disclose Personal Data to third parties only on instruction or when we have a legitimate basis for doing so, and there are no restrictions in place.
b) Disclose Personal Data to third parties in the event that we sell or buy any business or assets, or when we are a joint Controller, as part of a joint venture.
c) Share Personal Data with a third party who is processing data on our behalf, which may include transferring data to a third country.
Generally, Personal Data may be disclosed to:
a) Professionals or agents so that they can perform their duties as such.
b) Cases where non-disclosure may impair the prevention or detection of crimes, the prosecution of offenders, or the assessment or collection of any tax or fee. Aires da Serra Hotel must have adequate grounds for disclosing data under this category in order to avoid criminal prosecution. All disclosures must be justified and documented.
For legal purposes, data may be disclosed if:
a) Required by law, statute or court order.
b) For the purpose of obtaining legal advice.
c) Within the scope or for the purposes of a judicial process, or when necessary for the defense of a legal right.
d) To safeguard national security.
International Transfer of Personal Data
Aires da Serra Hotel may transfer Personal Data to a third country or international organization. The Personal Data we hold may also be processed by employees operating in a third country or by one of our suppliers. We must ensure that at least one of the following conditions applies:
a) The country to which the Personal Data is transferred guarantees an adequate level of protection for the rights and freedoms of Data Subjects, by decision of the EU Commission.
b) Appropriate safeguards are provided (e.g. standard data protection clauses).
c) The Data Subject has given explicit consent to the transfer after being informed of the possible risks.
d) The transfer is necessary for one of the reasons set out in the GDPR, including the performance of a contract between Aires da Serra Hotel and the Data Subject, or the protection of the Data Subject’s vital interests.
e) The transfer is legally required for important reasons of public interest, or for the filing of legal actions or the defense within the scope thereof.
Information from Professionals
Collection and Retention
- Aires da Serra Hotel, as an employer, collects, processes and stores personal data from employees, contractors, consultants and candidates. The Human Resources Department and other departments that process Personal Data of professionals must verify and document the legal basis for the processing they carry out. The Personal Data of professionals should only be processed when there is a valid and legitimate purpose for doing so.
- The collection of personal data related to our employees takes place through different channels and formats, such as: registration forms; electronic web forms (e.g. during the recruitment process); data records; CCTV images; team photographs, including ID cards; data from other sources (e.g. previous employers); credit checks and security checks; etc.
- The creation and storage of personal data related to our professionals takes place through various channels and formats, such as: payment receipts; evaluation records; Employment contracts; emails; illness records; etc.
- We are committed to providing adequate training on personal data protection to all professionals. If necessary, we will provide personalized training and awareness for people, taking into account their roles.
- For all proposed new systems and business procedures involving Personal Data, consideration should be given to whether an impact assessment on privacy and information security is required to identify risks and controls.