Privacy, Security and Data Protection Policy
I – PRIVACY COMMITMENT
The Neya Hotels Group appreciates the trust placed in it and is committed to protecting the privacy of all users of the websites and digital platforms that it owns and makes available. In this context, we drew up this Privacy, Security and Data Protection Policy in order to guarantee our commitment to and respect for the rules of privacy and protection of personal data.
II – RESPONSIBILITY FOR THE PROCESSING OF PERSONAL DATA
In accordance with and for the purposes of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Regulation on Data Protection, hereinafter “GDPR”) and Law No. 58/2019, of 8th of August (Law for the implementation of the GDPR in the Portuguese legal system, hereinafter “LPDP”), those jointly responsible for the processing of personal data are:
- AZAD, Sociedade de Investimentos Turisticos e Hoteleiros, Unipessoal, Lda, VAT no. 508774942, headquartered at Rua D. Estefânia, 71-77, 1150-132 Lisboa, as holder and operator of NEYA Lisboa Hotel located at Rua D Estefânia 71-77, 1150-132 Lisbon
- NEYA – Empreendimentos Hoteleiros e Turísticos, Unipessoal, Lda, VAT no. 508561779, headquartered at Praça de Londres, no. 3, 4th Esq, 1000 – 191 Lisbon, as the holder and operator of NEYA Porto Hotel located at Rua de Monchique, nº 35-41, 4050 – 394 Porto
III – DEFINITION OF PERSONAL DATA
Personal Data is any information, regardless of nature and support, relating to an identified or identifiable natural person. A person is considered identifiable if they can be identified, directly or indirectly, by any element that allows their identification.
IV – DEFINITION OF PERSONAL DATA HOLDER
The holder of the personal data is a customer / user / supplier / subcontractor, a natural person, to whom the data relates. In this case, the person who hires / accesses the site / uses the services or products of the Data controllers is included as a client / user.
V – RIGHTS OF DATA HOLDERS
Under the terms of the GDPR and the PDPA, the data subject is guaranteed the exercise of all legally permitted rights, as long as there is a processing of personal data by the Data controllers.
– Right of access – The right to obtain confirmation of which personal data is being processed and to have this information made available.
– Right to amend – The right to request the rectification of your personal data that is wrong / outdated or to request that incomplete data be completed.
– Right to erase data or “right to be forgotten” – It’s the right to have your personal data deleted, if there are no valid and / or legitimate grounds by those responsible for processing for their conservation.
– Right to portability – The right to receive the data you have provided in a commonly used, machine-readable digital format, or to request the direct transmission of your data to another entity that becomes the new responsible for your personal data.
– Right to withdraw consent or right of opposition – The right to oppose or withdraw consent, at any time, to a data processing, provided that there are no valid and / or legitimate grounds by the Data controllers for non-acceptance of the exercise of this right.
– Right of limitation – The right to request the limitation of the processing of your personal data, in the form of suspension of treatment or limitation of the scope of treatment to certain categories of data or processing purposes.
– Right to complain – The right to complain to the relevant supervisory authority, when it’s considered that there has been a violation of your rights. In Portugal, this authority is the National Data Protection Commission (hereinafter “NDPC”). More information about NDPC is available at www.cnpd.pt.
VI – CONSENT INFORMATION
By accepting this Privacy Notice, the Holder of personal data is informed and gives his express, unambiguous, free and informed consent for the processing of personal data that will be provided through the website www.neyahotels.com (the “Website”) to be treated by Data controllers in the future.
VII – STATEMENT OF THE RIGHTS OF PERSONAL DATA HOLDERS
Data controllers undertake to respond to the exercise of rights by the holders of personal data, within a maximum period of 30 (thirty) days, unless it is a particularly extensive or complex request.
The exercise of rights tends to be free of charge, unless it is a manifestly unfounded or excessive request, in which case a reasonable fee may be charged considering the costs.
Note that the exercise of any of the rights must always be provided in writing, in person or by electronic means.
To exercise your personal data protection rights or ask any questions about the use of your personal data, the assignees can use the following email address: [email protected].
VIII – PURPOSE OF DATA OBTAINMENT
The data obtained within the scope of the digital and physical presence of those responsible for the treatment is intended to ensure the correct provision of our services, and to ensure the navigation and availability of content on our websites. Among other things, this serves the following purposes:
- Fulfil obligations to our customers;
- Manage the accommodation reservation: Creation, storage and treatment of legal documents as well as personal data, in accordance with the GDPR and the LPDP;
- Manage your stay: Monitoring the use of services for exclusive debit purposes (telephone, bar, pay TV, etc.); Manage access to rooms;
- Improvement of the service provided: Adaptation of our products and services to better serve customers’ needs;
- Customer relationship management: Management of loyalty programs; Segmentation of operations based on the client’s reservation history; Development of internal statistics and reports; Sending and managing newsletters, promotions, service offers and satisfaction questionnaires;
- Use of third party services in the analysis and mapping of personal data, at the time of booking and / or during the stay, to determine the customer’s profile;
- Compliance with local legislation (for instance, when storing the client’s official documents).
IX – TYPES OF COLLECTED PERSONAL DATA
Those responsible for processing through their websites and / or hotel units do not process personal data belonging to special categories within the meaning of Article 9 of EU Regulation 2016/679. Through their website, messages or in person, Data controllers can obtain and process the following personal data:
- Specific data:
– Contact details (first name, last name, phone number and email);
– Personal Information (Date of birth, nationality, city, country)
– Children’s information (first name, last name, age and date of birth);
– Credit card number (for billing / bank transaction purposes);
– Arrival and departure date;
– Your preferences (preferred floor, type of bed, interests, limitations, etc.)
- Any information provided by you through the website or by messages, either by filling out forms or sent in free text. This includes the information provided when registering to receive the newsletter, making a contact request, or reserving accommodation and other complementary services. The information you provide when you participate in any area that involves your registration or the provision of your content, or when you interact with Data controllers, such as when sending an email requesting information to any of the addresses belonging to the Data controllers' domains, can be treated as well.
- Information regarding your visits to the website including IP addresses, page visit time, and type of navigation program (browser), for system administration and to facilitate navigation and return to the website later. In general, this data will be treated only for statistical purposes on the actions and navigation patterns of the website users and do not allow the identification of any individual. However, when the user provides other information, these data may allow for their identification and will be treated in accordance with the GDPR and the LPDP;
- Information regarding access to the Internet through WIFI and Ethernet by its electronic devices, namely the Internet Protocol address (namely “IP”), Media Access Control address (namely “MAC”), the time of use of the service and activity associated with the device. For more information please see the Terms and Conditions for WIFI and Ethernet.
Please also be informed that the personal data collected by the Data controllers are limited to what is strictly necessary for the pursuit of the purposes for which they were requested.
When personal data is provided, Data controllers provide all the information legally required for the processing of such data and require the consent of their data subjects when this is required by law and when there is no legitimate interest on the part of Data controllers or third parties, such as the processing of data for quality of service improvement, detection of fraud and protection of revenue, and when our reasons for its use should prevail over your data protection rights.
X – PERSONAL DATA GATHERING POINTS
The places designated below are those that can usually request access to the customer’s personal data:
- a) Website:
– Contact request;
– Information request;
– Request for booking accommodation and / or complementary services;
- b) Hotel activities:
– Room reservation;
– Payment and check-in;
– Places that offer foodstuff (Food and Beverage);
– Requests, complaints and compliments;
- c) Participation in marketing campaigns:
– Registration in loyalty programs;
– Participation in surveys (namely the satisfaction survey);
– Subscription of services complementary to the hotel’s activity;
XI – DEADLINES FOR DATA CONSERVATION
The period of time during which the data will be stored and preserved has only to do with the period necessary for the accomplishment of the defined purpose or, whichever is applicable, until you exercise your right of opposition, right to be forgotten or withdraw your consent, varying according to the purpose for which the information is used.
Usually personal data relating to hired accommodation and those provided in the accommodation bulletin will be stored for 2 (two) years after the term of the contract (that is, two years after the client’s check-out).
The billing and payment data are kept for 10 (ten) years, under the terms of the Value Added Tax Code (CIVA).
The data relating to complaints will be kept for a period of 3 (three) years, pursuant to Article 3 (1) (d) of Decree-Law No. 156/2005 of 15 September.
In newsletters, the period for the preservation and treatment of personal data provided begins at the moment the applicant submits the subscription form and ends at the moment when the subscription is cancelled. You can cancel your subscription at any time using a dedicated link available in all our newsletters. When removing the subscription, the data subject will receive an email notification and, subject to the terms of the applicable legislation, your data will be removed from our newsletter sending list.
All other services that are not detailed above will store your information only for the maximum legal term and, in the event that it is indefinite, until you exercise your right of opposition, right to be forgotten or withdraw your consent.
Please note that NEYA Hotels uses the following entities as subcontractors for specific purposes:
– Maintenance of Property Management System software: Host Hotel Systems, based in: Rua Ana Maria Bastos, Edifício Ponte Nova, 5 Escritório 2 2560-306 Torres Vedras (hereinafter “HOST”), as a subcontractor;
– Maintenance of Channel Manager software: D-Edge S.A.S Portugal, based in: R. Torcato José Clavine n. º 9 CV Esq, 2800-710 Almada (hereinafter “AvailPro”), as a subcontractor;
– Guest Review software maintenance: Trust You, based in: Streinerst. 15 81369 Munich, Germany (hereinafter “Trust you”), as a subcontractor;
– Maintenance Point of Sale software: Host Hotel Systems, based in: Rua Ana Maria Bastos, Edificio Ponte Nova, 5 Escritório 2 2560-306 Torres Vedras (hereinafter “HOST”), as a subcontractor;
– Consultancy on the Software Property Management System and Food & Beverage: Host Hotel Systems, with headquarters at: Rua Ana Maria Bastos, Edificio Ponte Nova, 5 Escritório 2 2560-306 Torres Vedras (hereinafter “HOST”), as a subcontractor;
– Maintenance of web and reservation platform: ROIBACK, with VAT no. B-57.667.586 and headquarters at Av. da Quinta Grande, 53 7A Edifício Prime 2610-156 Amadora, Portugal (hereinafter “Roiback”), as a subcontractor;
– Maintenance of graphic content: High Communication – Brand & Media Consulting, Lda, VAT number 500035300, with headquarters at: Praça de Londres, nº 3, 4º direito, 1000-191 Lisboa (hereinafter “Hicom”), as a subcontractor;
– Computer systems maintenance: NewAlliance IT Solutions, Lda, VAT number 513749489, based in: Praça de Londres nº3 4ºEsq, 1000-191 Lisboa (hereinafter “NewAlliance IT”), as a subcontractor;
– Registration and sending of newsletters: MailChimp – Rocket Science Group LLC, VAT no. 582554149, based at: 675 Ponce de Leon Ave NE, Suite 5000, 30308 Atlanta (hereinafter “Mailchimp”), as a subcontractor;
– Access control and monitoring of the video surveillance system: Líder – Serviços Gerais de Vigilância, Lda, VAT no. 508649773, based at: Rua Central de Vila Verde nº115, 4475-216 Maia, (hereinafter “Líder Segurança”), as a subcontractor;
– Consultancy on the PHC Software: Winsig – Soluções de Gestão S.A, VAT number 508722977, based at: Rotunda Eng. Edgar Cardoso, 23 – 14H Tower Plaza, 4400-676 Vila Nova de Gaia, (hereinafter “Winsig”), as a subcontractor.
The Host, Availpro, Trust You, Roiback, Hicom, NewAlliance IT, MailChimp, Líder Segurança and Winsig act on behalf of and in the interest of NEYA Hotels in accordance with the provisions of the GDPR, specifically with Article 45 of Chapter IV, relating to the Data Controller and subcontractor.
XII – DATA PROCESSING POINT
Data processing takes place at the above-mentioned facilities of the Data controllers and is handled only by technical staff of the data subject responsible for its processing; however, there may be transfers of personal data to the USA and the EU:
As concerns Trust You and Mailchimp, the data processing location is in the USA, so NEYA Hotels works together with their teams, at the headquarters of the companies, self-certified according to the provisions of paragraph 6 of chapter III of Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the level of protection provided by the EU-US Privacy Protection Shield, applied pursuant to article 45 of the GDPR.
For all the other subcontractors referred to above, the data processing location is in the EU, so NEYA Hotels acts together with their teams, at the headquarters of the companies, self-certified in accordance with the provisions of the law of the company, Union and national law, and ensured by articles 17, 18, 19 and 20 of Framework Decision 2008/977 / JHA, applied pursuant to article 13 of the GDPR.
XIII – INFORMATION TRACKING
XIV – PRIVACY OF MINORS
Personal data relating to minors can only be made available, physically or on the website of the people responsible for the treatment, by the holders of parental responsibilities and within the legal parameters.
In such cases, controllers shall make every effort to verify that consent has been given or authorized by the holder of parental responsibility over the child, taking into account the available technology.
Data controllers cannot be held responsible for the lack of lawfulness of the processing of personal data provided by people who commit fraud concerning their identity and / or other elements of identification.
XV – RESPONSIBILITY OF THE PERSONAL DATA HOLDER
The holder of personal data using the computer platforms made available by the data controllers guarantees that he is over 18 (eighteen) years old and that the data provided is true, accurate, complete and up-to-date, taking responsibility for the veracity of all the data disclosed and keeping the information provided duly updated.
When the holder of personal data provides his data to third parties, with the aim of contracting the services made available by the Data controllers, these third parties must ensure that they have obtained the authorization of the data subject so that they could be provided to the Data controllers for the purposes indicated.
The Personal Data Holder or any third party acting on his behalf and representation will be responsible for false or inaccurate information provided on the website and for direct or indirect damage caused to the Data Controller or third parties.
XVI – VIDEO SURVEILLANCE
The facilities of those responsible for the treatment are equipped with video surveillance and image recording systems, with the purpose of protecting people and goods, aiming to pursue the legitimate interest of security within their facilities. The data collected through the video surveillance systems is intended to be used and communicated exclusively under the terms of the criminal procedural law; however, the subcontracted private security entity may be in charge of its processing.
The Data Subject may exercise the right of access in relation to data concerning him, which may not involve access to third party images, which will be hidden or anonymized. Those responsible for treatment may, at any time, limit or remove the video surveillance system from their establishments, and there may be periods when they are not in operation, namely due to maintenance needs, technical reasons or power cuts.
The data collected within the scope of video surveillance systems will be stored for 30 days.
XVII – PROTECTION OF THE PERSONAL DATA HOLDERS
In accordance with the legislation and taking into account the available technology, Data controllers provide an adequate level of protection of your personal data, namely through the implementation of the technical and organizational measures necessary to protect your personal data against accidental destruction, loss or modification, as well as against access and other unauthorized processing, namely:
– Logical security requirements and measures, such as the use of firewall, Virtual LAN and intrusion detection systems in their systems.
– Physical security measures, among which stand out a strict access control to the physical facilities of the Data controllers.
– Data protection using technical means such as encryption, pseudonymization and anonymization of personal data.
– Scrutiny, audit and control mechanisms to ensure compliance with security and privacy policies.
– Information and training program for employees and partners of those responsible for information and data treatment;
– Access rules for customers / users to certain products or services, such as a second opt-in level for subscribing to services on the platform and the introduction of a password whenever an employee accesses, directly or indirectly, any database of controllers in order to reinforce control and security mechanisms.
However, controllers report that no security system can guarantee absolute protection.
We remain at your disposal for any question or observation regarding the confidentiality and security of your personal data.
Lisbon, 25th May 2018.
Policy translated on March 18th, 2020.
Policy updated on December 21, 2020.