Privacy Policy
We are making this Privacy Policy available in order to give you detailed information about how we handle your personal data, and how we protect your personal privacy and the information you provide to us.
If, in the future, we make changes to this Privacy Policy, we will advise you via this website, or by some other means, so that you can familiarise yourself with the new privacy terms we have adopted.
Below, you will find information, in a question-and-answer format, on the terms under which our organisation handles your personal data:
Who is responsible for the handling of your data?
Identity: GESTIÓN ATLÁNTICA SL. CIF [Tax number] B16699159.
Postal address: c/ Timanfaya 1, 1º – 35,510 – Tías – Las Palmas – Spain.
Telephone: (0034) 928 81 60 00.
Email: lopd@rosahotels.com
Hereafter, this entity will be referred to as “the hotel”.
For what purposes do we handle your personal details?
We handle personal data for the following purposes:
- The management of our relationship with the customer and of invoicing and charging for services. The provision of data by our customers for this purpose is obligatory, as we would otherwise be unable to fulfil the contract.
- To manage bookings requested by users. The provision of the data requested is obligatory, as we would otherwise be unable to process bookings or to deliver the services requested.
- The management of relationships with our suppliers, such as invoicing and payment for services. In this case, it is obligatory for the supplier to provide their data, as otherwise they would not be able to fulfil the contract.
- To process registration for events and activities in which users wish to participate. In this case, images or videos taken of participants during these activities can be published (with the participants’ prior consent) on the organisation’s website, on its social networks, in corporate magazines, on message boards, or via any other similar means of communication owned by the company, in order to promote such activities or events. The provision of data is voluntary, both in terms of registering for the event and for the making of images and videos, although if they are not provided, users will not be allowed to register for the events, nor to use the images and videos for the purposes specified.
- To channel requests for information, suggestions and complaints that we may receive, to contact the sender of the information, to respond to their order or query and to follow it up. The provision of the data for this purpose is voluntary, although if it is not provided, we will be unable to respond to the request, query or complaint. Therefore, the provision of your data for these purposes is necessary if we are to respond to your requests.
- The sending out of marketing communications for out services. By means of these communications, we will inform users about the different services offered by the hotel, and by other entities operating under the Rosa Group brand, as well as about events organised by the same. The entities that make up Rosa Group, all of which work in the hotel sector, are: Gestión Atlántica S.L., Hotel Los Fariones S.A., Hotel Princesa Yaiza S.A., Hotel Aguere S.L., Centro Deportivo Fariones S.L., B.T.L Lanzarote S.L., Finca de Uga S.L., Playa Blanca Gestión S.L., Room 214 S.L. and Donna Shop S.L.
If the addressee is a customer of ours, we will send out these communications unless or until the customer refuses them, either by ticking the appropriate box when they supply their data, or subsequently, by informing us via any channel.
Conversely, if you do not contract our services, we will not send you marketing information about the hotel, unless you expressly authorise us to do so. Likewise, even if you are a customer of ours, we will not send you marketing communications from the other entities operating under the Rosa Group brands unless you consent to us doing so. Such consent is voluntary, and the only negative consequence of you refusing consent will be that you will not receive marketing information about our products and services.
In relation to sending out such communications, on the basis of the information provided, we can prepare marketing profiles, in order to offer you the products and services best suited to your interests.
- If you send us your CV, we will endeavour to handle information from people who wish to undertake work experience and/or to gain employment with us with the aim of completing the processes required for the selection of staff.
- If you become a ‘friend’ or a follower of ours on social networks, we will handle your data in order to keep you informed of our activities and special offers via the said channels. The kinds of data we typically handle for this purpose are identification details.
For how long will we store your data?
We only store your data for the period of time necessary to complete the purpose for which it was gathered, to fulfil legal obligations that we may be subject to, and to fulfil any responsibilities that may derive from completing the purpose for which the data was gathered.
Data for the management of our relationship with customers and suppliers, and for invoicing and charging for services, will be kept while the contract is in existence. Once the contractual relationship has come to an end, the data can be stored for the length of time required by current legislation, and until any responsibilities that may derive from the contract have elapsed.
The data from bookings will be stored until the end of your stay, and until any requested services have been delivered and, even afterwards, for the length of time required by current legislation, and until any responsibilities that may derive from the contract have elapsed. In order to fulfil the documentary record requirements set out in protection of public safety regulations, users’ registration data will be stored for a period of 3 years counting from the end of the contracted service.
Data for the processing of registration for events and activities, including that for any photographs or videos taken, can be stored whilst the event or activity is in progress, or while is is being promoted, and even subsequently, in order to fulfil any possible legal responsibilities deriving from the same.
Data that is handled in order to process applications, orders, queries or complaints will be stored for the time required to respond to them, and to finally resolve them. Subsequently, they may be archived for one year, unless you request they be deleted before that time.
Data used for sending out marketing communications will be stored indefinitely, until either you request their cancellation or tell us that you wish to stop receiving them. Data from potential customers who do not ultimately contract our products or services, and who do not wish to receive marketing materials, will be deleted when it is confirmed that the contract will not take effect. In the event that any responsibilities may derive from the previous relationship between the parties, although it was not completed, the data will be stored until these responsibilities lapse.
The data you supply to us, or that we obtain, in order to take part in a specific open staff selection process will be stored until the said process has been completed. They will then be deleted, unless the candidate is selected, in which case they will be incorporated into his/her staff file. If the candidates who are not selected wish us to keep their CVs for future selection processes, they must expressly request this via email. Where this is the case (just as if you send us your unsolicited CV, so that we can bear it in mind for future selection processes), the data will be stored for a maximum period of one year from the last previous update. You need to keep updated the personal data that you provide to us, in particular information relating to training and professional experience.
Occasionally, during selection processes, we may access employment portals to search for candidates who fit the professional profiles that interest us, subject to the Privacy Policies of the said platforms. The categories of personal data handled in these cases are as follows: identification data, data relating to personal characteristics, employment data, academic and professional data and any other information that the candidate may have published on the employment portal or included in their CV.
Data provided via social networks will be stored while you remain a ‘friend’ or follower of ours on the platform concerned.
What is the legal basis for our handling of your data?
The legal basis for the handling of customers’ and suppliers’ data is the execution of the contractual relationship, as is the handling of data for the management of bookings. If a guest has any allergy or health problem and provides us with information about it, we will handle that information on the basis of their consent (demonstrated by their provision of the information to us) for the purpose of supplying services in accordance with their needs. Customers are not obliged to provide us with details about their health, but that could result in us supplying services that are not adapted to their needs.
Data supplied for the processing of registration for events and activities, including the capture of images and videos, will be handled on the legal basis of consent by the person providing the said details.
The handling of personal data in order to deal with requests for information, other requests, queries and complaints has as its basis the consent of the person concerned.
The prospective offer of service to our customers has as its legal basis the satisfaction of a legitimate business interest that consists of being able to offer them the opportunity to contract other goods and services and thus secure their loyalty. The said legitimate interest is recognised by the applicable regulation (General Regulation on Data Protection), which expressly permits the handling of personal data on this legal basis for the purposes of direct marketing. Nevertheless, we would remind you that you have the right to oppose this handling of your data; you can do this using any of the methods described in this clause.
The prospective offer of services from the rest of the hotels that operate under the Rosa Group brand, as well as the sending out of marketing communications for the services of the hotel in which individuals have shown an interest (whether or not they have become our customers) has as its basis the consent of the person concerned. Such consent can be revoked at any time, and there are no consequences apart from the fact that the individual concerned will stop receiving marketing materials; this will not affect the handling of data previously gathered.
The legitimising basis of the handling of any CV that you might send us, or which we might obtain from employment platforms for a specific, open selection process, is the existence of a precontractual relationship. In addition, during interviews or selection processes, further data may be gathered, the handling of which will have the same legal basis.
The legal basis for the handling of data included in your CV, when you have asked us to retain it after a selection process or if you have sent it to us unsolicited, is your consent which can be revoked at any time.
The legal basis for handling data supplied to us via social networks is that of consent.
The categories of data handled are those requested in each case by a form or contract via which you provide your data to us.
To whom will the data be passed?
The data will be passed to the following entities:
The relevant Public Authorities, including judges and courts, in cases covered by the Law and for the purposes defined therein.
The financial entities through which charges and payments are administered.
Businesses with which services in addition to accommodation have been contracted (for example, excursions, vehicle hire, visits, and so on).
Government Law Enforcement Authorities to comply with the laws on Public Safety.
Other entities within the Rosa Group brand which operate within the hotel sector (Gestión Atlántica S.L., Hotel Los Fariones S.A., Hotel Princesa Yaiza S.A., Hotel Aguere S.L., Centro Deportivo Fariones S.L., B.T.L Lanzarote S.L., Finca de Uga S.L., Playa Blanca Gestión S.L., Room 214 S.L. and Donna Shop S.L.) for the proper administration of services requested from and offered by those entities.
Although it does not constitute a transfer of data, it may be that third-party companies, acting as our suppliers, may access your information in order to deliver a service. These entities follow our instructions when accessing your data, and cannot use them for any other purpose — and they must maintain the strictest confidentiality on the basis of a contract by which they undertake to comply with the requirements of the current regulations in relation to the protection of personal data.
What are your rights when you provide your personal data to us?
Any person has the right to obtain confirmation as to whether or not we are handling their personal data. Interested parties have the right to access their personal data, and request that their data be rectified if it is incorrect, or that data be deleted when (amongst other reasons) the data is no longer necessary for the purpose for which it was originally gathered.
Under the General Regulations for the Protection of Data, in certain circumstances, interested parties can apply for a limitation on the handling of their data, or for its portability, in which case the data will only be stored for the purpose of making or defending claims.Under certain circumstances, and for reasons relating to their particular circumstances, interested parties can equally oppose the handling of their data. If you have granted consent for a particular purpose, you have the right to withdraw your consent at any time, without this affecting the legitimacy of the data handing that took place, based on the consent prior to its withdrawal. In such cases, we will cease to handle the data, or will we cease to handle it for that specific purpose, except for overriding legal requirements or for the execution or defence of potential claims.
In addition, the regulations governing data protection allow you to oppose being the subject to decisions based solely on the automated handling of your data, when this occurs.
The rights referred to above are characterised as follows:
- They are free to exercise, except when they are manifestly groundless or excessive (for example, if they are repetitive), in which case you may face a charge of an amount proportional to the administrative costs involved, or a refusal to act.
- You can exercise your rights either directly, or through your legal or voluntary representative.
- You must receive a response to your application within one month, although if the application is especially complex or consists of a number of applications, this period can by extended by another two months.
- We are obliged to inform you about the means by which you can exercise these rights. The means must be accessible, and we must not deny you the exercise of your rights simply because you choose to use some other means. If the application is presented electronically, the information will be made available by this medium wherever possible, unless you ask us to send it in some other way.
- If, for whatever reason, we do not progress the application, we will inform you, within a maximum period of one month, of the reasons for this, and of the possibility of claiming via a Supervisory Authority.
In order to facilitate the exercise of the rights referred to, we have provided below the links to the application form for each of these Authorities.
- Form to exercise the right of access
- Form to exercise the right of rectification
- Form to exercise the right of opposition
- Form to exercise the right of deletion (right ‘to be forgotten’)
- Form to exercise the right of limitation of the data handling
- Form to exercise the right of portability
- Form to exercise the right not to be the subject of individual automated decisions
All the rights mentioned can be exercised via any of the media listed at the beginning of this clause.
In the event of any infringement of your rights, and particularly if you have not obtained a satisfactory outcome in exercising them, you can make a claim to the Spanish Data Protection Agency (contact details available at www.aepd.es), or any other competent authority. You can also obtain further information about the rights that apply when you contact these organisations.
How do we protest your personal data?
We have a firm commitment to protest the personal data that we handle. We use reasonably reliable and effective, physical, organisational and technological measures, controls and procedures aimed at preserving the integrity and security of your data and at guaranteeing your privacy.
In addition, all staff with access to personal data have been trained and are aware of their obligations in relation to the handling of your personal data.In the case of contracts that we underwrite with our suppliers, we include clauses requiring them to comply with their duty to keep confidential any personal data that that may have had access to by virtue of the order they have fulfilled, and to put into place the technical and organisational measure needed to guarantee the confidentiality, integrity, availability and permanent resilience of the systems and services they use to handle personal data.
All these security measures are reviewed periodically to guarantee their suitability and effectiveness.
However, absolute security cannot be guaranteed, and an impenetrable security system does not exist, therefore if any information that is being handled by us, under our control is compromised due to a security breach, we will take the proper measures required to investigate the incident, by notifying the Supervisory Authority and, if appropriate, notifying those users who may have been affected so that they can take appropriate measures.
What is your responsibility as the owner of the data?
Any person providing us with their personal data must guarantee that they are over the age of 14, and that the data they provide is true, accurate, complete and up to date.
Thus, the interested party is responsible for the veracity o their data, and must keep it updated so that if reflects their actual situation. They must bear responsibility for any false or inaccurate data that they may provide, and for any harm or damage, whether direct or indirect, that may derive from such inaccuracy.
If you are providing data relating to a third party, you are responsible to informing them beforehand of everything covered by Article 14 of the General Regulation on the Protection of Data, under the considerations established therein.
How have we obtained your data?
In cases where the user has registered via social networks, the personal data that we handle will come form the social network concerned, to which the user will have supplied the said data for the purposes set down in its corresponding privacy policies. The categories of data that we gather from the social network are those that appear on our registration form, and that you will have already have provided to the social network concerned. If, in order to proceed to register with our website, more details are required than are available on the social network, you will need to supply these additional details on our registration form, and they will be subject to the privacy conditions set out in this Policy.