Introduction
This Privacy Policy has been developed in accordance with the provisions of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, hereinafter referred to as the GDPR.
The purpose of this Privacy Policy is to inform the holders of personal data—whose information is being collected—about specific aspects related to the processing of their data, including but not limited to: the purposes of the processing, contact details for exercising their rights, data retention periods, and applicable security measures.
Data Controller
For the purposes of data protection, LAURA MUÑOZ VELA (HOTEL RURAL SUR DE LA BAHÍA) is considered the Data Controller with respect to the data processing activities identified in this policy, specifically in the section “Data Processing.”
The identification details of the owner of this website are as follows:
Data Controller: LAURA MUÑOZ VELA (HOTEL RURAL SUR DE LA BAHÍA)
Postal Address: CARRETERA CA-141 KM 8, 39130, ELECHAS-PEDREÑA (CANTABRIA), SPAIN
Email Address: hotelrural@surdelabahia.es
Data Processing
Personal data that may be requested will be strictly limited to what is necessary to identify and respond to the request made by the data subject (hereinafter, the “user”). Additionally, personal data will only be collected for specific, explicit, and legitimate purposes and will not be further processed in any way incompatible with those purposes.
The data collected will be adequate, relevant, and not excessive in relation to the stated purposes and will be updated whenever necessary.
Before collecting personal data, users will be informed of the general conditions outlined in this policy to provide their explicit, informed, and unequivocal consent for the processing of their data, according to the following points.
Purpose of Processing
The specific purposes for each type of data processing are detailed in the information clauses associated with each method of data collection (web forms, paper forms, voice recordings, posters, and informational notes).
However, the sole purpose of processing personal data is to provide an effective response to user requests, as specified in the service, form, or data collection system being used.
Legal Basis
As a general rule, express and unequivocal consent from the user is obtained before processing their personal data, via informed consent clauses in the data collection systems.
However, if consent is not required, the legal basis for processing will be the existence of a specific law or regulation that authorizes or requires the processing of the user’s personal data.
Recipients
As a general rule, the Data Controller does not disclose or transfer data to third parties, unless legally required. If data sharing is necessary, it will be communicated to the user via informed consent clauses included in the relevant data collection systems.
Source of Data
As a general rule, personal data is collected directly from the user. However, in certain cases, data may be obtained from third parties, entities, or services. In such cases, this will be disclosed to the user via the informed consent clauses in the relevant data collection systems within a reasonable period and no later than one month after the data is obtained.
Data Retention Period
The collected data will be retained only as long as necessary to fulfill the purpose for which it was gathered. Once that purpose is fulfilled, the data will be canceled and blocked, remaining available only to public authorities, judges, and courts for potential liabilities, for the legally prescribed period. After this period, the data will be destroyed.
As an informative reference, here are legal retention periods for different types of documents:
DOCUMENT TYPE | RETENTION PERIOD | LEGAL REFERENCE |
---|---|---|
Employment or Social Security-related documentation | 4 years | Article 21, Royal Legislative Decree 5/2000 |
Accounting and tax documentation (for commercial use) | 6 years | Article 30, Commercial Code |
Accounting and tax documentation (for tax purposes) | 4 years | Articles 66 to 70, General Tax Law |
Access control to buildings | 1 month | Instruction 1/1996, Spanish Data Protection Agency (AEPD) |
Video surveillance | 1 month | Instruction 1/2006, AEPD; Organic Law 4/1997 |
Job applicant resumes | Until selection ends | Up to 2 years if added to job pool and not updated |
Browsing Data
Regarding browsing data collected through the website, if such data is subject to data protection regulations, users are advised to review the Cookie Policy available on our website.
User Rights
Data protection regulations grant users (data subjects) a number of rights regarding their personal data, including users of the website and social media profiles managed by the Data Controller. These rights include:
- Right of Access: To know if their data is being processed, for what purposes, the categories of data, recipients, retention periods, and data source.
- Right to Rectification: To correct inaccurate or incomplete personal data.
- Right to Erasure: To request deletion of their data when:
  - Data is no longer needed for its intended purpose.
  - Consent is withdrawn.
  - The user objects to the processing.
  - The data must be deleted to comply with a legal obligation.
  - The data was obtained through an information society service (per Art. 8.1 GDPR).
- Right to Object: To oppose processing based on their consent.
- Right to Restriction: To restrict data processing when:
  - The user contests the data’s accuracy.
  - Processing is lawful but deletion is opposed.
  - Data is no longer needed by the controller but required by the user for legal claims.
  - Processing is contested pending verification of legitimate grounds.
- Right to Data Portability: To receive their data in a structured, commonly used, machine-readable format and transmit it to another controller, if:
  - Processing is based on consent.
  - Processing is done by automated means.
- Right to File a Complaint: With the appropriate data protection authority.
Users may exercise their rights by contacting the Data Controller via email at hotelrural@surdelabahia.es, indicating the right they wish to exercise in the subject line.
The Data Controller will respond as promptly as possible, within the timeframes established by applicable data protection laws.
Security
The security measures adopted by the Data Controller comply with Article 32 of the GDPR. Taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of the processing, and the varying risks to the rights and freedoms of individuals, appropriate technical and organizational measures have been established to ensure an adequate level of security.
In any case, the Data Controller has implemented sufficient mechanisms to:
- Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Quickly restore availability and access to personal data in the event of a physical or technical incident.
- Regularly test, assess, and evaluate the effectiveness of technical and organizational measures.
- Pseudonymize and encrypt personal data, where appropriate.