1.- RIGHT TO INFORMATION
In accordance with the provisions of Article 11 of the Data Protection and Digital Rights Guarantee Act 3/2018, of 5 December, (hereinafter referred to as LOPDGDD), and Article 13 of the General Data Protection Regulation 2016/679, we hereby inform you of the following:
1.1.- Identity of the Controllers:
The data that you send to us on this website may be processed by the following controllers:
LUTX CORPORACIÓ, SL. With offices on Carrer del Consell de Cent 357, 2º, Barcelona.
When you interact with any of our hotels, the hotel that received the reservation shall also be deemed to be a controller. Hotels: HCC St. Moritz, HCC Regente, HCC Montblanc, HCC Lugano, HCC Taber, the address for all of which for notices is Carrer del Consell de Cent 357, 2º.
The company data protection officer is CIPDI tratamiento de la información SL, with address on Carrer de Sant Agustí 1 1º1ª, Mataró (08301). Email address dpd@cipdi.com.
2.1.2.- Purposes of Processing, Legal Basis and Storage Period.
Purpose Legal Basis Storage
Provision of services Contractual relationship 5 years
Sending commercial information Consent and authorisation (Article 21.2 of the Information Society Services Act) Until consent is revoked or rights are exercised
Labour management Contractual relationship and legal authorisation 5 years
CVs Contractual relationship and consent 1 year
CCTV Legitimate interest. Security maintenance in the hotel 30 days
1.3.- Categories of Recipient.
In compliance with the aforementioned purposes, the following people shall have access to your data:
Staff who have been duly authorised by the controller’s management.
The necessary suppliers to meet your request, including but not limited to:
- Consultants.
- Financial institutions.
- Software maintenance firms.
- Hardware maintenance firms.
- Advertising and marketing firms.
- Accommodation booking platforms.
- Auxiliary services.
The Public Authorities within the scope of its competence. In accordance with Royal Decree 933/2021, of 26 October, which stipulated the obligations to register documents and information for natural or legal persons who run accommodation or motor vehicle rental businesses, the data collated must be accessible for the police and the Public Authorities within the scope of their respective competences assigned thereto in the field of crime prevention, detection and investigation.
The hotels in the group listed in section 1.1 of this document.
1.4.- International Data Transfer.
To carry out its functions, the processor may store data with:
a.- Google Systems. The controller has signed an agreement with Google, which is in accordance with the ruling of the Spanish Data Protection Agency dated 22 June 2017. You can find more information on the G-Suite privacy policies on the following links:
https://policies.google.com/privacy?hl=es / https://support.google.com/a/answer/2888485?hl=es
b.- Microsoft. You can find more information on their privacy policy on: https://privacy.microsoft.com/es-ES/
With the aforementioned companies, standard data protection clauses have been signed as adopted by the Commission in accordance with the provisions of Article 46 of the General Data Protection Regulation (EU) 2016/649 (GDPR).
1.5.- Rights as a Data Subject
Right to Access. This is regulated in Article 15 of the GDPR 2016/679 of 27 April 2016. This involves asking the controller to provide all of the information they have, free of charge, on the personal data, the communications sent or those that are scheduled to be sent.
Right to Rectification: This is regulated in Article 16 of the GDPR. This involves asking the controller to change the content of the information about the person and their data, following the instructions of the data subject.
Right to Erasure: This is regulated in Article 17 of the GDPR 2016/679. This involves asking the controller to delete any information about the data subject. Erasure involves locking all data and storing them so that they will be available for the public authorities during the term stipulated for the statute of limitation to expire for filing any lawsuits.
Right to Processing Limitation: This is regulated in Article 18 of the GDPR 2016/679 of 27 April 2016. This involves asking the controller to limit the processing of the data subject’s data when any of the following conditions are met:
- i.- the personal data is not exact;
- ii.- the processing is not legal;
- iii.- the controller does not need to process the data anymore;
- iv.- when the rights to stop processing the data alleged by the data subject prevail over the controller’s rights.
- Right to Data Portability. This is in Article 20 of the GDPR 2016/679 of 27 April 2016. This involves asking the controller to provide all of the data subject’s personal data in a structured, commonly used and machine-readable format, so that they can be sent to a different controller when the processing is done through automated means and is based on express consent.
- Right to Object. This is regulated in Article 21 of the GDPR 2016/679 of 27 April 2016. This involves asking the controller to process the data following the instructions stipulated by the data subject.
- Right to Withdraw Consent. This is regulated in Article 13.2.c) of the GDPR 2016/679 of 27 April 2016. This is an order that the data subject sends to the controller notifying them that they withdraw their consent as granted for the processing of their data.
- Right to not Be Subject to Automated Individual Decision-Making. This is a request sent to the controller asking that all of the decisions with legal effect not be made exclusively by machines.
To exercise the aforementioned rights, you can write to the addresses of the Data Processing Officer, or send an email to (…) with the text “DATA PROTECTION” in the subject line attaching a scan of your National ID Card (DNI), Foreigner’s ID Card (NIE) or passport to the email.
1.6.- Right to Claim.
You can contact the internal Data Protection Officer using the claims channel that you can find on the website (https://denuncias.cipdi.com/grup-lutx/es/)
The competent body for hearing claims regarding the correct application of the data processing legislation is the Spanish Data Protection Agency, with offices on Calle de Jorge Juan 6, Madrid.
1.7.- Obligations for the Data Subject.
The data subject must provide truthful and up-to-date information in all of the data collection processes; the data subject shall be held solely liable for a breach of this obligation.
The data collection forms contain fields that are marked as mandatory, depending on the request made by the data subject. Failure to provide such data could mean that it will not be possible to take part in the activity or provide the service requested.
1.8.- Profiling.
This does not take place.
2. USER CONSENT
It is deemed that the user accepts the conditions stipulated if they press the ‘ACCEPT’ button on all of the data collection forms or if they send a message via email.
The personal data is stored in the company’s general administration database; in any case, it guarantees technical and organisational measures to preserve the integrity and security of the information in question.
3. SECURITY
The general database has the mandatory security document, and we have put all of the technical measures available to us in place to avoid the data you provide being lost, misused, tampered with or stolen or any unauthorised access. The data processing is in line with the regulations established in the Data Protection and Digital Rights Guarantee Act 3/2018 and Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016.
4. USE OF IP ADDRESSES
To make it easier to look up resources that may be of interest to you, you can find links to other websites on this one.
This privacy policy is only applicable to this website. The controller does not guarantee that the other websites comply with this policy, nor can it be held liable for access via links from this website.