PRIVACY POLICY

1. GENERAL PART

 

1.1. COLLECTION AND PROCESSING OF USER DATA

Within the scope of the availability of the website hosted at www.magicspa.pt (“Site”), the conclusion of any contracts (namely, massages, treatments and Spa products), the provision of information and content (together, the “Services”) to its users (“User”), M&J PESTANA – SOCIEDADE DE TURISMO DA MADEIRA, SA, headquartered at Largo António Nobre, 9004-531 Funchal and with the Identification Number of Legal Entity 511008872 (hereinafter “Pestana”) may request to the User who provides personal data, that is, information provided by the User that allows Pestana to identify and/or contact him (“Personal Data”).

 

As a rule, Personal Data is requested when the User registers on the Site, subscribes to a certain Service (eg, pre-booking for massages and treatments), purchases a product (eg, purchases vouchers and products from the online store) or establishes a contractual relationship with Pestana (eg, applications for job opportunities).

 

When collecting Personal Data, Pestana provides the User with detailed information about the nature of the data collected and about the purpose and treatment that will be carried out in relation to Personal Data, as well as the information mentioned in clause 7.

 

Pestana also collects and processes information about its hardware and software, as well as information about the pages visited by the User within the Site. This information may include: your browser type, domain name, access times and the links through which the User accessed the Site (“Usability Information”). We use this information only to improve the quality of your visit to our Site.

 

Usability Information and Personal Data are referred to in this Privacy Policy as “User Data”.

 

1.2. SUBCONTRACTED ENTITIES

In the scope of the processing of User Data, Pestana uses or may resort to third parties, which it subcontracts, to, on behalf of Pestana, and in accordance with the instructions given by it, process the User Data, in strict compliance with the law and this Privacy Policy.

These subcontracted entities may not transmit User Data to other entities without Pestana having previously given written authorization to do so, and are also prevented from contracting other entities without Pestana's prior authorization.

Pestana undertakes to subcontract only entities that provide sufficient guarantees for the execution of the appropriate technical and organizational measures, in order to ensure the defense of the User's rights. All entities subcontracted by Pestana are bound to the latter through a written contract which regulates, namely, the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties.

When collecting personal data, Pestana provides the User with information about the categories of subcontracted entities that, in the specific case, may process data on behalf of Pestana.

 

1.3. DATA COLLECTION CHANNELS

Pestana can collect data directly (ie, directly from the User) or indirectly (ie, through partner entities or third parties). The collection can be done through the following channels:

Direct collection: in person, by phone, by email and through the Site;

Indirect collection: through partners or group companies and official entities.

 

2. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA

In terms of general principles relating to the processing of personal data, Pestana undertakes to ensure that the User Data it processes is:

 

  • Object of lawful, fair and transparent treatment in relation to the User;

 

  • Collected for specific, explicit and legitimate purposes, not being further processed in a way that is incompatible with those purposes;

 

  • Adequate, relevant and limited to what is necessary for the purposes for which they are treated;

 

  • Accurate and updated whenever necessary, with all appropriate measures being taken so that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;

 

  • Kept in a way that allows the identification of the User only for the period necessary for the purposes for which the data are processed;

 

  • Treated in a way that ensures your safety, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, with appropriate technical or organizational measures being adopted.

The data processing performed by Pestana is lawful when at least one of the following situations occurs:

  • The User has given his explicit consent to the processing of User Data for one or more specific purposes;

 

  • The processing is necessary for the performance of a contract to which the User is a party, or for pre-contractual measures at the User's request;

 

  • The treatment is necessary for the fulfillment of a legal obligation to which Pestana is subject;

 

  • The processing is necessary for the defense of the vital interests of the User or another natural person;

 

  • The processing is necessary for the purpose of legitimate interests pursued by Pestana or by third parties (unless the interests or fundamental rights and freedoms of the User that require the protection of personal data prevail).

Pestana undertakes to ensure that the processing of User Data is only carried out under the conditions listed above and with respect for the aforementioned principles.

When the processing of User Data is carried out by Pestana based on the User's consent, the User has the right to withdraw his consent at any time. The withdrawal of consent, however, does not compromise the lawfulness of the treatment carried out by Pestana based on the consent previously given by the User.

The period of time for which data is stored and preserved varies according to the purpose for which the information is processed.

Effectively, there are legal requirements that oblige you to keep the data for a minimum period of time. Thus, and whenever there is no specific legal requirement, the data will be stored and kept only for the minimum period necessary for the purposes that motivated its collection or subsequent processing, after which it will be eliminated.

 

 

3. USE AND PURPOSES OF PROCESSING USER DATA

In general terms, Pestana uses User Data for the following purposes:

  • Provision of Spa services (eg, treatments, massages, etc.);

 

  • Invoicing and charging the User;

 

  • Allow pre-reservations for massages, treatments, vouchers or associated services;

 

  • Recruitment and selection;

 

  • Inform the User, who has requested, of new products and services made available on the Site, special offers and campaigns, updated information on Pestana's activity and, in general, for Pestana's marketing purposes, through any means of communication , including electronic support;

 

  • Allow access to restricted areas of the Site, in accordance with previously established terms;

 

  • Ensuring that the Site meets the User's needs, through the development and publication of content that is as adapted as possible to the requests and type of User, the improvement of the Site's search capabilities and functionalities and the obtaining of aggregated or statistical information regarding the User's typical profile (analysis of consumption profiles);

 

  • Provision of Services, and other services, such as newsletters, opinion surveys, or other information or products requested or purchased by the User;

 

  • Pestana may combine Usability Information with anonymous demographic information for research purposes, and may use the result of that combination to provide more relevant content on the Site. In certain restricted areas of the Site, Pestana may combine Personal Data with Usability Information to provide the User with more personalized content.

The User Data collected by Pestana are not shared with third parties without the User's consent, with the exception of the situations referred to in the paragraph below. However, in the event that the User contracts with Pestana services that are provided by other entities responsible for the processing of personal data, the User Data may be consulted or accessed by these entities, insofar as this is necessary for the provision of said services.

Under the applicable legal terms, Pestana may transmit or communicate User Data to other entities in case such transmission or communication is necessary for the execution of the contract established between the User and Pestana, or for pre-contractual measures at the User's request , in case it is necessary for the fulfillment of a legal obligation to which Pestana is subject or if it is necessary for the purpose of pursuing the legitimate interests of Pestana or a third party. In the event of a transmission of User Data to third parties, reasonable efforts will be made for the transferee to use the User Data transmitted in accordance with this Privacy Policy.

 

 

4. TECHNICAL, ORGANIZATION AND SAFETY MEASURES IMPLEMENTED

To ensure the security of User Data and maximum confidentiality, Pestana treats the information you have provided us absolutely confidential, in accordance with its internal security and confidentiality policies and procedures, which are periodically updated as necessary, as well as per the legally prescribed terms and conditions.

Depending on the nature, scope, context and purposes of data processing, as well as the risks arising from the processing for the rights and freedoms of the User, Pestana undertakes to apply, both at the time of defining the means of processing as at the time of the processing itself, the technical and organizational measures necessary and adequate to protect the User's Data and comply with legal requirements.

It also undertakes to ensure that, by default, only the data that are necessary for each specific purpose of the processing are processed and that these data are not made available without human intervention to an indeterminate number of people.

In terms of general measures, Pestana adopts the following:

  • Regular audits to assess the effectiveness of the technical and organizational measures implemented;

 

  • Raising awareness and training of personnel involved in data processing operations;

 

  • Pseudonimization and encryption of personal data;

 

  • Mechanisms capable of ensuring the confidentiality, availability and permanent resilience of information systems;

 

  • Mechanisms that ensure the restoration of information systems and timely access to personal data in the event of a physical or technical incident;

 

 

5. DATA TRANSFER OUTSIDE THE EUROPEAN UNION

The personal data collected and used by Pestana are not made available to third parties established outside the European Union. If, in the future, this transfer happens for the reasons mentioned above, Pestana undertakes to ensure that the transfer complies with the applicable legal provisions, namely regarding the determination of the suitability of such country with regard to data protection and the requirements applicable to such transfers.

 

USER RIGHTS (DATA HOLDERS)

 

6. RIGHT TO INFORMATION

6.1.  Information provided to the User by Pestana (when the data is collected directly from the User):

  • The identity and contacts of Pestana, the person responsible for the treatment and, if applicable, of its representative;

 

  • The Data Protection Officer's contacts;

 

  • The purposes of the processing for which the personal data are intended, as well as, if applicable, the legal basis for the processing;

 

  • If the processing of data is based on the legitimate interests of Pestana or a third party, an indication of such interests;

 

  • If applicable, the recipients or categories of recipients of the personal data;

 

  • If applicable, an indication that the personal data will be transferred to a third country or an international organization, and the existence or not of an adequacy decision adopted by the Commission or reference to appropriate or adequate transfer guarantees;

 

  • Period of retention of personal data;

 

  • The right to request Pestana access to personal data, as well as its rectification, erasure or limitation, the right to object to the processing and the right to data portability;

 

  • If the processing of data is based on the User's consent, the right to withdraw the consent at any time, without compromising the lawfulness of the processing carried out based on the consent previously given;

 

  • The right to file a complaint with the CNPD or other supervisory authority;

 

  • Indication of whether or not the communication of personal data constitutes a legal or contractual obligation, or a necessary requirement to enter into a contract, as well as whether the holder is obliged to provide personal data and the possible consequences of not providing such data;

 

  • If applicable, the existence of automated decisions, including profiling, and information regarding the underlying logic, as well as the importance and expected consequences of such processing for the data subject.

 

  • In the event that User Data is not collected directly by Pestana from the User, in addition to the information mentioned above, the User is additionally informed about the categories of personal data being processed, as well as about the origin of the data and, eventually, , if they come from publicly accessible sources.

 

  • If Pestana intends to proceed with the further processing of User Data for a purpose other than the one for which the data were collected, before such processing Pestana will provide the User with information about that purpose and any other pertinent information, as mentioned above.

6.2  Procedures and measures implemented to fulfill the right to information.

The information referred to in 7.1. is provided in writing (including by electronic means) by Pestana to the User prior to the processing of personal data in question. Pursuant to applicable law, Pestana is not obliged to provide the User with the information mentioned in 7.1 when and to the extent that the User is already aware of it.

The information is provided by Pestana free of charge.

 

7. RIGHT OF ACCESS TO PERSONAL DATA

Pestana guarantees the means that allow the User to access their Personal Data.

The User has the right to obtain from Pestana confirmation that the personal data concerning him are or are not the object of processing and, if applicable, the right to access his personal data and the following information:

  • The purposes of data processing;

 

  • The categories of personal data in question;

 

  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, namely recipients established in third countries or belonging to international organisations;

 

  • The period of retention of personal data;

 

  • Right to request Pestana to rectify, erase or limit the processing of personal data, or the right to oppose such processing;

 

  • Right to file a complaint with the CNPD or other supervisory authority;

 

  • If the data has not been collected from the User, the information available on the origin of that data;

 

  • The existence of automated decisions, including profiling, and information regarding the underlying logic, as well as the importance and expected consequences of such processing for the data subject;

 

  • Right to be informed about the appropriate safeguards associated with transferring data to third countries or international organisations.

 

Upon request, Pestana will provide the User, free of charge, with a copy of the User Data that is in the process of being processed. The provision of other copies requested by the User may incur administrative costs.

 

8. RIGHT TO CORRECT PERSONAL DATA

The User has the right to request, at any time, the rectification of his Personal Data, as well as the right to have his personal data incomplete, including by means of an additional declaration.

In case of data rectification, Pestana communicates to each recipient to whom the data have been transmitted the respective rectification, unless such communication proves impossible or implies a disproportionate effort for Pestana.

 

9. RIGHT TO DELETE PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)

The User has the right to obtain, on the part of Pestana, the deletion of their data when one of the following reasons applies:

  • User Data is no longer necessary for the purpose for which it was collected or processed;

 

  • The User withdraws the consent on which the data processing is based and there is no other legal basis for such processing;

 

  • The User opposes the processing under the right to object and there are no prevailing legitimate interests that justify the processing;

 

  • If User Data is treated unlawfully;

 

  • If the User Data has to be erased in order to fulfill a legal obligation to which Pestana is subject;

 

Under the applicable legal terms, Pestana has no obligation to delete User Data to the extent that the processing proves necessary to comply with a legal obligation to which Pestana is subject or for the purposes of declaration, exercise or defense of a right Pestana in a court case.

In case of data deletion, Pestana communicates to each recipient/entity to whom the data has been transmitted the respective deletion, unless such communication proves impossible or implies a disproportionate effort for Pestana.

When Pestana has made the User's Data public and is obliged to erase them under the right to erasure, Pestana undertakes to ensure reasonable measures, including technical ones, taking into account the available technology and the costs of its application, to inform those responsible for the effective processing of personal data that the User has asked them to delete the links to such personal data, as well as copies or reproductions thereof.

 

10. RIGHT TO LIMIT THE PROCESSING OF PERSONAL DATA

The User has the right to obtain, on the part of Pestana, the limitation of the processing of User Data, if one of the following situations applies (the limitation consists of inserting a mark in the personal data kept in order to limit its processing in the future):

  • If you dispute the accuracy of the personal data, for a period that allows Pestana to verify its accuracy;

 

  • If the processing is unlawful and the User opposes the deletion of the data, requesting, in return, the limitation of its use;

 

  • If Pestana no longer needs the User Data for processing purposes, but these data are requested by the User for the purposes of declaration, exercise or defense of a right in a legal proceeding;

 

  • If the User has opposed the treatment, until it is verified that Pestana's legitimate reasons prevail over the User's.

When User Data are subject to limitation, they may only, with the exception of conservation, be processed with the User's consent or for the purposes of declaration, exercise or defense of a right in a legal proceeding, defense of the rights of another natural person or collective, or for reasons of public interest provided for by law.

The User who has obtained the limitation of the processing of his/her data in the above mentioned cases will be informed by Pestana before the limitation of the treatment is cancelled.

In case of limitation of data processing, Pestana will communicate to each recipient to whom the data have been transmitted the respective limitation, unless such communication proves impossible or implies a disproportionate effort for Pestana.

 

11. RIGHT TO PORTABILITY OF PERSONAL DATA

The User has the right to receive the personal data concerning him/her which he/she has provided to Pestana, in a structured format, commonly used and automatically read, and the right to transmit this data to another data controller, if:

  • Processing is based on consent or a contract to which the User is a party;

 

and

 

  • The treatment is carried out by automated means.

The portability right does not include inferred data or derived data, ie, personal data that are generated by Pestana as a consequence or result of the analysis of the data being processed.

The User has the right to have personal data transmitted directly between the data controllers, whenever this is technically possible.

 

12. RIGHT OF OPPOSITION TO TREATMENT

The User has the right to oppose at any time, for reasons related to his particular situation, the processing of personal data concerning him that is based on the exercise of legitimate interests pursued by Pestana or when the processing is carried out for purposes other than whether those for which personal data has been collected, including profiling, or where personal data is processed for statistical purposes.

Pestana will cease the processing of User Data, unless it presents compelling and legitimate reasons for such processing that prevail over the interests, rights and freedoms of the User, or for the purposes of declaration, exercise or defense of a right of Pestana in a legal proceeding.

When User Data are processed for the purposes of direct marketing (marketing), the User has the right at any time to object to the processing of data concerning him for the purposes of said marketing, which includes the definition of profiles in the insofar as it is related to direct marketing. If the User opposes the processing of their data for the purposes of direct marketing, Pestana will stop processing the data for that purpose.

The User also has the right not to be subject to any decision taken solely on the basis of automated processing, including the definition of profiles, that produces effects in its legal sphere or that significantly affects it in a similar way, unless the decision:

  • It is necessary for the conclusion or execution of a contract between the User and Pestana;

 

  • Is authorized by legislation to which Pestana is subject; or

 

  • It is based on the User's explicit consent.

 

13. PROCEDURES FOR THE EXERCISE OF RIGHTS BY THE USER

The right of access, the right of rectification, the right of deletion, the right to limitation, the right to portability and the right to object can be exercised by the User through the platform available at the following link:

https://pestanahotelgroup.atlassian.net/servicedesk/customer/portal/5 .

Pestana will respond in writing (including by electronic means) to the User's request within a maximum period of one month from receipt of the request, except in cases of special complexity, in which this period can be extended up to two months.

If the requests submitted by the User are manifestly unfounded or excessive, namely due to their repetitive nature, Pestana reserves the right to charge administrative costs or refuse to comply with the request.

For more information on data protection privacy, please contact via email  dpo@pestana.com .

 

14. PERSONAL DATA VIOLATIONS

In case of data breach and to the extent that such breach is likely to imply a high risk to the rights and freedoms of the User, Pestana undertakes to communicate the breach of personal data to the User concerned within 72 hours to tell of knowledge of the incident.

Under legal terms, communication to the User is not required in the following cases:

  • If Pestana has applied adequate protection measures, both technical and organizational, and these measures have been applied to personal data affected by the breach of personal data, especially measures that make the personal data incomprehensible to any person not authorized to access such data, such as encryption;

 

  • If Pestana has taken subsequent measures to ensure that the high risk to the User's rights and freedoms is no longer likely to materialise; or

 

  • If communication to the User implies a disproportionate effort for Pestana. In this case, Pestana will make a public communication or take a similar measure through which the User will be informed.

 

END

 

15. CHANGES TO THE PRIVACY POLICY

Pestana reserves the right to change this Privacy Policy at any time. In case of modification of the Privacy Policy, the date of the last modification, available at the top of this page, is also updated. If the change is substantial, a notice will be posted on the Site.

 

16. APPLICABLE LAW AND JURISDICTION

The Privacy Policy, as well as the collection, processing or transmission of User Data, are governed by the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of April 27, 2016 and by applicable laws and regulations in Portugal.

Any disputes arising from the validity, interpretation or execution of the Privacy Policy, or which are related to the collection, processing or transmission of User Data, must be submitted exclusively to the jurisdiction of the judicial courts of the district of Lisbon, without prejudice to legal rules applicable imperatives.