Legal notice
LEGAL NOTICE
1. Identification of the Holder
In compliance with Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce, the User is informed that the owner of the website www.onahotels.com is the company CLUBOTEL LA DORADA, S.L. and its identification details are as follows:
Company Name: CLUBOTEL LA DORADA, S.L - hereinafter “Ona Hotels & Apartments”.
Tax ID (NIF): B61502035
Address: C/ Calabria 129, entresuelo, 08015, Barcelona
Email: info@onahotels.com
Registration details: the company is registered in the Barcelona Companies Register, in Volume 30,215, folio 64, and on sheet number B-168866.
2. Accessing the website
The legal notice regulates Users' access to and use of the website and aims to make known the services of the entity and allow general access for all internet users.
Access to and/or use of the Website grants visitors the status of User and entails the acceptance, without reservations of any kind, of each and every one of these general conditions, as well as any other specific conditions which, if applicable, govern the use of the Website or the services linked to it.
Users must carefully read the Legal Notice and the Privacy and Cookie Policies when they intend to use the Website, as Ona Hotels & Apartments reserves the right to make, at any time and without the need for prior notice, modifications to or update the content and services, of these access and use provisions and, in general, of all the elements that make up the design and layout of its Website. If you do not accept the conditions of access and use, please refrain from making use of the website and its content.
3. Using the website
The User undertakes to make careful use of the Website, as well as of the information relating to its services and activities, in full compliance with the applicable regulations, as well as with generally accepted morals, good customs and public order, the conditions of access and use, and any other conditions established in relation to the Website.
Furthermore, the user undertakes to abstain from using any of the content for illicit purposes or effects, prohibited in this text, those harmful to the rights and interests of third parties, or which in any way may damage, render useless, overload, deteriorate, or impede the normal use of the content, other Users, or any internet user (hardware and software).
4. Functioning of the website
In the event of non-compliance with the conditions of the Legal Notice, or the Privacy and Cookie Policies, Ona Hotels & Apartments reserves the right to limit, suspend, and/or exclude access to its Website, adopting any technical measures necessary to ensure compliance. Ona Hotels & Apartments will do everything possible to keep the website in good working order, avoiding errors or fixing them and keeping the content updated. However, Ona Hotels & Apartments does not guarantee the continued availability and continuity of access to the Website or the absence of errors in its content.
5. Liability
The User is solely liable for the use that may be made of any information or mechanism on the Website.
Ona Hotels & Apartments shall not be liable for any damage to the User's hardware and/or software arising from access to and use of the Website. Likewise, neither shall it be liable for any damages and/or losses that may be caused by access to and/or use of the information on the Website, and specifically for those that may occur in IT systems or those caused by viruses and/or computer attacks, crashes, outages, faults, or defects in communications and/or the internet.
The User shall be liable for any damages and/or losses that Ona Hotels & Apartments may suffer as a result of non-compliance with any of the obligations to which they are subject through this Legal Notice, the applicable regulations and the Privacy Policy and Cookie Policy.
6. Policy on Links (Linking and Linked Websites)
6.1 Linking website:
Third parties who intend to include a link to this website on a web page must comply with current legislation and may not host content that is inappropriate, illicit, pornographic, violent, etc.
Under no circumstances shall Ona Hotels & Apartments be held responsible for the content of the Website in question, nor does it promote, guarantee, supervise, or recommend its content.
If the linking website breaches any of the above provisions, it shall be obliged to remove the link immediately.
6.2 Linked website
This Website may include links to third-party websites that allow the User to access them. However, Ona Hotels & Apartments shall not be held responsible for the content of these linked websites, and it shall be the User's responsibility to accept and check the links each time they access them.
Any such links or mentions are for purposes that do not entail support, approval, commercialisation, or any relationship between the website and the persons or entities that own the sites where they are present.
7. Intellectual and industrial property over the content
All intellectual property rights of the Content of the Website and its graphic design are the exclusive property of Ona Hotels & Apartments, or of the third party that has authorised their use, and it is therefore Ona Hotels & Apartments that can exclusively exercise the rights to exploit them. Therefore, and by virtue of the provisions of the applicable legislation on Intellectual and Industrial Property Rights.
Ona Hotels & Apartments does not grant any licence or authorisation of use of any kind over its intellectual and industrial property rights or over any other property or right related to the Website, or the Services or the Content offered on it.
The reproduction and temporary storage of the content of the Website are permitted to the extent strictly necessary to use and view the Website on a personal device.
The legal basis of the intellectual or industrial property rights corresponding to the Content provided by users is the sole responsibility of the users themselves, and the User shall therefore hold Ona Hotels & Apartments harmless from any claim by third parties deriving from the illicit use of Content on the Website.
8. Advertising
Advertising or sponsored content may be hosted on the Website. Advertisers or sponsors are solely responsible for ensuring that the material submitted for inclusion on the Website complies with the laws that may be applicable in each case.
Ona Hotels Apartments shall not be liable for any error, inaccuracy, or irregularity that may be present in the advertising content or that provided by sponsors.
9. Applicable law
The Legal Notice shall be governed by and interpreted in accordance with Spanish law.
For the resolution of any conflict that may arise from accessing the website, the relevant courts shall be competent in accordance with consumer and user regulations.
10. Contact
If you have any questions or comments about this legal notice, please contact us by email at info@onahotels.com.
DATA PROTECTION POLICY
Documentation control:
Revision index:
1. Introduction
The purpose of this Policy is to set out the guidelines that should be followed at all levels of the Companies within the Ona Hotels & Apartments Group in regard to the Protection of Personal Data.
This Policy contains a description of the key human, organisational, technological and documentary components that the Companies must apply to protect personal data and prevent any infringement of the rights and freedoms of data subjects. Specifically, this Policy aims to guarantee the fundamental right to data protection for all individuals who interact with the Companies belonging to the Group, ensuring respect for the right to honour and privacy during the processing of different types of personal data from any source and for any purpose.
The Companies will ensure the real and effective application of the guidelines set out in this Data Protection Policy at all levels, thereby constituting a system of self-regulation that will eliminate any conduct that may jeopardise the personal data processed by the Company.
2. Scope of application
Corporate Scope. - This Policy shall apply to all the companies in the Group, identified here as CLUBOTEL LA DORADA, S.L., the parent company of the Ona Hotels & Apartments Group, the brand under which the entities operate in the market.
·Personal scope. - This Policy shall apply to all levels of the Ona Hotels & Apartments Group, including management bodies, management positions, supervisory bodies and all staff.
·Relational Scope. - The scope of application of this Policy shall extend, to the extent possible, to the Companies' suppliers, advisers, customers and other third parties.
·Geographical Scope. - This Policy shall apply to the public and private relationships that the Companies establish in any geographical area.
3. Applicable regulations
This Policy is compliant with the following regulations:
· The EU General Data Protection Regulation (GDPR)
· Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights
· Law 34/2002, of 11 July, on Information Society Services and e-commerce
· Organic Law 1/1982, of 5 May, on the Civil Protection of the Right to Honour, Personal and Family Privacy and Personal Image Protection
This Policy will be adapted as necessary in accordance with any legislative changes that may occur, as well as the criteria established in:
-The guides, reports and resolutions of the Spanish Data Protection Agency
-The guides, reports and resolutions of the supervisory authorities of the other Member States of the European Union
-The Article 29 Working Party
-Rulings of the European Court of Justice
-Rulings of Spain’s National Court, Supreme Court and Constitutional Court
4. Business risks in the area of data protection
The Companies provide hotel tourism services.
The particular nature of the personal data, the complexity of the applicable regulations, and the magnitude of the penalties established therein generate risks such as unauthorised access, unauthorised copying, disclosure or transfer to third parties and other infringements provided for in the GDPR and local regulations.
The risks arising from non-compliance with the legal obligations established in the field of data protection are as follows:
1) Administrative sanctions
2) Privacy offences
3) Compensation for damages
4) Reputational damage
The protection of personal data is one of Ona Hotels & Apartments' values and a priority objective for the Companies. It requires a series of legal, technical and organisational measures that are summarised in this Policy and detailed in the Companies’ own rules and procedures.
5. Data protection objectives
Ona Hotels & Apartments' data protection objectives are aligned with its business objectives, giving priority to compliance with the legal obligations applicable its activity.
Given the hotel services provided by Ona Hotels & Apartments, protecting the privacy and data of its guests is of vital importance, which is why it is considered a priority objective to comply with the General Data Protection Regulation of the European Union and the Organic Law on Personal Data Protection and Guarantee of Digital Rights.
At all levels of the Company, there will be a commitment to comply with the objectives established in the area of data protection and the principles and obligations set out in this Policy.
The Company may draw up rules and procedures that implement, specify and detail this Policy.
6. Data Protection Principles
Ona Hotels & Apartments will comply with the principles described below:
-Principle of lawfulness: the processing of personal data is lawful if it is based on the data subject's consent, or any other legitimate basis established by law.
-Principle of transparency: the data subject should be informed of all circumstances relating to the processing.
-Principle of fairness: personal data should not be processed in circumstances other than those notified.
-Principle of purpose limitation: Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
-Principle of data minimisation: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This principle and the previous one are further developed in the principles of necessity and proportionality that apply to impact assessments.
-Principle of accuracy: Personal data should be accurate and, where necessary, kept up to date; taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
-Principle of storage limitation: Personal data should only be kept in a form which permits the identification of data subjects for as long as is necessary for the purposes for which the personal data are processed.
-Principle of integrity and confidentiality: Personal data should be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful access and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Personal data should only be accessible to the users authorised to access them and may not be disclosed to third parties without the relevant consent.
-Principle of proactive accountability: The Companies are responsible for, and must be able to demonstrate, compliance with the provisions of data protection regulations.
-Data protection by design and by default: new processing, projects, services and products will undergo a prior assessment of their impact on data protection.
7. Roles and responsibilities
All roles and responsibilities will be differentiated and, as far as possible, individually assigned in the job description. In addition to this individualised assignment, all persons employed by Ona Hotels & Apartments, regardless of their level, will be obliged to comply with the rules, procedures and controls established in the area of information security.
Ultimate responsibility for the supervision of data protection will lie with the person in charge of Data Protection, who has been appointed externally.
Ona Hotels & Apartments has rules and procedures that set out the obligations of personnel with regard to data protection.
The Companies will adopt the necessary measures to ensure that their personnel are made aware, in an easily comprehensible manner, of the data protection obligations that apply to the performance of their duties, as well as the consequences of non-compliance with these obligations.
8. Register of Processing Activities
The Companies will keep a register of processing activities in which the details of the processing they are authorised to carry out as Data Controllers will be recorded. In addition, they will keep another register in which the processing they conduct as Data Processors on behalf of the entities for which they act as managers under the corresponding management contracts will be recorded.
In accordance with the principle of privacy by design and by default, and given that the supervisory bodies cannot keep track of all the personal data activities carried out in each department, each new processing operation, or any processing operation that modifies the attributes and characteristics assigned to it in the register of processing must be disclosed to the Data Protection Officer for assessment and, if it does not pose a risk to the rights and freedoms of the data subjects, subsequent authorisation.
Furthermore, the Companies must inform all data subjects of the processing of personal data by means of information and consent clauses in accordance with Arts. 13 and 14 of the GDPR.
9. Risk analysis
All processing operations subject to this Security Policy shall undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated periodically.
Ona Hotels & Apartments will regularly carry out an analysis of the risks and threats affecting data protection.
The risk analysis will be conducted using an inherent risk map to assess the gross risks existing prior to the implementation of prevention, detection and mitigation controls, followed by a residual risk map to automatically assess the net risks remaining after the implementation of the controls.
9.1. Standards to minimise risks
To manage and minimise risks, Ona Hotels & Apartments uses physical, administrative, human resources, and network security measures including:
· Logical access security: Ona Hotels & Apartments must apply security measures to protect logical accesses.
· Logical access to computer systems by individuals: Ona Hotels & Apartments must use a two-factor authentication system. Initially, the System Administrator will assign a username, and the user will assign their own password. The user will then receive a code to validate the authentication mechanism.
The password will always be unintelligible, even to the Administrator. If necessary (e.g., the user has forgotten it), the System Administrator can force a password change process for the user without the need for the previous password.
· Control of access to data and resources: Ona Hotels & Apartments must draw up rules and procedures to implement, specify and detail the control measures outlined in this section.
· Operating systems: All the operating systems used in the Company's IT systems must require validation and authentication before they can be accessed and used.
· Viruses and malware: All Ona Hotels & Apartments computers must have anti-virus and anti-malware software installed and regularly updated. Firewalls must also be in place to control network traffic and detect unauthorised intrusions.
Users must be regularly informed of the basic measures to take in order to prevent the entry of viruses and malware.
· User Management: The list of all the Network users authorised to access the Information System must be kept up to date, and their access levels must be delimited to guarantee its confidentiality and integrity. Similarly, Ona Hotels & Apartments will conduct access checks and monitor the IT systems available to employees to protect the information.
· Access limitations: To access the IT resources, users must have a previously assigned user account and be registered on the domain servers. The access authorisation will establish the appropriate profile, which will be used to configure the functionalities and privileges available in the applications in accordance with the competencies of the user, adopting a policy of assigning the minimum privileges necessary to carry out the functions entrusted to them. Furthermore, access to the domain servers will require two-factor authentication.
· Wi-fi and wireless network security: The Company must implement appropriate measures to prevent improper access to the entity's wi-fi.
· Servers and hardware: As a rule, all confidential information and personal data must be stored on external servers that have adequate security measures in place to comply with data protection and information security requirements.
· Backups: All backups must cover all the information necessary to recover the service in case of corruption or loss of information (data, programmes, configuration files and even the image of some servers). In addition, there must be protocols for data backup and recovery.
Security standards must be defined for all relevant systems, including the following information as a minimum: frequency of backups, backup storage periods, location of backup hardware, information recovery procedures, restoration procedures and verification of the integrity of the backed-up information.
· Authentication: User codes and passwords must be personal and non-transferable, and the User is solely responsible for any consequences that may arise from their misuse, disclosure or loss.
· Security in the workplace: Employees must be informed of the Company's rules in relation to workplace security, which include the automatic locking of devices requiring password activation after a specified number of minutes of inactivity, as well as the implementation of a zero-paper policy at work desks.
· Mobile devices: The Company must establish appropriate security measures for corporate mobile devices.
Users assigned corporate mobile devices must comply with the specific rules governing their use and apply the corresponding security measures.
10. Contractual obligations
In addition to complying with the legal requirements concerning data protection, Ona Hotels & Apartments is also obliged to comply with the specific data protection requirements of its customers and suppliers in regard to the personal data to which it has access by virtue of its contractual dealings with them.
Ona Hotels & Apartments will pay special attention to the contractual obligations arising from the processing of personal data.
Ona Hotels & Apartments will create and keep an updated register in which it will identify and prioritise the obligations associated with protecting the personal data it accesses or processes.
Ona Hotels & Apartments will periodically check that the contractual obligations assumed in connection with data protection are known at all levels of the Group.
11. Supplier oversight from a privacy point of view
Ona Hotels & Apartments will draw up a register of all the suppliers who process personal data on behalf of the Companies in the Group or have direct or indirect access to the personal data they manage.
Should it be necessary to contract a new service that requires data processing, the Company will conduct a supplier selection and evaluation process, taking into account the guarantees required by the Law on data protection.
In this evaluation, priority will be given to those suppliers that offer the best guarantees in terms of data protection.
The relationship with suppliers that process or have direct or indirect access to personal data must always be regulated in a contract, which shall include a specific section on the obligations to be fulfilled by the supplier. These obligations shall include, as a minimum, those set out in Article 28 of the GDPR.
12. Data retention periods
Ona Hotels & Apartments will only retain personal data in a form that allows the identification of data subjects for the time necessary to fulfil the purposes of processing said data. For this reason, the Company will draw up and regularly update a table that specifies the retention period for the data that it must or deems appropriate to keep.
In drawing up this table, the statute of limitations for infringements and the restrictions laid down in the GDPR and the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights must be taken into account. Legal, sectoral and contractual obligations that may require more extended retention periods must also be considered.
Ona Hotels & Apartments will also take into account the deadlines communicated to the data subjects at the time of informing them of their rights.
With regard to the destruction of documentation, it shall be carried out in such a way as to guarantee confidentiality throughout the process.
13. Management of security breaches and incidents
Any situation that could compromise the confidentiality, integrity, availability, authenticity or traceability of the Company's information shall be considered a security breach.
Therefore, the Company should take appropriate cybersecurity measures, including protection against threats emanating from communications networks, such as cyber-attacks, denial of service attacks, unauthorised access and ransomware, among others.
Anyone who suspects or has knowledge of any incident that could affect data protection must immediately report it through the channels provided for that purpose.
If the breach or security incident could pose a risk to the rights and freedoms of individuals, the competent supervisory authority, i.e., the Spanish Data Protection Agency, must be notified no later than 72 hours after it becomes known.
Ona Hotels & Apartments has a protocol that defines the procedure followed by the Entity for reporting and managing security incidents and vulnerabilities in order to ensure that any security incidents and weaknesses associated with the information systems are recorded and dealt with appropriately through repair and resolution actions and the restoration of normal operating levels for the affected services, with the possibility of adopting corrective measures to eliminate their causes and prevent their reoccurrence in the future.
14. Training and Awareness
All Ona Hotels & Apartments personnel are obliged to be informed of and comply with the Data Protection Policy. For this reason, Ona Hotels & Apartments will promote ongoing data protection training and awareness-raising activities at all levels of the Company.
The training may take the form of face-to-face sessions or e-learning courses.
The awareness-raising may take the form of any communication and training materials or tools that can help raise awareness of the risks of infringement all levels of the Company.
All employees are individually responsible for complying with this Policy and the protocols arising from it, depending on their position, and for reporting any security incidents they detect.
15. Prevention of Infringements
The primary objective that Ona Hotels & Apartments hopes to meet with this Policy and the rules, procedures and controls that implement it is to prevent violations of the rights and freedoms of data subjects and comply with the regulations on personal data protection.
In seeking to meet this objective, the main framework of reference will be the GDPR, which establishes two groups of infringements: less severe and more severe.
For less severe infringements, fines of up to 10 million euros or 2% of the Company's worldwide annual revenue may be imposed. This group includes, for example, inadequate technical or organisational measures, hiring of data processors without sufficient safeguards, failure to notify a data breach, etc. For more severe infringements, fines of up to 20 million euros or 4% of the Company's worldwide annual revenue may be imposed. This category includes cases of unlawful processing, unlawful consent, breach of the duty of confidentiality, etc.
16. Updates and improvements to this Policy
This Policy will be updated periodically to reflect changes and improvements in data protection. Ona Hotels & Apartments will periodically verify the application of the prevention and control measures and propose any necessary modifications in the event of detecting relevant breaches of this Policy, significant changes, or changes in the entity's information systems.
1. Identification of the Holder
In compliance with Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce, the User is informed that the owner of the website www.onahotels.com is the company CLUBOTEL LA DORADA, S.L. and its identification details are as follows:
Company Name: CLUBOTEL LA DORADA, S.L - hereinafter “Ona Hotels & Apartments”.
Tax ID (NIF): B61502035
Address: C/ Calabria 129, entresuelo, 08015, Barcelona
Email: info@onahotels.com
Registration details: the company is registered in the Barcelona Companies Register, in Volume 30,215, folio 64, and on sheet number B-168866.
2. Accessing the website
The legal notice regulates Users' access to and use of the website and aims to make known the services of the entity and allow general access for all internet users.
Access to and/or use of the Website grants visitors the status of User and entails the acceptance, without reservations of any kind, of each and every one of these general conditions, as well as any other specific conditions which, if applicable, govern the use of the Website or the services linked to it.
Users must carefully read the Legal Notice and the Privacy and Cookie Policies when they intend to use the Website, as Ona Hotels & Apartments reserves the right to make, at any time and without the need for prior notice, modifications to or update the content and services, of these access and use provisions and, in general, of all the elements that make up the design and layout of its Website. If you do not accept the conditions of access and use, please refrain from making use of the website and its content.
3. Using the website
The User undertakes to make careful use of the Website, as well as of the information relating to its services and activities, in full compliance with the applicable regulations, as well as with generally accepted morals, good customs and public order, the conditions of access and use, and any other conditions established in relation to the Website.
Furthermore, the user undertakes to abstain from using any of the content for illicit purposes or effects, prohibited in this text, those harmful to the rights and interests of third parties, or which in any way may damage, render useless, overload, deteriorate, or impede the normal use of the content, other Users, or any internet user (hardware and software).
4. Functioning of the website
In the event of non-compliance with the conditions of the Legal Notice, or the Privacy and Cookie Policies, Ona Hotels & Apartments reserves the right to limit, suspend, and/or exclude access to its Website, adopting any technical measures necessary to ensure compliance. Ona Hotels & Apartments will do everything possible to keep the website in good working order, avoiding errors or fixing them and keeping the content updated. However, Ona Hotels & Apartments does not guarantee the continued availability and continuity of access to the Website or the absence of errors in its content.
5. Liability
The User is solely liable for the use that may be made of any information or mechanism on the Website.
Ona Hotels & Apartments shall not be liable for any damage to the User's hardware and/or software arising from access to and use of the Website. Likewise, neither shall it be liable for any damages and/or losses that may be caused by access to and/or use of the information on the Website, and specifically for those that may occur in IT systems or those caused by viruses and/or computer attacks, crashes, outages, faults, or defects in communications and/or the internet.
The User shall be liable for any damages and/or losses that Ona Hotels & Apartments may suffer as a result of non-compliance with any of the obligations to which they are subject through this Legal Notice, the applicable regulations and the Privacy Policy and Cookie Policy.
6. Policy on Links (Linking and Linked Websites)
6.1 Linking website:
Third parties who intend to include a link to this website on a web page must comply with current legislation and may not host content that is inappropriate, illicit, pornographic, violent, etc.
Under no circumstances shall Ona Hotels & Apartments be held responsible for the content of the Website in question, nor does it promote, guarantee, supervise, or recommend its content.
If the linking website breaches any of the above provisions, it shall be obliged to remove the link immediately.
6.2 Linked website
This Website may include links to third-party websites that allow the User to access them. However, Ona Hotels & Apartments shall not be held responsible for the content of these linked websites, and it shall be the User's responsibility to accept and check the links each time they access them.
Any such links or mentions are for purposes that do not entail support, approval, commercialisation, or any relationship between the website and the persons or entities that own the sites where they are present.
7. Intellectual and industrial property over the content
All intellectual property rights of the Content of the Website and its graphic design are the exclusive property of Ona Hotels & Apartments, or of the third party that has authorised their use, and it is therefore Ona Hotels & Apartments that can exclusively exercise the rights to exploit them. Therefore, and by virtue of the provisions of the applicable legislation on Intellectual and Industrial Property Rights.
Ona Hotels & Apartments does not grant any licence or authorisation of use of any kind over its intellectual and industrial property rights or over any other property or right related to the Website, or the Services or the Content offered on it.
The reproduction and temporary storage of the content of the Website are permitted to the extent strictly necessary to use and view the Website on a personal device.
The legal basis of the intellectual or industrial property rights corresponding to the Content provided by users is the sole responsibility of the users themselves, and the User shall therefore hold Ona Hotels & Apartments harmless from any claim by third parties deriving from the illicit use of Content on the Website.
8. Advertising
Advertising or sponsored content may be hosted on the Website. Advertisers or sponsors are solely responsible for ensuring that the material submitted for inclusion on the Website complies with the laws that may be applicable in each case.
Ona Hotels Apartments shall not be liable for any error, inaccuracy, or irregularity that may be present in the advertising content or that provided by sponsors.
9. Applicable law
The Legal Notice shall be governed by and interpreted in accordance with Spanish law.
For the resolution of any conflict that may arise from accessing the website, the relevant courts shall be competent in accordance with consumer and user regulations.
10. Contact
If you have any questions or comments about this legal notice, please contact us by email at info@onahotels.com.
DATA PROTECTION POLICY
Documentation control:
| Department: | ||
| Created: | TARINAS-VILADRICH ADVOCATS I PROCURADORS SLP | ITC department |
| Modified: | ||
| Revised | ||
| Approved: |
| Rev. no. | Reason | Issue |
| 0 | Document creation | 01/2024 |
The purpose of this Policy is to set out the guidelines that should be followed at all levels of the Companies within the Ona Hotels & Apartments Group in regard to the Protection of Personal Data.
This Policy contains a description of the key human, organisational, technological and documentary components that the Companies must apply to protect personal data and prevent any infringement of the rights and freedoms of data subjects. Specifically, this Policy aims to guarantee the fundamental right to data protection for all individuals who interact with the Companies belonging to the Group, ensuring respect for the right to honour and privacy during the processing of different types of personal data from any source and for any purpose.
The Companies will ensure the real and effective application of the guidelines set out in this Data Protection Policy at all levels, thereby constituting a system of self-regulation that will eliminate any conduct that may jeopardise the personal data processed by the Company.
2. Scope of application
Corporate Scope. - This Policy shall apply to all the companies in the Group, identified here as CLUBOTEL LA DORADA, S.L., the parent company of the Ona Hotels & Apartments Group, the brand under which the entities operate in the market.
·Personal scope. - This Policy shall apply to all levels of the Ona Hotels & Apartments Group, including management bodies, management positions, supervisory bodies and all staff.
·Relational Scope. - The scope of application of this Policy shall extend, to the extent possible, to the Companies' suppliers, advisers, customers and other third parties.
·Geographical Scope. - This Policy shall apply to the public and private relationships that the Companies establish in any geographical area.
3. Applicable regulations
This Policy is compliant with the following regulations:
· The EU General Data Protection Regulation (GDPR)
· Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights
· Law 34/2002, of 11 July, on Information Society Services and e-commerce
· Organic Law 1/1982, of 5 May, on the Civil Protection of the Right to Honour, Personal and Family Privacy and Personal Image Protection
This Policy will be adapted as necessary in accordance with any legislative changes that may occur, as well as the criteria established in:
-The guides, reports and resolutions of the Spanish Data Protection Agency
-The guides, reports and resolutions of the supervisory authorities of the other Member States of the European Union
-The Article 29 Working Party
-Rulings of the European Court of Justice
-Rulings of Spain’s National Court, Supreme Court and Constitutional Court
4. Business risks in the area of data protection
The Companies provide hotel tourism services.
The particular nature of the personal data, the complexity of the applicable regulations, and the magnitude of the penalties established therein generate risks such as unauthorised access, unauthorised copying, disclosure or transfer to third parties and other infringements provided for in the GDPR and local regulations.
The risks arising from non-compliance with the legal obligations established in the field of data protection are as follows:
1) Administrative sanctions
2) Privacy offences
3) Compensation for damages
4) Reputational damage
The protection of personal data is one of Ona Hotels & Apartments' values and a priority objective for the Companies. It requires a series of legal, technical and organisational measures that are summarised in this Policy and detailed in the Companies’ own rules and procedures.
5. Data protection objectives
Ona Hotels & Apartments' data protection objectives are aligned with its business objectives, giving priority to compliance with the legal obligations applicable its activity.
Given the hotel services provided by Ona Hotels & Apartments, protecting the privacy and data of its guests is of vital importance, which is why it is considered a priority objective to comply with the General Data Protection Regulation of the European Union and the Organic Law on Personal Data Protection and Guarantee of Digital Rights.
At all levels of the Company, there will be a commitment to comply with the objectives established in the area of data protection and the principles and obligations set out in this Policy.
The Company may draw up rules and procedures that implement, specify and detail this Policy.
6. Data Protection Principles
Ona Hotels & Apartments will comply with the principles described below:
-Principle of lawfulness: the processing of personal data is lawful if it is based on the data subject's consent, or any other legitimate basis established by law.
-Principle of transparency: the data subject should be informed of all circumstances relating to the processing.
-Principle of fairness: personal data should not be processed in circumstances other than those notified.
-Principle of purpose limitation: Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
-Principle of data minimisation: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This principle and the previous one are further developed in the principles of necessity and proportionality that apply to impact assessments.
-Principle of accuracy: Personal data should be accurate and, where necessary, kept up to date; taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
-Principle of storage limitation: Personal data should only be kept in a form which permits the identification of data subjects for as long as is necessary for the purposes for which the personal data are processed.
-Principle of integrity and confidentiality: Personal data should be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful access and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Personal data should only be accessible to the users authorised to access them and may not be disclosed to third parties without the relevant consent.
-Principle of proactive accountability: The Companies are responsible for, and must be able to demonstrate, compliance with the provisions of data protection regulations.
-Data protection by design and by default: new processing, projects, services and products will undergo a prior assessment of their impact on data protection.
7. Roles and responsibilities
All roles and responsibilities will be differentiated and, as far as possible, individually assigned in the job description. In addition to this individualised assignment, all persons employed by Ona Hotels & Apartments, regardless of their level, will be obliged to comply with the rules, procedures and controls established in the area of information security.
Ultimate responsibility for the supervision of data protection will lie with the person in charge of Data Protection, who has been appointed externally.
Ona Hotels & Apartments has rules and procedures that set out the obligations of personnel with regard to data protection.
The Companies will adopt the necessary measures to ensure that their personnel are made aware, in an easily comprehensible manner, of the data protection obligations that apply to the performance of their duties, as well as the consequences of non-compliance with these obligations.
8. Register of Processing Activities
The Companies will keep a register of processing activities in which the details of the processing they are authorised to carry out as Data Controllers will be recorded. In addition, they will keep another register in which the processing they conduct as Data Processors on behalf of the entities for which they act as managers under the corresponding management contracts will be recorded.
In accordance with the principle of privacy by design and by default, and given that the supervisory bodies cannot keep track of all the personal data activities carried out in each department, each new processing operation, or any processing operation that modifies the attributes and characteristics assigned to it in the register of processing must be disclosed to the Data Protection Officer for assessment and, if it does not pose a risk to the rights and freedoms of the data subjects, subsequent authorisation.
Furthermore, the Companies must inform all data subjects of the processing of personal data by means of information and consent clauses in accordance with Arts. 13 and 14 of the GDPR.
9. Risk analysis
All processing operations subject to this Security Policy shall undergo a risk analysis, assessing the threats and risks to which they are exposed. This analysis will be repeated periodically.
Ona Hotels & Apartments will regularly carry out an analysis of the risks and threats affecting data protection.
The risk analysis will be conducted using an inherent risk map to assess the gross risks existing prior to the implementation of prevention, detection and mitigation controls, followed by a residual risk map to automatically assess the net risks remaining after the implementation of the controls.
9.1. Standards to minimise risks
To manage and minimise risks, Ona Hotels & Apartments uses physical, administrative, human resources, and network security measures including:
· Logical access security: Ona Hotels & Apartments must apply security measures to protect logical accesses.
· Logical access to computer systems by individuals: Ona Hotels & Apartments must use a two-factor authentication system. Initially, the System Administrator will assign a username, and the user will assign their own password. The user will then receive a code to validate the authentication mechanism.
The password will always be unintelligible, even to the Administrator. If necessary (e.g., the user has forgotten it), the System Administrator can force a password change process for the user without the need for the previous password.
· Control of access to data and resources: Ona Hotels & Apartments must draw up rules and procedures to implement, specify and detail the control measures outlined in this section.
· Operating systems: All the operating systems used in the Company's IT systems must require validation and authentication before they can be accessed and used.
· Viruses and malware: All Ona Hotels & Apartments computers must have anti-virus and anti-malware software installed and regularly updated. Firewalls must also be in place to control network traffic and detect unauthorised intrusions.
Users must be regularly informed of the basic measures to take in order to prevent the entry of viruses and malware.
· User Management: The list of all the Network users authorised to access the Information System must be kept up to date, and their access levels must be delimited to guarantee its confidentiality and integrity. Similarly, Ona Hotels & Apartments will conduct access checks and monitor the IT systems available to employees to protect the information.
· Access limitations: To access the IT resources, users must have a previously assigned user account and be registered on the domain servers. The access authorisation will establish the appropriate profile, which will be used to configure the functionalities and privileges available in the applications in accordance with the competencies of the user, adopting a policy of assigning the minimum privileges necessary to carry out the functions entrusted to them. Furthermore, access to the domain servers will require two-factor authentication.
· Wi-fi and wireless network security: The Company must implement appropriate measures to prevent improper access to the entity's wi-fi.
· Servers and hardware: As a rule, all confidential information and personal data must be stored on external servers that have adequate security measures in place to comply with data protection and information security requirements.
· Backups: All backups must cover all the information necessary to recover the service in case of corruption or loss of information (data, programmes, configuration files and even the image of some servers). In addition, there must be protocols for data backup and recovery.
Security standards must be defined for all relevant systems, including the following information as a minimum: frequency of backups, backup storage periods, location of backup hardware, information recovery procedures, restoration procedures and verification of the integrity of the backed-up information.
· Authentication: User codes and passwords must be personal and non-transferable, and the User is solely responsible for any consequences that may arise from their misuse, disclosure or loss.
· Security in the workplace: Employees must be informed of the Company's rules in relation to workplace security, which include the automatic locking of devices requiring password activation after a specified number of minutes of inactivity, as well as the implementation of a zero-paper policy at work desks.
· Mobile devices: The Company must establish appropriate security measures for corporate mobile devices.
Users assigned corporate mobile devices must comply with the specific rules governing their use and apply the corresponding security measures.
10. Contractual obligations
In addition to complying with the legal requirements concerning data protection, Ona Hotels & Apartments is also obliged to comply with the specific data protection requirements of its customers and suppliers in regard to the personal data to which it has access by virtue of its contractual dealings with them.
Ona Hotels & Apartments will pay special attention to the contractual obligations arising from the processing of personal data.
Ona Hotels & Apartments will create and keep an updated register in which it will identify and prioritise the obligations associated with protecting the personal data it accesses or processes.
Ona Hotels & Apartments will periodically check that the contractual obligations assumed in connection with data protection are known at all levels of the Group.
11. Supplier oversight from a privacy point of view
Ona Hotels & Apartments will draw up a register of all the suppliers who process personal data on behalf of the Companies in the Group or have direct or indirect access to the personal data they manage.
Should it be necessary to contract a new service that requires data processing, the Company will conduct a supplier selection and evaluation process, taking into account the guarantees required by the Law on data protection.
In this evaluation, priority will be given to those suppliers that offer the best guarantees in terms of data protection.
The relationship with suppliers that process or have direct or indirect access to personal data must always be regulated in a contract, which shall include a specific section on the obligations to be fulfilled by the supplier. These obligations shall include, as a minimum, those set out in Article 28 of the GDPR.
12. Data retention periods
Ona Hotels & Apartments will only retain personal data in a form that allows the identification of data subjects for the time necessary to fulfil the purposes of processing said data. For this reason, the Company will draw up and regularly update a table that specifies the retention period for the data that it must or deems appropriate to keep.
In drawing up this table, the statute of limitations for infringements and the restrictions laid down in the GDPR and the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights must be taken into account. Legal, sectoral and contractual obligations that may require more extended retention periods must also be considered.
Ona Hotels & Apartments will also take into account the deadlines communicated to the data subjects at the time of informing them of their rights.
With regard to the destruction of documentation, it shall be carried out in such a way as to guarantee confidentiality throughout the process.
13. Management of security breaches and incidents
Any situation that could compromise the confidentiality, integrity, availability, authenticity or traceability of the Company's information shall be considered a security breach.
Therefore, the Company should take appropriate cybersecurity measures, including protection against threats emanating from communications networks, such as cyber-attacks, denial of service attacks, unauthorised access and ransomware, among others.
Anyone who suspects or has knowledge of any incident that could affect data protection must immediately report it through the channels provided for that purpose.
If the breach or security incident could pose a risk to the rights and freedoms of individuals, the competent supervisory authority, i.e., the Spanish Data Protection Agency, must be notified no later than 72 hours after it becomes known.
Ona Hotels & Apartments has a protocol that defines the procedure followed by the Entity for reporting and managing security incidents and vulnerabilities in order to ensure that any security incidents and weaknesses associated with the information systems are recorded and dealt with appropriately through repair and resolution actions and the restoration of normal operating levels for the affected services, with the possibility of adopting corrective measures to eliminate their causes and prevent their reoccurrence in the future.
14. Training and Awareness
All Ona Hotels & Apartments personnel are obliged to be informed of and comply with the Data Protection Policy. For this reason, Ona Hotels & Apartments will promote ongoing data protection training and awareness-raising activities at all levels of the Company.
The training may take the form of face-to-face sessions or e-learning courses.
The awareness-raising may take the form of any communication and training materials or tools that can help raise awareness of the risks of infringement all levels of the Company.
All employees are individually responsible for complying with this Policy and the protocols arising from it, depending on their position, and for reporting any security incidents they detect.
15. Prevention of Infringements
The primary objective that Ona Hotels & Apartments hopes to meet with this Policy and the rules, procedures and controls that implement it is to prevent violations of the rights and freedoms of data subjects and comply with the regulations on personal data protection.
In seeking to meet this objective, the main framework of reference will be the GDPR, which establishes two groups of infringements: less severe and more severe.
For less severe infringements, fines of up to 10 million euros or 2% of the Company's worldwide annual revenue may be imposed. This group includes, for example, inadequate technical or organisational measures, hiring of data processors without sufficient safeguards, failure to notify a data breach, etc. For more severe infringements, fines of up to 20 million euros or 4% of the Company's worldwide annual revenue may be imposed. This category includes cases of unlawful processing, unlawful consent, breach of the duty of confidentiality, etc.
16. Updates and improvements to this Policy
This Policy will be updated periodically to reflect changes and improvements in data protection. Ona Hotels & Apartments will periodically verify the application of the prevention and control measures and propose any necessary modifications in the event of detecting relevant breaches of this Policy, significant changes, or changes in the entity's information systems.
