1. GENERAL PART
1.1. COLLECTION AND PROCESSING OF USER DATA
Within the scope of the availability of the website hosted at www.artsoulgroup.com (“Site”), the conclusion of any contracts (namely hotel services, vouchers, Spa treatments and products), the provision of information, contents, including the newsletter, login areas or any telephone contacts (collectively the “Services”) to its users (“User”) and other related entities, the entity ART AND SOUL Group (Grupo ART AND SOUL) (hereinafter the “ART AND SOUL Group”) may request the User to provide personal data, that is, information provided by the User that allows the Lux Hotels Group to identify and/or contact you (“Personal Data”).
As a rule, Personal Data is requested when the User registers on the Site, requests a contact and/or the sending of newsletters, subscribes to a certain service, provides or requests information, acquires a product or establishes a contractual relationship with the ART AND SOUL Group.
The Personal Data collected and processed consists of the information regarding the name, gender, date of birth, telephone, mobile phone, email, address, country of residence, tax identification number and credit card data (collected only for billing purposes) although other Personal Data may be collected if necessary or convenient for the provision or billing of Services by the ART AND SOUL Group.
Upon the collection of Personal Data, the ART AND SOUL Group provides the User with detailed information on the nature of the data collected and the purpose and processing that will be carried out with respect to the Personal Data.
The ART AND SOUL Group also collects and processes information on the characteristics of your hardware device and the browser/software features, as well as information about the pages visited by the User within the Site. This information may include your browser type, domain name, access times and links through which the User has accessed the Site (“Usability Information”). We use this information only to improve the quality of your visit to our Site.
1.2. SUBCONTRACTED ENTITIES
These subcontracted entities shall not transmit the User Data to other entities without the prior authorization of the ART AND SOUL Group, being also prevented from contracting other entities without the prior authorization of the ART AND SOUL Group.
The ART AND SOUL Group undertakes to subcontract only entities that offer maximum security in the execution of the appropriate technical and organizational measures, in order to guarantee the defense of the User’s rights. All entities subcontracted by the ART AND SOUL Group are bound to the latter a written contract which governs, in particular, the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data holders and the rights and obligations of the parties.
After the collection of personal data, the ART AND SOUL Group shall provide the User with information on the categories of the subcontracted entities that, in this case, can process data on behalf of the Lux Hotels Group.
1.3. DATA COLLECTION CHANNELS
The ART AND SOUL Group may collect data directly (that is, directly from the User) or indirectly (that is, from partner entities or third parties). The collection can be carried out through the following channels:
• Direct collection: in person, by phone, by e-mail and through the Site;
• Indirect collection: through partners or companies of the group and official entities.
2. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA
In terms of general principles regarding the processing of personal data, the ART AND SOUL Group undertakes to ensure that the User Data processed by it shall be:
• Processed in accordance with the law and fair and transparent to the User;
• Collected for specific, objective and legitimate purposes, not being further processed in a way contrary to such purposes;
• Adequate, justified and limited to what is necessary for the purposes of the processing;
• Accurate and updated whenever necessary, taking all necessary measures to ensure that inaccurate data (regarding the purposes for which it is processed) is erased or corrected without delay;
• Preserved in a manner that allows the identification of the User only during the period necessary for the purposes for which the data is processed;
• Processed in a manner that guarantees its security, including protection against the unauthorized or illegal processing and against its loss, destruction or unforeseen damage, taking the appropriate technical or organizational measures;
• The data processing carried out by the ART AND SOUL Group is allowed and legal when at least one of the following situations occurs:
• The User has, without any doubt, given consent to the processing of the User Data for one or more specific purposes;
• Processing is necessary for the execution of a contract in which the User is a party, or for pre-contractual procedures at the request of the User;
• Processing is necessary for the fulfilment of a legal obligation to which the ART AND SOULGroup is subject;
• Processing is necessary to defend the fundamental interests of the User or another individual;
• Processing is necessary for the legal interests pursued by the ART AND SOUL Group or by third parties (except if prevailing any User’s interests or fundamental rights and freedoms that require protection of personal data).
TheART AND SOUL Group undertakes to ensure that the processing of User Data is only carried out under the terms listed above and complying with the above mentioned principles.
When User Data processing is carried out by the ART AND SOUL Group based on the consent of the User, the latter has the right to withdraw such consent at any time. However, the withdrawal of the consent does not compromise the legality of the processing made by the ART AND SOUL Group based on the consent previously given by the User.
The period of time during which the data is stored and kept varies according to the purpose for which the information is processed.
Effectively, there are legal requirements that require storing the data for a minimum period of time. Thus, and where there is no specific legal obligation, data shall be stored and kept only for the minimum period necessary for the purposes that motivated its collection or its subsequent processing, being the data deleted upon ending such purpose.
3. USE AND PURPOSE OF THE USER DATA PROCESSING
In general terms, the ART AND SOUL Group uses the User Data for the following purposes:
• Provision of hotel services and associated services (restaurants, bars and SPA);
• Management of contacts with the User;
• Invoicing and billing to the User;
• Inform the User, upon request, on new products and services made available on the Website and/or at the hotel units, special offers and campaigns, updated information on the ART AND SOUL Group activity and, generally, for marketing purposes of the ART AND SOUL Group and its hotel units, by any means of communication, including electronic support;
• Ensure that the Site meets the User’s needs by developing and publishing content that is best adapted to the requests and type of User, improving the search feature capabilities and features of the Site and obtaining associated or statistical information in relation to the user’s profile type (analysis of consumption profiles);
• Provision of Services, and other services such as newsletters, opinion surveys or other information or products requested or purchased by the User;
• Sending Satisfaction Surveys;
• The ART AND SOUL Group may combine Usability Information with anonymous demographic information for research purposes, and may use the result of such combination to provide more relevant content on the Site. In specific restricted areas of the Site, the ART AND SOUL Group may combine Personal Data with Usability Information to provide a more personalized content to the User.
The User Data collected by the Lux Hotels Group is not shared with third parties without the consent of the User, except for the situations mentioned in the following paragraph. However, if the User contracts with the ART AND SOUL Group services provided by other entities responsible for the processing of personal data, the User Data may be consulted or accessed by such entities to the extent that it is necessary for the provision of said services and the User shall be informed thereof.
4. TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES IMPLEMENTED
In order to ensure the security of the User Data and maximum confidentiality, the ART AND SOUL Group processes the information that you provided in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, updated periodically as needed, and under the terms and conditions provided by law.
Depending on the nature, scope, context and purpose of the data processing and on the risks arising from such processing regarding the User’s rights and freedoms, the ART AND SOUL Group undertakes to apply, both when defining the means and when processing, the technical and organizational measures necessary and appropriate for the protection of User Data and compliance with all legal obligations.
It also undertakes to ensure that by default only the data necessary for each specific purpose shall be processed and that such data shall not be made available to an indeterminate number of people without human intervention.
Communication between the User’s device and the ART AND SOUL Group Site is carried out through secure channels and communications using the HTTPS protocol and the SSL security standard.
Nonetheless, the ART AND SOUL Group adopts the following general measures:
• Regular audits aimed at identifying the capability of the technical and organizational measures implemented;
• Sensitization and training of personnel involved in data processing operations;
• Pseudonymization and codification of personal data;
• Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems;
• Mechanisms to ensure the reset of information systems and quick access to personal in the event of a physical or technical incident.
5. TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION
The Site does not transfer your personal data to recipients located in countries outside the European Union.
When you visit our site, a small text file (Cookie) is created and saved on your computer’s disk. Consequently, when you browse the Site you are accepting the installation of this text file on your device. This file will allow you greater ease and speed in accessing the Site, as well as customizing it according to your preferences.
By browsing our Site you are allowing the collection and storage of small text files called cookies, which contain information and are downloaded to the User’s computer or other devices through a server. These text files shall allow a more personalized and efficient browsing experience. At each visit to the Site, your Internet browser sends these cookies back to the Site, allowing the recognition and memorization of the Users’ identity, as well as the respective use preferences.
I- What are Cookies?
“Cookies” are small software files that are stored on your device through the browser, retaining your information regarding the browsing status and recording the User’s browsing activity. They may also be used to recall information on the User that was previously entered on the website.
II- What are the types of Cookies used?
Cookies required to:
i) Allow browsing on the Site;
ii) Enjoy its functionalities, namely, accessing secure areas and contents of exclusive access for registered Users.
Functional cookies to:
i) Record information on our Users’ options;
ii) Allow customizing our Website to their needs, namely, memorizing the language of origin.
Performance cookies to:
i) Monitor how Users individually access our Site and how regularly.
Used for the reservation process, since these types of cookies are more secure and cannot be manipulated by third parties.
We also use direct or indirect analytical services to assess the effectiveness of our content and the preferences of Users, which contribute to optimize the functioning of this Site.
We also use web beacons or tracking pixels to count the number of visitors to our Site, anonymously and without identifying any particular User.
III- Browser controls:
The vast majority of browsers allow users to view hosted cookies as well as delete or block them.
Whenever there is a deletion of cookies, some features of the Site may be affected.
If you want to know more about how Cookies work, you can consult the Sites AboutCookies.org or Cookiecentral.com.
IV- Cookies Security:
Since Cookies can be intercepted or changed, the following security actions are taken:
Sensitive information such as passwords or personal data such as the customer’s address or telephone number is not stored;
There shall be no sending of non-secure (HTTP) requests where cookies are sent to the browser in plain text and can be intercepted.
7. TOOLS USED BY THE WEBSITE FOR STATISTICAL AND BEHAVIOUR READING OF THE USER
The Site uses Google Analytics, a network analysis service provided by Google. Cookies that provide information on the use and browsing on the Site will be stored. This data, including the User’s IP address, is transmitted to Google’s servers but is not related with any other data held by Google.
You can disable the tool by downloading and installing a browser add-on available in Google: https://tools.google.com/dlpage/gaoptout?hl=en
Facebook and Instagram
The Site interacts with Facebook and Instagram through a connection to the servers of these social networks. This will allow to identify the website that the user is visiting and possibly store other data, such as the IP address. If you have your Facebook and/or Instagram session open, data shall be associated to your accounts. To prevent this, the User must logout on Facebook and Instagram before visiting the page.
The information regarding the processing of data carried out by these social networks is available at:
8. USERS’ RIGHTS (DATA HOLDERS)
8.1. RIGHT TO INFORMATION
8.1.1. Information provided to the User by the ART AND SOUL Group (when data is collected directly from the User):
• The identity and contacts of the ART AND SOUL Group and the person in charge of the processing;
• The contacts of the Data Protection Officer;
• The purposes of the personal data processing, as well as, if applicable, the legal reasons for the processing;
• If the data processing is based on the legitimate interests of the ART AND SOUL Group or of a third party, the indication of such interests;
• Where applicable, the recipients or categories of recipients of the personal data;
• Where applicable, indication that personal data shall be transferred to a third country or an international organization, and whether there is a compliance decision adopted by the Commission or any reference to suitable or appropriate transfer guarantees;
• The deadline for retaining the personal data;
• The right to request the ART AND SOUL Group to allow [N.T. Necessita esclarecimento. Possível lapso no original, na palavra “permissão”] personal data, as well as its correction, elimination or limitation, the right to object to the processing and the right to access the data;
• If the data processing is based on the consent of the User, the right to withdraw it at any time without compromising the legality of the processing carried out based on the consent previously given;
• The right to file a complaint with the CNPD or other supervisory authority;
• Indication whether the disclosure of personal data constitutes a legal or contractual obligation, or a requirement to conclude a contract, as well as whether the holder is required to provide the personal data and the possible consequences of not providing such data;
• Where applicable, the existence of automated decisions, including profile definition, and information regarding the basic concept, as well as the importance and expected consequences of such processing for the data holder.
Is the User Data is not collected directly by the ART AND SOUL Group from the User, in addition to the information referred to above, the User shall also be informed on the categories of the personal data being processed, as well as the origin of the data and if it comes from sources accessible to the public.
In case the ART AND SOUL Group intends to proceed with the further processing of the User
Data for a purpose other than that for which the data was collected prior to such processing, the ART AND SOUL Group shall provide the User with information on such purpose and any other information of interest, in the terms referred to above.
8.2. Procedures and measures implemented to fulfil the right to information.
The information referred to in 8.1. is provided in writing (including by electronic means) by the ART AND SOUL Group to the User prior to the processing of the relevant personal data. In accordance with the applicable law, the ART AND SOUL Group is under no obligation to provide the User with the information mentioned in 8.1 when and to the extent that the User is already aware of it.
The information is provided by the Lux Hotels Group at no cost.
9. RIGHT TO ACCESS THE PERSONAL DATA
The ART AND SOUL Group guarantees the means by which the User can consult his Personal Data. The User has the right to obtain from the ART AND SOUL Group the confirmation whether the personal data is being processed or not and, if applicable, the right to access the respective personal data and the following information:
• The purposes of the data processing;
• The categories of the relevant personal data;
• The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular to recipients in third countries or belonging to international organizations;
• The term to retain the personal data;
• The right to request the ART AND SOUL Group to rectify, delete or limit the processing of personal data, or the right to prevent such processing;
• The right to file a complaint with the CNPD or other supervisory authority;
• If the data has not been collected from the User, the available information on the origin of such data;
• The existence of automated decisions, including the profile definition, and information on the underlying logic, as well as the importance and expected consequences of such processing for the data holder;
• The right to be informed on the appropriate guarantees associated with the transfer of data to third countries or international organizations.
Upon request, the ART AND SOUL Group shall provide the User, free of charge, with a copy of the User Data that is being processed. The provision of other copies requested by the User may entail administrative costs.
10. RIGHT TO RECTIFY THE PERSONAL DATA
The User has the right to request at any time the rectification of the respective Personal Data, as well as the right to have completed any incomplete personal data, including by means of an additional declaration.
In case of data rectification, the ART AND SOUL Group shall communicate such rectification to each recipient to whom the data has been transmitted, unless such communication is rendered impossible or involves a disproportionate effort for the ART AND SOUL Group.
11. RIGHT TO DELETE PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)
The User has the right to obtain from ART AND SOUL Group the elimination of the respective data when one of the following reasons applies:
• User Data is no longer required for the purpose for which it was collected or processed;
• The User withdraws the consent on which the data processing is based and there is no other legal basis for such processing;
• The User opposes to processing under the right of opposition and there are no prevailing legitimate interests justifying the processing;
• If User Data is treated illegally;
• If User Data must be deleted in order to comply with a legal obligation to which the ART AND SOUL Group is subject;
• Under the applicable legal terms, the ART AND SOUL Group is under no obligation to delete the User Data to the extent that the processing proves necessary to fulfil a legal obligation to which the ART AND SOUL Group is subject or for the purposes of declaration, exercising or defending a right of the ART AND SOUL Group in a judicial proceeding.
In the event of data deletion, the ART AND SOUL Group shall communicate such deletion to each recipient/entity to whom the data has been forwarded, unless such communication proves impossible or involves a disproportionate effort for the ART AND SOUL Group.
When the ART AND SOUL Group has made the User Data public and is obliged to delete it under the right of such deletion, the ART AND SOUL Group undertakes to ensure reasonable measures, including of a technical nature and taking into account the technology available and its application costs, to inform those responsible for the effective processing of personal data that the User has requested the deletion of the links to such personal data as well as any copies or reproductions thereof.
12. RIGHT TO LIMIT THE PROCESSING OF PERSONAL DATA
The User has the right to limit the processing of User Data by the ART AND SOUL Group if one of the following situations applies (the limitation consists in inserting a mark in the personal data retained with the purpose of limiting its processing in the future):
• If the Users contests the accuracy of personal data for a period that allows the ART AND SOUL Group to verify its accuracy;
• If the processing is unlawful and the User opposes to the deletion of the data, requesting the limitation of its use;
• If the ART AND SOUL Group no longer needs the User Data for processing purposes but such data is required by the User for the purposes of declaration, exercising or defending a right in a legal proceeding;
• If the User has opposed to the processing, until it is verified that the legitimate reasons of the ART AND SOUL Group prevail over those of the User.
Except for retention of data, where the User Data is subject to limitation, it may only be processed with the consent of the User or for the purposes of declaration, exercising or defending a right in a judicial process, to defend the rights of another natural legal person or for reasons of public interest legally provided for.
The User who has obtained the limitation of the respective data processing in the above cases shall be informed by the ART AND SOUL Group before the processing limitation is annulled.
In the event of data processing limitation, the ART AND SOUL Group shall notify each recipient to whom the data has been transmitted, unless this communication proves impossible or involves a disproportionate effort for the ART AND SOUL Group.
13. RIGHT OF PORTABILITY OF PERSONAL DATA
The User has the right to receive the respective personal data provided to the ART AND SOUL Group in a structured, current and automatic reading format and the right to transmit such data to another person responsible for its processing if:
• The processing is based on the consent or on a contract in which the User is a party; and
• The processing is carried out by automated means.
The right of portability does not include inferred data or derived data, that is, personal data generated by the ART AND SOUL Group as a consequence or in result of the analysis of the data being processed.
The User is entitled to have the respective personal data transmitted directly between those responsible for the processing, whenever this is technically possible.
14. RIGHT TO OPPOSITION OF THE PROCESSING
The User shall have the right at any time to oppose, on grounds relating to his/her particular situation, to the processing of the personal data based on the exercise of legitimate interests pursued by the ART AND SOUL Group or when the processing is carried out for purposes other than those for which the personal data has been collected, including the profile definition, or when personal data is processed for statistical purposes.
The ART AND SOUL Group shall terminate the User Data processing unless it presents urgent and legitimate reasons for such processing that prevail over the User’s interests, rights and freedoms or for the purposes of declaration, exercising or defending a right of the ART AND SOUL Hotels in legal proceedings.
When User Data is processed for the purposes of direct marketing, the User has the right to oppose at any time to the data processing for the purposes of said marketing action, including profile definition to the extent it relates to direct marketing. Should the User oppose the data processing for the purposes of direct marketing, the ART AND SOUL Group ceases the data processing for this purpose.
The User also has the right not to be subject to any decision made solely on the basis of automated processing, including profile definition, that has effects the User’s legal scope or significantly affects him/her in a similar way, except if the decision:
• Is necessary for entering into or executing a contract between the User and the ART AND SOUL Group;
• Is authorized by legislation to which theART AND SOUL Group is subject, or
• Is based on the explicit consent of the User.
15. PROCEDURES WITH A VIEW TO THE EXERCISE OF THE RIGHTS BY THE USER
The right of access, right of rectification, right of deletion, right to limitation, right of portability and right to opposition may be exercised by the User by contacting the Data Protection Officer of the ART AND SOUL Group by email firstname.lastname@example.org or by letter addressed to the DPD of the at: Rua Jacinto Marto, 91, 2495-450 Fátima.
The ART AND SOUL Group will answer in writing (including by electronic means) to the User’s request within a maximum of one month from the receipt of the request, except in cases of special complexity, where this period may be extended up to two months.
If the requests presented by the User are clearly unjustified or excessive, in particular due to their repetitive nature, the ART AND SOUL Group reserves the right to charge administrative costs or refuse to comply with the request.
16. VIOLATION OF PERSONAL DATA
In the event of data violation and to the extent that such violation is likely to pose a high risk to the rights and freedoms of the User, the ART AND SOUL Group undertakes to notify the User on the violation of personal data within 72 hours of being aware of the incident.
According to the legal provisions, communication to the User is not required in the following cases:
If the ART AND SOUL Group has implemented appropriate technical and organizational protection measures and these measures have been applied to the personal data affected by the violation, in particular measures that make personal data incomprehensible to any unauthorized person accessing them, such as encryption;
If the ART AND SOUL Group has taken subsequent measures to ensure that the high risk to the rights and freedoms of the User is no longer likely to materialize; or
If communication to the User implies a disproportionate effort for the ART AND SOUL Group. In this case, the ART AND SOUL Group shall make a public communication or take a similar action through which the User will be informed.
17. FINAL PART
18. APPLICABLE LAW AND JURISDICTION