The entity in charge of your information is Barceló Gestión Hotelera, S.L. (hereinafter referred to as "BGH" or "Barceló") with registered office at c/ Josep Rover Motta, 27, 07006, Palma de Mallorca. If you have any questions regarding data protection, please contact the Barceló Group's Data Protection Office at dpo@barcelo.com.

Web Page: Privacy Policy | Barcelo.com

In accordance with the provisions of European General Regulation 2016/679 ("GDPR") and Organic Law 3/2018, of December 5, on Data Protection ("LOPD"), at Barceló, we will process the personal information of users in the "Barceló Hotel Group" app, whether or not they are customers of Barceló and its hotels, as set out below.

Since we will not use all of your personal information for each and every one of our activities, throughout this document we inform you of the type of personal information we will need to process in each case:

1. Identification and contact information. Name and surnames, gender, postal, telephone and email contact information, postal address, date of birth, nationality, email address, and cell phone number.

2. Information of a commercial nature. Commercial profile of the user inferred through the analysis of the app usage (services contracted or booked through the app, queries made about our services).

3. Data obtained from cookies. Information about navigation and use by the user through cookies or similar technologies provided that the user has authorized it when accessing the app.

As a general rule, in the Barceló app, we will process information that we have collected directly from you, which will become part of our database. We refer to personal information that you provided at the registration time or when using the app (for example, when booking any of our services, such as the restaurant, SPA, gym, or the Miniclub).

Concerning personal information relating to minors (for the reservation of Miniclub services), this information will be provided exclusively by their legal representatives (mother/father/guardian) at the time of booking Miniclub services. In this sense, the aforementioned legal representatives guarantee the truthfulness and accuracy of the information they provide about the minors they register in the Miniclub.

The RGPD and the LOPD establish that a person's personal information can only be processed when any of the legitimate purposes foreseen in said regulations are applicable. More specifically, Article 6 of the GDPR establishes a closed list of legitimate grounds that may be used to justify and legitimize the processing of personal information.

The application of one or another legitimizing purpose depends mainly and essentially on the purpose for which personal information is to be processed.

That said, Barceló will process your data for the purposes and in accordance with the legitimate purposes detailed below.

A. Measures necessary for the execution of a contract between the interested party and Barceló.

First of all, there are some actions that Barceló must carry out to provide the services included in the Barceló Hotel Group app. This is because they are essential data, and not providing them would result in not being able to complete your registration as a user of the app or give access to the services provided in it.

The following is a list of the processing operations whose legitimizing purposes are contemplated in Article 6.1.b) of the GDPR: "the data processing is necessary for the performance of a contract to which the data subject is party or for the implementation at the request of the data subject of pre-contractual measures."

1. Reservation of services or activities through the app.

The Barceló user and customer will have the option to book, through the app, certain services provided by the hotel where they are staying, such as restaurant and bar services, room service, gym, SPA, or Miniclub. The range of services will depend on the hotel in which the user and customer is staying.

To reserve these services, the customer must provide his/her name, surname, the room number of the hotel where they are staying, and the days on which they have checked in and will check in and check out.

In particular, for the proper provision of the services requested through the app, Barceló needs to transfer the user data indicated in the previous paragraph to (i) the company that owns the hotel, whose identity is known to the user through the data protection clause provided at check-in or (ii) third parties outside the Barceló Hotel Group, if a third party company provides the specific service (SPA, restaurant, Miniclub). In both cases, to process the user's reservation through the app and provide the requested service, it will be necessary to transfer the data indicated in the previous paragraph to the hotel company or specific company that provides the requested service.

For the provision of these services, Barceló will not request any sensitive personal information from the user, such as health data (except the Miniclub, in accordance with the data protection information provided when booking this service). However, the service reservation forms have free fields in which users may enter any comments they deem appropriate. Accordingly, the personal data provided by the user through these free fields are entirely voluntary.

B. Legally binding data processing.

Barceló will also process your personal data as a user and customer to comply with the legal obligations that may be required at any given time, including, among others, those provided for in the regulations listed below. These are actions that Barceló is legally obliged to carry out, which determines their full legitimacy. Article 6.1.c) of the GDPR provides that "the data processing must be necessary for compliance with a legal obligation applicable to the party responsible for the processing of the data."

• Organic Law 4/2015, of March 30, 2015, on protecting citizen security and development regulations, which requires establishments that provide accommodation or lodging services to transfer personal information to the Security Forces and Corps.

• Law 58/2003, of December 17, 2003, General Tax Law.

• Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation or "GDPR").

• Law 3/2018 of December 5, 2018, on the Protection of Personal Data and Guarantee of Digital Rights ("LOPD"), obliges Barceló, as the party responsible for the processing of your personal data, to respond to requests, exercises of rights and claims that may arise in matters of data protection.

These obligations of a legal nature will exist and will be fulfilled by Barceló even after the termination of the provision of services requested by the user, as long as there is an applicable legal obligation.

C. For the legitimate interest of Barceló

Barceló will carry out additional processing operations under the legitimate interest provided for in Article 6.1.f). of the aforementioned Regulation, inasmuch as it considers that they do not prejudice the right of data subjects to the protection of their personal data. This provision authorizes processing operations that are "necessary for the legitimate interests pursued by the party responsible for the processing or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child."

Regarding such data processing, the user has the right to (i) obtain more information on what this "legitimate interest" consists of, (ii) to know how Barceló has concluded that it does not harm the protection of their personal data, (iii) or directly to oppose it. You may do so by the means described in section 8, indicating the specific processing to which you object and the reasons you base your request.

Of all of them and in accordance with the European Regulation to which we have referred, Barceló has made what is known as a "weight test." This is an internal analysis to confirm that Barceló's legitimate interest does not harm users' interests in protecting their personal data.

If the customer wants more information about this test, he can request it through the following email address dpo@barcelo.es.

This data processing is detailed as follows.

1. Personalized commercial actions by Barceló of its products and services. Preparation of your "customer profile."

As we indicate in the informative clause that we provide at the time of booking the services of our hotels, Barceló may make communications and commercial offers about its own products and services tailored to your profile, interests, and needs through automated means or not (via mail, telephone or fax, SMS, instant messaging applications, social networks, email, pop-up notifications in the application, or any other electronic or telematic means available at any time).

These communications will be adapted to your "user and customer profile," as we will try to adapt them to your interests and needs, to the consumption habits you show in the products and services you contract with Barceló through the application.

This user and customer profile will take into account both the information you provided directly to Barceló when booking your stay or using the hotel services and the data generated in our app (booking services through the application).

That is to say, for these commercial actions, we will not collect additional information about you through third parties and public sources; we will only use and take into account the data we already have in our databases: either because you have provided it yourself when contracting a service, or because it has been generated as a result of your relationship with Barceló (e.g., how often you book the SPA or gym services).

All this will allow us to create a profile of you as a user and customer of our services to be able to estimate which products or services and under what conditions you might be most interested in. For example, depending on the services you have requested through the application, we may offer you other similar services that you can enjoy within the hotel.

For this case, Barceló has developed a "weight test" to determine that this data processing does not harm your privacy. According to the result of this test, Barceló understands that its legitimate interest does not affect your privacy, taking into account that only data that you have previously provided or that have been generated in the contractual relationship, and those that we can infer according to the analysis of this information, will be used.

In addition to the above, and to support such a weight test, it should be noted that the sending of commercial communications about related products (including the creation of a profile with data provided by the data subject himself) is an activity permitted and limited by the current regulations on data protection and electronic communications, and interpreted in this sense by the data protection authorities. This is expressly permitted by Law 34/2002 on Information Society Services and Recital 47 of the RGPD.

This data processing will be carried out when you have contracted Barceló products and services, and unless you indicate otherwise, by exercising your right of opposition, in accordance with what is indicated in section 8.

2. Transfer of personal data to Group entities for administrative purposes.

As permitted by the European General Data Protection Regulation, Barceló Hotel Group entities may access your data to carry out internal administrative, accounting, control, verification, management, and reporting tasks. Barceló may also solely collect your data from such entities of its Group to perform these administrative tasks.

In this case, Barceló understands that it has a legitimate interest to carry out this processing, given that the purpose of the use of the data only refers to internal matters of an administrative nature: to monitor the evolution of the business, comply with legal obligations related to the keeping of the accounts of these companies, evaluate possible deviations in operations or the degree of compliance with the regulations and establish the corresponding corrective actions.

These are purely administrative and internal interests to guarantee that Barceló's activity is carried out under the best quality conditions and in strict compliance with regulations.

As a result of the "weight test" that Barceló has developed, we understand that our legitimate interest does not affect the privacy of the user, taking into account that this use of data will be given only for the internal purposes described, not destined to be processed for commercial purposes. In addition, this is also contemplated in the RGPD in its Recital 48.

3. Conducting surveys, loyalty programs, and organizing sweepstakes.

Barceló may process your personal data as a user of the app to send you surveys related to the operation and quality of the services provided through the application.

These surveys will be sent to you by the usual means of contact (email, telephone, app pop-up notifications), although you may also complete other surveys through our website.

Barceló will process your data for these activities based on our legitimate interest. The objective is to expand or improve the services we provide through our application based on the opinions and suggestions provided by users.

For this type of processing, Barceló has also performed a "weight test." Accordingly, we understand that the data processing does not affect your right to privacy because completing the surveys is voluntary, no harm is done in the event that you do not complete them, and the results are anonymous. Please also note that if you unsubscribe from receiving commercial communications, you will not receive requests to complete surveys.

D. Consent-based data processing

There are some types of data processing that Barceló is interested in carrying out, but they depend on your prior authorization. These are the data processing operations whose legitimate basis is the one provided for in art. 6.1.a) RGPD, and that Barceló can only do so if "the data subject has consented to the processing of his or her personal data for one or more specific purposes."

Therefore, the provisions of the following points depend on your authorization. If we have never asked for your consent to carry them out, or if you denied it at the time (or gave it but later withdrew it), these types of data processing do not apply to you.

Likewise, you should know that, if at the time you authorized Barceló to use your data for one of the following types of data processing, in any case, you may withdraw your authorization, when you deem it appropriate and without this preventing or harming in any way your status as a Barceló client, or the services you may request, or have already received, from Barceló. However, we must also point out that the withdrawal of your authorization will take effect from that moment; it has no retroactive effect, so it will not affect the validity of what we have done at Barceló up to that moment.

1. Use of Cookies. Push notifications about advertising campaigns.

When you use the Barceló Hotel Group app, we will process personal data obtained from online identifiers or cookies. We will do so if you authorize it when installing the App or configuring your device. You can obtain more information in the Cookies Policies available to interested parties.

On the other hand, if you expressly authorize it, Barceló will also use your personal data to send you instant notifications -or "push" - to your mobile device, depending on the specific consents you have previously granted, to inform you about promotions and advertising campaigns that we carry out on our products and services. Similarly, suppose you have activated these push notifications. In that case, we will send you communications related to the services you have requested from us (e.g., a reminder of your gym or SPA reservation).

As we have already mentioned, for Barceló to send you these instant notifications, you will have to configure your mobile device and the application with the necessary settings to receive these alerts. Likewise, to stop receiving these kinds of notifications, you must deactivate them in the device settings where you have authorized them.

Barceló will process the personal data of users. At the same time, they remain registered in the same, or by the retention periods provided for our customers - in the Privacy Policy provided in the reservation and check-in cases where the user has contracted or booked services through the application. In cases where the data processing is carried out with the prior authorization of the data subject, as long as they do not withdraw it.

Once these periods have elapsed, and before proceeding to its disposal, Barceló will keep the user's personal information duly blocked to face possible claims and to have it at the disposal of the competent authorities during the legally established statute of limitations. In these cases, Barceló will adopt the necessary technical and organizational measures to ensure they are only used for this purpose.

Your personal information may be disclosed to the following third parties:

- To those third parties to whom it is legally obliged to provide them, such as the Security Forces and Corps (in particular, the competent Police Corps in each Autonomous Community) or administrative or judicial authorities.

- In the event that it is necessary to provide the service requested by the user and customer through the app (SPA, Miniclub, restaurant), the data of the person involved will be transferred to:
 

• The hotel company of Barceló Hotel Group, in the event that the requested service is provided directly by said hotel company or,
• To a company outside the Barceló Hotel Group, which will be the service provider in cases where the service is not provided directly by the hotel company. This transfer will only be made when the service requested by the user is provided by an external company that provides the service in the facilities of the Barceló hotel.

Apart from the aforementioned data communications, Barceló will collaborate with third-party service providers who may have access to your personal information and who will process the aforementioned data in the name and on behalf of Barceló as a consequence of their provision of services.

Barceló follows appropriate criteria for the selection of service providers to comply with its data protection obligations and undertakes to sign with them the corresponding data processing contract through which it will impose, among others, the following obligations: to apply appropriate technical and organizational measures; to process personal information for the agreed purposes and only in accordance with Barceló's documented instructions; and to delete or return the data to the data controller once the provision of the services has been completed.

Specifically, Barceló may contract the provision of services by third-party suppliers that carry out their activity, by way of example, in the following sectors: logistics services, legal advice, private appraisal services, supplier approval, multidisciplinary professional services companies, maintenance-related companies, technology service providers, IT service providers, physical security companies, instant messaging service providers, infrastructure management and maintenance companies and call center service companies.

In general terms, the third parties mentioned above are located within the European Economic Area, except certain suppliers whose servers may eventually be located outside this territory (for your information, the suppliers with whom Barceló signs service provision contracts are located within the European Economic Area, although their servers may potentially be located outside this territory due to internal issues of their technological infrastructure). In these cases, Barceló will carry out the following actions:

• The measures and guarantees indicated in the GDPR will be adopted to ensure that the level of protection of the customer's personal information is not undermined,
• the user shall be informed, where applicable, of the existence or absence of an adequacy decision of the European Commission concerning the country of destination or, failing this, of the guarantees adopted, as well as how to obtain a copy of them.

We ask that all information you provide through the application is correct, complete, accurate, and up to date.

Thus, if any of the personal information you have communicated to us changes, especially your postal address, email address, and contact telephone numbers, you must inform us as soon as possible through the means of contact described in section 8.

Otherwise, if you do not inform us of these possible changes, the communications that we have sent to you to the contact details we have at that time will remain valid.

The data protection regulations recognize a series of rights that you should know and can exercise to protect your privacy and control our use of your personal information. Specifically:

• You have the right to obtain confirmation as to whether or not Barceló is processing personal information concerning you and, if so, to access your personal information, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

• In certain circumstances, you may request to limit the processing of your data.

• In some instances and for reasons related to your particular situation and those in which Barceló processes your data for our legitimate interest, you may object to processing your data. In this case, Barceló will stop processing the data except for compelling legitimate reasons or the exercise or defense of possible claims.

• You may also request the portability of your data in a commonly used, machine-readable format for transmission to another data controller.

• From this moment and any time after that, you can withdraw any authorization you have granted us.

• In cases where decisions have been made based solely and exclusively on the automated processing of your data, including profiling, you may request human intervention, express your point of view, and challenge the decisions.

You may exercise all the rights indicated above, providing a copy of your ID card, by writing to the Data Protection Officer of Barceló Hotel Group:

• Send a written request to the following address: C/ Rover Motta, 27, 07006, Palma de Mallorca.

• By emailing your request to dpo@barcelo.com.

Finally, you can also appeal to Barceló and the Spanish Data Protection Agency (as the competent Data Protection Control Authority), especially when you have not obtained satisfaction in exercising your rights, by writing to dpo@barcelo.es or through the website https://www.aepd.es.

Barceló has analyzed the different existing data protection risks with respect to all the processing identified in this document. This is an assessment in which, based on the necessity and proportionality of the processing to be carried out concerning its purpose, it evaluates the risks to the customer's rights and freedoms and contemplates the measures envisaged to address, manage, and tries to mitigate them, thus ensuring the protection of their personal information.

The issues analyzed took into account, among others, aspects related to the following:

• volume of data subject to each data processing;
• participation of third parties in the data flow;
• evaluation of personal aspects of individuals;
• categorization and segmentation;
• contracting of external suppliers;
• transfer of data;
• legitimate basis for data processing and
• the possibility for data subjects to exercise their data protection rights.

Following the analyses performed, Barceló has carried out the Data Protection Impact Assessments that have been determined based on the previous risk analyses. You may request access to the essential aspects of the risk analyses by sending a request to the following email address dpo@barcelo.es.

Barceló has designated a person as a "Data Protection Officer" to protect the personal information of our users and clients, as well as to guarantee that Barceló complies with all legal requirements regarding personal information protection.

This person will be responsible for providing all requested information on data protection. You can contact them at the following address: dpo@barcelo.es.