Personal data protection on the Barceló Hotel Group app
I.- Who is responsible for processing my data?
The entity responsible for the processing of your data is Barceló Gestión Hotelera, S.L. (hereinafter referred to in this document as "BGH" or "Barceló"), with registered office at c/ Josep Rover Motta, 27, 07006, Palma de Mallorca. If you have any questions regarding data protection, you can contact the Data Protection Department at Barceló Group by sending an email to firstname.lastname@example.org.
II.- What categories of personal data does Barceló process?
In accordance with the provisions of the European General Regulation 2016/679 ("GDPR") and Organic Law 3/2018, of 5 December, on Data Protection ("LOPD"), at Barceló, we process the personal data of users of the "Barceló Hotel Group" application, whether or not they are customers of Barceló and/or its hotels, as set out below.
As we will not use all of your personal data for each and every one of our activities, this document outlines the types of personal data we need to process in each case:
1. Identification and contact details. First name and surname, gender, postal, telephone and email contact details, postal address, date of birth, nationality, email address, mobile phone number.
2. Data of a commercial nature. Commercial profile of the user derived from the analysis of the use of the app (services contracted or booked through the app, requests for our services).
3. Data obtained from cookies. Information about the user's browsing and use through cookies or similar technologies, if the user has authorised this when accessing the app.
III.- Where does the personal data that Barceló processes in its app come from?
As a general rule, in the Barceló app, we process information that we have collected directly from you, which is incorporated into our database. This information is the personal data that you provide when you register or use the app (for example, when you book one of our services, such as the restaurant, spa, gym or miniclub).
With regard to personal data relating to minors (when booking miniclub services), this information is provided exclusively by their legal representatives (mother/father/guardian) at the time of booking miniclub services. As such, the aforementioned legal representatives guarantee the truthfulness and accuracy of the information they provide about the minors they register for the miniclub.
IV.- For what purpose and with what legitimacy does Barceló process my personal data?
The GDPR and the LOPD (Organic Law on the Protection of Personal Data, Spain) establish that a person's personal data may only be processed if one of the legitimate bases provided for in these regulations applies. More specifically, Article 6 of the GDPR establishes a closed list of legitimate grounds that may be used to justify and legitimise the processing of personal data.
The application of any of the legitimate grounds depends, first and foremost, on the purpose for which the personal data is to be processed.
Consequently, Barceló will process your data for the purposes and in accordance with the legitimate bases set out below.
A. Measures required for the execution of a contract between the interested party and Barceló.
Firstly, there are certain data that Barceló is obliged to process in order to provide the services included in the Barceló Hotel Group app. This is because they are essential data and failure to provide them would mean that you would not be able to complete your registration as a user of the app or access the services offered therein.
The following are the processing operations whose legitimate basis is set out in Article 6.1 (b) of the GDPR: "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
1. Booking services or activities through the app.
Barceló users and customers will be able to book certain services offered by the hotel where they are staying, such as restaurant and bar services, room service, gym, spa or miniclub, through the app. The catalogue of services depends on the hotel where they are staying.
In order to book these services, the customer must provide their first name, surname, the room number in the hotel in which they are staying and the days on which they checked in and/or will check in and check out.
In particular, for the correct provision of the services requested through the app, Barceló is required to transmit the user data indicated in the previous paragraph to (i) the company that owns the hotel, whose identity is known to the user through the data protection clause provided at check-in, or (ii) third parties outside the Barceló Hotel Group, in the event that the specific service (spa, restaurant, miniclub) is provided by a third party company. In both cases, in order to process the user's booking through the app and provide the service requested, it will be necessary to transfer the data indicated in the previous paragraph to the hotel company or specific company providing the service requested.
In order to provide these services, Barceló will not request sensitive personal data from the user, such as health data (with the exception of the miniclub, in accordance with the data protection information provided when booking this service). However, the forms used to book the services contain spaces in which the user can enter any comments they consider appropriate. As a consequence of the above, the personal data provided by the user in these free spaces is entirely voluntary.
B. Processing required by law.
Barceló will also process your personal data, as a user and/or customer, in order to comply with the legal obligations that may be required at any given time, including those provided for in the regulations listed below. These are processes that Barceló is legally obliged to carry out, which determines their full legitimacy. This is established in Article 6.1 (c) of the GDPR: "processing is necessary for compliance with a legal obligation to which the controller is subject".
- Organic Law 4/2015, of 30 March, on the Protection of the Security of Citizens and its implementing regulations, which obliges establishments providing accommodation or lodging services to transmit personal data to the security forces and corps.
- Law 58/2003 of 17 December 2003 on General Taxation.
- Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or "GDPR").
- Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights ("LOPD"), which obliges Barceló, as the party responsible for the processing of your personal data, to respond to requests, exercise rights and claims that may arise in relation to data protection.
These legal obligations continue to exist and will be fulfilled by Barceló even after the provision of the services requested by the user has ended, as long as there is an applicable legal obligation.
C. Legitimate interest of Barceló.
Barceló will carry out other additional processing operations under the legitimate interest provided for in article 6.1 (f) of the aforementioned regulation, provided that it considers that they do not prejudice the right of the data subjects to the protection of their personal data. This provision allows processing operations that are "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child".
With regard to such processing, the user has the right to (i) obtain more detailed information on the nature of this "legitimate interest", (ii) know how Barceló came to the conclusion that the protection of their personal data is not compromised, (iii) or directly oppose it. You may do this by the means set out in section 8, indicating the specific processing to which you object and the grounds on which your request is based.
In accordance with the European regulation to which we have referred, Barceló has carried out a so-called "balancing test". This is an internal analysis to confirm that Barceló's legitimate interest does not override the user's interest in the protection of their personal data.
If the customer would like more information about this test, they can request this by sending an email to email@example.com.
This processing is described below.
1. Personalised commercial actions by Barceló, for its own products and services. Creation of your " customer profile".
As stated in the information provided at the time of booking the services of our hotels, Barceló may send you commercial communications and offers about its own products and services, adapted to your profile, interests and needs, whether or not by automated means (by post, telephone or fax, SMS, instant messaging applications, social networks, email, pop-up notifications in the app, or any other electronic or telematic means available at any time).
These communications will be adapted to your "user and customer profile", as we will try to match them to your interests and needs, as well as to the consumption habits that you show in relation to the products and services that you contract with Barceló through the app.
This user and customer profile will take into account both the information that you have provided directly to Barceló when booking your stay or using the hotel services, as well as the data generated by the use of our app (booking services through the app).
In other words, we will not collect any additional information about you from third parties or public sources for these commercial activities, but we will only use and take into account the data that we already have in our own databases, either because you have provided it yourself when contracting a service, or because it has been generated as a result of your relationship with Barceló (e.g. how often you book the spa or gym services).
All of this allows us to create a profile of you as a user and customer of our services, so that we can assess which products or services you may be most interested in and under what conditions. For example, depending on the services that you have requested through the app, we may offer you other similar services that you can enjoy within the hotel.
In this case, Barceló has developed a "balancing test" to prove that your privacy is not compromised by this treatment. According to the result of this test, Barceló considers that its legitimate interest does not affect your privacy, taking into account that the only data that will be used are those that you have previously provided or that have been generated during the contractual relationship and those that we can derive from the analysis of this information.
In addition to the above, and in support of such a balancing test, it should be borne in mind that the sending of commercial communications about related products (including the creation of a profile with data provided by the data subject themselves) is an activity permitted and limited by the current regulations on data protection and electronic communications, and interpreted in this sense by the data protection authorities. In fact, it is expressly authorised by Law 34/2002 on Information Society Services and by Recital 47 of the GDPR.
This processing will be carried out when you have contracted Barceló products and services and, unless you indicate otherwise, by exercising your right to oppose, in accordance with the provisions of section 8.
2. Transfer of personal data to group entities for administrative purposes.
As permitted by the European General Data Protection Regulation, Barceló Hotel Group entities may have access to your data in order to carry out internal administrative, accounting, control, verification, management and reporting tasks. Barceló may also collect your data from these entities in order to carry out these administrative tasks.
In this case, Barceló considers that it has a legitimate interest in carrying out this processing, given that the purpose of the use of the data only relates to internal matters of an administrative nature: controlling the development of the business, complying with the legal obligations relating to the keeping of the accounts of these companies, evaluating any deviations in the operations or in the degree of compliance with the regulations and determining the appropriate corrective measures.
These are purely administrative and internal interests, aimed at ensuring that Barceló's activity is carried out in the best conditions of quality and in strict compliance with the regulations.
As a result of the "balancing test" developed by Barceló, we understand that our legitimate interest does not affect the privacy of the user, given that this use of data will only be for the internal purposes described above and that the data will not be used for commercial purposes. Furthermore, this is also provided for in the GDPR, in Recital 48.
3. Conducting surveys, loyalty programmes and organising competitions.
Barceló may process your personal data as a user of the app in order to send you surveys related to the operation and quality of the services provided through the application.
These surveys will be sent to you through the usual means of contact (email, telephone, pop-up notifications in the app), although you may also complete other surveys through our website.
Barceló will process your data for these activities on the basis of our legitimate interest. The objective is to expand or improve the services that we offer through our application, based on the opinions and suggestions that users may provide.
For this processing, Barceló has also carried out a "balancing test". In conclusion, we would like to inform you that the processing does not affect your right to privacy, since the completion of the surveys is voluntary and no damage will be caused if you do not complete them, in addition to the fact that the results are anonymous. It should also be noted that if you request not to receive commercial communications, you will not receive any requests to complete surveys.
D. Processing based on consent.
There are some processing operations that Barceló is interested in carrying out, but which require your prior consent. These are the processing operations whose legitimate basis is that provided for in article 6.1 (a) of the GDPR, and which Barceló can only carry out if "the data subject has given consent to the processing of his or her personal data for one or more specific purposes".
Therefore, the provisions of the following points depend on you having given us your consent. If we have never asked for your consent to carry out the processing, or if you have refused consent (or have given consent but subsequently withdrawn it), then this processing will not apply to you.
Likewise, you should know that after giving your consent to Barceló to use your data for one of the following processes, you may withdraw that consent at any time, whenever you deem it appropriate and without this in any way preventing or affecting your status as a Barceló customer or the services you may request or have already received from Barceló. However, we must also point out that the withdrawal of your authorisation will take effect from that moment; it will not have retroactive effect, so it will not affect the validity of what we have done at Barceló up to that moment.
Furthermore, if you expressly authorise it, Barceló will also use your personal data to send you instant notifications - or push notifications - to your mobile device, depending on the specific consent you have previously given, in order to inform you of promotions and advertising campaigns that we carry out for our products and services. Similarly, if you have opted in to these push notifications, we will send you communications relating to the services you have requested (for example, reminders of your gym or spa appointments).
As mentioned above, in order for Barceló to send you these push notifications, you must configure your mobile device and the application with the necessary settings to receive these notifications. Likewise, to stop receiving these notifications, you must deactivate them in the settings of the device in which you have authorised them.
IV.- How long will we keep your data?
At the end of these periods and prior to their destruction, Barceló will duly block the user's personal data in order to deal with any claims and to ensure that they are available to the competent authorities for the duration of the statutory limitation period. In these cases, Barceló will adopt the necessary technical and organisational measures to ensure that they are used only for this purpose.
VI.- Who are the recipients of your data?
Your personal data may be communicated to the following third parties:
- Third parties to whom Barceló is legally obliged to communicate them, such as security forces and corps (especially the competent police forces in each Autonomous Community) and administrative or judicial authorities.
- In the event that it is necessary in order to provide the service requested by the user and client through the application (spa, miniclub, restaurant), the data of the interested party will be transferred to:
- The hotel company belonging to Barceló Hotel Group, in the event that the service requested is provided directly by the hotel company.
- To a company outside the Barceló Hotel Group, which will be the service provider, if the service is not provided directly by the hotel company. This transfer will only take place when the service requested by the user is provided by an external company that provides the service within the Barceló hotel facilities.
Apart from the aforementioned data transfers, Barceló will collaborate with third party service providers who may have access to your personal data and who will process the aforementioned data in the name and on behalf of Barceló as a consequence of the provision of their services.
In order to comply with its obligations regarding the protection of personal data, Barceló applies appropriate criteria for the selection of service providers and undertakes to sign the corresponding data processing contract with them, which imposes, among other things, the following obligations: to apply appropriate technical and organisational measures; to process personal data for the agreed purposes and only in accordance with Barceló's documented instructions; and to delete the data or return it to the data controller once the provision of the services has been completed.
Specifically, Barceló may entrust the provision of services to third parties who carry out their activities in the following sectors, by way of example: logistics services, legal advice, private valuation services, supplier approval, multidisciplinary professional services companies, maintenance-related companies, technology service providers, IT service providers, physical security companies, instant messaging service providers, infrastructure management and maintenance companies and call centre service providers.
In general terms, the aforementioned third parties are located within the European Economic Area, with the exception of certain suppliers whose servers may be located outside this territory (for your information, the suppliers with whom Barceló signs contracts for the provision of services are located within the European Economic Area, although their servers may be located outside this territory due to internal issues relating to their technological infrastructure). In these cases, Barceló will adopt the following measures:
- The measures and guarantees indicated in the GDPR will be adopted to ensure that the level of protection of the user's personal data is not compromised.
- Where appropriate, the user will be informed of the existence or absence of an adequacy decision by the European Commission with regard to the country of destination or, failing that, of the guarantees adopted and how to obtain a copy of them.
VII.- Do I have to keep my details up to date?
We ask that all the data you provide us with through the app are accurate, complete, precise and kept up to date.
Therefore, if you change any of the personal information that you have provided to us, in particular your postal address, email address, contact telephone numbers, you must inform us as soon as possible using the means of contact described in section 8.
Otherwise, if you do not notify us of these possible changes, the communications we have sent to you to the contact details we have at that time will continue to be valid.
VIII.- What are your rights when you provide us with your data?
The Data Protection Act gives you a number of rights that you should be aware of and can exercise to protect your privacy and control how we use your personal data. In particular:
- You have the right to obtain confirmation as to whether or not Barceló is processing personal data relating to you and, if so, to access your personal data and to request the rectification of inaccurate data or, where appropriate, the deletion of such data if, among other reasons, it is no longer necessary for the purposes for which it was collected.
- In certain circumstances, you may request the limitation of the processing of your data.
- In certain cases and for reasons related to your particular situation, as well as in cases where Barceló processes your data for our legitimate interest, you may object to the processing of your data. In this case, Barceló will cease processing the data, except for compelling legitimate reasons or for the exercise or defence of possible claims.
- Likewise, you may request the portability of your data in a commonly used and machine-readable format for its transmission to another data controller.
- At this point and at any time thereafter, you have the right to withdraw any consent you have given us.
- In cases where decisions have been made solely and exclusively on the basis of automated processing of your data, including profiling, you may request human intervention, express your point of view and challenge the decisions.
You may exercise all of the above rights by writing to the Barceló Hotel Group Data Protection Officer, enclosing a copy of your national identity document:
- By sending a written request to C/ Rover Motta, 27, 07006, Palma de Mallorca.
- By sending an email to firstname.lastname@example.org.
Finally, you may lodge a complaint with Barceló and/or the Spanish Data Protection Agency (as the competent data protection control authority), especially if you have not obtained satisfaction in the exercise of your rights, by writing to email@example.com or via the website https://www.aepd.es.
IX.- Risk analysis and data protection impact assessment
Barceló has carried out an analysis of the various existing data protection risks in relation to all the processing operations identified in this document. This is an assessment in which, based on the necessity and proportionality of the processing to be carried out in relation to its purpose, evaluates the risks to the rights and freedoms of the customer and considers the measures envisaged to address, manage and attempt to mitigate them, thus guaranteeing the protection of their personal data.
The issues analysed took into account, inter alia, aspects relating to:
- volume of data subject to each processing operation
- involvement of third parties in the data flow
- assessment of personal aspects of natural persons
- categorisation and segmentation
- use of external service providers
- transfer of data
- legitimate bases for processing
- possibility for data subjects to exercise their data protection rights
As a result of this analysis, Barceló has carried out data protection impact assessments. You may request to see the main points of the risk analysis by sending an email to firstname.lastname@example.org.
X.- Who is Barceló's Data Protection Officer?
In order to protect the personal data of our users and clients, and to ensure that Barceló complies with all legal requirements relating to the protection of personal data, Barceló has appointed a person to act as "Data Protection Officer".
This person will be responsible for providing any information requested regarding data protection. You can contact them by writing to the following address: email@example.com.