APARTUR MARINAS DE NERJA SL, PRIVACY POLICY
 
1. INFORMATION FOR THE DATA SUBJECT
 
The company APARTUR MARINAS DE NERJA SL, holder of Tax ID (CIF) B29645355 and with registered address at Km 289,5, N-340, 29780 Nerja, Málaga, is responsible for the processing of the personal data of the data subjects. You are informed that your data will be processed in accordance with the provisions of Regulation (EU) 2016/679 of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and you are therefore provided with the following information on processing:
 
a) Purpose of processing.
The purpose of the collection and processing of personal data is the management of accommodation and maintaining of a commercial relationship with the data subjects. The operations foreseen to carry out the processing are the sending of commercial and/or advertising communications by any means of communication, whether electronic or physical, present or future, that allow commercial communications to be sent. These communications will be carried out by the data controller and will be related to its products and services related to the Ona Hotels brand, or those of its collaborators or suppliers with which it has a promotional agreement. In this case, third parties will never have access to the personal data.
 
The carrying out of statistical research.
The processing of applications or any type of request made by the data subjects through any of the contact methods made available to them.
The sending of newsletters relating to the activity of the “Ona Hotels” brand, with the Ona Hotels brand being understood to mean all those activities carried out by companies directly or indirectly related to the aforementioned brand.
 
b) Data retention criteria:
Personal data provided by data subjects shall be kept for the legally established period of time and/or for as long as there is a mutual interest in continuing the processing. When this is no longer necessary for that purpose, they will be deleted with appropriate security measures to ensure the pseudonymisation of the data or their total destruction.
 
c) Communication of data:
Personal data provided by data subjects will not be transferred to third parties, unless this is provided for by a law or unless such a transfer is necessary for the provision of a service to the data controller. In any case, the processing by third parties shall comply with the provisions of Article 28 et seq. of the GDPR.
 
d) Rights of data subjects:
• Right to withdraw consent at any time.
• Right to access, rectification, portability, and erasure of their data and to limit or oppose its processing.
• The right to lodge a complaint with the supervisory authority (agpd.es) if you believe that the processing does not comply with the regulations.
 
e) Contact details for exercising your rights:
Data subjects may exercise their rights, in the terms provided for by law, by contacting the establishment's address, Km 289,5, N-340, 29780 Nerja, Málaga, or by sending an email to: gdpr@onahotels.com.
 
2. OBLIGATORY OR OPTIONAL NATURE OF THE INFORMATION PROVIDED BY THE DATA SUBJECTS.
 
The data subject, by ticking the corresponding boxes and entering data in the fields marked with an asterisk (*) in the contact form or those present on downloadable forms, expressly and freely and unequivocally accepts that their data are necessary to handle their request by the data controller, with any data entered in the remaining fields being voluntary. The data subject guarantees that the personal data provided to the data controller are accurate and is responsible for communicating any changes to the data.
 
The data controller expressly informs and guarantees the data subjects that their personal data will not be transferred under any circumstances to third parties, and that whenever any type of transfer of personal data is to be carried out, the express, informed, and unequivocal consent of the data subjects will be requested beforehand. All data requested through the website are obligatory, as they are necessary to be able to provide an optimal service to the data subjects. In the event that all the data is not provided, there is no guarantee that the information and services provided will be completely tailored to your needs.
 
3. SECURITY MEASURES
 
In accordance with the provisions of the current regulations on personal data protection, the data controller informs data subjects that it complies with all the provisions of the GDPR and LOPDGDD for the processing of personal data under its responsibility, and manifestly with the principles described in GDPR Article 5, according to which they are processed lawfully, fairly, and transparently in relation to the data subject and are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
 
The data controller guarantees that it has implemented appropriate technical and organisational policies to apply the security measures established by the GDPR and the LOPDGDD in order to protect the rights and freedoms of data subjects and has communicated the appropriate information to them so that they can exercise them.