Privacy Policy
Privacy, Security and Data Protection Policy
I – PRIVACY COMMITMENT
The NEYA Hotels Group is grateful for the trust placed in it and is committed to protecting the privacy of all users of the various websites and digital platforms it provides and owns. In this context, it has drawn up this Privacy, Security and Data Protection Policy in order to guarantee its commitment to and respect for the rules on privacy and the protection of personal data.
II – PERSON RESPONSIBLE FOR PROCESSING PERSONAL DATA
In accordance with and for the purposes of Regulation EU 2016/679 of the European Parliament and of the Council of April 27, 2016 (General Data Protection Regulation, hereinafter “GDPR”) and Law no. 58/2019, of August 8 (Law implementing the GDPR in the Portuguese legal system, hereinafter “LPDP”), the Joint Data Controllers are:
- AZAD, Sociedade de Investimentos Turísticos e Hoteleiros, Unipessoal, Lda, tax payer no. 508774942, with registered office at Rua D. Estefânia, 71-77, 1150-132 Lisboa, in its capacity as owner and operator of the NEYA Lisboa Hotel located at Rua D. Estefânia 71-77, 1150-132 Lisboa;
- NEYA – Empreendimentos Hoteleiros e Turísticos, Unipessoal, Lda, tax number 508561779, with registered office at Praça de Londres, n.º 3, 4.º Esq, 1000-191 Lisboa, in its capacity as owner and operator of NEYA Porto Hotel located at Rua de Monchique, n.º 35-41, 4050-394 Porto.
III – DEFINITION OF PERSONAL DATA
Personal data is any information, regardless of its nature or medium, relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by any factor enabling him or her to be identified.
IV – DEFINITION OF PERSONAL DATA SUBJECT
The holder of the personal data is the customer/user/supplier/subcontractor, a natural person, to whom the data relates. In this case, a customer/user is the person who hires/accesses the site/uses the services or products of the Data Controllers.
V – DATA SUBJECTS’ RIGHTS
Under the terms of the GDPR and the LPDP, the data subject is guaranteed the exercise of all legally permitted rights, provided there is processing of personal data by the Data Controllers, namely:
– Right of access – consists of the right to obtain confirmation of what personal data is being processed and information about it.
– Right to rectification – consists of the right to request the rectification of your personal data that is incorrect/outdated or to request that incomplete data be completed.
– Right to erasure of data or “right to be forgotten” – consists of the right to obtain the deletion of your personal data, provided that there are no valid and/or legitimate grounds on the part of the Data Controllers for its retention.
– Right to portability – consists of the right to receive the data you have provided in a commonly used and machine-readable digital format, or to request the direct transmission of your data to another entity that becomes the new controller of your personal data.
– Right to withdraw consent or right to object – consists of the right to object or withdraw consent at any time to data processing, provided that there are no valid and/or legitimate grounds on the part of the Data Controllers for not accepting the exercise of this right.
– Right to restriction – consists of the right to request the restriction of the processing of your personal data, in the form of suspension of processing or limitation of the scope of processing to certain categories of data or processing purposes.
– Right to complain – consists of the right to lodge a complaint with the relevant supervisory authority if you consider that your rights have been infringed. In Portugal, this authority is the National Data Protection Commission (hereinafter “CNPD”). More information about the CNPD is available at www.cnpd.pt.
VI – INFORMATION AND CONSENT
By accepting this Privacy Notice, the Data Subject is informed and gives his/her express, unambiguous, free and informed consent for the processing of the personal data he/she provides through the domain and subdomains of neyahotels.com (the “Website”) to be processed by the Data Controllers in the future.
VII – EXERCISING THE RIGHTS OF PERSONAL DATA SUBJECTS
Data controllers undertake to respond to the exercise of rights by data subjects within a maximum of 30 (thirty) days, unless the request is particularly extensive or complex.
The exercise of rights tends to be free of charge, except in the case of a manifestly unfounded or excessive request, in which case a reasonable fee may be charged taking into account the costs.
It should be noted that any request to exercise these rights must always be made in writing, either in person or electronically.
To exercise your personal data protection rights or ask any questions about the use of your personal data, you can do so by e-mail to the following address: [email protected].
VIII – PURPOSE OF OBTAINING DATA
The data obtained within the scope of the digital and physical presence of the Data Controllers is intended to ensure the correct provision of our services, and to ensure the navigation and availability of content on our websites. Among other things, it is used for:
- Fulfilling our obligations to our customers;
- Managing accommodation bookings: Creation, storage and processing of legal documents and personal data in accordance with the GDPR and LPDP.
- Managing your stay: Monitoring the use of services for exclusive debit purposes (telephone, bar, pay TV, etc.); managing access to rooms;
- Improving the service we provide: Adapting our products and services to better serve our customers’ needs;
- Customer relationship management: Management of loyalty programs; Segmentation of operations based on the customer’s booking history; Development of internal statistics and reports; Sending and managing newsletters, promotions, service offers and satisfaction questionnaires;
- Use of third-party services for the analysis and mapping of personal data, at the time of booking and/or during the stay, to determine the client’s profile;
- Compliance with local legislation (e.g. when storing official client documents).
IX – TYPES OF PERSONAL DATA COLLECTED
The Controllers, through their websites and/or hotel units, do not process personal data belonging to special categories within the meaning of Article 9 of Regulation EU 2016/679. Through their website, messages or in person, Data Controllers may obtain and process the following personal data:
- a) Specific data:
– Contact details (first name, last name, telephone number and email);
– Personal information (date of birth, nationality, city, country);
– Children’s information (first name, last name, age and date of birth);
– Credit card number (for billing/bank transaction purposes);
– Your preferences (preferred floor, type of bed, interests, limitations, etc.).
– Your limitations (allergies, food intolerances, etc.).
- b) Any information provided by you through the website or by messages, either by filling in forms or sent in free text. This information includes, in particular, that provided when registering to receive the newsletter, contact requests, accommodation reservations and other complementary services. The information you provide when you participate in any area that involves you registering or providing content of your own, or when you interact with the Data Controllers, such as when you send an e-mail requesting information to any of the addresses belonging to the domains of which the Data Controllers are the owners, may also be processed.
- c) Information relating to your visits to the website including, in particular, IP addresses, page visit time, and browser type, for system administration and to facilitate navigation and return to the website afterwards. In principle, this data will only be processed for statistical purposes on the actions and browsing patterns of website users and does not allow the identification of any individual. However, when the user provides other information, this data may allow their identification and will be processed in accordance with the GDPR and the LPDP.
- d) Information regarding Internet access via WIFI and Ethernet by your electronic devices, namely the Internet Protocol (“IP”) address, the Media Access Control (“MAC”) address, the time of use of the service and activity associated with the device. For more information please consult the Terms and Conditions for WIFI and Ethernet.
We also inform you that the personal data collected by the Data Controllers is limited to what is strictly necessary for the pursuit of the purposes for which it was requested.
When personal data is provided, the Controllers provide all the information legally required for the processing of such data and require the consent of the data subjects when this is required by law and when there is no legitimate interest on the part of the Controllers or third parties, such as the processing of data for the purposes of improving the quality of service, fraud detection and revenue protection, and when our reasons for using it must prevail over your data protection rights.
X – PLACES WHERE PERSONAL DATA IS COLLECTED
The places listed below are those that may usually request access to the customer’s personal data:
- a) Website:
– Contact request;
– Information request;
– Request to book accommodation and/or complementary services;
- b) Hotel activities:
– Room reservation;
– Payment and check-in;
– Food and Beverage outlets and other outlets (SPA, Shop, etc.);
– Requests, complaints and compliments;
- c) Participation in marketing campaigns:
– Registration in loyalty programs;
– Participation in surveys (namely the satisfaction survey);
– Subscription to services complementary to the hotel’s activity;
XI – DATA RETENTION PERIODS
The period during which the data will be stored and kept corresponds only to the period necessary for the fulfillment of the defined purpose or, depending on what is applicable, until you exercise your right to object, right to be forgotten or withdraw consent, varying according to the purpose for which the information is used.
As a rule, personal data relating to contracted accommodation and those provided in the accommodation newsletter will be stored for 2 (two) years after the end of the contract (i.e. two years after the customer checks out).
Billing and payment data is kept for 10 (ten) years, under the terms of the Value Added Tax Code (CIVA).
Data relating to complaints will be kept for a period of 3 (three) years, under the terms of Article 3(1)(d) of Decree-Law 156/2005 of September 15th.
In newsletters, the period of retention and processing of the personal data you provide begins when you submit the subscription form and ends when you unsubscribe. You can unsubscribe at any time via a dedicated link available in all our newsletters. When you unsubscribe, you will receive an email notification and, subject to the terms of the applicable legislation, your data will be removed from our newsletter mailing list.
All other services not detailed above will only store your information for the maximum legal period in force and, if this is indefinite, until you exercise your right to object, right to be forgotten or withdraw consent.
To this end, the COMPANY uses the following entities as subcontractors for specific purposes:
– Maintenance of Property Management System software: Host Hotel Systems, with registered office at: Rua Ana Maria Bastos, Edificio Ponte Nova, 5 Escritório 2 2560-306 Torres Vedras (hereinafter “HOST”), as subcontractor;
– Channel Manager software maintenance: D-Edge S.A.S Portugal, with registered office at: R. Torcato José Clavine n.º 9 CV Esq, 2800-710 Almada (hereinafter “D-Edge”), as subcontractor;
– Guest Review software maintenance: Shiji Information Technology Spain, S.A., with registered office at: Passeig de Gràcia, 17, planta 6, 08007 Barcelona (hereinafter “ReviewPro”);
– Point of Sale software maintenance: Host Hotel Systems, with registered office at: Rua Ana Maria Bastos, Edificio Ponte Nova, 5 Escritório 2 2560-306 Torres Vedras (hereinafter “HOST”), as subcontractor;
– Consultancy relating to Property Management System Software and Food & Beverage: Host Hotel Systems, with registered office at: Rua Ana Maria Bastos, Edificio Ponte Nova, 5 Escritório 2 2560-306 Torres Vedras (hereinafter “HOST”), as subcontractor;
– Maintenance of web platform and booking portal: ROIBACK, with registered office at Av. da Quinta Grande, 53 7ª Edifício Prime 2610-156 Amadora, Portugal, tax identification number B-57.667.586 (hereinafter “Roiback”), as subcontractor;
– Maintenance of graphic content: High Communication – Brand & Media Consulting, Lda, tax identification number 500035300, with registered office at: Rua General Garcia Rosado nº13, 1150-173 Lisboa (hereinafter “Hicom”), as subcontractor;
– Computer systems maintenance: NewAlliance IT Solutions, Lda, tax identification number 513749489, with registered office at: Praça de Londres nº3 4ºEsq, 1000-191 Lisboa (hereinafter “NewAlliance IT”), as subcontractor;
– Registration and sending of newsletters: E-goi, tax identification number 514727420, with registered office at: Av. Menéres 840, 4450-190 Matosinhos (hereinafter “E-goi”), as subcontractor.
– Consultant for the Odoo management system: Thinkopen Solutions, Lda, tax identification number 509624626, with registered office at: Av. das Túlipas A, 1495-161 Algés (hereinafter “ThinkOpen”), as subcontractor.
– Consultancy related to customer communication software: Quicktext, tax identification number 488 865 619, with registered office at: 64, rue Jean-Pierre Timbaud, 75011, Paris, as subcontractor.
Host, D-Edge, Trust You, Roiback, Hicom, NewAlliance IT, E-goi, PSG, ThinkOpen and Quicktext act on behalf of and in the interests of the COMPANY in accordance with the provisions of the GDPR, specifically Article 45 of Chapter IV, relating to the Data Controller and Processor.
XII – WHERE PERSONAL DATA IS PROCESSED
Data processing takes place at the aforementioned premises of the Data Controllers and is only processed by technical employees of the entity responsible for processing it.
For all the above-mentioned subcontractors, the place of data processing is located in the EU, so the COMPANY acts together with their teams, at the companies’ own headquarters, self-certified in accordance with the provisions of EU law and national law, and ensured by Articles 17, 18, 19 and 20 of Framework Decision 2008/977/JHA, applied by virtue of Article 13 of the GDPR.
XIII – INFORMATION TRACKING
The Data Controllers use tracking technologies to improve navigation on their websites and newsletters. Obtaining this data is essential to ensure functionality, improve navigation on our websites and for sending the newsletter, service subscription forms and accommodation bookings, as well as improving our communications with subscribers and customers and enabling statistical analysis. See our Cookies Policy for more information.
XIV – PRIVACY OF MINORS
Personal data relating to minors may only be made available, in person or on the website of the Data Controllers, by the holders of parental responsibility and within the legal parameters in force.
In such cases, the Data Controllers shall make every effort to verify that consent has been given or authorized by the holder of parental responsibility for the minor, taking into account the available technology.
The Data Controllers cannot be held responsible for the lawfulness of the processing of personal data provided by persons who commit fraud with regard to their identity and other identification elements.
XV – LIABILITY OF THE HOLDER OF PERSONAL DATA
The Data Subject who uses the computer platforms provided by the Data Controllers guarantees that he/she is over 18 (eighteen) years of age and that the data provided is true, accurate, complete and up-to-date, assuming responsibility for the veracity of all the data disclosed and must keep the information provided duly updated.
When the holder of personal data provides their data to third parties for the purpose of contracting the services provided by the Data Controllers, these third parties must ensure that they have obtained the authorization of the data holder for the data to be provided to the Data Controllers for the purposes indicated.
The Data Controller or any third party acting on its behalf and representation shall be liable for false or inaccurate information provided on the website and for direct or indirect damages caused to Data Controllers or third parties.
XVI – VIDEO SURVEILLANCE
The establishments of the Data Controllers are equipped with video surveillance and image recording systems for the purpose of protecting people and property, with the aim of pursuing the legitimate interest of security within their premises. The data collected through the video surveillance systems is intended to be used and communicated exclusively under the terms of criminal procedural law, although a private security entity subcontracted for this purpose may be responsible for processing it. Data subjects may exercise their right of access to data concerning them, which may not involve access to images of third parties, which will be hidden or anonymized. The Data Controllers may, at any time, limit or withdraw the video surveillance system from their establishments, and there may be periods when they are not in operation, namely due to maintenance needs, technical reasons or power cuts.
The data collected by the video surveillance systems will be stored for 30 days.
XVII – PROTECTION OF DATA SUBJECTS’ PERSONAL DATA
In accordance with the legislation in force and taking into account the available technology, the Controllers provide an adequate level of protection for your personal data, namely by implementing the technical and organizational measures necessary to protect your personal data against accidental destruction, loss or modification, as well as against access and other unauthorized processes, namely:
– Logical security requirements and measures, such as the use of firewall, Virtual LAN and intrusion detection systems in your systems.
– Physical security measures, including strict access control to the physical premises of the Data Controllers.
– Means of data protection using technical means such as encryption, pseudonymization and anonymization of personal data.
– Scrutiny, auditing and control mechanisms to ensure compliance with security and privacy policies.
– An information and training program for employees and partners of the Controllers.
– Access rules for customers/users to certain products or services, such as a second opt-in level for subscribing to services on the platform and the introduction of a password whenever an employee accesses, directly or indirectly, any database of the Controllers, in order to strengthen control and security mechanisms.
However, the Data Controllers inform you that no security system can guarantee absolute protection.
We remain at your disposal for any questions or comments regarding the confidentiality and security of your personal data.
Lisbon, May 25, 2018
Policy updated on February 3, 2020
Policy updated on December 21, 2020
Policy updated on October 22, 2024