This document governs the rules relating to the Privacy Policy under which the company María del Pilar García Muñoz – Hotel La Fuente – as Data Controller (hereinafter, “the Controller”) will carry out the processing of the personal data of its customers (whether or not they have purchased its services), suppliers, or third parties, provided by them during their access to the website https://www.hotelafuente.com/
in their registration process or provided by any other lawful means.
If you expressly accept the transfer of your data to the Controller, by whatever means you do so, as long as your consent is express, you will be giving your consent freely, informed, specifically, and unequivocally for the Controller to process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April (hereinafter “GDPR”) and Organic Law 3/2018 of 5 December on Data Protection and Guarantee of Digital Rights.
Controller: María del Pilar García Muñoz
Tax ID (CIF): 70934618L
Website: https://www.hotelafuente.com/
Registered Office: Avenida Humilladero, 12, 37710 – CANDELARIO (SALAMANCA), Spain
Email: info@hotelafuente.com
Phone: +34 722 51 30 04
The Controller may collect on its website the data of its customers, suppliers, and other third parties (hereinafter collectively referred to as “the Data Subject(s)”) when they access it and register or request services through the contact link.
The Data Subject must enter all data required by the Platform at each time (especially those marked with an asterisk), because if they fail to do so, they will not be able to complete their registration as a user or the use of certain functionalities or services available through it. Data may also be collected when they are provided by other lawful means in the ordinary course of commercial or professional activity.
The Data Subject must ensure that the personal data provided is true and accurate and must notify any changes or modifications through the appropriate channels. If the Data Subject provides third-party data, they assume the responsibility of having informed them in advance and having obtained their consent.
The Controller may process the following personal data of the user:
Your data may be accessed by providers who perform services for the Controller relating to the services provided to the Data Subject, and appropriate data processing agreements will be in place with each provider.
Personal data may also be disclosed to competent authorities when there is a legal obligation, and to financial entities for payment management. Data may also be shared with third-party companies related to the Controller’s activity to send the user commercial information that may interest them if the user has expressly accepted this.
The Controller will process personal data for the purposes for which it was provided, including:
Delivering contracted services, maintaining and managing the contractual relationship;
Contacting and responding to user inquiries (via email, contact form, or phone);
Managing user participation in the client private area if applicable;
Sending commercial communications about products and services offered by the Controller;
Creating user profiles to offer relevant products and services;
Managing CVs for recruitment and selection processes;
Sending relevant employment information where the user has consented; and other uses depending on user category (clients: quotations, billing, updates; suppliers: billing and communications; social media contacts: community building, marketing info; job applicants: professional profiling, hiring communications).
Data for managing the customer relationship, billing, and collection of services will be retained for the entire duration of the contract. Once this relationship has ended, where applicable, the data may be retained for the period required by applicable legislation and until any potential liabilities arising from the contract have expired.
Data for managing inquiries and requests will be retained for the time necessary to respond to them, with a maximum period of one year.
Data for sending commercial communications and creating commercial profiles of our products or services will be retained for as long as the commercial relationship with the user is maintained and the user does not withdraw their consent.
Curriculum vitae data for recruitment and selection processes will be retained for two years.
For informational purposes, the legal data retention periods applicable to different matters are set out below:
| DOCUMENT | RETENTION PERIOD | LEGAL REFERENCE |
| Employment or social security-related documentation | 4 years | Article 21 of Royal Legislative Decree 5/2000, of 4 August, approving the revised text of the Law on Offenses and Sanctions in the Social Order |
| Accounting and tax documentation for commercial purposes | 6 years | Art. 30 of the Commercial Code |
| Accounting and tax documentation for tax purposes | 4 years | Articles 66 to 70 of the General Tax Law |
| Access control to buildings | 1 month | Instruction 1/1996 of the Spanish Data Protection Agency |
| Video surveillance | 1 month | Guide of 26 November 2018 of the Spanish Data Protection Agency; Organic Law 4/1997; Law 5/2014 of 4 April on Private Security |
Any user who provides their personal data to the Data Controller may exercise the following rights:
Access, rectification, objection, erasure, portability, and restriction of processing, as well as object to the automated processing of personal data collected by the Data Controller.
Furthermore, all users have the right to withdraw their consent at any time.
These rights may be exercised free of charge by the user by submitting a request using the contact information provided in the Legal Notice.
The user has the right to withdraw their consent to receive marketing communications at any time by simply notifying the Data Controller and stating that they no longer wish to receive such communications. To do so, the user may withdraw their consent by submitting a request using the contact information provided in the Legal Notice or by clicking the “no more marketing communications” link.
The user has the right to file a complaint with the Spanish Data Protection Agency if they believe that the Data Controller has committed any type of infringement in the processing of their data.
The Data Controller will not collect data from minors under any circumstances except where permitted by law. Given the difficulty of verifying users’ ages, it is the responsibility of those with parental authority or legal guardianship of children under 14 to establish control measures on the devices that minors may access, to prevent them from improperly sharing their data.
If the Data Controller becomes aware at any time that a minor has accessed its platform and their data is being processed without the authorization of their legal representatives, it will immediately deactivate that user’s account.
The Controller undertakes to comply with the commitment to secrecy of personal data and its duty to safeguard it, treating the user’s personal data confidentially, adopting the necessary technical and organizational measures that guarantee the security of the data and prevent its alteration, loss, unauthorized processing or access, taking into account the state of the art, the nature of the data stored and the risks to which it is exposed.
The Data Controller may modify its Privacy Policy in accordance with applicable law. In any case, any changes to the Privacy Policy will be duly notified to the user so that they are informed of the changes made to the processing of their personal data and, if required by applicable regulations, the user can give their consent.