Privacy Policy
AZORIS HOTÉIS, S.A. (hereinafter AZORIS GROUP), legal entity 512 006 555,
headquartered at Rua de Lisboa s/n, 9500-216 Ponta Delgada, is committed to
protecting the privacy and personal data of all individuals it interacts with,
including customers, suppliers, and employees.
In compliance with Regulation (EU) 2016/679 of the European Parliament
and Council, dated 27-04-2016, also known as the General Data Protection
Regulation (hereinafter GDPR), and applicable legislation, specifically Law No.
58/2019, of 08-08-2019, AZORIS GROUP has established this Privacy Policy.
1. DEFINITIONS
To ensure a better understanding of this Privacy Policy, it is important to know the concepts. For this reason, GRUPO AZORIS provides a glossary of the terms it considers most important:
Personal data: Any information related to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, especially by reference to an identifier such as a name, an identification number, location data, online identifiers, or one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural, or social identity of that person.
Processing: Any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Special categories of personal data: Personal
data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, as well as genetic data,
biometric data uniquely identifying an individual, data concerning health, or
data concerning a person’s sex life or sexual orientation.
Sensitive categories of personal data: Personal
data related to the economic or financial situation of its holder, other
personal data that may lead to stigmatization or exclusion, usernames,
passwords, and other registration details, and personal data that may be used
for identity fraud.
Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Consent: A free, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or a clear affirmative action, signify agreement to the processing of personal data relating to them.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Privacy by design: Incorporating privacy risks into the design process of a new product or service, rather than considering privacy issues later. This involves carefully
evaluating and implementing appropriate technical and organizational measures from the start to ensure compliance with the GDPR and protect the rights of the data subjects.
Privacy by default: Ensuring that mechanisms are in place within an organization so that, by default, only the necessary amount of personal data is collected, used, and retained for each task. This applies to the extent of its processing, the retention period, and accessibility. These measures ensure that personal data are not made available to an unlimited number of individuals without human intervention.
Pseudonymization: The processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable person.
2. SCOPE
AZORIS GROUP is dedicated to providing hotel and catering services, as well as managing and
organizing events. In the course of this activity, it processes personal data.
This Privacy Policy applies exclusively to personal data for which AZORIS GROUP is
responsible for processing within its business activities, whether in the
commercial area or human resources.
Data may be collected personally, by phone, in writing, by email, by fax, or through websites. AZORIS GROUP websites may include links to other websites that are external to AZORIS GROUP. AZORIS GROUP is not responsible for the data processing carried out through such external websites.
3. PURPOSES AND GROUNDS FOR DATA PROCESSING
Personal data processed by AZORIS GROUP serve various purposes and have
different legal grounds:
Contract management: Processing of identification and other personal data is necessary for the conclusion and performance of service contracts between AZORIS GROUP and
its customers. Customers may choose to provide additional information, which will only be used to help AZORIS GROUP provide the best possible service. Personal data processing is also required to fulfill contracts between AZORIS GROUP and its suppliers.
Legal obligations: AZORIS GROUP is subject to legal obligations that require the processing of personal data.
Quality: AZORIS GROUP may analyze customer information collected through surveys, complaints, and other channels for statistical purposes, with the appropriate consent.
Marketing: With the consent of the data subjects, AZORIS GROUP may process
personal data to send information on promotions, campaigns, newsletters, and
other relevant information to its customers.
Profiling: AZORIS GROUP may analyze customers' commercial information to identify consumption profiles for statistical purposes and/or, with consent, send personalized information to its customers.
Video surveillance: For the safety of customers and employees, AZORIS GROUP facilities are equipped with video surveillance systems, in accordance with the law.
Competitions and contests: AZORIS GROUP may promote contests and sweepstakes that require personal data processing in accordance with applicable regulations.
Recruitment: Candidates may apply for specific positions (through internal or outsourcing recruitment) or submit spontaneous applications. Candidates must provide personal data necessary for recruitment. The information provided by candidates will only be processed for recruitment purposes and will be retained for a maximum of two (2) years.
Human resources management: To fulfill the employment contract, employees must provide personal data to AZORIS GROUP. Where necessary, specific consent will be requested for the processing of sensitive and special data categories.
Whistleblower channel: In compliance with applicable legislation, an internal whistleblower channel has been implemented, through which personal data may be processed, respecting the confidentiality guarantees established by applicable data protection legislation and the policy of said channel. Only necessary personal data for analysis and follow-up of complaints will be processed, and excessive data will be deleted and not processed. Collected data will be retained for five (5) years, after which they may be deleted or anonymized.
4. EMPLOYEES
4.1. AZORIS, as the data controller, processes the personal data of its Employees – the data subjects – who acknowledge that providing personal data constitutes a contractual and legal obligation, as well as a necessary requirement for entering into and executing the Contract.
4.2. The data processing activities are intended for the administration and
management of the contract and the employment relationship between the Parties,
namely for salary processing and/or other personnel management activities. The
personal data and processing are necessary for both the execution of the
contract and the fulfillment of the legal obligations to which AZORIS is
subject, particularly in the areas of labor, social security, and tax law.
4.3. AZORIS may also process personal data necessary to pursue its legitimate interests or those of third parties, particularly when such data processing is strictly necessary and proportional to ensure network and information security.
4.4. AZORIS processes the following categories of personal data of the Employee: (a) Identification Data; (b) Emergency Contact Data; (c) Identity
Card or Citizen Card Data; (d) Bank Data; (e) Academic Status; (f) Tax Status;
(g) Identification Document Data.
4.5. The Employee acknowledges that special categories of personal data may
be processed when: (a) Necessary for compliance with obligations and the
exercise of specific rights of AZORIS or the Employee under labor law, social
security, or social protection; or (b) Necessary for preventive medicine or
occupational medicine and/or the assessment of the Employee's working capacity;
(c) Necessary for the use of biometric systems for attendance and punctuality
control and/or access control.
4.6. AZORIS, in the context of activities related to the administration and
management of the Contract and the employment relationship between the Parties, may communicate and/or transfer the Employee's personal data to the following entities, without excluding other entities not mentioned but that have the legal legitimacy to process the data in question: (a) IGFSS – Institute of Financial Management of Social Security; (b) AT – Tax Authority; (c) Banking Institutions and Insurers; (d) INE – National Statistics Institute; (e) IRT – Regional Labor Inspection; (f) DRQPE – Regional Directorate for Professional Qualification and Employment; (g) Entities responsible for Safety, Hygiene, and Occupational Medicine functions; (h) Subcontractors processing employees' personal data on behalf of AZORIS for purposes determined by it, namely for training purposes; (i) Any other entity tasked with salary processing and/or human resources management functions.
4.7. The communications and/or transfers mentioned in the previous number
are intended for: (a) The calculation and payment of wages, additional benefits, bonuses, and gratuities; (b) The calculation, withholding, and operations related to mandatory or optional salary deductions as required by law; (c) The production of non-nominative statistical operations related to salary processing by the processing entity; (d) Compliance with the obligations AZORIS is subject to, particularly in the areas of labor, social security, and
tax law.
4.8. The personal data mentioned, along with any other data processed by [company name], will be obtained through the contract and other documents requested by [company name] during the Employee's performance of duties and throughout the employment relationship between the Parties.
4.9. The communications and/or transfers mentioned will serve the purpose of operations and activities related to the administration and management of the contract and the employment relationship between the Parties. AZORIS guarantees that in the event of any data transfer outside the European Union, both [company name], its subcontractors, and any third-party recipient of the personal data will comply with their legal obligations concerning the conditions of such transfer, including the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
4.10. The vehicles provided to workers by AZORIS are equipped with geolocation devices (GPS) for the purposes of i) Fleet management for external services: in areas of technical assistance, home service, goods distribution, passenger transportation, goods transportation, and private security; and ii) Asset protection: transporting high-value materials.
4.11. The AZORIS premises are protected by a video surveillance system to
ensure the protection of people and property.
4.12. AZORIS will retain personal data only for the period necessary to fulfill the purposes for which they were collected and to meet its legal obligations, taking into account best practices and the legal obligations AZORIS is subject to, particularly in labor, social security, and tax law.
4.13. The Employee shall exercise their rights relating to personal data as
set out in this Privacy Policy.
4.14. Any other processing of the Employee's personal data that AZORIS may undertake for purposes not identified in this clause will be communicated to the Employee before the processing begins.
5. COOKIES
Cookies are used on GRUPO AZORIS websites to improve the browsing experience and provide the best possible service. Cookies are small files that are stored on access devices through the browser, retaining only information related to preferences and thus not including personal data. Although cookies can be managed directly in the browser, by continuing to browse the site, the user is consenting to their use; however, disabling cookies may prevent some web services from functioning correctly, partially or entirely affecting website navigation.
6. RIGHTS OF DATA SUBJECTS
Under the GDPR, data subjects have, among others, the following rights:
- Right of access;
- Right to rectification;
- Right to erasure (right to be forgotten;
- Right to restrict processing;
- Right to data portability;
- Right to object;
- Right to withdraw consent.
If you wish to exercise any of your rights or clarify any questions, the data subject should contact GRUPO AZORIS in writing, addressed to the "Privacy Officer" at Rua de Lisboa s/n; 9500-216 Ponta Delgada, email: rgpd@financor.pt, or by filling out the form available at GRUPO AZORIS.
7. DUTIES OF THE AZORIS GROUP
The AZORIS GROUP aims to:
a) collect only data for determined, explicit, and legitimate purposes;
b) minimize data collection by promoting only the adequate and relevant collection limited to what is effectively necessary for the relevant purposes;
c) not use the collected data for purposes other than those for which it was collected and the consents obtained;
d) update the data whenever necessary;
e) retain the data in a manner that identification is possible only for the period necessary for the purposes for which it was collected;
f) protect the data against unauthorized or unlawful processing and against loss, destruction, or accidental damage;
g) implement the principles of privacy by design and by default in the activities/processes of personal data processing;
h) adopt a privacy by design reference framework;
i) implement encryption or pseudonymization techniques for the data in
use;
j) ensure compliance with the GDPR.
This policy will be updated periodically.
06.06.2024
___________________________________
WEBSITE PROVIDER (PARATY TECH)
Applicable to Users of this Hospitality Business when making a reservation.
Data Controller (we): The Hospitality Business that will provide you, the user, with the requested service. Our identification and contact details are available on the website you used to make your booking / to ask us your questions. They will also appear on our invoice that we send to you.
Data Compliance Officer: Not applicable to the activities of Data Controllers.
User: You, who filled in the booking form or any other documentation related to it.
Purpose: The purpose of processing the data provided through this form is to manage the reservations made by you, the user, and / or respond to the questions / requests made.
Legal Basis:
- Either the need to perform our contract with you, the user / the need to take action at your request before entering into a contract.
- Or the consent of you, the user, by checking the box of acceptance of the Terms and Conditions of which this privacy and personal data policy is an integral part.
Duration: We will store the data provided by you, the user, for the time necessary to manage the reservation made, as well as the accommodation services requested. Once management is complete, your data will be kept for six (6) months. If you consent to receive marketing and/or commercial information, your data will be stored until you withdraw your consent.
Processor: We hired our partner Paraty Tech ( www.paratytech.com) to carry out the reservation mechanism for our business. Paraty Tech acts under our authority and we signed a contract with Paraty Tech to provide its services. We instruct Paraty Tech in writing on how the processing should be done.
Data entities other than users: When you, the user, provide us with personal data belonging to a data subject other than you, you are responsible for such acts, as well as for obtaining the respective consent of such data subjects for the provision of their Dice.
Data Transfer: We must not transfer personal data to a third country outside the EEA (European Economic Area).
Rights of data subjects: Data subjects can exercise their rights of access, rectification, cancellation and opposition by sending an email or via the postal service to the contact details on our booking website and on our invoices.
Supervisory Authority: If a data subject considers their rights to be affected, they can also resort to the competent supervisory authority of the Member State concerned. More information at: https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en