Privacy Policy

AZORIS HOTÉIS, SA (hereinafter the AZORIS GROUP), legal person 512 006 555, headquartered at Rua de Lisboa s/n; 9500-216 Ponta Delgada, is committed to protecting the privacy and personal data of all individuals with whom it relates, namely customers, suppliers and employees.

In this sense and in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27-04-2016, also known as the General Regulation for the Protection of Personal Data (hereinafter RGPD) and other applicable legislation, namely the Law n.º 58/2019, of 08-08-2019, meanwhile published, GRUPO AZORIS established this Privacy Policy.

1. DEFINITIONS

To ensure a better understanding of this Privacy Policy, it is important to know the concepts. For this reason, GRUPO AZORIS provides a glossary of the terms it considers most important:

Personal data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, electronic identifiers or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: Any operation or set of operations carried out on personal data or on sets of personal data, by automated or non-automated means, such as collection, registration, organization, structuring, conservation, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, broadcast or any other form of making available, comparison or interconnection, limitation, erasure or destruction.

Special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data that uniquely identify a person, data relating to health or data relating to a person's sex life or sexual orientation.

Sensitive categories of personal data: Personal data relating to the holder's economic or financial situation, (other) personal data that may lead to stigmatization or exclusion of the data subject, usernames, passwords and other registration elements, personal data that could be used for identity fraud.

Responsible for processing: Natural or legal person, public authority, agency or other body that, individually or jointly with others, determines the purposes and means of processing personal data.

Subcontractor: Natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Consent: Expression of will, free, specific, informed and explicit, by which the data subject accepts, through a declaration or unequivocal positive act, that the personal data concerning him are subject to treatment.

Violation of personal data: Violation of security that causes, accidentally or unlawfully, the destruction, loss, alteration, disclosure or unauthorized access to personal data transmitted, stored or subject to any other type of treatment.

Privacy by design: It means taking privacy risk into account throughout the process of designing a new product or service, rather than considering privacy issues only afterwards. This means carefully evaluating and implementing appropriate technical and organizational measures and procedures from the outset to ensure that the processing complies with the GDPR and protects the rights of the data subjects concerned.

Privacy by default: Means ensuring that mechanisms are put in place within an organization to ensure that, by default, only the necessary amount of personal data will be collected, used and preserved for each task. This obligation applies to the extent of its treatment, the period of conservation and its accessibility. These measures ensure that personal data are not made available without human intervention to an undetermined number of natural persons.

Pseudonymisation: Processing of personal data in such a way that they can no longer be attributed to a specific data subject without resorting to supplementary information, provided that such supplementary information is kept separately and subject to technical and organizational measures to ensure that personal data cannot be attributed to an identified or identifiable natural person.

2. SCOPE

GRUPO AZORIS is dedicated to the provision of hotel and restaurant services and the management and organization of events, and, within the scope of this activity, processes personal data.

This Privacy Policy applies exclusively to personal data for which GRUPO AZORIS is responsible for the respective treatment within the scope of its area of activity, whether in the commercial area or in the area of human resources.

Data can be collected in person, by telephone and in writing, by e-mail, by fax or through websites.

GRUPO AZORIS websites may include access links to other websites that are unrelated to GRUPO AZORIS. Access links to GRUPO AZORIS websites may be included in websites outside of GRUPO AZORIS. GRUPO AZORIS cannot be held responsible for the processing of data carried out through such third party websites.

3. PURPOSES AND GROUNDS FOR DATA PROCESSING

The personal data processed by GRUPO AZORIS have different purposes and foundations.

Management of the contractual relationship: The processing of personal identification data and others is necessary for the conclusion and fulfillment of the contract for the provision of services entered into between GRUPO AZORIS and its customers. Customers may choose to provide additional information, which will only be used to help GRUPO AZORIS provide the best possible service. The processing of personal data is also necessary for the fulfillment of contracts for the provision of services and goods between GRUPO AZORIS and its suppliers.

Legal obligations: GRUPO AZORIS is subject to compliance with legal obligations that impose the processing of data.

Quality: GRUPO AZORIS may analyze its customers' information, collected through surveys, complaints and other means, for statistical purposes if it has the respective consent.

Marketing: With the consent of the holders, GRUPO AZORIS may process personal data to send information about promotions, campaigns, newsletters and other relevant information to its customers.

Profiling: GRUPO AZORIS may analyze its customers' commercial information to identify consumption profiles for statistical purposes and/or, if it has the respective consent, send personalized information to its customers.

Video surveillance: For the safety of customers and employees, GRUPO AZORIS facilities have video surveillance systems, under the terms of the law.

Hobbies and contests: GRUPO AZORIS may promote hobbies and contests for which processing of personal data is necessary, in accordance with the applicable regulations.

Recruitment: Candidates can apply for specific vacancies (through internal recruitment or outsourcing) or submit spontaneous applications, for which they must provide personal data necessary for recruitment. The information provided by candidates will be processed for recruitment purposes only and will be kept for a maximum of 2 years.

Human Resources Management: For the performance of the employment contract, employees must provide personal data to GRUPO AZORIS. If necessary, specific consents will be requested for the processing of data that so require (for example for categories of special and sensitive data).

Whistleblowing channel: In compliance with the applicable legislation, an internal whistleblowing channel was implemented, within which personal data may be processed with respect for the confidentiality guarantees provided for in the legislation applicable to the protection of whistleblowers, in the legislation for the protection of personal data and in the policy of said channel. Only personal data considered necessary for the analysis and follow-up of complaints will be processed; excessive data will therefore be deleted and will not be processed. The data collected will be kept for a period of five (5) years, after which it may be deleted or anonymized.

4. COOKIES

Cookies are used on GRUPO AZORIS websites to improve the browsing experience and provide the best possible service. Cookies are small files that are stored in access equipment through the browser, retaining only information related to preferences, thus not including personal data. Although cookies can be managed directly in the browser, by continuing to browse the site the user will be consenting to their use; disabling cookies, however, may prevent some web services from working properly, partially or completely affecting navigation on the website.

5. HOLDERS' RIGHTS

Under the terms of the RGPD, data subjects have, among others, the following rights: Right of access; Right of rectification; Right to be forgotten; Right to limitation of treatment; Right to data portability; Right of opposition; Right to withdraw consent.

To exercise any of these rights or clarify any doubts, the holder must contact GRUPO AZORIS, in writing, addressed to the “Responsible for privacy”, through the address Rua de Lisboa s/n; 9500-216 Ponta Delgada, e-mail: rgpd@financor.pt or by filling out the form available at GRUPO AZORIS.

6. DUTIES OF THE AZORIS GROUP

The AZORIS GROUP proposes to:

a) only collect data for specific, explicit and legitimate purposes;
b) minimize the collection of data, collecting only adequate and pertinent data, limited to what is effectively necessary in relation to the purposes;
c) not use the data collected for purposes other than those of the collection and the consents obtained;
d) update the data whenever necessary;
e) keep the data in such a way that their identification is only possible during the period necessary for the purposes for which they were collected;
f) protect data against unauthorized or unlawful processing and against accidental loss, destruction or damage;
g) implement the principles of privacy by design and by default in activities / processes for processing personal data;
h) adopt a privacy by design reference framework;
i) implement encryption techniques or pseudonymization of the data in use;
j) ensure compliance with the GDPR.

Ponta Delgada, August 24, 2022.

This policy will be updated periodically.

WEBSITE PROVIDER (PARATY TECH)

Applicable to Users of this Hospitality Business when making a reservation.
Data Controller (we): The Hospitality Business that will provide you, the user, with the requested service. Our identification and contact details are available on the website you used to make your booking / to ask us your questions. They will also appear on our invoice that we send to you.

Data Compliance Officer: Not applicable to the activities of Data Controllers.

User: You, who filled in the booking form or any other documentation related to it.

Purpose: The purpose of processing the data provided through this form is to manage the reservations made by you, the user, and / or respond to the questions / requests made.

Legal Basis:

- Either the need to perform our contract with you, the user / the need to take action at your request before entering into a contract.
- Or the consent of you, the user, by checking the box of acceptance of the Terms and Conditions of which this privacy and personal data policy is an integral part.

Duration: We will store the data provided by you, the user, for the time necessary to manage the reservation made, as well as the accommodation services requested. Once management is complete, your data will be kept for six (6) months. If you consent to receive marketing and/or commercial information, your data will be stored until you withdraw your consent.

Processor: We hired our partner Paraty Tech (www.paratytech.com) to carry out the reservation mechanism for our business. Paraty Tech acts under our authority and we signed a contract with Paraty Tech to provide its services. We instruct Paraty Tech in writing on how the processing should be done.

Data subjects other than users: When you, the user, provide us with personal data belonging to a data subject other than you, you are responsible for such acts, as well as for obtaining the respective consent of such data subjects for the provision of their data.

Data Transfer: We must not transfer personal data to a third country outside the EEA (European Economic Area).

Rights of data subjects: Data subjects can exercise their rights of access, rectification, cancellation and opposition by sending an email or via the postal service to the contact details on our booking website and on our invoices.

Supervisory Authority: If a data subject considers their rights to be affected, they can also resort to the competent supervisory authority of the Member State concerned. More information at: https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en