Personal data protection policy
NEOBOOKINGS S.L. is an Organisation that collects personal data through the various means at its disposal, which entails a significant responsibility in the design and organisation of procedures so that they are aligned with legal compliance in Data Protection. For this reason, NEOBOOKINGS S.L. will adopt all the security measures necessary to ensure the protection of the data collected.
In the exercise of these responsibilities, and in order to establish the general principles that must govern the processing of personal data in the Organisation, NEOBOOKINGS S.L. approves this personal data protection policy, which it notifies and makes available to all its stakeholders, while also respecting the following regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPD-GDD).
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).
I. Scope of application
This personal data protection policy shall apply to NEOBOOKINGS S.L., to its administrative, management and staff bodies, as well as to all persons who interact with the Organisation, expressly including service providers with access to data (“Data processors”).
The controller of the personal data collected in the Organisation is: NEOBOOKINGS S.L., holder of Tax ID (NIF): B57298010, whose representative is JOSE MARIA RAMÓN CARMONA (hereinafter, the Data Controller). Its contact details are as follows:
- Address: C/ Font del Vidal 2, Esparreguera, Barcelona, 08292
- Contact telephone: 931767600
- Contact email: facturacion@neobookings.com
II. Information about the controller and the processing of personal data at NEOBOOKINGS S.L.
The additional information about data processing is a set of more specific and expanded details that entities must provide to data subjects on how their personal data is managed. This concept derives from the transparency principle of the General Data Protection Regulation (GDPR) and complements the basic information initially provided, offering a greater level of detail about the processing operations.
Below, NEOBOOKINGS S.L. provides additional information about the data processing it carries out:
Data about the data controller
| Identity | NEOBOOKINGS S.L. |
|---|
| Address | C/ Font del Vidal 2, Esparreguera, Barcelona, 08292 |
|---|
| Contact telephone | 931767600 |
|---|
| Email | facturacion@neobookings.com |
|---|
Purposes of the processing of personal data
| Data processing | Purpose of the processing | Retention period |
|---|
| NEWSLETTER | Customer, accounting, tax and administrative management; advertising and commercial prospecting. | Customer management: for the duration of the contractual relationship and, once ended, during the limitation periods for legal liabilities. Accounting, tax and administrative: 4 years from the end of the voluntary period for filing the relevant return. Advertising and commercial prospecting: while consent is maintained or the right to object/erasure is not exercised; thereafter, during the limitation periods for possible liabilities (blocked). |
| CVs | Human resources. | Human resources: 4 years. |
| SUPPLIERS / WEB PLATFORM USERS | Customer, accounting, tax and administrative management. | Customer management: during the term of the relationship and, thereafter, blocked during the limitation periods for possible liabilities. Accounting: 6 years. Tax: 4 years. Administrative: during the term of the relationship and, thereafter, blocked during the limitation periods for possible liabilities. |
| CUSTOMERS / WEB FORM | Customer, accounting, tax and administrative management. | Customer management: for the duration of the contractual relationship and, once ended, during the limitation periods for legal actions. Accounting: 6 years. Tax: 4 years. Administrative: while necessary for management and, once ended, during the limitation periods for applicable liabilities. |
| HUMAN RESOURCES | Payroll management, occupational risk prevention and human resources; advertising and commercial prospecting. | Payroll management: 4 years. Occupational risk prevention: 5 years (clinical documentation/health surveillance, from the start of each healthcare process). Human resources: 4 years. Advertising and commercial prospecting: while consent is maintained/no objection exists and, where applicable, during the limitation periods for possible legal liabilities. |
| VIDEO SURVEILLANCE | Video surveillance. | Maximum 1 month from capture. |
Legal bases for the processing of personal data
| Data processing | Legal basis |
|---|
| NEWSLETTER | Express consent of the data subject. |
| CVs | Express consent of the data subject. |
| SUPPLIERS | Performance of a services/sales/commercial contract. |
| WEB PLATFORM USERS | Performance of a services contract. |
| CUSTOMERS | Performance of a services contract. |
| HUMAN RESOURCES | Performance of an employment contract. |
| WEB FORM | Express consent of the data subject. |
| VIDEO SURVEILLANCE | Public interest (video surveillance). |
Recipients of your personal data
| Data processing | Foreseen disclosures | International transfers |
|---|
| NEWSLETTER | No disclosures foreseen. | No |
| CVs | No disclosures foreseen. | No |
| SUPPLIERS | Public administration with competence in the matter, banking or financial entities. | No |
| WEB PLATFORM USERS | Public administration with competence in the matter. | Yes |
| CUSTOMERS | Public administration with competence in the matter, banking or financial entities. | Yes |
| HUMAN RESOURCES | Public administration with competence in the matter, banking or financial entities. | No |
| WEB FORM | No disclosures foreseen. | No |
| VIDEO SURVEILLANCE | Public administration with competence in the matter. | No |
Rights of data subjects and means available to them
Any person has the right to obtain confirmation as to whether NEOBOOKINGS S.L. is processing personal data concerning them.
Data subjects have the right to access their personal data, as well as to request the rectification of inaccurate data or, where applicable, request its erasure when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
In certain circumstances, data subjects may request the restriction of the processing of their data, in which case we will only retain it for the exercise or defence of claims, as well as to comply with the legally established retention periods.
Likewise, data subjects may object to the processing of their personal data. NEOBOOKINGS S.L. will then stop processing their data, except for compelling legitimate grounds, or for the exercise of possible claims.
In the same sense, when certain circumstances apply and it is technically possible, data subjects shall have the right to have their personal data transmitted directly to another controller or processor, upon request.
To exercise the rights indicated above, you must contact us by sending a written request to:
- NEOBOOKINGS S.L. C/ Font del Vidal 2, Esparreguera, Barcelona, 08292, or by email to facturacion@neobookings.com. We recommend that you enclose a copy of your ID document with your request.
III. Principles applicable to the processing of personal data
The personal data protection policy is a proactive accountability measure, the purpose of which is to ensure compliance with the applicable legislation in this area and, in relation thereto, respect for the right to honour and privacy in the processing of the personal data of all persons who interact with NEOBOOKINGS S.L.
In developing the provisions of this Policy, the Principles governing data processing in the organisation are established and, consequently, the procedures and the organisational and security measures that the persons affected by this Policy undertake to implement within their area of responsibility.
In relation to the above, NEOBOOKINGS S.L. shall ensure compliance with the following principles:
- Lawfulness, fairness, transparency and purpose limitation. Data processing must always be notified to the data subject, by means of established clauses and procedures; and it will only be considered legitimate if there is consent for the data processing (with special attention to that given by minors), or if it has another valid legal basis, and its purpose is in accordance with the applicable Regulations.
- Data minimisation. The data processed must be adequate, relevant and limited to what is necessary in relation to the various purposes of the processing.
- Accuracy. The data must be accurate and, where necessary, kept up to date. In this regard, the necessary measures will be taken to ensure that personal data which is inaccurate with respect to the purposes of the processing is erased or rectified without delay.
- Storage limitation. The data will be kept in a manner that allows the identification of data subjects for no longer than is necessary for the purpose of the processing in question.
- Integrity and confidentiality. Personal data will be processed in such a way as to ensure adequate security, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, by applying appropriate technical or organisational measures.
- Data disclosures. The purchase or obtaining of personal data whose origin comes from illegitimate sources is prohibited, as well as in cases where such data has been collected or disclosed in breach of the law or where its legitimate origin is not sufficiently guaranteed.
- Contracting suppliers with access to data. Only suppliers offering sufficient guarantees to apply appropriate technical and security measures in data processing will be contracted. The relevant contract will be documented with them in this respect.
- International data transfers. Any processing of personal data subject to European Union regulations that involves a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established in the applicable law.
- Rights of affected persons. The Organisation will facilitate for affected persons the exercise of the rights of access, rectification, erasure, restriction of processing, objection and portability, establishing for this purpose the internal procedures and, in particular, the templates necessary and appropriate for their exercise, which must satisfy, at least, the applicable legal requirements in each case.
NEOBOOKINGS S.L. will promote that the principles set out in this personal data protection policy are taken into account:
- In the design and implementation of all work procedures.
- In the products and services offered.
- In all contracts and obligations they formalise or assume.
- In the implementation of any systems and platforms that allow access by its workforce or third parties and/or the collection or processing of personal data.
IV. Personal data of minors
In compliance with the provisions of Article 8 of the GDPR and Article 7 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights, only persons over 14 years of age may give their consent for the processing of their personal data lawfully by NEOBOOKINGS S.L. In the case of a minor under 14 years of age, the consent of the parents or guardians will be required for the processing, and this will only be considered lawful to the extent that they have authorised it.
V. Secrecy and security of personal data
NEOBOOKINGS S.L. undertakes to inform the user, without undue delay, when a personal data security breach occurs that is likely to result in a high risk to their rights and freedoms. In accordance with Article 4 of the GDPR, a personal data security breach is understood to mean any security breach that results in the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data.
Personal data will be treated as confidential by the Data Controller, who undertakes to inform and guarantee, through a legal or contractual obligation, that such confidentiality is respected by its workers, associates, and any person to whom it makes the information accessible.
VI. Commitment of NEOBOOKINGS S.L. staff
For the above reasons, we state that the workers of NEOBOOKINGS S.L. are informed of this Policy and declare themselves aware that personal information is an asset of NEOBOOKINGS S.L., and in this respect they adhere to it, undertaking to do the following:
- To carry out the Data Protection awareness training that NEOBOOKINGS S.L. makes available to them.
- To apply the user-level security measures applicable to their job, without prejudice to the responsibilities in their design and implementation that may be attributed to them according to their role within NEOBOOKINGS S.L.
- To use the established formats for the exercise of Rights by affected users, and to inform NEOBOOKINGS S.L. immediately so that an effective response can be given.
- To inform NEOBOOKINGS S.L., as soon as they become aware, of deviations from the provisions of this Policy, in particular of “Personal data security breaches”, using the format established for this purpose.
VII. Control and evaluation
NEOBOOKINGS S.L. will carry out an annual verification, evaluation and assessment, as well as whenever there are significant changes in the data processing operations, of the effectiveness of the technical and organisational measures to ensure the security of the processing.
