Privacy and Data Policy
Privacy, Security and Data Protection Policy
Neya Lisboa Hotel appreciates the trust placed in us and is committed to protecting the privacy of all users of the various websites and digital platforms it makes available and that it owns. In this context, it has developed this Privacy, Security and Data Protection Policy, in order to guarantee its commitment and respect for the rules of personal data privacy and protection.
Thus, pursuant to EU Regulation 2016/679 of the European Parliament and of the Council of April 27th, 2016 (General Data Protection Regulation, hereinafter "GDPR"), the company holding the capital of Azad, Sociedade de Investimentos Turísticos e Hoteleiros, Unipessoal, Lda, taxpayer no. 508774942, headquartered at Rua D. Estefânia, 71-77, Lisbon, 1150-132 (hereinafter referred to as "COMPANY") hereby declares the following:
Personal data definition
Personal Data is any information of any nature and in any medium relating to an identified or identifiable person. A person that can be identified, directly or indirectly, by any element that allows reaching its identification is deemed identifiable.
Definition of personal data owner
Personal data owner is the customer/user/supplier/subcontractor, individual, to whom the data relate. In this case, the person who hires/accesses the website/uses the services or products of the COMPANY is included as customer/user. Any person who provides, directly or indirectly, any type of product or service to the COMPANY is included as supplier. Any person dealing with the personal data provided by the COMPANY, in the name and on behalf of the COMPANY, is included as subcontractor.
Data owner’s rights
In accordance with the General Data Protection Regulation, the data owner is guaranteed the exercise of all legally permitted rights, as long as personal data is processed by the COMPANY, namely:
- Right of access – consists of the right to obtain confirmation on the processing of your personal data and information about them.
- Right to data rectification – it is the right to request the rectification of your personal data that are wrong/out of date or request the completion of incomplete data.
- Right to data deletion or "right to be forgotten" – it is the right to obtain the deletion of your personal data, provided that there are no valid and/or legitimate grounds by the COMPANY for its preservation.
- Portability right – it is the right to receive the data you provided in a digital format of current use and automatic reading, or to request the direct transmission of your data to another entity that becomes the party responsible for your personal data.
- Right to withdraw consent or right of objection – it is the right to object or withdraw your consent to data processing at any time, provided that there are no valid and/or legitimate grounds by the COMPANY for non-acceptance of this right.
- Right of limitation – it is the right to request processing limitation of your personal data, in the form of suspension of treatment or limitation regarding the scope of treatment to certain data categories or treatment purposes.
- Right to complain – it is the right to complain to the relevant supervisory authority if you believe there has been a breach of your rights. In Portugal, this authority is the National Data Protection Commission (hereinafter "CNPD"). More information on CNPD is available at www.cnpd.pt
Enforcement of personal data owners’ rights
The COMPANY undertakes to respond to the enforcement of your rights within a maximum period of 30 days, unless it is a specially extensive or complex request.
The enforcement of rights is generally free, except in the case of a manifestly unfounded or excessive request, in which case a reasonable fee may be charged.
It is worth noting that the enforcement of any rights must always be provided in writing, both in person and by electronic means.
Optional or mandatory nature of the supply of personal data
Supply of personal data is generally optional. Only in certain cases, the lack of data supply may make it impossible to access specific services and obtain any requested information (e.g., contact requests, reservations and/or additional services, applications, etc.).
Data supply purpose
The data supplied to the COMPANY (online and in person) are intended to ensure a correct provision of our services, and ensure navigation and content availability on our websites. They have the following purposes, among others:
1. Fulfil the obligations regarding our customers;
2. Manage reservations: Creation, storage and processing of legal documents as well as personal data, in accordance with the General Data Protection Regulation.
3. Manage your stay: Monitoring the use of services for exclusive debit purposes (telephone, bar, pay TV, etc.); Manage access to accommodations;
4. Service improvement: Adapting our products and services to better serve our customers' needs;
5. Customer relations management: Loyalty programs management; Segmentation of operations based on our guests' reservation history; Development of internal statistics and reports; Sending and managing newsletters, promotions, service offers and satisfaction surveys;
6. Use of third-party services in the analysis and mapping of personal data, at the time of reservation and/or during the stay, to determine the guest’s profile;
7. Compliance with local legislation (e.g. storage of official customer documents).
Personal data collection types
The COMPANY, through its websites and/or hotels, does not process personal data belonging to special categories as per Article 9 of EU Regulation 2016/679.
Through our website, messages or personal contact, the COMPANY can obtain and process the following personal data:
a) Specific data:
- Contact details (first name, last name, phone number and email);
- Personal Information (Date of birth, nationality);
- Children’s information (first name, last name, age and date of birth);
- Credit card number (for banking purposes);
- Date of arrival and departure;
- Your preferences (preferred floor, bed type, interests, limitations, etc.).
b) Any information provided by you through the website or by messages, either by filling out forms or sent as free text. This information includes information provided for the subscription to newsletters, contact request, reservations and other additional services. The information you provide when you participate in any area that involves your registration or supply of your data, or when you interact with the COMPANY, such as when you send an e-mail requesting information to any of the addresses belonging to the domains owned by the COMPANY, can also be treated.
c) Information regarding your visits to the website including, in particular, IP addresses, web page visit time, and type of browser, to manage the system and facilitate navigation and return to the website later. In principle, these data will be treated solely for statistical purposes of the actions and browsing patterns of the website users and do not allow the identification of any individual. However, when the user provides other information, such data may be identified and treated in accordance with the General Data Protection Regulation.
d) Information on Internet access via WIFI and Ethernet through your electronic devices, such as the Internet Protocol ("IP") address, Media Access Control ("MAC") address, service usage time and activity associated with the device. For more information, please refer to the Terms and Conditions for WIFI and Ethernet.
We also inform you that the personal data collected by the COMPANY are limited to what is strictly necessary for the pursuit of the purposes they were requested for.
When personal data are supplied, the COMPANY provides all the information legally required for the processing of such data and requires the consent of its owners when required by law and when there is no legitimate interest by the COMPANY or third parties, such as the data processing for quality of service improvement, fraud detection and revenue protection, and when our reasons for using it should prevail over your data protection rights.
Personal data collection sites
The sites mentioned below are those that can usually request access to customers’ personal data:
- Contact request;
- Information request;
- Reservation request and/or other amenities;
b) Hotel Activities:
- Room reservation;
- Payment and check-in;
- Places that provide food (Food and Beverages);
- Requests, complaints and compliments;
c) Participation in marketing campaigns:
- Registration in customer loyalty programs;
- Participation in surveys (namely satisfaction survey);
- Subscription to other hotel amenities;
Data preservation terms
The time during which the data is stored and preserved corresponds only to the time necessary to achieve the defined purpose or, depending on what is applicable, until you exercise your right of objection, right to be forgotten or withdraw consent, which varies according to the purpose for which the information is used.
In newsletters, the period for preservation and processing of any personal data supplied by you to us, starts when the applicant submits the subscription form and ends when such subscription is cancelled. You can cancel your subscription at any time through a link available in all our newsletters. By cancelling your subscription, the data owner will receive a notification email and, subject to the terms of applicable law, its data will be excluded from our newsletter submission list.
The information regarding reservations and other amenities will be stored only during the maximum legal term.
All other services that are not detailed above and whose maximum legal term is undefined will be stored until you enforce your right of objection, right to be forgotten or withdraw consent.
Party responsible for personal data treatment
The party responsible for the collection and processing of personal data is the COMPANY, which provides the service or supplies the product and, in this context, decides what data is collected, means of treatment, format and purposes for which the data are used, providing all necessary information to its owners:
Neya Lisboa Hotel
Rua D. Estefânia, 71-77, Lisbon, 1150-132
Telephone: +351 21 310 1800
Hence, the COMPANY uses the following entities as subcontractors for specific purposes:
- Maintenance of Property Management System software: Protel hotelsoftware GmbH, established at: Europaplatz 8, 44269 Dortmund, Germany (hereinafter "Protel"), as subcontractor;
- Maintenance of Channel Manager software: Parity Rate S.R.L, established at: Via Antonio Fratti 22, 20128 Milan, Italy (hereinafter "Parity Rate"), as subcontractor;
- Maintenance of Guest Review software: ReviewPro, Inc, based at: 149 Madison Avenue, Suite 1173, 10016 New York, USA (hereinafter "ReviewPro"), as subcontractor;
- Maintenance of Point of Sale software: TCPOS SA, headquartered at Centro Galeria 2, Via Cantonale 2C, CH-6928 Manno, Switzerland (hereinafter "TCPOS"), as subcontractor;
- Consulting on Property Management System and Food & Beverage Software: Hitservices - Serviços e Consultoria, Lda, tax identification number 514317612, with headquarters at: Avenida Tomás Ribeiro nº131, Escritório 9, 2790-466 Oeiras (hereinafter “Hits”) as subcontractor;
- Maintenance of web platform and reservation portal: GUESTCENTRIC SYSTEMS, S.A., tax identification number 514317612, with headquarters at: Avenida José Gomes Ferreira nº9, 1495-139 Oeiras (hereinafter "Guestcentric"), as subcontractor;
- Maintenance of graphic content: High Communication - Brand & Media Consulting, Lda, tax identification number 500035300, with headquarters at: Rua General Garcia Rosado nº13, 1150-173 Lisbon (hereinafter "Hicom"), as subcontractor;
- IT systems maintenance: NewAlliance IT Solutions, Lda, tax identification number 513749489, with headquarters at: Praça de Londres nº3 4ºEsq, 1000-191 Lisbon (hereinafter "NewAlliance IT"), as subcontractor;
- Subscription and mailing of newsletters: MailChimp - Rocket Science Group LLC, tax identification number 582554149, located in: 675 Ponce de Leon Ave NE, Suite 5000, 30308 Atlanta (hereinafter "MailChimp"), as subcontractor.
Protel, Parity Rate, ReviewPro, TCPOS, Hits, Guestcentric, Hicom, NewAlliance IT, MailChimp and Líder Segurança act on behalf of the COMPANY in accordance with the provisions of the General Data Protection Regulation, specifically with Article 45, Chapter IV, relating to the Party responsible for data processing and outsourcing.
Personal data treatment site
The processing of data occurs in the aforementioned facilities of the COMPANY, and the data are handled only by the technical staff of the party responsible for its processing. However, there may be personal data transfers to the US and EU:
In the case of ReviewPro and MailChimp, data processing takes place in the USA, whereby the COMPANY acts together with the data processing facilities at the headquarters of the aforementioned companies, certified in accordance with paragraph 6, Chapter III of the Commission Implementing Decision (EU) 2016/1250 of July 12th, 2016 on the level of protection provided by the EU-US Privacy Protection Shield applied pursuant to Article 45 of the GDPR.
For all the other subcontractors, data processing takes place in the EU, whereby the COMPANY works together with the data processing units at the head offices of the aforementioned companies, certified in accordance with the legal terms of the European Union and national law, and ensured by Articles 17, 18, 19 and 20 of Framework Decision 2008/977/JHA, pursuant to Article 13 of the GDPR.
The COMPANY uses tracking technologies to improve navigation on its websites and newsletters. The collection of these data is essential to ensure functionality, improve browsing on our websites, and submit newsletters, subscription forms for services and reservations, as well as improve our communications with subscribers and customers and enable statistical analysis. See our Cookies policy for more information.
Personal data concerning minors can only be made available, in person or on the COMPANY website, by their parents or guardians and within the legal parameters in force.
In these cases, the data protection officer shall make every effort to verify that consent has been given or authorized by the minors’ parents or guardians, taking into account the technology available.
The COMPANY cannot be held liable for the lawfulness of the processing of personal data supplied by persons who commit fraud regarding their identity.
The subscription to any service by the data owner to the COMPANY is considered as a direct offer of service of the information society, being aimed at people over the age of 16 years. In this respect, the COMPANY does not intend, in any way, to process information of minors under the age of 16 years, therefore, their subscription should only be made by persons aged 16 years or older.
The COMPANY encourages all parents or guardians (customers or not) to take an active role in monitoring the use of the Internet by minors and inform them of the potential dangers of supplying their information on the Internet.
Protection of owners’ personal data
In accordance with current legislation and taking into account available technology, the COMPANY provides a correct level of protection of your personal data, including by implementing the necessary technical and organizational measures to protect your personal data against its destruction, loss or accidental modification, as well as against unauthorized access and other processes, namely:
- Logical security requirements and measures, such as the use of firewall and intrusion detection systems in its systems.
- Physical security measures, including a strict control of access to the physical facilities of the COMPANY.
- Means of data protection using technical resources such as personal data encryption, pseudonymization and anonymization.
- Scrutiny, audit and control mechanisms to ensure compliance with security and privacy policies.
- Information and training program of employees and partners of the COMPANY.
- Access rules for customers/users for certain products or services, such as a second level of opt-in for subscription of services on the platform and the introduction of a password whenever an employee accesses, directly or indirectly, any COMPANY database, in order to strengthen the control and security mechanism.
However, the COMPANY informs that no security system can guarantee absolute protection. We remain at your disposal for any question or remark regarding the confidentiality and security of your personal data.
Privacy and Personal Data Policy - applicable to Users of this Hospitality Business when making a reservation
Data Controller (we): The Hospitality Business which will provide to you, the user, the requested service. Our identification and contact details are available on the website you used to make your reservation / to pose your questions to us. They will also appear on our invoice which we'll send to you.
Data Compliance Officer: Not applicable to Data Controllers' activities.
User: You, who filled in the reservation form or any other documentation related to it.
Purpose: The purpose of processing the data provided through this form is to manage the reservations made by you, the user, and/or to answer the questions / requests you posed.
- Either the need to perform our contract with you, user / the need to take steps at your request prior to entering into a contract.
- Or the consent of you, the user, by ticking in the box of acceptance of the Terms and Conditions of which this Privacy and Personal Data Policy is an integral part.
Duration: We will store the data provided by you, the user, during the time necessary for the management of the reservation you made, as well as of the accommodation services you requested. Once the management is finished, your data will be kept for six (6) months. If you consent to receive marketing and/or commercial information, your data will be stored until you revoke your consent.
Processor: We engage our partner Guestcentric Group (www.guestcentric.com) to run the reservations engine of our business. Guestcentric acts under our authority and we have signed a contract with Guestcentric Group for the provision of their services. We have instructed Guestcentric Group in writing as to how the processing should be done.
Data subjects different from the users: Where you, the user, provide us with personal data pertaining to a data subject other than yourself, you are responsible for such acts as well as for obtaining the respective consent of such data subjects for the provision of their data.
Transfer of Data: We shall not transfer personal data to a third country outside the EEA (European Economic Area).
Data Subject Rights: Data Subjects can exercise their rights of access, rectification, cancellation and opposition by sending an email or through the postal service to the contact details on our reservation website and on our invoices.
Supervisory Authority: If a data subject considers their rights affected, they can also appeal to the competent supervisory authority of the Member State concerned. More info at: https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en