1.- INTRODUCTION
1.1 – Objective
The objective of this policy is to define the commitment that HOTELES J.C. MADRID, S.L., with CIF B83014753 and registered office at Glorieta de Pirámides 6, 28005 Madrid, and HOTELES NOA 2016, S.L., with CIF B87685368 and registered office at Glorieta de Pirámides, 6, 28005 Madrid, united under the same commercial brand "JC HOTELES" (hereinafter, "JC HOTELES"), must comply with regarding the processing of personal data in the performance of their functions, and the framework in which this commitment is established.
1.2 – Scope of Application
This policy applies to all professionals who are part of the JC HOTELES structure because they hold positions or are staff of JC HOTELES with access to the information for which JC HOTELES is responsible, and it may also extend, in accordance with the treatment agreements that may be signed, to any other company linked to JC HOTELES, whether a regular or occasional collaborator, whose actions may in some way affect the responsibility or reputation of JC HOTELES.
1.3 – Legislation
This document is based on compliance with Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 regarding the protection of natural persons concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR) and the national regulations in force on personal data protection. The applicable legal framework for the matter, which individuals subject to this Policy must know, in addition to the aforementioned GDPR, is determined by:
- Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights (LOPD and GDD).
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce.
- Royal Decree 311/2022, of 3 May, which regulates the National Security Scheme in the field of Electronic Administration.
1.4 – Principles of Data Processing and Information Security
JC HOTELES, its organizational structure, and staff will process the information and personal data under their responsibility according to the following data protection and information security principles:
- Lawfulness, fairness, and transparency: personal data will be processed lawfully, fairly, and transparently concerning the data subject.
- Legitimacy in the processing of personal data: personal data will only be processed when such processing is supported by one of the legal bases established in Articles 6 and 9 of the GDPR.
- Purpose limitation: personal data will be processed for specific, legitimate, and explicit purposes and will not be processed further in a manner incompatible with those purposes.
- Data minimization: personal data will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Storage limitation: personal data will be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the data were collected.
- Integrity and confidentiality: personal data will be processed in such a way as to ensure its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through the application of appropriate technical or organizational measures. Those involved in the processing of data will be subject to a duty of confidentiality even after the processing has concluded.
- Accountability: JC HOTELES and its structure will be responsible for ensuring compliance with the above principles and will implement technical and organizational measures to demonstrate this compliance.
- Attention to the rights of the affected parties: measures will be adopted within the organization to ensure the proper exercise by affected individuals, where appropriate, of their rights of access, rectification, erasure, objection, restriction of processing, and data portability concerning their personal data.
- Strategic scope: data protection and information security must have the commitment and support of all organizational and management levels so that it can be coordinated and integrated with other strategic initiatives of JC HOTELES to form a coherent and effective whole.
- Differentiated responsibility: in the information systems under the responsibility of JC HOTELES, the principle of differentiated responsibility will be observed so that different responsibilities and roles are clearly defined.
- Comprehensive security: security will aim to preserve the confidentiality, integrity, and availability of information, and may also encompass other properties, such as authenticity, accountability, reliability, and non-repudiation. Security is understood as an integrated process involving all technical, human, material, and organizational elements related to the system, avoiding, except in cases of urgency or necessity, any isolated action or temporary processing.
- Risk Management: risk management is the set of coordinated activities that JC HOTELES develops to direct and control risk, understanding risk as the effect of uncertainty on the achievement of objectives, which, in the framework of the GDPR, is the protection of the rights and freedoms of the data subjects whose data is processed by JC HOTELES. Risk analysis and management are essential parts of the data protection and information security process of JC HOTELES, enabling the maintenance of a controlled environment, minimizing risks to acceptable levels. This reduction will be carried out by deploying security measures, which will strike a balance between the nature of the data and processing, the impact and probability of the risks involved, and the effectiveness and cost of security measures.
When evaluating the risk, JC HOTELES will take into account the risks derived for the rights of individuals concerning the processing of their personal data.
- Proportionality: JC HOTELES will establish protection, detection, and recovery measures that are proportionate to the potential risks and the criticality and value of the information, personal data processing, and the affected services.
- Verification process: JC HOTELES will implement a process of regular verification, evaluation, and assessment of the effectiveness of technical and organizational measures to ensure the security of processing activities.
2.- OBLIGATION TO KNOW AND COMPLY
All JC HOTELES professionals must be familiar with this Policy and act according to the principles and behaviors defined, communicating any doubts regarding its compliance or any indications of actions contrary to it to their direct supervisor or the Compliance Department within the General Secretariat area.
This Policy, as well as any procedures arising from it, will be continuously updated on the Intranet for later consultation when required.
All directors have an obligation to ensure compliance with the Policy in their areas, lead its compliance, resolve doubts or concerns raised by professionals, and establish mechanisms to ensure compliance, relying on the advice of the Compliance Department for this purpose.
Doubts regarding information security and data protection may be addressed to the Information Security Officer, who may refer them to the Data Protection Officer if required by law.
Failure to comply with the rules contained in this policy will be subject to JC HOTELES' disciplinary and sanctioning authority, in accordance with the principles and rules provided by the applicable legislation. Therefore, any significant doubt will be referred to the Information Security Officer, and any related non-compliance must be reported to the Compliance Officer of JC HOTELES. The management of doubts and non-compliance will be carried out rigorously following the principles of independence and confidentiality.
3.- WRITTEN CONFIDENTIALITY COMMITMENT
Within the framework of their relationship with JC HOTELES, employees will expressly commit, in a document they will sign, to:
- Not disclose to any person outside JC HOTELES, without its consent, the information accessed during the performance of their duties, except where necessary to comply with the obligations imposed by law or regulations, or when required by the competent authority in accordance with the law.
- Use the information mentioned above solely as required for the performance of their duties at JC HOTELES and not dispose of it in any other way or for any other purpose. Copying and sending any information obtained or generated as a result of work for purposes other than this is prohibited.
- Not use, in any form, any other information obtained by taking advantage of their status as an employee of JC HOTELES that is not necessary for the performance of their duties at JC HOTELES.
- Comply with the current national and EU regulations on the protection of personal data and, in particular, REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND THE COUNCIL of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, and Organic Law 3/2018, of 5 December, on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD), complementary provisions, national regulations, or any other law that replaces them in the future.
- Comply with the Information Security Policies and their systems, as well as email and other communication systems, the procedures established and communicated by the corporation's management.
- Not use JC HOTELES' information systems and equipment for personal purposes that interfere with their duties or those of other employees or the company.
- On the internet, take appropriate precautions when downloading files, ensuring, before doing so, the trust or accreditation of the website from which they will be downloaded.
- Ensure that information considered confidential is physically protected by taking all necessary measures to avoid unauthorized access.
4.- USE OF JC HOTELES DIGITAL MEDIA BY EMPLOYEES
Employees must comply with the acceptable use or information security policies and instructions established by the company management, as well as with the use of email and other communication systems. Personal use of JC HOTELES' information systems and equipment that interferes with the employee's work, the work of others, or the company is prohibited.
Employees will be informed that access to websites unrelated to work, such as chat pages, non-professional social networks, games, gambling, travel, online shopping, stock trading, illegal content, or pornographic material, is not allowed. It is also expressly prohibited to disseminate and download illegal material, infringe rights, as well as the illegal use, copying, or sending of software or material protected by intellectual or industrial property laws.
When using the internet, employees should take appropriate precautions before downloading files, ensuring the trustworthiness or accreditation of the website from which the download will occur.
JC HOTELES may access content derived from the use of digital media provided to employees in order to control compliance with labor or statutory obligations and to ensure the integrity of these devices.
Therefore, no employee of JC HOTELES should expect that their communications through JC HOTELES media or the use of JC HOTELES' IT systems will be confidential or private, as they are subject to employer control.
Employees will be informed that applications that analyze the internet traffic sent and received may be installed on the company’s equipment and systems, and that this may allow or prohibit certain activities based on rules defined by the system administrators.
5.- EMPLOYEE MANUAL
The basic principles and obligations of employees will be collected in a document called the Employee Data Protection Manual, which will be periodically disseminated to employees and updated.
6.- INFORMATION SECURITY POLICY
Information security is governed by JC HOTELES' Information Security Policy, in line with the measures of the National Security Scheme, as well as a series of documents, procedures, and measures for its development (Security Regulations; Security Procedures; Authorization Processes; Operational and Protection Security Measures) that those responsible for its application must know.
The security of the systems will be attended, reviewed, and audited by qualified, dedicated, and trained personnel at all stages of their life cycle: installation, maintenance, incident management, and decommissioning.
JC HOTELES staff will receive the necessary specific training to ensure the security of information technologies applicable to JC HOTELES systems and services.
7.- DOCUMENTARY SYSTEM FOR DATA PROTECTION
The Data Protection Documentary System of JC HOTELES collects, in an orderly manner, the documents related to the protection of personal data generated by JC HOTELES as the data controller and processor, to comply with the General Data Protection Regulation (GDPR), national regulations, and any regulations that may be issued in its development.
As the controller of personal data processing and processor of other treatments, JC HOTELES is responsible for complying with the principles of the GDPR and the Spanish Data Protection Law (LOPDGDD) and the obligations it entails, and must be able to demonstrate this in accordance with the principle of proactive responsibility.
The purpose of the Data Protection Documentary System is to demonstrate compliance with the GDPR and the LOPDGDD.
The Data Protection Documentary System is under the custody of the Management Control Department and the Information Security Officer.
8.- PROCESSING OF PERSONAL DATA
8.1 - Content
"Personal data" refers to any information about an identified or identifiable natural person ("the data subject"). An identifiable person is one whose identity can be determined, directly or indirectly, particularly by means of an identifier, such as a name, identification number (e.g., ID, Social Security number), location data (e.g., address), online identifier (e.g., email accounts), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the person (e.g., biometric data). Hereinafter referred to as "Personal Data."
Examples of Personal Data include a full name, ID number or passport, personal or professional address, nationality, profession, financial data, health, genetic, biometric data, of an identified or identifiable person.
8.2 - Scope
This only applies to natural persons, as the mentioned regulations do not apply to data of legal entities.
8.3 - Format of Data
For data to be considered personal data, the format in which it is provided does not matter, whether electronic/digital (Excel, Word, Access, PowerPoint, application, audio or video file, etc.), or physical (paper document, photographs, etc.).
The security measures to be implemented will vary depending on the format in which the data is available.
8.4 - Record of Processing Activities - Use of Data
JC HOTELES will maintain an up-to-date record of the personal data processing activities for which it is responsible, which will include all the information referred to in Article 30 of the GDPR.
The purposes for processing personal data are those contained in each activity recorded in the Record of Processing Activities.
The Record of Processing Activities will be continuously updated and may be consulted on JC HOTELES' website in accordance with the provisions of the LOPDGDD.
If there is any doubt about the purposes of processing, the Data Protection Officer or the Information Security Officer should be consulted.
Personal data must be adequate, relevant, and not excessive in relation to the purpose for which it was collected.
More data than necessary will not be collected, and personal data will not be used for purposes other than or incompatible with the original purposes for which it was collected.
8.5 - Authorization for Processing Data. Data Collection. Obtaining Consent
Processing is understood as any operation or set of operations performed on personal data or sets of personal data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other means of enabling access, comparison, or interconnection, restriction, erasure or destruction.
Processing of personal data is considered to have occurred as soon as access to such data is granted or potentially accessible, even if access is not actual (i.e., just the possibility of access constitutes processing of personal data).
The authorization or legitimacy for processing personal data will be based on one of the grounds of legitimacy established in Articles 6 and 9 of the GDPR.
The specific authorizations for each processing activity carried out by JC HOTELES are recorded in the Record of Processing Activities.
JC HOTELES will not collect personal data from users without the knowledge of the data subject. Data inclusion in forms will be voluntary and properly announced, showing the relevant information clauses in two layers. The information layers and their level of detail will include the content indicated in the Guide to Compliance with the Duty to Inform (2018) issued by the Spanish Agency for Data Protection.
Whenever data is collected, written or verbal information will be provided, with the first layer of basic information, in a table format, with headings such as "Controller," "Purposes," "Legitimacy," "Transfers/Recipients," and "Rights," where it will be indicated that rights can be exercised at the email address direccion@jchoteles.com. The second layer will contain detailed information, with two links: one to the detailed second layer and another to an extract of the Record of Processing Activities.
The personal data that may be collected directly from the data subject will be incorporated into the corresponding processing activity owned by JC HOTELES.
When processing is based on consent, methods established in the Procedures for Obtaining and Retaining Consent will be used, which are part of JC HOTELES' Data Protection Documentary System, and the systems used for each processing activity will be identified. Consent, data provided, and information clauses shown will be properly recorded.
8.6 - Method of Access
The way in which personal data is accessed (whether in electronic/digital or physical format) does not matter for it to be considered processing; in all cases, the established procedure must be followed. Likewise, processing is considered to occur if the data is incorporated into JC HOTELES' IT systems or facilities.
8.7 - Security Level
JC HOTELES employees must be aware of and apply the security measures, in line with the National Security Scheme, as outlined in the Record of Processing Activities and the information security system.
For more details about the security levels in personal data protection, employees must contact the Information Security Officer.
8.8 - Personal Data Processing and Privacy Policy for the Website and Internet
The personal data processing and privacy policy for the website and internet, a document that is part of JC HOTELES' Data Protection Documentary System, regulates the processing of personal data through the website and internet and privacy matters. This policy also integrates the treatment of cookies.
The personal data processing and privacy policy for the website and internet must be known by JC HOTELES employees in order to apply it in the daily use of its online and digital services.
8.9 – Data Retention Period. Blocking of Data
According to data protection regulations, personal data will be retained until it is no longer necessary for the purpose of the processing. The retention periods or criteria for each specific activity are recorded in the Processing Activities Register.
Subsequently, the data will be properly blocked. Data blocking involves identifying and reserving the data, adopting technical and organizational measures to prevent its processing, including its viewing, except for the provision of the data to judges and courts, the Public Prosecutor's Office, or the competent Public Administrations, particularly data protection authorities, for the enforcement of potential responsibilities arising from the processing, and only for the period of time prescribed for such responsibilities.
After that period, the data must be destroyed.
Blocked data may not be processed for any purpose other than the one specified.
For the deletion of documents containing personal data, other than auxiliary copies, individuals within JC HOTELES' structure will consult with the Security Officer beforehand regarding the procedure to follow.
8.10 – Recipients of the Data
The data may be transferred or communicated to other recipients as provided for in the GDPR. Specific transfers or communications are recorded in the Processing Activities Register for each activity, and they must all appear in the information clauses and consent collection when consent is the legitimating basis for the processing.
8.11 – Rights of the Data Subjects
The rights recognized in Articles 15 to 22 of the GDPR may be exercised directly or through a legal or voluntary representative. Those holding parental responsibility may exercise the rights of access, rectification, cancellation, opposition, or any other rights that may correspond to them on behalf of minors under fourteen years of age in the context of this Organic Law.
Any person has the right to obtain confirmation as to whether or not JC HOTELES processes personal data concerning them.
Data subjects have the right to access their personal data and obtain a copy of the personal data subject to processing, to update it, and to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
In certain circumstances provided for in Article 18 of the GDPR, data subjects may request the restriction of the processing of their data, in which case JC HOTELES will only retain the data for the exercise or defense of claims.
As a result of applying the right to erasure or opposition to the processing of personal data in the online environment, data subjects have the right to be forgotten under the jurisprudence of the Court of Justice of the EU.
Data subjects may object to the processing of their data for marketing purposes, including profiling. In particular, data subjects have the right to be informed for free by JC HOTELES regarding their personal data that cannot be used for advertising or commercial prospecting purposes.
Under the right to data portability, data subjects have the right to obtain their personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.
Every data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, unless the exceptions provided for in Article 22.1 of the GDPR apply. JC HOTELES does not make automated decisions without human intervention.
The data subject has the right to have their data erased due to the disappearance of the purpose that motivated the processing or collection, the revocation of consent when consent is the legitimating basis for the processing, or for other reasons contained in Article 17 of the GDPR. Definitive deletion will be carried out, in any case, after blocking the data.
8.12 – Attention to the Rights of the Data Subjects
JC HOTELES has established a simple procedure for exercising personalized data protection rights, providing an email address for the exercise of rights (direccion@jchoteles.com), defined in the document Procedure for Attention to the Exercise of Rights, which all employees of JC HOTELES must know and apply.
Any request for the exercise of data protection rights received at JC HOTELES by any means or channel will be forwarded by JC HOTELES employees to direccion@jchoteles.com. This rule will be included in the Data Protection Manual for employees.
Requests from data subjects will be responded to by email with a read receipt if the request has been received through that means or by certified mail with acknowledgment of receipt if the request has been received by means other than email, without undue delay and no later than within one month.
The proof of compliance with the duty to respond to the request for the exercise of their rights made by the data subject rests with JC HOTELES, so a copy of all responses and the justification of the sending and receipt will be kept.
8.13 – Management of Security Breaches
The Procedure for Managing Security Breaches, which is integrated into the Data Protection Document Management System, is established to ensure the correct identification, recording, and resolution, with damage minimization, of security breaches affecting personal data.
The management of the breach will be carried out according to JC HOTELES' Information Security Policy, which governs the documents that develop it and which include prevention, detection, and correction aspects, to ensure that threats to information do not materialize and, if they do, do not significantly affect the information handled or the services provided by the company.
The existence of this Security Breach Management Procedure will be included in the Data Protection Policy directed at employees and any company member, who will be trained on how to act in the event of security breaches and on the responsibilities they have.
9.- APPROVAL OF THE MODEL
9.1 – Ownership
The approval of this document corresponds to the company's management.
The development and evolution of the document corresponds to the Compliance department.
9.2 – Interpretation
The interpretation of this document corresponds to the Data Protection Officer in the company.
9.3 – Validity and Revision
This model will enter into force from the date of its approval and publication. Its content will be subject to periodic review, with changes or modifications being made as deemed necessary.
10.- DOCUMENT VERSION CONTROL
| Version | File Name | Date |
| --- | --- | --- |
| 1.0 | Privacy Policy | 03/05/2024 |
| 1.1 | Web Report | 03/05/2024 |
Privacy policy provided by Noxdata Soluciones Digitales, S.L.
Contact: info@noxdata.es