This is the data protection policy of PGA Catalunya Resort, which comprises the following companies:
– PGA Golf de Catalunya SA. Carretera Nacional II, Caldes de Malavella 17445, Fiscal Identification Code A6063952Z
– PGA Golf de Caldas SA. Carretera Nacional II, Caldes de Malavella 17445, Fiscal Identification Code A58376104
– Golf Hotel de Malavella SL. Carretera Nacional II, Caldes de Malavella 17445, Fiscal Identification Code B62742606
For the purposes of this document, this group of companies is identified with the name of PGA Catalunya Resort. The policy refers to the data that are processed in the performance of its tourism and leisure services, in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016).
Who is the Data Controller?
The Data Controller is, in each case, the group company with whom the customer or supplier interacts. Each company is answerable to its customers and suppliers for compliance with the data protection regulations and guarantees their rights.
Who is the Data Protection Officer?
The Data Protection Officer (DPO) is the person who supervises enforcement of the PGA Catalunya Resort companies’ data protection policy, ensuring adequate processing of the personal data and protection of data subjects’ rights. This person’s duties include attending to any query, suggestion, complaint or claim made by the people whose data are processed. The Data Protection Officer can be contacted by writing to PGA Golf de Caldes SA, Carretera Nacional II, Caldes de Malavella 17445, or to the email address email@example.com.
For what purposes do we process data?
We process personal data for the following purposes:
Attend to the queries made by the people who contact us via contact forms on our websites. We use the data solely for this purpose.
Attend to the people who contact us by telephone. In order to improve the quality of our service, the conversations may be recorded, notifying this beforehand to the person we are talking with.
Receive the CVs sent by people who are interested in working with us and manage the personal data generated as a result of their participation in staff selection processes, with the goal of analysing the match of the candidates’ profile with the vacancies available or the new jobs that have been created. As a general procedure, we also keep the data of the people who have not been selected for a maximum period of one year in case a new vacancy or new job should arise during that period. However, in the latter case, we will delete the data immediately if the data subject asks us to.
Register new customers and the additional data that may be generated as a result of the business relationship with customers. As part of the contracting process, the essential data required for this are requested, including bank details (current account or credit card number), which will be notified to the banks that handle customer payments (they can only be used for this purpose). The provision of tourism services entails other processes, such as including the data for accounting or invoicing purposes or for notifying to the Tax Administration.
Services provided to students at the Golf School.
Registration for the School’s courses, which includes registration of the students and, if applicable, their parents or legal representatives. The data are used to organize the School’s activities, monitor the students’ progress and accredit the tuition given. As part of the registration process, the essential data required for this are requested, including bank details (current account number), which will be notified to the banks that handle payments.
Information about our services.
For so long as customers maintain the business relationship, PGA Catalunya Resort uses their contact details to provide information pertaining to this relationship. This information may circumstantially include references to our services, whether of a general nature or referring more specifically to the customer’s features and needs.
Other information about the services.
With the customer’s explicit authorisation, upon termination of the contractual relationship, the contact details will be kept in order to send advertising related with our services, information of a general nature or specifically adapted to the customer’s features. This information is also sent to people who, while not being customers, have asked for the information or accept it by filling in our forms.
Advertising about the services offered by our group companies.
Always with the explicit prior authorisation of the people identified in the previous section, the contact details are used to send advertising, whether of a general nature or adapted to the person’s features, about the services offered by the companies belonging to our group. In addition, with the data subject’s explicit consent, the contact details may be made available to these companies so that they may send advertising about their services directly.
Managing our suppliers’ data.
We record and process the data of the suppliers from whom we obtain services or goods. This may include the data of people who work as self-employed professionals and also the data of representatives of legal persons. We obtain the essential data that are necessary for maintaining the business relationship. They are used only for this purpose and in the manner required for this type of relationship.
When accessing our facilities, information is provided, when applicable, about the existence of video surveillance cameras by means of officially approved signs. The cameras record images only in those locations where this is justified to guarantee the security and safety of assets and people, and the images are only used for this purpose.
Users of our website.
Other data collection channels.
We also obtain data through face-to-face contacts and other channels such as receiving e-mails, through our profiles on the social media and during the registration process for Wi-Fi services. In all cases, the data are used solely for the specific purposes that justify collection and processing
What is the legal basis for processing the data?
The data processing we perform has different legal justifications, depending on the nature of each type of processing.
In compliance with a precontractual relationship. This applies to the data of prospective customers or suppliers with whom a relationship is established prior to conclusion of a contractual relationship, such as preparing or studying estimates. It also applies to the processing of data of people who have sent us their CVs or who are taking part in selection processes.
In compliance with a contractual relationship. This applies to relationships with our customers and suppliers and all the activities and uses entailed by such relationships.
In compliance with legal obligations. The transfer of data to the Tax Administration is governed by rules that regulate business relationships. It may be necessary to transfer data to judicial authorities or security forces, also in compliance with legal provisions that compel collaboration with these public authorities.
Based on consent. When we send information about our services, we process the addressees’ contact details with their explicit authorisation or consent. The browsing data that we may obtain with cookies are obtained with the consent of the person who visits our website. This consent can be revoked at any time by uninstalling these cookies. We also transfer personal data to other companies in our group with the prior consent of each person concerned.
For a legitimate interest. The images obtained with the video surveillance cameras are processed on the basis of our company’s legitimate interest to protect its assets and facilities. Our legitimate interest also justifies processing of the data obtained from the contact forms.
Who are the data disclosed to?
As a general rule, we only transfer data to public administrations or authorities and always in compliance with legal obligations. The identifying data of the people who stay at our establishments are notified to the Directorate-General of the Police (in compliance with Order IRP/418/2010, of 5 August, concerning the obligation to register and notify to the Directorate-General of the Police the identity of the people who stay at lodging establishments).
When issuing invoices to customers, the data may be notified to banks. Furthermore, if consent has been given, the data may be made available to other companies belonging to our group for the purposes stated above. No data are transferred outside of the European Union (international transfer).
For the performance of certain tasks, we contract the services of companies or people who provide us their experience and expertise. On certain occasions, these companies need to access personal data held by us. This is not a data transfer as such but should be considered a processing assignment. We only contract services from companies that can guarantee compliance with data protection regulations. At the time of contracting the service, such suppliers’ confidentiality obligations are formally stated and their activities are monitored. This may be the case of data hosting services, IT support services or legal, accounting or tax advisors.
For how long do we keep the data?
We comply with the legal obligation to limit as much as possible the period during which the data are kept. Consequently, we only keep them for such time as is necessary and justified for the purpose for which they were obtained. In certain cases, such as the data included in accounting documentation and invoices, tax regulations require us to keep them until our liabilities in this matter have lapsed. In the case of data that are processed on the basis of the data subject’s consent, they are kept until the data subject revokes consent. The images obtained by the video surveillance cameras are kept for a maximum period of one month. However, in the case of incidents where it is justified, they will be kept for such time as may be necessary to assist in the investigations carried out by the security forces or judicial authorities.
What rights do people have respect to the data we process?
As stated in the General Data Protection Regulation, people whose data we process have the following rights:
To know whether they are processed. First of all, any person has the right to know whether we process their data, irrespective of whether or not there has been a prior relationship.
To be informed at the time of collection. When the personal data are obtained from the data subject, clear information must be provided at the time of collection about the purposes they will be used for, who will be the data controller and the other aspects arising from this processing.
To access. This is a very broad right which includes knowing precisely which personal data are being processed, the purpose they are being processed for, the disclosures that will be made to other people (if applicable) or the right to obtain a copy or know for how long it is planned to keep them.
To ask for rectification. This is the right to obtain rectification of inaccurate data that are being processed by us.
To ask for erasure. In certain circumstances, the data subject has the right to ask for erasure of the data when, among other reasons, they are no longer necessary for the purposes for which they were collected and which justified their processing.
To ask for restriction of processing. Also, in certain circumstances, the right is acknowledged to ask for restriction of processing of the data. In this case, processing will be stopped and they will only be kept for the exercise or defence of legal claims, pursuant to the General Data Protection Regulation.
To data portability. In the cases provided in the regulation, the data subject’s right is acknowledged to obtain his or her personal data in a structured, commonly used and machine-readable format, and to transmit those data to another data controller if the data subject so decides.
To object to processing. A person may invoke grounds relating to his or her particular situation to require that his or her data cease to be processed insofar as they may cause harm, except for compelling legitimate grounds or for the exercise or defence of legal claims.
To not receive marketing information. We will comply immediately with requests to not continue sending marketing information to people who had previously authorised us to send it.
How can the rights be exercised or defended?
You can exercise the rights listed above by sending a written request by post to PGA Golf de Catalunya S.A., PGA Golf de Caldas S.A., or Golf Hotel Malavella S.L. or by sending an email to firstname.lastname@example.org, stating in all cases “Personal data protection” as subject.
If you have not obtained a satisfactory response in the exercise of your rights, you can send a claim to the Spanish Data Protection Agency by means of forms or other channels that can be accessed from their website www.agpd.es