INFORMATION OF GENERAL INTEREST
This document has been designed for the processing of low-risk personal data, from which it follows that it may not be used for the processing of personal data that includes personal data relating to racial or ethnic origin, political, religious or philosophical ideology, trade union affiliation, genetic and biometric data, health data, and data on sexual orientation of individuals, as well as any other data processing that entails a high risk to the rights and freedoms of individuals.
Article 5(1)(f) of the General Data Protection Regulation (hereinafter GDPR) determines the need to establish appropriate security safeguards against unauthorised or unlawful processing, against loss of personal data, accidental destruction or damage. This implies the establishment of technical and organisational measures aimed at ensuring the integrity and confidentiality of personal data and the possibility to demonstrate, as set out in Article 5.2, that these measures have been put into practice (proactive accountability).
In addition, it should establish visible, accessible and simple mechanisms for the exercise of rights and have defined internal procedures to ensure effective handling of the requests received.
INFORMATION OF GENERAL INTEREST
ATTENTION TO THE EXERCISE OF RIGHTS
The data controller shall inform all employees about the procedure for attending to the rights of data subjects, clearly defining the mechanisms by which the rights may be exercised (electronic means, reference to the Data Protection Delegate if any, postal address, etc.) and taking into account the following:
– Upon presentation of their national identity card or passport, the holders of personal data (data subjects) may exercise their rights of access, rectification, erasure, objection, portability and limitation of processing. The exercise of these rights is free of charge.
– The controller must respond to data subjects without undue delay and in a concise, transparent, intelligible manner, in clear and plain language, and keep proof of compliance with the duty to respond to requests to exercise the rights made.
– If the request is made by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise.
– Requests must be responded to within 1 month of receipt, which may be extended by a further two months taking into account the complexity or number of requests, but in this case the data subject must be informed of the extension within one month of receipt of the request, stating the reasons for the delay.
PROCESSING OF CUSTOMER DATA
Details of the data controller:
Kajari Dumra Kennedy (Playa Honda Seafront Apartment)
C/ Cala Reona 11, parcela 217, Calaflores, Cabo de Palos 30370 Cartagena Murcia
E-mail: email@example.com “At Kajari Dumra Kennedy (Playa Honda Seafront Apartment) we process the information you provide us with in order to provide you with the service requested and carry out the invoicing.
The data provided will be kept for as long as the commercial relationship is maintained or for the time necessary to comply with legal obligations and to meet any possible liabilities that may arise from the fulfilment of the purpose for which the data was collected.
The data will not be passed on to third parties except in cases where there is a legal obligation.
You have the right to obtain information about whether Kajari Dumra Kennedy (Playa Honda Seafront Apartment) is processing your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its processing before Kajari Dumra Kennedy (Playa Honda Seafront Apartment), C/ Cala Reona 11, parcela 217, Calaflores, Cabo de Palos 30370 Cartagena Murcia or at the email address electrónicoinfo@playahondaapartment.com, attaching a copy of your ID card or equivalent document.
Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may lodge a complaint with the national supervisory authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.
Your data protection rights:
In the right of access, data subjects shall be provided with a copy of the personal data held together with the purpose for which they have been collected, the identity of the recipients of the data, the expected retention periods or the criteria used to determine this, the existence of the right to request the rectification or erasure of personal data as well as the limitation or opposition to their processing, the right to lodge a complaint with the Spanish Data Protection Agency and if the data have not been obtained from the data subject, any available information on their origin. The right to obtain a copy of the data may not adversely affect the rights and freedoms of other data subjects.
In the right of rectification, the data subject’s data that are inaccurate or incomplete will be modified in accordance with the purposes of the processing. The data subject must indicate in the request to which data refers and the correction to be made, providing, where necessary, the documentation justifying the inaccuracy or incompleteness of the data being processed. If the data have been communicated by the data controller to other data controllers, the data controller shall notify them of their rectification unless this is impossible or would require a disproportionate effort, providing the data subject with information about those recipients, if so requested.
In the right of deletion, data subjects’ data will be deleted when they express their refusal to the processing and there is no legal basis preventing it, they are not necessary in relation to the purposes for which they were collected, they withdraw the consent given and there is no other legal basis legitimising the processing or the processing is unlawful. If the erasure results from the exercise of the data subject’s right to object to the processing of his or her data for marketing purposes, the data subject’s identification data may be retained in order to prevent future processing. If the data have been disclosed by the data controller to other data controllers, the data controller shall notify them of the erasure of the data unless this is impossible or would require a disproportionate effort, providing the data subject with information about these recipients upon request.
Under the right to object, where data subjects object to the processing of their personal data by the controller, the controller shall cease processing their personal data provided that there is no legal obligation to do so. Where the processing is based on a public interest mission or on the legitimate interest of the controller, upon a request to exercise the right to object, the controller shall cease processing the data unless compelling grounds override the interests, rights and freedoms of the data subject or are necessary for the establishment, exercise or defence of claims. If the data subject objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
Under the right of portability, if the processing is carried out by automated means and is based on consent or is carried out within the framework of a contract, data subjects may request to receive a copy of their personal data in a structured, commonly used and machine-readable format. They also have the right to request that it be transferred directly to a new controller, whose identity must be communicated, where technically possible.
Under the right of limitation of processing, data subjects may request the suspension of processing of their data in order to contest their accuracy while the controller carries out the necessary checks or in the case of processing carried out on the basis of the legitimate interest of the controller or in the performance of a task carried out in the public interest, while it is verified whether these grounds override the interests, rights and freedoms of the data subject. The data subject may also request the retention of the data if he or she considers that the processing is unlawful and, instead of erasure, requests the restriction of the processing, or if the data subject no longer needs the data for the purposes for which they were collected but the data subject needs them for the formulation, exercise or defence of claims. The fact that the processing of the data subject’s data is restricted must be clearly stated in the controller’s systems. If the data have been disclosed by the data controller to other data controllers, the data controller shall notify them of the restriction of the processing of the data unless this is impossible or would require a disproportionate effort, providing the data subject with information about those recipients, if requested.
If the data subject’s request is not acted upon, the data controller shall inform the data subject, without delay and no later than one month after receipt of the request, of the reasons for its failure to act and of the possibility of lodging a complaint with the Spanish Data Protection Agency and of taking legal action.