Privacy Policy

This policy applies to the processing of personal data voluntarily provided by clients and users of the Palacio de Tavira website: www.palaciodetavira.com. Its purpose is to inform how the data controller acts in accordance with the provisions of the applicable legislation on privacy and data protection, namely Regulation (EU) of the European Parliament and of the Council of 27 April 2016 (“GDPR”).

1. Rights of Data Subjects

Right to Information
When data is collected directly from the data subject, they have the right to be informed of the following:

• The identity and contact details of the data controller and, where applicable, their representative;
• The contact details of the Data Protection Officer, if applicable;
• The purposes of the processing of personal data as well as, where applicable, the legal basis for the processing;
• If the data was not collected directly by Palacio de Tavira, the categories of data concerned, their source and, where applicable, whether they originate from publicly accessible sources;
• Where applicable, the recipients or categories of recipients of the personal data, including recipients established in third countries or belonging to international organisations;
• If the processing is based on the legitimate interests pursued by Palacio de Tavira or a third party, an indication of those interests;
• Where applicable, the possible transfer of data to a third country or international organisation, and whether there is a Commission adequacy decision or appropriate safeguards;
• The period for which the personal data will be stored;
• The right to request from Palacio de Tavira access to and rectification or erasure of personal data, or restriction of processing, as well as the right to object to such processing;
• If processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
• The right to lodge a complaint with the CNPD (Comissão Nacional de Proteção de Dados) or any other competent supervisory authority;
• Whether the provision of personal data is a legal or contractual requirement, or a requirement necessary to enter into a contract, and the possible consequences of failure to provide such data;
• Where applicable, the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and expected consequences for the data subject;
• If Palacio de Tavira intends to further process personal data for purposes other than those for which the data was originally collected, the data subject will be informed of this new purpose prior to further processing.

Right of Access
Palacio de Tavira ensures that data subjects have the means to access their personal data.
The data subject has the right to obtain confirmation from Palacio de Tavira as to whether or not their personal data is being processed, and, where that is the case, to access the data.
Upon request, Palacio de Tavira will provide a copy of the personal data undergoing processing free of charge.

Right to Rectification
The data subject has the right to request at any time the rectification of inaccurate personal data and to have incomplete personal data completed, including by means of providing a supplementary statement.
Where data has been rectified, Palacio de Tavira will notify each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

Right to Erasure ("Right to be Forgotten")
The data subject has the right to request the erasure of personal data where one of the following applies:

• The personal data is no longer necessary for the purposes for which it was collected or processed;
• The data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
• The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
• The personal data has been unlawfully processed;
• The personal data must be erased to comply with a legal obligation to which Palacio de Tavira is subject.

Palacio de Tavira is not obliged to erase data where processing is necessary to:

• Comply with a legal obligation;
• Establish, exercise, or defend legal claims.

Where data has been erased, Palacio de Tavira will inform each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

Right to Restriction of Processing
The data subject has the right to obtain restriction of processing, meaning the marking of stored personal data to limit its processing in the future, in the following cases:

• The accuracy of the personal data is contested, for a period enabling Palacio de Tavira to verify the accuracy of the data;
• The processing is unlawful and the data subject opposes the erasure of the data and requests restriction of its use instead;
• Palacio de Tavira no longer needs the personal data for the purposes of processing, but it is required by the data subject for the establishment, exercise, or defence of legal claims;
• The data subject has objected to processing, pending verification whether the legitimate grounds of Palacio de Tavira override those of the data subject.

Where processing is restricted, personal data shall only be processed, except for storage, with the data subject’s consent, for the establishment, exercise, or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest provided by law.
The data subject will be informed by Palacio de Tavira before any restriction is lifted.

Right to Data Portability
The data subject has the right to receive the personal data concerning them, which they have provided to Palacio de Tavira, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller, where the processing is based on consent or on a contract and the processing is carried out by automated means.
This right does not apply to data generated by Palacio de Tavira as a result of analysis of data submitted for processing.
The data subject also has the right to request that personal data be transmitted directly from one controller to another, where technically feasible.

Right to Object
The data subject has the right, at any time and on grounds relating to their particular situation, to object to the processing of personal data where the processing is based on the legitimate interests pursued by Palacio de Tavira, or where personal data is processed for purposes other than those for which it was originally collected.
Palacio de Tavira shall cease processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims.
Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to such processing. If this right is exercised, Palacio de Tavira will immediately cease processing for direct marketing purposes.

Right Not to be Subject to Automated Decision-Making
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the decision:

• Is necessary for entering into, or performance of, a contract between the data subject and Palacio de Tavira;
• Is authorised by applicable law;
• Is based on the data subject’s explicit consent.

Right to Lodge a Complaint
The data subject has the right to lodge a complaint with a supervisory authority. In Portugal, the competent authority is the Comissão Nacional de Proteção de Dados (CNPD), located at Av. D. Carlos I, 134 – 1.º 1200-651 Lisbon, telephone: (+351) 213928400, e-mail: geral@cnpd.pt.

2. Exercising the Rights of Data Subjects
Data subjects may exercise their rights of access, rectification, erasure, portability, restriction or objection to the processing of their personal data in accordance with applicable law by sending an email to: info@palaciodetavira.com.
For further information, the data controller may also be contacted via this email.
Palacio de Tavira will respond to the request within one month of receipt, except in cases of particular complexity where this period may be extended by two months.
If requests from the data subject are manifestly unfounded or excessive, in particular because of their repetitive character, Palacio de Tavira reserves the right to charge a reasonable administrative fee or to refuse to act on the request.

3. Data Collection
Personal data may be requested and collected when a client or user registers or browses the Palacio de Tavira website, requests contact, provides or requests information through the aforementioned site or by email, makes a reservation or during their stay at the hotel.
The personal data collected generally includes: name, date of birth, telephone number, email address, postal address, tax identification number, or payment method information. Other data may also be requested if deemed necessary for the provision or management of the services offered by Palacio de Tavira (“Personal Data”).
In order to improve the quality of visits and website use, analyse user browsing habits, establish profiles and send tailored commercial and marketing information, Palacio de Tavira may also collect information on the pages visited, type of browser used, access times, and links through which the user accessed the site (“Usage Information”).
All Personal Data and Usage Information are hereinafter collectively referred to as “Data”.
Palacio de Tavira may collect Data in person, by telephone, by email, through its website, or indirectly via partners or official bodies.

4. General Principles Applicable to Data Processing
Palacio de Tavira undertakes to ensure that data:

• Is processed in accordance with applicable legislation;
• Is collected for specified, explicit and legitimate purposes and is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
• Is accurate and, where necessary, kept up to date; appropriate measures are taken to ensure that inaccurate or outdated data is erased or rectified;
• Is kept only for the period necessary to fulfil the purposes for which it is processed;
• Is processed securely, through appropriate technical and organisational measures.

The processing of data by Palacio de Tavira is authorised and legitimised in the following cases:

• The data subject has given their free, explicit and unambiguous consent for one or more specific purposes;
• Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
• Processing is necessary for compliance with a legal obligation, or for the establishment, exercise, or defence of legitimate interests of Palacio de Tavira or third parties, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data.

Where processing is based on the data subject’s consent, the data subject may withdraw their consent at any time. Such withdrawal does not affect the lawfulness of processing based on consent prior to its withdrawal.

The retention period of data varies according to the purpose of the processing. In any case, data is retained only for as long as strictly necessary to achieve these purposes, unless a legal obligation requires longer retention, after which the data will be permanently deleted.

5. Purposes of Data Processing
Palacio de Tavira uses data of data subjects for the following purposes:

• Provision of hotel and related services (restaurant, bar, spa, gift vouchers, etc.);
• Management of relations and requests for quotes;
• Invoicing and debt collection;
• Providing information on the products and services of the website and/or hotel, special offers, campaigns, news and activities of Palacio de Tavira, for communication and marketing purposes by any means of communication;
• Participation in Palacio de Tavira’s social media platforms;
• Improving the website to meet customer and user expectations: development of tailored content, optimisation of functionalities, and statistical analysis of user profiles;
• Subscription and management of travel insurance policies offered to clients during their stay;
• Sending satisfaction surveys;
• Recording telephone calls made in relation to enquiries or the provision of information concerning reservations, gift vouchers, or other products and services, including their commercial terms and conditions, whether during the formation or management of a contract.

‍

6. Data Sharing
Except in the cases mentioned below, data collected by Palacio de Tavira will not be shared with third parties without the data subject’s consent.

a) Contractual Relationship with Palacio de Tavira
Palacio de Tavira may transfer or disclose data to other entities if such transfer is necessary for the performance of the contractual relationship established between the data subject and Palacio de Tavira, for pre-contractual measures requested by the data subject, for compliance with a legal obligation to which Palacio de Tavira is subject, or to satisfy legitimate interests.
In the event of data being transferred to third parties, Palacio de Tavira undertakes to use all reasonable efforts to ensure that the recipient processes the data in accordance with this Privacy Policy.
If the data subject makes a reservation for a stay with Palacio de Tavira, their personal data will also be transmitted and processed for the purposes of subscribing to and managing the travel insurance offered to all clients during their stay. In this context, the controller will transmit the following data to the insurer: name, place of birth, nationality, date of birth, identification document number, residential address, as well as check-in and check-out dates.

b) Data Processors
In the context of data processing, Palacio de Tavira may use third parties, processors acting on its behalf and under its instructions, in accordance with applicable legislation and this Privacy Policy. These entities are not authorised to pass the data on to other third parties.
Palacio de Tavira undertakes to subcontract only to entities providing the highest guarantees in terms of security and implementation of appropriate technical and organisational measures.

Categories of data processors who may process the data of clients and users of the Palacio de Tavira website.

c) Third Parties
Palacio de Tavira may also disclose data to other third parties who are not considered processors within the meaning of Article 4, No. 8 of the GDPR. These entities will be bound by confidentiality obligations and will ensure that the data is processed in compliance with the provisions of the GDPR.

Categories of third parties who may receive data from clients and users of the Palacio de Tavira website.

7. Implemented Measures
To ensure the highest possible security and confidentiality of data, Palacio de Tavira processes the information provided in strict confidence, in accordance with its internal security and confidentiality policies and procedures, which are regularly updated as required and in line with applicable legal obligations.
Depending on the nature, scope, context and purposes of data processing, as well as the risks to the rights and freedoms of data subjects, Palacio de Tavira undertakes to implement the necessary and appropriate measures to protect the data, comply with legal requirements, and ensure that only data strictly necessary for each specific purpose is processed and not made accessible to an indeterminate number of individuals, processors, or third parties.

8. Data Controller
The entity responsible for the processing of data collected by Palacio de Tavira is UPI Lisbon 12, S.A. with NIPC 515279463, located at Rua Garrett, no. 19, 3rd floor, District: Lisbon, Municipality: Lisbon, Parish: Santa Maria Maior, 1200-203 Lisbon. It acts as data controller and guarantees the confidentiality and protection of personal data in accordance with the applicable personal data protection legislation.

9. Use of Cookies and Similar Technologies
The Palacio de Tavira website uses functional and analytical cookies to collect information about its users to improve navigation and to monitor the use and effectiveness of the website itself. Their activation is subject to the express consent of the data subjects.
Some cookies allow interconnection and data transfer with social media platforms, redirecting users to those pages. Social media operators use their own cookies and may use tools to collect and receive information from the website and subsequently use this information. Palacio de Tavira has no control or influence over these operators or their privacy and security policies. Users are therefore advised to consult these providers directly.
The Palacio de Tavira website also offers content hosted on external websites. The entities responsible for this content may also use cookies. Interaction with this content may result in the installation of “third-party cookies” on the user’s device. As Palacio de Tavira has no control over the use of these cookies, users are recommended to check the applicable terms of use.

10. Third-Party Tools Integrated into the Palacio de Tavira Website
Facebook and Instagram:
The website integrates interactive features with Facebook and Instagram by connecting to the servers of these social networks. This may allow identification of the website visited by the user and storage of other data, such as the IP address.
If the user is logged in to Facebook and/or Instagram, the data will be associated with their account. To avoid this, the user should log out of Facebook and Instagram before visiting the site.
Information on how these networks process data is available at:
https://www.facebook.com/about/privacy/
https://help.instagram.com/519522125107875

Twitter:
The website offers interactivity with Twitter via a specific button, which establishes a connection to Twitter’s servers. These servers may identify the website visited by the user and potentially store other data such as the IP address.
More information about data processing by Twitter is available at:
https://twitter.com/privacy

YouTube:
The website also integrates interactive YouTube content, which allows, via a connection to YouTube’s servers, identification of the website visited and collection of other data, such as the IP address.
If the user is logged in to YouTube, the data will be associated with their account. To avoid this, it is advisable to log out of YouTube before visiting the site.
Information on YouTube’s data processing is available at:
https://www.youtube.com/intl/pt-BR/yt/about/policies/#community-guidelines

11. Personal Data Breach
In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of data subjects, Palacio de Tavira undertakes to notify such a breach.

Personal Data Breach: Cases Where Notification Is Not Required
Notification of a personal data breach to the data subjects is not required in the following cases:

• If Palacio de Tavira has implemented appropriate technical and organisational protection measures with respect to the personal data affected by the breach;
• If Palacio de Tavira has taken measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
• If notifying the user would involve disproportionate effort for Palacio de Tavira.

12. Changes to the Privacy Policy
Palacio de Tavira reserves the right to amend this Privacy Policy at any time.

13. Disclaimer
Palacio de Tavira and the data controller cannot be held responsible for any loss or damage of any kind arising from the correct or incorrect use of the services, websites, or content by the user, including any unauthorised access to the user’s computer system or data by third parties.
The websites may contain links to websites operated by third parties over which Palacio de Tavira and the data controller have no control and for which they accept no responsibility.
Consultation of the legal provisions on this site does not exempt users from consulting the official legal texts published in the original versions and on official platforms (notably the Diário da República or the Official Journal of the European Union).

14. Governing Law and Jurisdiction
This Privacy Policy is governed by Portuguese law.
The competent court for resolving any disputes relating to this Policy shall be the Court of the District of Faro, which Palacio de Tavira and its clients or users expressly acknowledge as the sole competent court, to the exclusion of any other jurisdiction.