Galapagos Suites Hotel Ecuador

INTERNAL POLICY ON PERSONAL DATA PROCESSING FOR GUESTS, CLIENTS, AND USERS OF HOTEL GALÁPAGOS SUITES

FIRST: GENERAL PROVISIONS

We are committed to protecting and respecting your personal information and data. Therefore, we have designed these data processing policies in accordance with the law.

1.1 Introduction

Hotel Galápagos Suites is responsible for the processing of information and may collect personal data from its users, guests, or visitors through various means designated for accessing the services provided by the hotel. In all cases, data collection will be done with the express authorization of the data owner, and the processing of this data will be subject to the provisions of the law.

The personal information subject to the considerations established herein may be collected directly from the information provided and contained in the hotel registration card, through the website www.galapagossuites.com, during a visit or acquisition of services offered on the platform.

The data owner is deemed to have accepted the considerations established herein upon signing the hotel registration card regarding the information contained therein, upon visiting or using the website www.galapagossuites.com, and/or when entering data or personal information through the functions established for this purpose, regardless of the intended use.

1.2 General Principles

The collection and processing of personal data, as well as its use, handling, processing, exchange, transfer, and transmission, will always be guided by the principles of legality, freedom, truthfulness, transparency, security, confidentiality, and the principle of restricted access and circulation.

1.3 Legal Definitions

In accordance with the law, the following definitions will govern the policies for processing personal information:

1.3.1 Authorization: Prior, express, and informed consent of the data owner to carry out the processing of personal data.

1.3.2 Database: An organized set of personal data subject to processing.

1.3.3 Personal Data: Any information linked or that can be associated with one or more determined or determinable natural persons.

1.3.4 Data Processor: The natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the data controller.

1.3.5 Data Controller: The natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of data.

1.3.6 Sensitive Data: Data that affects the data owner’s privacy or whose misuse can lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations, or that promotes the interests of any political party or guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.

1.3.7 Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data related to a person’s marital status, profession or trade, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, official gazettes, and duly enforced court decisions that are not subject to confidentiality.

1.3.8 Data Owner: The natural person whose personal data is subject to processing.

1.3.9 Transfer: The data transfer occurs when the data controller and/or processor, located in Ecuador, sends the information or personal data to a recipient, who in turn is a data controller and is inside or outside the country.

1.3.10 Transmission: The processing of personal data that involves its communication within or outside the territory of the Republic of Ecuador for the purpose of processing by the processor on behalf of the data controller.

1.3.11 Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

SECOND: AUTHORIZATION OF THE DATA OWNER

The data provided will be subject to authorized processing, granted in a prior, express, and informed manner by the data owner. By providing your data upon entering the hotel to fill out the hotel registration card, you are authorizing the processing under the terms and conditions established in this policy.

Visiting, entering, or using the website www.galapagossuites.com constitutes prior, express, and informed authorization for the storage, collection, and processing of information in accordance with the data processing policy contained herein.

In any case, data collection will be limited to the personal data that is relevant and adequate for the intended purpose.

 

THIRD: DATA PROCESSING

3.1 Data Collected

The data collection for the purpose of processing and the purposes pursued will focus on the personal data received and stored during the completion of the hotel registration card, from the information provided by our guests, clients, visitors, and will include all information provided or supplied during visits to the website www.galapagossuites.com, as well as all data related to services or reservations made, and accommodation and lodging data provided physically or virtually.

Notwithstanding that some data may be public, the information collected and processed will include the name, identification number (citizenship card, passport, or any other valid document), profession, nationality, date of birth, email address, personal preferences and interests, work or activity, consumption or travel habits. If a reservation is made through the website www.galapagossuites.com, the credit card information provided for the reservation and stay will be collected.

3.2 Processing and Purpose of Data

The data and information obtained will be used in the normal course of business activities solely for the purposes established in these data processing policies, to enable direct and effective communication with the guest, client, or user, to establish a closer relationship and consolidate a commercial relationship.

The processing includes sending digital information through various communication channels to contact the data owner for service surveys after each stay to rate the service provided and to communicate invitations, offers, promotions, service portfolios, or information about the hotel, without at any time providing, transferring, or delivering their data to individuals other than those responsible or in charge of data processing. Additionally, data collection aims to: carry out, process, handle, and/or complete reservations or purchases of hotel nights or other services; conduct internal studies on tourism habits; evaluate the quality of our services; send surveys and questionnaires regarding the services provided; timely address your requests, petitions, or needs; communicate invitations, offers, promotions, and general information about the service portfolio offered by individuals or legal entities directly linked to hotel operations and specifically to the services provided.

Authorization for the use of the information or data provided that is collected, gathered, or stored in accordance with these policies expressly includes authorization for the data and information to be shared, processed, transmitted, transferred, updated, and/or deleted for the purposes defined in these policies, to be used as established.

By entering the website www.galapagossuites.com, you authorize your information and data to be shared with the tourism service providers to whom it refers and with whom your reservations and/or requests are processed.

It is assumed that all information or data provided or deposited in the hotel registration card or through the website www.galapagossuites.com is true, accurate, and complete and may be withdrawn at any time if considered harmful or detrimental to your interests or the interests of a third party.

The data and general information received when accessing the website www.galapagossuites.com may be both yours and from the device from which you are accessing. To optimize and make your experience more efficient when visiting the website www.galapagossuites.com, cookies and/or web beacons may be used, as well as obtaining and storing information about the internet pages visited, your IP address, the operating system of the device from which you are accessing, through a process of recognition and tracking that allows identifying your preferences and identifying you when you visit the page again and storing certain records based on your IP address. The IP address is not associated or linked to your name or personal data.

3.3 Sensitive Data and Data Corresponding to Children and Adolescents

Under no circumstances will sensitive data be processed, nor is data collection aimed at collecting sensitive information.

The collection of data corresponding to children and adolescents under age, and the respective authorization, must always be done through their legal representative, after the minor exercises their right to be heard. The processing of data corresponding to children and adolescents must respond to and respect the best interests of children and adolescents and their fundamental rights.

In the event that any question may lead to an answer involving sensitive data or data of children and adolescents, the answer to such a question will be optional.

3.4 Duties of the Data Controller

The data controllers, and/or those responsible for and in charge of processing personal data, are obligated to:

  1. a) Guarantee the data owner, at all times, the full and effective exercise of the right of habeas data.
  2. b) Request and retain, under the conditions provided by law, a copy of the respective authorization granted by the data owner.
  3. c) Properly inform the data owner about the purpose of the collection and the rights that assist them by virtue of the authorization granted.
  4. d) Retain the information under the necessary security conditions to prevent its adulteration, loss, unauthorized or fraudulent consultation, use, or access.
  5. e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable.
  6. f) Update the information, timely communicating to the Data Processor all updates regarding the data previously provided and adopting the necessary measures to keep the information supplied to them updated.
  7. g) Rectify the information when it is incorrect and communicate the relevant changes to the Data Processor.
  8. h) Provide the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of the present law.
  9. i) Require the Data Processor at all times to respect the conditions of security and privacy of the data owner’s information.
  10. j) Process the queries and claims made in the terms indicated by law.
  11. k) Inform the Data Processor when certain information is under discussion by the data owner, once the claim has been submitted and the respective process has not yet concluded.
  12. l) Inform, upon the data owner’s request, about the use of their data.
  13. m) Notify the data protection authority when security code violations occur, and there are risks in the administration of the data owners’ information.
  14. n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

FOURTH: RIGHTS AND POWERS OF THE DATA OWNER

4.1 Rights of the Data Owner

Once the Data Owner has granted authorization for the corresponding processing, they have the right to:

  1. a) Know, update, and rectify their personal data. This right can be exercised against partial, inaccurate, incomplete, fractional data that induces error, or data whose processing is expressly prohibited or has not been authorized.
  2. b) Request proof of the authorization granted, except when expressly exempted as a requirement for processing, in accordance with the law.
  3. c) Be informed by the data controller and/or processor, upon request, of the use given to their personal data.
  4. d) Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of the law.
  5. e) Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the processing involved conduct contrary to this law and the Constitution.
  6. f) Request at any time from the data controller or processor, the deletion of their personal data and/or revoke the authorization granted for its processing, by submitting a claim. This will not proceed when the Data Owner has a legal or contractual duty to remain in the database.
  7. g) Access their personal data that has been processed free of charge: (i) at least once every calendar month, and (ii) whenever there are substantial modifications to the information processing policies that motivate new consultations. In the case of requests with a frequency greater than one per calendar month, the data controller and/or processor may charge the Data Owner the costs of shipping, reproduction, and, where appropriate, certification of documents.

4.2 Legitimacy to Exercise the Rights of the Data Owner

The following persons are also entitled to exercise the rights of the Data Owner:

  1. a) The Data Owner, who must sufficiently prove their identity by the means made available by the data controller.
  2. b) Their successors, who must prove such status.
  3. c) The Data Owner’s representative and/or attorney, upon proof of representation or power of attorney.
  4. d) By stipulation in favor of another or for another.
  5. e) The rights of children or adolescents will be exercised by persons authorized to represent them, upon proof of representation.

4.3 Procedure to Exercise the Rights to Know, Update, Rectify or Delete Information and Revoke Authorization

Procedures for accessing, updating, deleting, and rectifying personal data, and for revoking authorization, can be carried out through consultations or claims, directed to the email info@galapagossuites.com or to the address Cucuve 312 and Floreana, Puerto Ayora 200102 Galápagos-Ecuador, depending on the purpose sought. As a minimum, the legitimacy to make the request must be established and clearly and concretely stated.

All requests, suggestions, and recommendations related to the processing of information should be sent to the email info@galapagossuites.com, and a response will be provided no later than ten (10) business days following receipt.

The Data Owner or the authorized person must accompany their request with proof of their status and must provide the necessary data and documents to account for their identity and status.

The email must specify the reason or purpose of the communication, and for this, it will be sufficient to indicate in the text that the right to know, update, rectify, delete, or revoke the granted authorization is being exercised.

4.4 Procedure for the Correction, Update, or Deletion of Data and for Filing Complaints and Claims

Anyone authorized by law, who considers that the information contained should be corrected, updated, or deleted; or when they consider that the processing given to the personal data violates legal norms, may submit a complaint in accordance with the law.

Complaints and claims will be processed under the following rules:

4.4.1 The claim will be made through a request addressed to the Data Controller or Data Processor, identifying the Data Owner, describing the facts that give rise to the claim, and providing the address, along with the documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) business days of receiving the claim to remedy the deficiencies. If two (2) months elapse from the date of the request without the applicant providing the required information, it will be understood that the claim has been withdrawn.

If the person receiving the claim is not competent to resolve it, it will be forwarded to the appropriate person within a maximum term of two (2) business days, and the situation will be informed to the interested party.

4.4.2 Once the complete claim is received, a legend stating “claim in process” and the reason for it will be included in the database within no more than two (2) business days. This legend must be maintained until the claim is resolved.

4.4.3 The maximum term to address the claim will be fifteen (15) business days from the day following its receipt. When it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. 

4.5 Consultation and Access to Information 

Personal data consultations will be addressed through a written request via email to info@galapagossuites.com.

Consultations will be addressed within a maximum term of ten (10) business days from the date of receipt. When it is not possible to address the consultation within this term, the interested party will be informed before the expiration of ten (10) business days, stating the reasons for the delay and indicating the date on which the consultation will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.

 FIFTH: SECURITY

5.1 Security in Handling Information

The collected data will always be treated within a framework of confidentiality, so it will not be provided, transferred, or delivered to persons other than those responsible for or in charge of the processing.

5.2 Transfer and Transmission of Data

In the event a contract is signed with a third person professional and experienced in managing and using databases, the data controller will sign a data transmission contract as referred to by law.

SIXTH: DISSEMINATION AND VALIDITY

6.1 Means of Dissemination of Information Processing Policies and Privacy Notice

This document, which establishes the policies for processing personal data, will be permanently published at www.galapagossuites.com for consultation by interested parties.

When requesting the Data Owner’s express authorization for data processing, the specific purposes for which consent is obtained will be indicated, and the Data Owner will be informed of the Information Processing Policy and their rights.

6.2 Effective Date of Information Processing Policies

The collection, storage, use, and circulation of personal data, in the development of the considerations established herein, will be carried out and maintained as long as the established needs and purposes proposed by the Processing are valid. If the purpose cannot be achieved through the processing given to personal data, it will be permanently deleted from the database.

This document takes effect from May 2024.

6.3 Procedure for Modifying Policies

In the event that modifications to the personal data processing policies contained herein are made, they will be notified and communicated through this same web page before the modifications take effect.

6.4 Incorporation of the Terms of Use of the Website www.galapagossuites.com

In accordance with applicable regulations, the information processing policy is an integral part of the terms and conditions of use of the website www.galapagossuites.com.

6.5 Information Responsible

Hotel Galápagos Suites is responsible for and in charge of processing personal data. The societies will be responsible for the information and personal data collected. When the information has been received or collected by any of the noted societies, with express authorization for transfer, Hotel Galápagos Suites will be responsible.