DATA IDENTIFYING THE DATA CONTROLLER

Data controller: Marta María Santalla Castro
NIF: 76412388V
Address: A Garita S/N, 15565, As Somozas, A Coruña
Telephone: 677837656
E-mail: info@casaruralsanandres.com
Activity: rural accommodation

INFORMATION TO USERS OF THE WEBSITE AND CONSENT
In accordance with the European Data Protection Regulation (EU) 2016/679 and with Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, by accepting this privacy policy the user expresses their express, free, informed and unequivocal consent for the personal data that they may provide through the contact channels and forms provided on the website to be included in the company’s files. The data controller informs the interested parties that, as established by the applicable regulations in force, the corresponding technical and organisational security measures have been applied to the personal data processing activities carried out, which have been implemented after the relevant risk analysis has been carried out.

WHAT PERSONAL DATA IS COLLECTED ON THE WEBSITE?
Through the website we collect data identifying the user in order to contact and manage queries and / or requests for information or related to the provision of services developed.
The personal data collected will be processed with the following bases of legitimacy:

• The user’s consent in relation to contact, the management of appointment requests, the sending of CVs and the sending of commercial or advertising communications, via mail, cookies or messaging systems.
• The execution of a contract or service provision agreement with Marta María Santalla Castro to enable the development and management of the services requested.

WHAT IS THE PURPOSE FOR WHICH WE PROCESS THE PERSONAL DATA COLLECTED?
The personal data collected by the data controller through the means of contact provided on the website will be processed for specific purposes in each case and in accordance with the following:

  • Contact form: there is a generic contact form for queries, suggestions, requests for information or appointments or for professional contact. In this case, e-mail will be used in order to respond to the requests received and to send the information requested by the user through the website
  • Booking form: the data collected through the checkout or booking form on the website will be used for:
    • Manage the completion of the reservations requested by the user.
    • Send confirmation or documentation of the reservation made.
    • Process and respond to possible requests for information that may be made by the user.

HOW LONG WILL WE KEEP THE PERSONAL DATA COLLECTED?

The personal data provided to the data controller will be kept at least and generally for as long as the service provision relationship is maintained and/or the data is needed for the development of the activities of the owner and the execution of the health and therapeutic services requested, or for the development of personnel selection processes, and as long as the deletion of the data is not requested, or the consent of the interested parties is not revoked.
Regarding the personal data provided by the data subjects, the specific limitation periods provided for in each case shall apply, with a generic period of 5 years for personal actions without a special period, 6 years for invoices and company accounting books and 10 years in relation to the provisions of the Law on the Prevention of Money Laundering and Terrorist Financing (art. 25). A limitation period of 5 years shall apply in respect of health data provided and in accordance with the provisions of the Patient Autonomy Act.

WHAT IS THE LEGAL BASIS THAT ALLOWS US TO PROCESS THE DATA COLLECTED?
The legal basis of legitimacy that allows us to process the personal data collected through the website is based, in relation to the sending of contact forms with requests for information or appointments, or the sending of CVs, on the express and informed consent of the interested party or their representative, collected and granted in accordance with the conditions indicated in art. 7 of the European Data Protection Regulation, according to which the interested parties have the right to withdraw this consent at any time. The data controller informs that the data requested through the web forms will be those strictly necessary to deal with the specific query or request made by the interested party.

WHAT ARE THE RIGHTS THAT CAN BE EXERCISED BY THOSE WHO PROVIDE US WITH THEIR DATA?

In accordance with the provisions of the European Data Protection Regulation (EU) 2016/679 and the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights
Data Protection (EU) 2016/679 and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, data subjects shall have the right to obtain confirmation as to whether or not personal data concerning them are being processed, as well as to exercise the rights recognised in relation to their data.
Data subjects shall have the specific right to:

• Request access to personal data concerning him or her
• Request rectification or deletion of the data
• Request cancellation of the data
• Request the restriction of data processing
• Oppose the processing of data
• Request data portability

In the case that the interested party has granted consent for a specific purpose, he/she will have the right to withdraw the consent previously granted at any time, and without this affecting the lawfulness of the processing based on the consent granted prior to its withdrawal.
If the interested parties consider that we have not processed their personal data in accordance with the aforementioned reference regulations, and if they understand that we have not satisfied their request to exercise their rights, they may, if they so wish, lodge a complaint with the Spanish Data Protection Agency as the national supervisory authority at the organisation’s address at Calle Jorge Juan, 6 – 28001 – Madrid or through the contact channels indicated on the institution’s website (www.aepd.es), including the electronic headquarters.
In order to exercise all the aforementioned rights, interested parties may contact the contact addresses indicated above to request the application form provided by the data controller for this purpose in compliance with its legal obligations, which form must be accompanied by a copy of their ID card or equivalent document accrediting their identity and that of their representative, if applicable, when it is submitted or sent.
The exercise of the rights will be free of charge, and the request may be delivered by hand, or sent by post or e-mail to the contact addresses indicated.
The data controller informs interested parties that it has established and implemented specific protocols and measures to comply with the data protection regulations of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights.

TO WHICH RECIPIENTS MAY YOUR DATA BE DISCLOSED?

The personal data provided by users will only be processed in general by the person responsible for the activity and by the company’s own staff and any authorised freelance collaborators that may be contracted.
Some of the tools used by the website to manage data have been contracted to third parties for the provision of services developed by them and which are necessary for the activity of the manager. The development or maintenance company of the website itself or the hosting company may have occasional access to the website, with which, in any case, the corresponding service provision contract has been formalised, obliging them to maintain the appropriate level of privacy.
In any case, as a general rule, the following will only be carried out transfers of data to third parties in cases of legal obligation, such as transfers made to Public Authorities and Administrations, or when this is necessary to enable the performance of the services of the controller and/or the services contracted from external suppliers, including banks, financial institutions, mutual and insurance companies, and data processors, and always in this case within the framework provided for in the data processor contract formalised between the controller and the contracted data processors. The data controller undertakes in all cases to inform interested parties of the need for extraordinary transfers of data to third parties in order to manage the provision of services, so that interested parties may express their consent to the transfer of data as a prerequisite for the transfer to take place.
In the case of international data transfers derived from the use of tools or service providers, they will be carried out under the protection of the international conventions and agreements in force at any given time, which guarantee that North American and non-EU software companies comply with European data protection policies in terms of privacy, secrecy and data security.

DATA SECRECY AND SECURITY
Marta María Santalla Castro is committed to the proper use and treatment of the personal data of users, respecting their confidentiality, and to use them in accordance with the purpose of such treatment, as well as to comply with its obligation to save the data and to adapt all the measures in place to prevent alteration, loss, treatment or unauthorized access, and in accordance with the provisions of the data protection legislation in force.
This website includes an SSL certificate, a security protocol that makes your data travel in an integral and secure way, that is, the transmission of data between a server and a user of the website, and in feedback, is fully encrypted or encrypted.
The responsible party cannot guarantee the absolute impregnability of the Internet network and therefore the violation of data through fraudulent access by third parties.
With regard to the confidentiality of data processing, Marta María Santalla Castro will ensure that any person who is authorised to process data of interested parties and/or users, including staff, collaborators and suppliers, is under a corresponding obligation of confidentiality, whether legal or contractual.
When a security incident occurs, once Marta María Santalla Castro becomes aware of it, she will notify the interested party without undue delay and will provide the appropriate information related to the security incident and in any case provided that the interested party requests it in a reasonable manner.

ACCURACY AND VERACITY OF THE DATA
The user is solely responsible for the accuracy and correctness of the personal data submitted or sent through www.casaruralsanandresdeteixido.com, exonerating Marta Maria Santalla Castro of any responsibility in this regard. Users guarantee and are responsible, in any case, for the accuracy, validity and authenticity of the personal data provided, and undertake to keep them duly updated. The
user agrees to provide complete and correct information in the contact form.

CHANGES IN THE PRIVACY POLICY
Marta María Santalla Castro reserves the right to modify this privacy policy to adapt it to new legislation or jurisprudence, as well as to the practices of the sector. In these cases the changes will be announced on the website with due notice before their implementation.

Privacy Policy updated as of 20 August 2022