This is the data protection policy of the group of companies comprising:
- Balade SL, Avda. de Arenales de Mar, 3, Pals (CP 17256), VAT no. B58981523
- Golf Platja de Pals SA, Calle del Golf, 64, Pals (17256) VAT no. A17012170
- Serres de Pals SL, Mas Gelabert, s/n. Pals (CP 17256) VAT no. B16709899
For the purposes of this document, this group of companies is identified under the name Golf de Pals. This refers to any data accessed in the course of its tourist, sports and leisure activities in compliance with the General Data Protection Regulation (Regulation (EU) No 2016/679 of the European Parliament and of the Council dated 27 April 2016) and Organic Law 3/2018, dated 5 December, on the Protection of Personal Data and guarantee of digital rights.
Who is responsible for the processing of your personal data?
The data controller of the personal data is the group company with whom the customer or the supplier is in contact with each case. Each company responds to its customers and suppliers for compliance with data protection regulations and guarantees their rights.
What is the purpose of our processing of the data?
We process personal data for the following purposes.
To deal with any queries from people who contact us through the contact forms on our website. We use them solely for this purpose.
Assisting people ringing us by phone. In order to provide the best service, conversations may be recorded, notifying anyone who rings us of the same in advance.
Receipt of CVs sent to us by people interested in working with us and the management of personal data that are generated by participating in the personnel selection processes, in order to analyse the suitability of each candidate’s profile based on existing or newly created vacancies. Our criterion also involves retaining the data of people who are not hired for a maximum period of one year in the event that a new vacancy or new job position arises in the short term. However, we immediately delete the data if requested by the data subject in the latter case.
Registering new customers and additional data that may be generated as a result of the business relationship with customers. Essential details are requested during the contracting process, including bank details (current account or credit card number), which will be sent to the banking institution managing the charge (they can only use them for this purpose). The relationship involving the provision of tourist services entails other processing, such as incorporating the data to accounting, invoicing or information to the tax authorities. The data of any of our customers who participate in golf tournaments or appear in rankings will be communicated to golf federations, the promoters of the event and other players from the tournaments that they are participating in and eventually to the media.
Services to School students
Enrolment onto School courses, with the registration of the students and, where appropriate, their parents or legal representatives. The data is used to organise the School’s activities, monitor the students and certify the classes taught. Essential details are requested during enrolment, including bank details (current account number) which will be sent to the banking institution managing the charge.
Information about our services.
Golf de Pals uses contact information of its customers to communicate information about this relationship for the duration of the contractual relationship held with them, information that may happen to include references of our products or services, whether of a general nature or more specifically related to the customer’s characteristics and needs.
Other information about the services.
Once the contractual relationship ends, the contact details are stored to send out adverts related to our services or products, general or specific information, based on each customer’s characteristics, subject to the explicit authorisation of the customer. This information is delivered to whoever requests it from us or who agrees to the same by filing in our forms, even if not a customer.
Advertising of services of companies from our group.
The contact details are used to send out general advertising as well as advertising that is adapted to the characteristics of each person, of the services of our group companies, always subject to the explicit prior authorisation of the people mentioned above. Contact details can also be sent to these companies to allow them to directly send advertising about their services subject to the explicit consent of the data subject.
Management of data from our suppliers.
We register and process data from the suppliers who we obtain services or goods from. These can be data of people who are self-employed as well as details of representatives of legal persons. We obtain the data necessary to maintain the business relationship, which is intended solely for this purpose and use it solely for this kind of relationship.
The approved signs warn about the existence of video surveillance when entering our facilities, where applicable. The cameras record images only of the points where justified to ensure the safety of both goods and people and the images are used solely for this purpose.
Users of our website.
Other data collection channels.
We also obtain data through face-to-face relationships and other channels such as the receipt of e-mails or through our profiles on social networks. In all cases, the data is intended solely for the purposes stated that justify the collection and processing of the same.
What is the legal basis for the processing of the data?
The processing of data that we perform has different legal bases, depending on the nature of each processing operation.
In compliance with a pre-contractual relationship. Cases involving potential customers or suppliers with whom we have a relationship prior to the formalisation of a contractual relationship, such as the development or the study of budgets. Also cases involving the processing of data from people who have provided us with their CV or who participate in selection processes.
In compliance with a contractual relationship. Cases involving relationships with our subscribers, customers and suppliers and all actions and uses involved in these relationships.
In compliance with legal obligations. Communication of data to the tax authorities are established by business relation regulatory standards. Data may have to be reported to judicial bodies or security forces, also in compliance with legal standards that oblige them to cooperate with these public bodies.
Based on consent. Whenever we send information about our products or services, we process the contact details of the recipients with their explicit authorisation or consent. The browsing data that we may obtain through cookies is obtained with the consent of the person visiting our website, which can be revoked at any time by uninstalling these cookies.
For a legitimate interest. The images we obtain through video surveillance cameras are processed for the legitimate interest of our company to preserve their property and facilities. Our legitimate interest also justifies the processing of data obtained from contact forms.
Who is the data sent to?
As a general rule, the data is only sent to the public administrations or authorities and in compliance with legal obligations at all times. The identification details of people staying at our establishments are sent to the Directorate General of Police (compliance with Order IRP/418/2010, dated 5 August, on the obligation to register and report people staying in the lodging establishments to the General Directorate of Police).
The data may be communicated to banking institutions when issuing invoices to customers. If consent has been provided, the data may be sent to other companies from our group for the purposes indicated above. No data is transferred outside the scope of the European Union (international transfer).
We also obtain the services of companies or people providing us their experience and specialisation for certain tasks. In some cases, these external companies must access personal data that we are responsible for. This is not a transfer of data per se, but rather processing. Only services of companies that ensure compliance with data protection legislation can be contracted. Their confidentiality obligation is to be formalised at the time of contracting the same and their actions monitored. This may involve the case of data hosting services, computer support services or legal, accounting or tax consulting.
How long do we retain the data?
We comply with legal obligation to limit the period that data is retained as much as possible. For this reason, they are retained only as long as it is necessary and justified for the purpose for which they have been obtained. In certain cases, such as data contained in the accounting and invoicing documentation, they must be retained under tax legislation until the responsibilities are no longer prescribed in this area. Any data that are processed on the basis of the consent of the data subject are preserved for as long as consent for the same is not revoked by this party. The images obtained by cameras are stored for up to one month, but
may be retained for the time necessary in order to facilitate the proceedings of the security forces or the judicial bodies in the event of any incident that justifies the same.
What rights do people have in relation to the data that we process?
As provided by General Data Protection Regulation, people whose data we process have the following rights:
To know if they are being processed. First and foremost, everyone has the right to find out if we are processing their data, regardless of whether there has been a previous relationship or not.
To be informed during collection. Whenever personal data are obtained from the data subject, they must be provided with clear information about the purposes for why they will be used, who will be responsible for the processing and any other aspects arising from this processing at the time of providing the data.
To access them. A very broad right that includes knowing precisely what personal data are being processed, what the purpose for which they are being processed is, notifications that will be send to others (if applicable) or the right to obtain a copy or to know the planned duration of retention of the same.
To request their rectification. You have the right have any inaccurate data that we are processing to be rectified.
To request their deletion. In certain circumstances, there may be a right to have data deleted, including when they are no longer necessary for the purposes for which the data were collected and the processing justified, among others.
To request restricted processing. In certain circumstances, the right to request restricting processing of data is also recognised. In this case, they will no longer be processed and shall be retained solely to exercise or defend claims, in accordance with General Data Protection Regulation.
Portability. The cases referred to in legislation recognise the right to obtain personal data in a machine-readable common use structured format and transfer them to another controller if so requested by the data subject.
To object to the processing. Anyone can argue the reason related to their particular situation, which would result in the termination of processing of their data to the degree or extent that could harm them, except for any legitimate reasons or the exercise or defence against claims.
Not to receive any commercial information. We will immediately deal with any requests not to continue sending commercial information to anyone who had previously authorised us to do so.
How can I exercise or defend my rights?
The rights that we have detailed above can be exercised by sending a written request to Balade SL, av. Arenals de Mar, 3, Pals (PC 17256), or else sending an email to email@example.com, stating “Data Protection” in all cases.
If a satisfactory response has not been obtained in the exercise of the rights, a complaint can be filed with the Spanish Data Protection Agency, by filling out the forms, or other accessible channels on its website. www.agpd.es.