Privacy and data protection policy
It is very important for us to ensure the privacy, security and protection of your personal data, both during their collection and processing.
In this sense, we have created this privacy, cookies and data protection policy to explain what information is collected by the HF Hotels when you visit/use our website or make a reservation and how this information is used.
Data ControllerThe company Expotel - Exploração e Administração Hoteleira, Lda., with headquarters in Rua de Serralves No. 124, 4150-702 Porto, who owns the following brands: HF Ipanema Park, HF Ipanema Porto, HF Fénix Porto, HF Tuela Porto, HF Tuela Porto Ala Sul, HF Fénix Urban, HF Fénix Lisboa, HF Fénix Garden, HF Fénix Music, HF Hotels and HF Hotéis Fénix.
Data Protection OfficerThe Data Protection Officer is Protect Data (Best Privacy Consulting Unipessoal Limitada), represented by Ana Fazendeiro, and can be contacted via the following e-mail address: [email protected]
corporate guideline, which contemplates the regulations of the data protection
regime applicable within the company and was designed to meet the legal
requirements on data protection. The company undertakes to comply with this
policy in the collection and processing of personal data of clients, employees,
partners and suppliers.
HF Hotels, in addition to the commitment to
continuously improve its services, control and management of risks associated
with cyber security and privacy of information, strives to have good practices,
knowledge and tools to create value and meet the needs of the citizens.
Therefore, we comply with the principles contained
in the GDPR (General Data Protection Regulation), such as the "limitation on
processing" of personal data, instituting inside our organisation a rule of "data minimisation" (minimisation of the data collected according to the
requirements for processing purposes) and effective accountability of the data
controller (principle of responsibility).
HF Hotels takes into account the privacy risks from the initial moment of creation of a given project, instead of only considering these risks subsequently - privacy by default and privacy by design.
What is personal data?
Personal data is specific information about
personal or factual characteristics related to an individual that can be
identified from this data. This includes information such as the name, address,
telephone number and date of birth.
Information that does not allow the
individual's identification or that may not be directly connected to the
individual's identity is not considered personal data.
Holders of a YOU card, guests and other HF
Hotels clients are required to provide certain personal information to ensure
that we identify them in a clear manner.
This data is requested at the time of the client's registration and may include the surname, name, postal address, email address and/or telephone number and date of birth (to ensure that the user is not a minor). The user will also be questioned about what kind of information and which communications we can send him.
Which personal data is collected and processed?
You can browse the HF Hotels website without
providing any personal data.
The data collected during the reservation
process, stay or provision of service may include:
· Name, email address, postal address, telephone number, nationality and credit card data;
· Information related to loyalty programmes;
Information relating to preferences and
requests made in previous stays.
This information may be collected directly by us, when the contact request or the reservation is made through our website, or by a third party, when the client makes the reservation through other channels of communication.
Regarding applications, the personal data
collected for further processing may include:
Name, date of birth, education, professional
experience and email address.
In any case, HF Hotels will only collect the
data necessary to reply to your requests.
Under no circumstances will the personal data
collected on this website be made available, sold, shared with or disclosed to
a third party, nor will it be used for any other purpose than the described at
the moment of its collection or in this Policy.
HF Hotels considers that the data was provided by the data subject or with his authorisation for the purpose and that the information is true and up-to-date.
How is data collected?
Personal data can be collected through the
c) Phone calls;
d) In person.
data is processed and stored electronically under the strict compliance with
personal data protection legislation, in specific data bases created for this
purpose by HF Hotels or by data processors.
On the website, some personal data is mandatory. In the case of a missing field or insufficient data, HF Hotels may not be able to provide the services or information requested by the client. Nonetheless, in each specific case, you will be informed, by HF Hotels, of which data is mandatory to provide.
For what purpose is your personal data used and what is the corresponding legal basis?
According to data
protection principles, HF Hotels can only carry out the processing of your
personal data for the determined purposes and with a legal basis. HF Hotels
uses your data for the following purposes and based on the following:
A. On the
basis of the hotel service agreement that you established with us, we process
your data for the purposes of:
a) Managing reservations and stays;
b) Invoicing and verification of payment methods;
c) Providing necessary information for your stay at the hotel;
For the compliance with legal obligations, we process
your data for the purposes of:
e) Complaint management;
with other legal or regulatory obligations.
C. On the
basis of your consent, we process your data for the purposes of:
g) Sending newsletters;
h) Sending marketing actions;
you are our client and we are interested in providing you an increasingly
better service, we process your data for:
j) Satisfaction enquiries related to your stay;
k) Evaluation enquiries for statistical and history analysis.
To undertake the purposes mentioned above, HF
Hotels can carry out the interconnection of the collected data in order to
update and complete it.
There may also be automated decisions, such as the definition of profiles, in order to design our offers in accordance with the needs of our clients and allow the clients subscribed to the YOU card to receive specific promotions and benefits.
There may be other moments in which we collect
and process personal data, namely in the context of the participation in a
contest or drawing.
The collection and processing of data in this context will be the object of specific regulation, fulfilling, even so, the general data protection regulation.
With who is your data shared?
The data collected and kept by HF Hotels can be
transmitted, respecting the duty of confidentiality and the principal of
finality that oriented its collection, to the following entities:
a) Judicial or administrative authorities in cases of mandatory transmission;
b) Recruitment companies;
c) Data processors that will process the data on behalf of HF Hotels, according to the purposes determined by the latter.
Cookies are small files that help identify your browser and store information, such as user settings and preferences.
HF Hotels can store cookies on your device in order to customise and facilitate browsing as much as possible, not disclosing said cookies or the user's personal data.
What are your rights?
Under the terms of the personal data protection
legislation, we guarantee you the right to access and obtain a copy of your
personal data that is in the possession of HF Hotels, as well as the right to
update, rectify, erase, transfer and delete your personal data.
You also have the right to oppose the use of
the provided data for the purposes of marketing, information, list inclusion
and information services. In case you have not informed your opposition at the
time of data collection, you can do so later on.
Moreover, you have the right to submit complaints
to the Portuguese Data Protection Authority (CNPD, Comissão Nacional de
Proteção de Dados).
The exercise of these
rights should be made through this email address : [email protected] or using
the address Rua de Serralves 124, 4150-262 Porto.
While exercising his rights as a data subject,
the client must provide his name, address, date of birth and email address, in
order to confirm his identity.
In case of any change in personal data, clients can inform HF Hotels by using the same email address.
How long do we store your data?
The period of time during which your data is stored varies according to the purpose of the data processing. Provided there is no specific legal requirement, your data will only be stored for the minimum time period necessary for the purposes that led to its collection or subsequent processing, after which said data will be deleted.
Is your data processed safely?
HF Hotels takes all the technical and
organisational security measures required to protect your personal data from
dissemination, loss, improper use, alteration, unauthorised processing or
access, or any other unlawful forms of processing. For example, your data is
stored in a secure operating environment that cannot be accessed by the public.
Your personal data is encrypted using Secure Sockets Layer (SSL) technology
during transmission, which means that an approved encryption procedure is used
for the communication between your computer and the servers of HF Hotels, if
your browser is compatible with SSL (e.g.: Microsoft Internet Explorer, Google
Chrome, etc.). You can verify that you are in secure mode if a padlock or key
icon is shown in the upper-left corner of your monitor. Additionally, you can
check if the first characters of the website's URL are "https", indicating that
you are accessing a secure server.
We review our practices for collecting,
processing and storing information, including physical security measures, to
protect against unauthorised access to the systems.
We restrict access to personal information for
employees, suppliers and agents of HF Hotels who need access to such
information for the purpose of processing. They are subject to confidentiality
obligations and may be subject to disciplinary proceedings (in the case of
employees) or contract termination in case of non-compliance with these
When can your personal data be disclosed?
HF Hotels recognises it may disclose user data,
in virtue of fusion, acquisition and/or integration processes that it takes
part in, not considering this communication the transfer of data to a third
party nor data processing through outsourcing.
How is the data transferred?
GDPR: General Data
Personal data: Any information,
of any nature and regardless of the respective media, including sound and
image, relating to an identified or identifiable natural person ("data
subject); it is considered to be identifiable a person that can be identified,
directly or indirectly, in particular by reference to an identifier such as the
name, identification number or one or more elements specific to his physical,
physiological, mental, economic, cultural or social identity.
Processing of personal data (processing): Any
operation or set of operations performed upon personal data, whether or not by
automatic means, such as collection, recording, organisation, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or any other form of provision, comparison or
interconnection, as well as limitation, deletion or destruction.
Data controller: The natural
or legal person, public authority, agency or any other body which, individually
or together with others, determines the purposes and means of processing of
Data processor: The natural or
legal person, public authority, agency or any other body which processes
personal data on behalf of the body responsible for the processing of personal
Third party: Natural or legal
person, public authority, service or any other body which, without being the
data subject, the agency responsible for the processing, the subcontractor or
another person under the direct authority of the controller or the
subcontractor, is authorized to process the data.
Recipient: The natural or
legal person, public authority, agency or any other body to whom personal data
are disclosed, regardless of whether it is a third party or not.
Consent of the data subject: Any
expression of will, free, specific, informed and explicit, in terms of which
the data subject accepts, by declaration or clear positive act, that his
personal data is object of processing.
Privacy by design: It means taking the
risk of privacy into account throughout the process of designing a new product
or service, instead of considering the privacy issues only later. This means
carefully assessing and implementing appropriate measures and technical and
organisational procedures from the start to ensure that the processing is in
accordance with the GDPR and protects the rights of the data subjects
Privacy by default:This
means ensuring that, within an organisation, mechanisms to ensure that, by
default, only the required amount of personal data will be collected, used and
stored for each task, are put into practice. This obligation applies to the
extension of its processing, the period of storage and its accessibility. These
measures ensure that personal data will not be made available without human
intervention to an indefinite number of persons.
Limitation of processing: Insertion of
a mark on the stored personal data with the objective of limiting its
processing in the future.
Data minimisation:This means that the personal data collected should be limited to what is necessary in relation to the purposes for which it is processed.