1. Tab “Contact”
The “Contact” section features a “Request Information” option and is intended as a customer-service mailbox, where you are asked for your personal details. Its purpose is to respond to any query, request for information, comment, suggestion, complaint or expression of thanks made by our customers regarding our outlets, accommodation, services, etc. of our hotels, and to obtain statistical data on these matters. Replies may be sent through any multi-channel medium.
The personal data provided through the “Contact” section will be recorded in a file owned by “TPV CANARIAS, S.L.”, with CIF B35694199.
See point 4.
2. Tab “Reservations Online”
The “Reservations Online” section is intended as a customer-service mailbox whose main purpose is to facilitate and speed up the reservations process for our customers, as well as to enable them to post comments and/or make requests through any multi-channel medium. It also allows us to collect statistical data. Replies may likewise be sent through any multi-channel medium.
The personal data provided through the “Reservations” section will be recorded in a file owned by “TPV CANARIAS, S.L.”, with CIF B35694199.
See point 4.
3. Links “Social Networks”
The personal data provided through the “Social Networks” section will be recorded in a file owned by “TPV CANARIAS, S.L.”, with CIF B35694199.
See point 4.
4. Right of access, objection, rectification and cancellation
We inform you that you may exercise your rights of access, objection, rectification and cancellation in respect of your personal data by notifying “TPV Canarias S.L.”, company ID number B35694199, at its registered address: Calle León y Castillo, 247, CP 35005, Las Palmas de Gran Canaria, Spain, attaching a scanned copy of your ID.
5. Statistical data capture
This website neither collects nor stores personal data of visitors to the site without their express consent.
6. Links to other websites
http://www.mowhotels.com, and we do not provide any guarantee in respect of access from other sites via links to this site or in respect of links from this site to other sites.
7. Newsletter
The personal data requested in the “Newsletter” section will be processed in accordance with the regulations governing the protection of personal data. They will be incorporated into an automated file owned by “TPV CANARIAS, S.L.”, with CIF B35694199. By accepting the collection of your personal data you authorise their inclusion in the aforementioned file and the receipt of information about TPV Canarias S.L., business information of all kinds and commercial information. We inform you that you may exercise your rights of access, objection, rectification and cancellation in respect of your personal data by writing, and attaching a document of accreditation, to Calle León y Castillo, 247, CP 35005, Las Palmas de Gran Canaria.
Data Protection Information Policy of “TPV Canarias, S.L.” General Data Protection Regulation (GDPR)
1.- How do we obtain your personal data?
With your consent, we collect personal data in the following situations:
When you show interest in a product or service.
When a quotation is prepared.
When a reservation is made.
When you communicate with us via apps, sweepstakes, contests, websites, landing pages or social networks.
When you take part in raffles, prize draws, events, promotions, advertising, or promotional or informative events via apps, sweepstakes, contests, websites, landing pages or social networks.
When you visit the hotels of our group of companies.
2. What user data will we process?
Name, surname, postal address, sex, email, mobile, birthdate.
Family situation, family members. Place of birth. Profession. Bank details. Requests made for information about products and services. Most frequently booked hotel, hobbies. Payment method indicated. Account number.
Customer number or contract number.
Customer satisfaction ratings. Offers received or sent. Details of the reservation holder, price, date of reservation, check-in and check-out dates. Information about purchases or reservations of additional services. Campaign history and responses to campaigns. Participation in events (place, company). History of claims and complaints.
Room utilisation data:
Preferences, capacity, use.
Data from the app, the website or social networks:
All data that the client/interested party has registered in any app, website, landing page or social network of “TPV Canarias, S.L.” or of the other companies belonging to the group of companies.
Usage data of the “TPV Canarias, S.L.” website visited. Cookie data (subject to acceptance of the cookie policy). Use of the social networks of “TPV Canarias, S.L.” (for example visits, messages, photos or videos published), as well as those of the other companies belonging to the group of companies.
3. For what purpose will we process the user’s personal data?
To manage the bookings made, including payment management (where applicable) and the management of the user’s requests and preferences.
To manage the subscription to the newsletter and subsequent sending of this.
To manage the User’s contact requests through the channels provided to this end.
To manage the sending of personalised commercial communications, by electronic and/or conventional means, in cases in which the User expressly consents.
To manage the provision of the contracted accommodation service, as well as additional services.
The User’s data will be kept for the period required to fulfil each purpose, or until the User requests their withdrawal from “TPV Canarias, S.L.”, objects to the processing or revokes their consent.
4.- Legal bases contained in the Directive and reproduced by the LOPD:
The legal basis is the performance of a contract, in this case the accommodation in, or rental of, our hotel, as well as the consent of the interested party and legitimate interest.
If you have ticked the appropriate box, the legal basis for sending commercial communications, customer analysis and birthday greetings about other products and services is your consent, which you can withdraw at any time, and the withdrawal of consent for this purpose does not affect the performance of the accommodation contract with the hotel.
Consent. Where you have given your express consent, you may revoke that consent at any time.
Contractual relationship. For the management and maintenance of a contract entered into, the reservation of hotel rooms and/or additional services.
Vital interests of the interested party or of other persons, for example in the event of illness or similar.
Legal obligation of the controller.
Prevailing legitimate interests of the controller or of third parties to whom the data are communicated.
5.- Rights of customers/users. Details of the entity.
You have the right to obtain confirmation as to whether “TPV Canarias, SL” is processing your personal data, and therefore the right to access your personal data, to rectify inaccurate data, to request their erasure when the data are no longer necessary, to data portability, and to restriction of processing. You also have the right to withdraw your consent at any time and to lodge a complaint with the supervisory authority (www.agpd.es) if you consider that the processing does not comply with current regulations.
Under certain circumstances provided for in Article 18 GDPR, interested parties may request the restriction of the processing of their data, in which case we will only keep them for the exercise or defence of claims.
Interested parties may object to the processing of their data for marketing purposes, including the creation of customer profiles. “TPV Canarias, S.L.” will stop processing the data, except for compelling legitimate reasons or for the exercise or defence of possible claims.
By virtue of the right to portability, interested parties have the right to obtain the personal data concerning them in a structured, commonly used and machine-readable format and to transmit them to another controller, whenever possible. The categories of data covered are full name, ID, passport, email and telephone.
What is the procedure for exercising the rights provided for in the new Regulation?
The GDPR requires controllers to facilitate the exercise of their rights by interested parties. This mandate means that the procedures and forms for doing so must be visible, accessible and simple. This obligation requires procedures that easily allow interested parties to prove that they have exercised their rights by electronic means, something that is currently often not feasible.
The exercise of rights is free of charge for the interested party, except:
Where manifestly unfounded or excessive requests are made, especially repetitive ones, the controller may charge a fee to cover the administrative costs of attending to the request, or may refuse to act (the fee may not represent additional income for the controller and must correspond to the true cost of processing the request).
The controller must inform the interested party of the action taken on their request within one month (extendable by two further months in the case of especially complex requests, in which case the extension must be notified within the first month). If the controller decides not to comply with a request, it must inform the interested party, giving reasons, within one month of the request’s submission.
Under the GDPR, controllers must take all reasonable measures to verify the identity of those requesting access and, in general, of those exercising the other ARCO rights.
A controller that handles a large amount of information about an interested party may ask them to specify the information to which their access request refers.
The controller may rely on the cooperation of processors to attend to the exercise of interested parties’ rights, and this cooperation may be included in the processing contract.
6. Company details for exercising your rights or for data-protection enquiries
Attaching a document of accreditation, to “TPV Canarias, S.L.” – NIF: B35694199. Postal address: Calle León y Castillo, 247, CP 35005, Las Palmas de Gran Canaria, Las Palmas, Spain. Email: Info@tpv.com
What are the main developments of the General Data Protection Regulation (GDPR)?
1. Scope
The Regulation extends the territorial scope to controllers and processors not established in the European Union when the processing activities are related to offering goods or services or monitoring people’s behaviour, in so far as their behaviour takes place within the European Union.
The GDPR contains many concepts, principles and mechanisms similar to those established by Directive 95/46 and the national laws that apply it. Consequently, the organisations that now adequately meet the requirements of the Spanish Law on the Protection of Personal Data (LOPD) have a good basis from which to evolve towards proper application of the new Regulation.
Nonetheless, the GDPR modifies certain aspects of the current system and includes new obligations that organisations will need to analyse and apply in accordance with their own circumstances.
The most significant innovation of the GDPR for data controllers is made up of two general elements:
The “accountability principle”
The GDPR describes this principle as the need for the controller to apply the appropriate technical and organisational measures necessary to ensure, and be able to demonstrate, that processing activities comply with the Regulation.
In practical terms, this principle requires organisations to analyse which data they process, the purposes for which they do so and which types of processing operations they carry out. On the basis of this knowledge they should explicitly decide how they will apply the measures established in the GDPR. They should also ensure that these measures are adequate to comply with the Regulation and should be able to demonstrate such compliance to the data subject and the supervisory authorities.
In short, this principle requires organisations to adopt a conscious, diligent and proactive attitude towards all the processing of personal data that they undertake.
The “impact assessment”
The GDPR points out that the measures aimed at ensuring compliance must take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
In line with this approach, some of the measures the GDPR establishes need only be applied when there is a high risk to these rights and freedoms, while others should be adopted according to the level and type of risk the processing presents.
Consequently, each organisation must adapt its application of the measures envisaged by the GDPR to its specific characteristics. What is suitable for one enterprise which handles the data of millions of data subjects in complex processing operations that involve sensitive personal information or significant volumes of data pertaining to each data subject may not be necessary for a small undertaking that carries out a limited amount of processing of non-sensitive data.
These two elements apply to all the obligations that must be met by organisations.
3. New special categories of data
Besides the data with special protection currently provided for in the LOPD, which are now known as “special categories of personal data”, the Regulation includes two new special categories:
Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person (facial images or dactyloscopic data, etc.).
The GDPR requires the data subject to give consent by means of an unambiguous statement or a clear affirmative action. For the purposes of the new Regulation, pre-ticked boxes, tacit consent (silence) or inactivity do not constitute valid consent.
What will happen to processing carried out on the basis of tacit consent?
Such forms of consent are not compatible with the GDPR, as they are based upon inaction of the data subject. The GDPR also stipulates that processing operations supported by this type of consent and initiated prior to application of the Regulation will continue to be legitimate provided the consent has been given in the way established in the GDPR, in other words, by means of an affirmative act or action.
Consequently, controllers carrying out processing operations based on tacit consent will have to avoid obtaining this type of consent and revise such processing to ensure that, as from May 2018, they have adapted to the provisions of the GDPR. This adaptation may be achieved by obtaining consent in accordance with that established in the GDPR or by evaluating whether the affected processing operations can be based on other legal grounds, such as and among others, where the legitimate interest of the controller or of the transferee of the data overrides the rights of the data subject. In any case, if the latter option is deemed possible, the data subject must be informed so that he or she can exercise the rights specifically applicable to the new legal basis chosen, such as the right to object.
In what situations must consent be explicit?
The GDPR establishes some situations in which consent must be explicit. This additional safeguard affects the following cases:
Processing of special categories of personal data
5. Child’s consent
In the area of information society services, consent given by a child is only valid if the child is at least 16 years old. However, EU Member States may lower this age limit, to no lower than 13 years.
Furthermore, the language used to inform children must be clear and plain.
What other references to children does the GDPR contain?
The GDPR refers to the processing of the personal data of a child in various sections. For example, in the following cases:
In regulating the legitimate interests of the controller as the legal basis for processing; the Regulation points out however that this does not apply where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects that require protection of personal data, in particular where the data subject is a child.
Where it indicates that when the data subjects are children, information provided in relation to the processing or to the exercise of rights must be especially concise, transparent, intelligible and easily accessible, using clear and plain language.
In the context of the right to erasure of personal data.
In establishing that educational and awareness-raising activities addressed to children should be among the priorities of data protection authorities.
In the context of the explanations offered by the recitals of the GDPR, in reference to the creation of profiles.
6. Right to information
The new Regulation establishes the right of data subjects to obtain information and extends the issues about which they should be informed, with the following aspects: the contact details of the data protection officer; the legal basis for the processing; where applicable, the legitimate interests pursued by the controller and on which the processing is based; where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the basis for doing so; the period for which the personal data will be stored; the right to request data portability; the right to withdraw consent at any time; whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; the right to lodge a complaint with a supervisory authority; the existence of automated decision-making, including the logic involved, and the envisaged consequences of such processing for the data subject.
How should the information be provided to data subjects?
The GDPR stipulates that information provided to data subjects, both with respect to the conditions governing the processing operations that affect them and responses to the exercise of rights, should be concise, transparent, intelligible and easily accessible, using clear and plain language. In this aspect it goes further than the provisions in the LOPD, which only require information to be given explicitly, precisely and unequivocally.
These requirements mean that especially convoluted descriptions and those which include references to legal texts should be avoided. Information clauses should explain the content to which they refer immediately in a manner which is clear and accessible by the data subjects, irrespective of the knowledge they may have of the subject.
The importance the GDPR attaches to the clarity and accessibility of information is reflected in the fact that it provides for information to be offered in combination with standardised icons in order to give a meaningful overview of the intended processing. The design of these icons must be carried out by the European Commission, which is now working on the presentation of a proposal.
The GDPR stipulates that information should be provided in writing, or by other means, including, where appropriate, electronically.
The Catalan Data Protection Authority, the Spanish Data Protection Agency and the Basque Data Protection Agency are preparing a standard information clause to be used by the public administrations. Guidelines for private organisations will also be presented during the transition period.
7. Rights of the data subjects
The GDPR incorporates the right to be forgotten (linked to the right to erasure), the right to restriction of processing and the right to data portability:
Data subjects have the right to obtain the erasure of personal data (right to be forgotten), when:
the personal data are no longer necessary in relation to the purposes for which they were collected;
the data subject withdraws the consent on which the processing was based;
the data subject objects to the processing;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation;
the personal data have been collected in relation to the offer of information society services addressed to children.
Where the controller has made the personal data public and is obliged to erase them, that controller must take reasonable steps to inform those processing the personal data that the data subject has requested the erasure.
Exceptions to the exercise of this right are provided to the extent that processing is necessary:
– for exercising the right of freedom of expression and information;
– for compliance with a legal obligation;
– for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
– for the establishment, exercise or defence of legal claims;
– for reasons of public interest in the area of public health.
Restriction of processing is present in the GDPR as a right of data subjects. It should not be confused with the blocking of data that currently exists in Spanish legislation, and its inclusion as a new right does not in itself mean that the concept of data blocking disappears.
Restriction of processing means that, at the request of the data subject, the processing operations that would in each case correspond will not be applied. Restriction may be requested when:
The data subject has exercised the rights of rectification or objection and while the controller determines whether the request should be granted.
The processing is unlawful, which would mean the personal data would be erased, but the data subject opposes such erasure.
The personal data are no longer necessary for the purposes of the processing, which would result in their erasure, but restriction is requested by the data subject because they are required for the establishment, exercise or defence of legal claims.
The same terms and procedures are applied to this right as are applied to all other rights provided in the GDPR.
Where the processing has been restricted, the controller may only store the affected data; any other processing is permitted only in the following cases:
with the data subject’s consent;
for the establishment, exercise or defence of legal claims;
for the protection of the rights of another natural or legal person;
or for reasons of important public interest of the Union or of the corresponding Member State.
One consequence of this regulation is that it prevents a practice which is occasionally followed and which consists in erasing the personal data when other rights are exercised, such as that of access, since such erasure would impede exercise of the right to restriction of processing.
Right to data portability:
The right to data portability is an advanced form of the right of access, by which the data subject has the right to receive the personal data he or she has provided to a controller concerning him or her in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller, if the following requirements are met:
– the processing is based on consent or on a contract;
– the processing is carried out by automated means;
– the data subject makes the request with respect to data he or she has provided to the controller, including data deriving from the data subject’s own activity. It is thus not applicable to the data of third parties that a data subject has provided to a controller. Nor will it apply if the data subject requests the portability of data that concern him or her, but have been provided to the controller by third parties.
Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.
The European Group of Data Protection Authorities (Article 29 Data Protection Working Party) has adopted an Opinion in which this right is analysed in detail.
What is the procedure for exercising the rights contained in the new Regulation?
In general, the GDPR requires controllers to facilitate data subjects’ exercise of their rights. This mandate means that the procedures and mechanisms of such exercise must be visible, accessible and easy to understand. The GDPR does not establish a specific way of exercising rights, but requires controllers to enable requests to be presented by electronic means, especially when the processing is being carried out by these means.
This obligation requires procedures to be put in place that easily allow data subjects to demonstrate that they have exercised their rights by electronic means, something which on many occasions is currently unfeasible.
The GDPR also provides that the exercise of rights should be free of charge for the data subject. This criterion may not apply in cases in which requests are made that are manifestly unfounded or excessive, in particular because of their repetitive character; in these cases, the controller may charge a reasonable fee based on the administrative costs, or refuse to act on the request. It falls upon the controller to demonstrate the unfounded or excessive character of the request. In any case, the fee may not represent additional income for the controller, but should correspond to the true cost of processing the request.
The controller must provide the data subject with information on action taken on a request within one month of its receipt. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. The controller should inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller decides not to take action on the data subject’s request, that controller should inform the data subject of the reasons for not doing so within one month of receipt of the request.
The GDPR establishes that the controller should use all reasonable measures to verify the identity of a data subject who requests access and, in general, of all data subjects that exercise other ARCO rights.
Where a controller processes a large quantity of information concerning the data subject, that controller may request the data subject to specify the information or processing activities to which the request relates.
The controller may be able to count on cooperation from the processors to manage the exercise of data subjects’ rights. This cooperation may be included in the contract commissioning the data processing.
8. Registration and notification of files
The GDPR abolishes, as from 25 May 2018, the need to formally create files and enter them in the General Data Protection Register of the supervisory authorities.
9. Documentation of the processing operations: records of processing activities
The GDPR establishes new obligations with respect to the controllers and processors maintaining records of processing activities. The obligations referred to in paragraphs 1 and 2 of Article 30 shall not apply to the controllers and processors of an enterprise or an organisation employing fewer than 250 persons unless the processing being undertaken is likely to result in a high risk to the rights and freedoms of the data subjects, is not occasional, or includes special categories of personal data or personal data relating to criminal convictions and offences.
These controllers and processors should maintain records of the processing activities they carry out, and for each activity the records should contain the information established in Article 30 of the GDPR.
This information includes such matters as:
the name and contact details of the controller and, where applicable, the joint controller, and the data protection officer, where applicable;
the purpose of the processing;
a description of the categories of data subjects and of the categories of personal data;
international transfers of personal data;
where possible, the envisaged time limits for erasure of the different categories of data;
where possible, a general description of the technical and organisational security measures.
How should records of processing operations be organised?
One possible way of organising these records of processing activities is based on the files that are currently the subject of compulsory notification by controllers to the Catalan Data Protection Register, and which could be used to detail all the processing operations being carried on every structured set of personal data.
The records could however also be organised around specific processing operations linked to a basic purpose common to all of them (for example, “customer management”, “accounts management” or “human resources management and payroll”), or in accordance with other criteria.
10. Data processing contract
The Regulation extends the minimum content of the processing contract. Among other aspects, the contract must include the following points in addition to those established in the LOPD: the purpose and duration of the proposed processing operation or operations; the nature of the processing; the type of personal data; the categories of data subjects; the obligations and rights of the data controller, and the provision that the persons authorised to process the personal data have committed themselves to confidentiality. The contract should also stipulate whether the processor will assist the controller in the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights; will delete or return all the personal data at the end of the processing; will make available to the controller all information necessary to demonstrate compliance with the obligations of the processor and to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Specific obligations of the processors
Directive 95/46 and, in general, national transposition laws, focus on the activity of data controllers. However, the GDPR contains obligations specifically addressed to the processors. Ultimate responsibility for the processing continues to rest with the controller, which is the figure that determines the existence and purpose of the processing. But in certain matters established by the GDPR the processors have their own obligations which are not circumscribed by the scope of the contract linking them to the controller and which data protection authorities must supervise separately. For example, processors should maintain records of processing activities, determine the security measures applicable to the processing they undertake and designate a data protection officer in those cases where this is provided by the GDPR.
The GDPR also establishes that the processor may adhere to an approved code of conduct or an approved certification mechanism as provided in the Regulation.
The GDPR explicitly establishes that controllers should use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation. This provision also applies to processors when they subcontract processing operations to other processors or sub-processors.
Though in the Spanish case the Regulation for the development of the Data Protection Law (LOPD) already establishes the need for due diligence in the selection of processors, the innovation with respect to this provision in the GDPR derives from its relationship with the accountability principle. According to this principle, the controller must adopt appropriate measures, including in the choice of processors, that will guarantee and make it possible to demonstrate that the processing is undertaken in accordance with the GDPR.
The fact that processors or sub-processors have adhered to a code of conduct or are certified with a scheme provided for in the GDPR may be used to demonstrate that they offer the sufficient guarantees required by the Regulation.
The Catalan Data Protection Authority, the Spanish Data Protection Agency and the Basque Data Protection Agency have prepared materials to help in drafting processing commissions, which may be consulted here. These materials are designed to help controllers and processors during the transition period until the GDPR’s entry into force. Subsequently and according to that envisaged in the Regulation, data protection authorities will be able to prepare standard contractual clauses which must be approved by the future European Data Protection Committee. The European Commission may also draw up such clauses.
What about processing contracts ending prior to application of the GDPR?
Processing contracts ending prior to application of the GDPR in May 2018 should be adapted to respect the content of the Regulation. Though many of the obligations deriving from the system established in the GDPR are already contained in Spanish law, existing contracts will have to be modified to ensure their clauses reflect all the Regulation content, bearing in mind that generic referrals to the GDPR Article that regulates them will not be valid.
11. Data protection impact assessments
Where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, due to the nature, context, scope and purposes of the processing and in particular if the use of new technologies is involved, the controller will be responsible for conducting a personal data protection impact assessment to evaluate the impact of the processing prior to its initiation.
How is the need to conduct a data protection impact assessment determined and what must the assessment contain?
The GDPR contains a detailed list of the three situations in which processing operations are considered to be of high risk:
profiling on which decisions are based that produce legal effects concerning the natural person or similarly significantly affects him or her;
processing on a large scale of special categories of data;
a systematic monitoring of a publicly accessible area on a large scale.
These criteria include the notion of “large scale”. The GDPR does not define what constitutes “large-scale”. In its guidelines on the designation of data protection officers (which will be referred to in subsequent sections), the Article 29 Working Party considers that the following must be taken into consideration to determine whether processing is carried out on a large scale:
the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
the volume of data and/or the range of different data items being processed;
the duration, or permanence, of the data processing activity;
the geographical extent of the processing activity.
Together with the aforementioned three situations, the GDPR obliges data protection authorities to establish additional lists of the kind of processing operations which are subject to the requirement for a data protection impact assessment.
The GDPR also provides that authorities may establish lists of the kind of processing operations for which no data protection impact assessment is required.
The existence of these lists does not exclude controllers from having to carry out the corresponding risk analysis and, if they conclude that there exists a high risk to the rights and freedoms of natural persons, conducting an impact assessment even if the processing operation in question is not included in either of the aforementioned lists. The basis of the GDPR is the accountability principle, which states that the controller is always ultimately responsible for deciding which measures must be applied and how to apply them. The interventions of supervisory authorities or provisions of the GDPR itself may help clarify or specify the dispositions, but do not substitute the responsibility and liability of the controller.
In addition to the lists expressly provided by the GDPR, during the transition period the Catalan Data Protection Authority, the Spanish Data Protection Agency and the Basque Data Protection Agency will publish resources to help controllers determine the need to conduct an impact assessment.
The GDPR establishes a minimum content of data protection impact assessments, though it fails to provide any methodology for carrying them out.
It should be borne in mind that a single assessment may be conducted to address a set of similar processing operations that present similar high risks.
Definition of the notion of “high risk” for the purposes of determining the obligation to carry out a Data Protection Impact Assessment (DPIA) and a description of the criteria that should be used to do so may be found in the Guidelines on Data Protection Impact Assessment (DPIA), adopted by the Article 29 Working Party on 4 April 2017, which may be found here.
What will happen with processing operations initiated prior to 25 May 2018 for which, according to the new Regulation, a data protection impact assessment (DPIA) is required?
If these processing operations continue beyond 25 May 2018 and the risk analysis the organisation conducts on the processing initiated prior to the date of application of the GDPR indicates that they are likely to present a high risk to the rights and freedoms of natural persons, the Guidelines on Data Protection Impact Assessment (DPIA), adopted by the Article 29 Working Party, also recommend that a DPIA be carried out “for data processing [operations] which have taken place before May 2018 and were therefore not subject to a DPIA, to make sure that 3 years after this date or sooner, depending on the context, the risks for the rights and freedoms are still mitigated.”
12. Prior consultation
Where the data protection impact assessment (DPIA) indicates that the intended processing may infringe the GDPR, in particular where the controller has insufficiently identified or mitigated the risk, the controller must consult the competent data protection supervisory authority.
In cases where the DPIA identifies a high risk which, in the opinion of the controller, cannot be mitigated by appropriate measures in terms of available technology and costs of implementation, a consultation of the competent data protection authority should take place prior to the processing. This consultation must include the documentation stipulated by the GDPR, including the impact assessment.
The supervisory authority must provide written advice to the controller and, where applicable, to the processor, and may use any of its powers laid down in the Regulation, among them that of prohibiting the processing operation.
13. Data protection by design and by default
The Regulation introduces the principles of data protection by design and by default.
This means that the controller must, both when determining the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures designed to effectively implement data-protection principles (such as pseudonymisation) and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation.
The controller must therefore implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
14. Codes of conduct
The GDPR also regulates codes of conduct that may be drawn up by associations or other bodies representing categories of data controllers or processors to facilitate the effective application of the Regulation.
The code of conduct must be submitted to the competent supervisory authority for approval, registration and publication. The supervisory authority will also accredit the certification body stipulated in the code.
The adherence and compliance of the processor to an approved code of conduct may be taken into account as an element to demonstrate compliance with the obligations of the controller, in particular when drawing up the data protection impact assessment.
15. Certification mechanisms
The Regulation also encourages the establishment of certification mechanisms and data protection seals and marks as a mechanism for demonstrating compliance with the GDPR.
16. Data protection officer
The Regulation introduces the concept of the data protection officer, who may be a member of staff of the controller or processor, or may fulfil the tasks on the basis of a service contract. A data protection officer must be designated in the following cases:
where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity). In this case, a single data protection officer may be designated for several such authorities or bodies;
where the processing operations require regular and systematic monitoring of data subjects on a large scale;
where the operations consist of processing special categories of data or personal data relating to criminal convictions and offences.
The data protection officer has at least the following tasks:
to inform and advise the controller or the processor and the employees who carry out processing of their obligations under the Regulation and other data protection provisions;
to monitor compliance with the different regulations;
to provide advice as regards the data protection impact assessment;
to cooperate with the supervisory authority;
to act as the contact point for the supervisory authority on issues relating to processing.
The controller or the processor must publish the designation and contact details of the data protection officer and communicate them to the supervisory authority.
The position of Data Protection Officers in the organisation must fulfil the requirements expressly established in the GDPR. These requirements include their complete autonomy in the performance of their duties, the need for DPOs to report to the highest management level of the controller or the processor and the obligation for the controller and the processor to provide them with the resources necessary to carry out their tasks.
The Article 29 Working Party has published an Opinion on designation of the DPO, which may be consulted here and which includes FAQs on diverse aspects of this official.
What requirements or qualifications must the data protection officer meet or hold?
The DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. This does not mean the DPO should hold any specific qualification. Bearing in mind that advising the controller or processor on all matters relating to data protection rules and regulations is included among the functions of the DPO, legal knowledge of the subject is undoubtedly necessary; but the DPO should also have knowledge outside the strictly legal field, such as in the area of technology applied to data processing or in relation to the activity of the organisation in which he or she works.
17. International transfers
The model of international or cross-border transfers designed by the GDPR follows the same criteria established in Directive 95/46 and national transposition laws. According to this model, personal data may only be disclosed outside the European Union in the following cases:
To third countries, territories and specified sectors within a third country (the GDPR also includes international organisations) for which the Commission has decided that an adequate level of protection is ensured.
When adequate safeguards have been offered about the protection the data will receive at their destination.
When one of the exceptions is applied that allow data to be transferred without adequate safeguards for protection, for reasons of necessity linked to the interest of the data subject or the general interest.
From the point of view of controllers and processors that currently make international transfers or will make them in the framework of the GDPR, there are certain developments that should be taken into account:
Adequacy decisions adopted by the Commission prior to application of the GDPR remain valid; consequently, until such time as the Commission replaces or repeals them, transfers may continue to be made based on these decisions.
Decisions of the Commission that establish standard data protection clauses for contracts in which safeguards are offered for international transfers remain valid until such time as the Commission replaces or repeals them.
Transfer authorisations by Member States or supervisory authorities based on contractual guarantees remain valid until such time as the authorities revoke them.
Guarantees of the protection that the personal data will receive at their destination must be given by the data exporter, which may be either a data controller or a processor.
The list of instruments that may be used to offer safeguards has been extended. It now includes, among others, corporate rules that are binding upon controllers and processors, codes of conduct and certification mechanisms, and standard data protection contractual clauses approved by a supervisory authority.
In the cases of binding corporate rules, standard data protection contractual clauses, codes of conduct and certification mechanisms, the transfer does not require authorisation by the supervisory authorities.
An exception has been added to the list established by Directive 95/46. It refers to the possibility that the controller may transfer data to a country without the adequate level of protection when such transfer is not repetitive, concerns only a limited number of data subjects and is necessary for the purposes of compelling legitimate interests pursued by the controller. In any case, the transfer is only possible if the aforementioned interests are not overridden by the interests or rights and freedoms of the data subjects, and the controller must inform the supervisory authority of the transfer.
18. Security measures
In contrast to the current law, the Regulation does not provide a list of the security measures to be applied according to the types of data which are being processed, but states that the controller and processor should apply adequate technical and organisational measures to ensure a level of security appropriate to the risk involved in the processing. This means an analysis must be made of the risk inherent in each processing operation, in order to determine the security measures to be implemented.
How is a risk analysis conducted?
The type of risk analysis varies according to the type of processing, nature of the data being processed, number of data subjects concerned and the quantity and variety of processing operations an organisation carries out.
As a general rule, in large organisations this analysis should be conducted using one of the existing methodologies. For controllers of processing operations of smaller dimensions and reduced complexity, the analysis should be the result of minimally documented reflection on the implications of the processing for the rights and freedoms of the data subjects. This reflection should answer such questions as the following:
Are sensitive data being processed?
Are the data of a large number of data subjects being processed?
Does the processing include the creation of profiles?
Are the data obtained from the data subjects cross-referenced with other data available in other sources?
Is it intended that data obtained for one purpose will be used for other types of purpose?
Are large amounts of personal data being processed, including with analysis techniques typically employed in the processing of big data?
Are highly privacy-invasive technologies being employed, such as those connected with geolocation, large-scale video surveillance or certain applications of the Internet of Things (IoT)?
The greater the number of affirmative answers, the higher the risk that may arise from the processing. Likewise, if the answer to these questions and to others of a similar nature is negative, it is reasonable to conclude that the organisation does not carry out processing operations that produce a high level of risk and, consequently, the measures envisaged for such cases need not be put in place.
19. Notification of personal data breaches
If a personal data breach occurs the controller must notify the competent supervisory authority within 72 hours of having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller should communicate the breach in clear and plain language to the data subjects without undue delay, except when:
the controller has implemented adequate protection measures, such as rendering the personal data unintelligible to any person who is not authorised to access it;
the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise;
it would involve disproportionate effort.
What is the time limit for notification of a data breach to the supervisory authority?
In the case of a personal data breach, the controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. This criterion may be open to various interpretations. In general, the controller is deemed to be aware of a data breach when that controller is certain it has occurred and knows enough about its nature and scope. The mere suspicion that something has failed or realisation that some kind of incident has taken place, without knowing the exact circumstances, should not give rise to notification since, in most cases, it is impossible in these conditions to ascertain to what extent there may be risk to the rights and freedoms of the data subjects.
Notwithstanding the above, in cases which may have significant impact due to their characteristics it may be advisable to contact the supervisory authority as soon as evidence appears that an anomalous situation has occurred with respect to data security. These first contacts should however be completed with a formal, more comprehensive notification within the time limit established in the Regulation.
Situations may exist in which notification within the first 72 hours is not possible because, for example, of the complexity in fully determining the scope of the breach. In such cases notification may be made at a later time, accompanied by an explanation of the reasons for the delay.
What information should notification of a personal data breach to the supervisory authority contain?
The notification should contain the information established by the GDPR, which includes such elements as the nature of the personal data breach, the categories of data and data subjects concerned, the measures adopted by the controller to resolve the breach and, where applicable, the measures applied to mitigate the possible effects on the data subjects. When full information cannot be given at the time of the notification it may be provided in various stages.
The Article 29 Working Party will prepare a standardised notification form for use in the EU, both to help controllers present complete notifications in accordance with the GDPR criteria and to ensure such notifications are made in a uniform manner.
Irrespective of the notification to the supervisory authorities, controllers must document all personal data breaches. This is an obligation established by the GDPR and is very similar to the Incident Register provided by the Regulation implementing the LOPD.
When is it probable that a security breach represents a high risk to the rights of the data subjects?
The criteria for high risk contained in the GDPR should be understood in the sense that the data breach is likely to cause serious damage to natural persons. This could occur, for example, if confidential information is disclosed such as passwords or participation in certain activities, if sensitive data are disclosed on a large scale or if financial damage may be caused to those concerned.
What are the legal rules covering notification of a personal data breach to those concerned?
The aim of this notification is to enable data subjects to take measures to protect themselves from the consequences of the personal data breach. Thus the GDPR stipulates that they should be notified without undue delay and without reference either to when the controller became aware of the breach or to the possibility of making the notification within 72 hours. The intention is always that the data subject should be able to react as soon as possible.
For the same reasons, the GDPR adds that the content of the notification should include recommendations on the measures that data subjects can take to mitigate the consequences of the personal data breach.
This system enables people, including controllers established in different Member States or that carry out processing which affects different Member States, to have a sole data protection authority as their interlocutor.
Additional, detailed information regarding the use of personal data
1. CONTROLLER FOR PERSONAL DATA PROCESSING
“TPV Canarias, S.L.” – NIF: B35694199. Postal address: Calle León y Castillo, 247, CP 35005 de Las Palmas de Gran Canaria, Las Palmas. Spain. Email: firstname.lastname@example.org
2. PURPOSE AND LEGAL BASIS FOR PERSONAL DATA PROCESSING
On behalf of the company, we process the information you provide in order to deliver the requested service and to carry out its full administrative management, as well as for profile analysis, commercial communications and birthday greetings.
The data provided will be kept as long as the commercial relationship is maintained or during the years necessary to comply with the legal obligations.
Commercial Communications: Consent for commercial communications refers to the sale of products and services of “TPV Canarias, SL”, always through any multi-channel means (telephone, email, postal mail, SMS, MMS, WhatsApp, etc.): newsletters, greetings on dates of general interest (Christmas, Valentine’s Day, etc.), events, contests and promotions. You can revoke your consent in each communication.
The legal basis is the performance of a contract, in this case the accommodation in our hotel or its rental, as well as the consent of the data subject.
If you have checked the appropriate box, the legal basis for sending commercial communications, profile analysis and birthday greetings about other products and services is your consent, which you can withdraw at any time, without the withdrawal of consent for this purpose affecting the performance of the accommodation contract with the hotel.
3. RECIPIENTS OF THE TRANSFERS
The personal data shall not be transferred to third parties, except when it is necessary to transfer it to companies of “TPV Canarias, S.L.”, in cases where there is a legal obligation, and to our marketing communications provider Mailchimp, located in the USA. This entity is a participant in the “Privacy Shield” agreement.
4. RIGHTS OF DATA SUBJECTS:
Any data subject has the right to obtain confirmation as to whether “TPV Canarias, S.L.” processes personal data that concern them, or not.
Furthermore, and as provided for in the General Data Protection Regulation, we inform you that you have the following rights:
Access to your personal data
You have the right to access your data to know what personal data we are processing which concerns you.
Request for the rectification or erasure of your personal data
In certain circumstances, you have the right to rectify any inaccurate personal data we may hold on you which is the subject of processing on our part, or even to request its erasure when, among other reasons, the personal data is no longer necessary in relation to the purposes for which it was collected.
Request the restriction of the processing of your personal data
Under certain circumstances, you will have the right to ask us to restrict the processing of your personal data, in which case we inform you we will only retain it for the exercise or defence of legal claims as provided for in the General Data Protection Regulation.
The portability of your personal data
In certain circumstances, you have the right to receive personal data concerning you, and that you have provided us with, in a structured, machine-readable and commonly used format, and to transmit it to another controller for processing the said personal data.
Objecting to the processing of your data
In certain circumstances and on grounds relating to your particular situation, you will have the right to object to the processing of your personal data, in which case, we would no longer process it unless we had demonstrated compelling legitimate grounds, or in the exercise or defence of potential legal claims.
Who should you communicate with in order to exercise your rights?
To exercise their recognised rights, the data subject may get in contact with us via the addresses indicated in the first section about controllers for the processing of personal data.