Privacy Policy

I. INTRODUCTION

The purpose of this document is to provide a concise statement of the data protection obligations to be implemented in all companies comprising and integrating the BLUE & GREEN Group (hereinafter “B&G Group”). This policy includes the obligations of the B&G Group regarding personal data processing operations to ensure compliance with the requirements of relevant legislation, with a view to adapting efforts to a continuously changing reality to address the most relevant risks.

For the provision of services and related communications, the hotel units use shared services within the scope of the B&G Group. As such, the data collected and subject to processing operations within the scope of hospitality and communication services provided will have the following entities, constituent of the B&G Group, as joint controllers for processing:

II. FOUNDATION

The B&G Group must comply with the data protection principles established in current legislation.

This Policy applies to all personal data processing operations, including their collection, processing, and storage by all companies of the B&G Group concerning their employees, service providers, and clients, in the course of their respective activities.

III. SCOPE

The Policy covers all personal data, including data related to special categories of personal data, processed concerning data subjects by the B&G Group, whether as Data Controller or Processor.

This Policy also applies to personal data processed manually if included in a structured file.

All personal data relating to special categories of personal data will be treated with additional care by the B&G Group. Both categories will also be referred to as “Personal Data” in this Policy, unless otherwise indicated.

IV. WHO CARRIES OUT PROCESSING OPERATIONS ON YOUR DATA

In the course of its daily activities, companies of the B&G Group may acquire, process, and store Personal Data.

In accordance with European and Portuguese data protection legislation, this data must be acquired and managed lawfully, fairly, and transparently.

The B&G Group is committed to ensuring that its team has sufficient knowledge of data protection legislation and practices to be able to anticipate and identify any data protection issues that may arise.

In these circumstances, the team must ensure that the Data Controller is informed, ensuring that all appropriate and necessary corrective actions will be taken to guarantee the rights, freedoms, and guarantees of the Data Subjects.

The B&G Group may share Personal Data of Data Subjects with Processors as necessary for the normal provision of its services.

Processor access to Personal Data shared by the B&G Group is regulated, within the scope of the B&G Group’s obligations, by the contract concluded with its Processors.

In this sense, the B&G Group contractually ensures and regularly verifies that the Processors are reliable entities that offer adequate protection guarantees, and no data is transmitted to them beyond what is necessary for the provision of the contracted service.

In its function as Data Controller, the B&G Group may also share the Personal Data of Data Subjects with other Data Controllers to carry out the necessary processing operations for the provision of contracted services. Within the framework of this joint responsibility, the B&G Group enters into an agreement with the other data controller, under which the respective purposes and responsibilities in compliance with the current data protection legislation are transparently identified, ensuring compliance with the Rights and Freedoms of Data Subjects through the establishment of adequate communication channels to respond to Data Subjects’ requests.

Regardless of the relationship between Personal Data Recipients, the B&G Group defines, through a formal and written contract, the delimitation of obligations regarding Personal Data, the specific purpose or purposes for which they are involved, and the understanding that they carry out data processing operations in accordance with Portuguese Data Protection Legislation.

V. YOUR DATA MAY BE SHARED WITH THE FOLLOWING RECIPIENTS:
VI. WHAT WE DO WITH YOUR DATA:

As Data Controller, the B&G Group ensures that all Personal Data:

The B&G Group has implemented, or is implementing, levels of security and protection of Personal Data available, as well as technical and organizational measures to protect Personal Data against unauthorized dissemination, loss, misuse, alteration, processing, or unauthorized access, as well as against any other form of unlawful processing.

All B&G Group employees are also subject to confidentiality rules.

VII. PURPOSES AND GROUNDS FOR THE LAWFULNESS OF PROCESSING OPERATIONS:

Clients

The B&G Group performs processing operations regarding the Personal Data of its Clients to ensure compliance with the service provision contract agreed with the Data Subjects or with Joint Data Controllers (regarding data and Data Subjects collected by these, as counterparts, workers, and others). The Personal Data identified and subject to processing operations are under a necessity situation for the execution of a contract or for pre-contractual diligences or for compliance with legal obligations, or in the case of marketing, may be under consent.

Personal Data relating to Clients’ Special Categories, or obtained through Clients, will be subject to appropriate processing operations, to the extent that they are necessary for reasons of important public interest such as the prevention of money laundering and terrorist financing.

The processing of Personal Data of Clients or obtained through Clients, related to criminal convictions and offenses or related security measures will always be subject to adequate safeguards for the protection of the rights and freedoms of Data Subjects, and the operations concerning such data will be limited to strict compliance with applicable legal obligations.

Employees

The B&G Group performs processing operations regarding the data of its employees for the execution of the employment contract. The processed data is necessary for the execution of a contract in which the Data Subject is a party, or for pre-contractual diligences at the request of the Data Subject.

Employee personal data is also collected and processed for the purpose of fulfilling legal obligations to which the Data Controller is subject.

Processing operations concerning data of Special Categories collected from Employees are necessary for the purposes of compliance with legal obligations and in the exercise of specific rights of the Data Controller or the Data Subject in labor law, social security, and social protection legislation and also for the purposes of preventive or occupational medicine, for the assessment of the employee’s work capacity.

The processing of Personal Data of Employees or obtained through Employees, related to criminal convictions and offenses or related security.