Privacy Policy
I. INTRODUCTION
The purpose of this document is to provide a concise statement of the data protection obligations to be implemented in all companies comprising and integrating the BLUE & GREEN Group (hereinafter “B&G Group”). This policy includes the obligations of the B&G Group regarding personal data processing operations to ensure compliance with the requirements of relevant legislation, with a view to adapting efforts to a continuously changing reality to address the most relevant risks.
For the provision of services and related communications, the hotel units use shared services within the scope of the B&G Group. As such, the data collected and subject to processing operations within the scope of hospitality and communication services provided will have the following entities, constituent of the B&G Group, as joint controllers for processing:
- GOLDTUR – Hotéis e Turismo, S.A.
- CHT – Casino Hotel de Tróia, S.A.
- Blue & Green – Serviços e Gestão, S.A.
II. FOUNDATION
The B&G Group must comply with the data protection principles established in current legislation.
This Policy applies to all personal data processing operations, including their collection, processing, and storage by all companies of the B&G Group concerning their employees, service providers, and clients, in the course of their respective activities.
III. SCOPE
The Policy covers all personal data, including data related to special categories of personal data, processed concerning data subjects by the B&G Group, whether as Data Controller or Processor.
This Policy also applies to personal data processed manually if included in a structured file.
All personal data relating to special categories of personal data will be treated with additional care by the B&G Group. Both categories will also be referred to as “Personal Data” in this Policy, unless otherwise indicated.
IV. WHO CARRIES OUT PROCESSING OPERATIONS ON YOUR DATA
In the course of its daily activities, companies of the B&G Group may acquire, process, and store Personal Data.
In accordance with European and Portuguese data protection legislation, this data must be acquired and managed lawfully, fairly, and transparently.
The B&G Group is committed to ensuring that its team has sufficient knowledge of data protection legislation and practices to be able to anticipate and identify any data protection issues that may arise.
In these circumstances, the team must ensure that the Data Controller is informed, ensuring that all appropriate and necessary corrective actions will be taken to guarantee the rights, freedoms, and guarantees of the Data Subjects.
The B&G Group may share Personal Data of Data Subjects with Processors as necessary for the normal provision of its services.
Processor access to Personal Data shared by the B&G Group is regulated, within the scope of the B&G Group’s obligations, by the contract concluded with its Processors.
In this sense, the B&G Group contractually ensures and regularly verifies that the Processors are reliable entities that offer adequate protection guarantees, and no data is transmitted to them beyond what is necessary for the provision of the contracted service.
In its function as Data Controller, the B&G Group may also share the Personal Data of Data Subjects with other Data Controllers to carry out the necessary processing operations for the provision of contracted services. Within the framework of this joint responsibility, the B&G Group enters into an agreement with the other data controller, under which the respective purposes and responsibilities in compliance with the current data protection legislation are transparently identified, ensuring compliance with the Rights and Freedoms of Data Subjects through the establishment of adequate communication channels to respond to Data Subjects’ requests.
Regardless of the relationship between Personal Data Recipients, the B&G Group defines, through a formal and written contract, the delimitation of obligations regarding Personal Data, the specific purpose or purposes for which they are involved, and the understanding that they carry out data processing operations in accordance with Portuguese Data Protection Legislation.
V. YOUR DATA MAY BE SHARED WITH THE FOLLOWING RECIPIENTS:
- Providers of IT, technical, and operational support services;
- Entities of the B&G Group;
- Related entities, or with common management with the B&G Group;
- Entities to whom companies of the B&G Group provide services; and
- Judicial bodies, criminal police bodies, and administrative authorities.
VI. WHAT WE DO WITH YOUR DATA:
As Data Controller, the B&G Group ensures that all Personal Data:
- Will be obtained for specific, lawful, and clearly defined purposes, with the Data Subjects having the right to question the purpose(s) for which the B&G Group collects and retains them, with the B&G Group clearly and precisely informing what the purpose or purposes are.
- Will be compatible with the purposes for which they were collected.
- Will be maintained with appropriate security measures – implemented or to be implemented – to protect against unauthorized access, or against alteration, destruction, or disclosure of any Personal Data held by the B&G Group as Data Controller.
- Will be kept accurately, completely, and up-to-date when necessary.
- Will be collected in a limited manner and only kept for the strictly necessary time, with no excessive data being collected and/or processed. Thus, the B&G Group has implemented a procedure for responding to requests from Data Subjects in order to manage such requests efficiently and appropriately, within the deadlines established by law.
The B&G Group has implemented, or is implementing, levels of security and protection of Personal Data available, as well as technical and organizational measures to protect Personal Data against unauthorized dissemination, loss, misuse, alteration, processing, or unauthorized access, as well as against any other form of unlawful processing.
All B&G Group employees are also subject to confidentiality rules.
VII. PURPOSES AND GROUNDS FOR THE LAWFULNESS OF PROCESSING OPERATIONS:
Clients
The B&G Group performs processing operations regarding the Personal Data of its Clients to ensure compliance with the service provision contract agreed with the Data Subjects or with Joint Data Controllers (regarding data and Data Subjects collected by these, as counterparts, workers, and others). The Personal Data identified and subject to processing operations are under a necessity situation for the execution of a contract or for pre-contractual diligences or for compliance with legal obligations, or in the case of marketing, may be under consent.
Personal Data relating to Clients’ Special Categories, or obtained through Clients, will be subject to appropriate processing operations, to the extent that they are necessary for reasons of important public interest such as the prevention of money laundering and terrorist financing.
The processing of Personal Data of Clients or obtained through Clients, related to criminal convictions and offenses or related security measures will always be subject to adequate safeguards for the protection of the rights and freedoms of Data Subjects, and the operations concerning such data will be limited to strict compliance with applicable legal obligations.
Employees
The B&G Group performs processing operations regarding the data of its employees for the execution of the employment contract. The processed data is necessary for the execution of a contract in which the Data Subject is a party, or for pre-contractual diligences at the request of the Data Subject.
Employee personal data is also collected and processed for the purpose of fulfilling legal obligations to which the Data Controller is subject.
Processing operations concerning data of Special Categories collected from Employees are necessary for the purposes of compliance with legal obligations and in the exercise of specific rights of the Data Controller or the Data Subject in labor law, social security, and social protection legislation and also for the purposes of preventive or occupational medicine, for the assessment of the employee’s work capacity.
The processing of Personal Data of Employees or obtained through Employees, related to criminal convictions and offenses or related security.