Privacy Policy for Sunwing Family Resort, Sunprime Hotels and O.B.C.

This privacy policy sets out how we collect, store and process personal data when you are staying at a Sunwing Family Resort, Sunprime Hotel and O.B.C. (in the following referred to as our hotels). The brands Sunwing Family Resort, Sunprime Hotels and O.B.C. are owned by the Nordic Leisure Travel Group B (in the following referred to as NLTG).

This privacy Policy also sets out how we collect, store and process personal data when you use our digital service MyHotel and digital services used during your stay at one of our hotels.

For more information about how your tour operator is processing your personal data please visit your tour operator’s privacy policy on their website (ving.se, ving.no, spies.dk or tjareborg.fi).

What personal data is

Personal data is any information that can be directly or indirectly used to identify a living person. It can be data such as name, address, national ID number, email address and phone number. It is also information like booking number, encrypted data and electronic identities, like an IP number, if they can be traced back to an identifiable living person. 

Data controllers
The hotel operator is the controller of the collection and processing of your personal data when you stay at a one of our hotels. For bookings, reservations and customer relations as well as for certain services at the hotel, for example table booking and ordering take away, the hotel operator is joint controller with NLTG.

NLTG is joint controller with your tour operator for the digital service MyHotel.

Contact information to the controllers can be found under Hotel information below.

When you stay at our hotels

The hotel processes your personal data for the following purposes:

Customer and guest management

This includes:

• Delivering accommodation and hotel stay services according to your bookings and requests.
• Managing check-in and check-out registration and administration of the access system (key card systems)
• Delivering contracted services (restaurants, activities, SPA, excursions etc)
• Deliver offered program for children's activities
• Invoicing and management of guest payments (food, beverages and services etc)
• Communication with guests (e-mail, telephone or otherwise)

Examples of the types of personal data processed are:

• Identification and contact details of the holder of the reservation and information about fellow guests,
• Data of the reservation itself or request for services (dates of stay, number and age of guests and services requested),
• Data relating to means of payment
• Transaction data for goods and services
• E-mail address, telephone number, message content

Information about special needs, food intolerance or allergies are collected and processed for managing requested support services at the hotel. This processing is based on your consent.

This data is obtained either directly from you or from third parties who have processed the booking or requested the service on your behalf, e.g. the agency or the tour operator.

We process the identification data, means of payment of the reservation holder and financial data and transactions of goods and services to invoice the services and charges that may have been generated during your stay, based on the contractual relationship established and compliance with the legal obligations of the hotel in accounting and tax matters.

Customer relations

This includes:

• Handling of inquiries and complaints from hotel guests
• Registration and management of forgotten belongings - lost and found (including handling claims of a forgotten item by a guest)
• Management of VIP guests and members in loyalty programs (including updating hotel guest’s profiles in the Property Management System)
• Management of hotel guest satisfaction surveys
• Management of hotel guest reviews

Examples of the types of personal data processed are:

• Identification and contact details of the holder of the reservation and information about fellow guests,
• Data of the reservation itself or request for services (dates of stay, number and age of guests and services requested)
• Data relating to means of payment
• Transaction data for goods and services
• Data about forgotten belongings and subsequent claims
• Any information needed for handling of inquiries and complaints (e.g. name, occurrence details, contact information)
• Information given in satisfaction surveys or guest reviews (e.g. name, social media identifier, details of the hotel stay, pictures)

This data is obtained either directly from you or from third parties who have processed the booking or requested the service on your behalf, e.g. the agency or the tour operator.

Processing of personal data is based on our legitimate interest to uphold and develop our customer relations. This includes the ability to handle inquiries and complaints from customers as well as to follow up on the satisfaction of our customers to our services.

Security and safety measures
Upholding of the security and safety for our guests and staff is of utmost importance to us. For this purpose, we have implemented a number of security and safety measures that sometimes includes processing of personal data.

This includes:

• Access control measures (e.g. key cards, pin codes, CCTV- monitors)
• Implementation of security measures to protect our IT-environment
• Video surveillance, for more information please see the “Information of video surveillance on Sunwing Family Resort, Sunprime Hotels and O.B.C.”
• Management of security incidents

Examples of the types of personal data processed are:

• Name and electronic identification (connection details, password, etc.)
• Telephone traffic data and connection logs
• Pictures and recordings (video surveillance)
• All information collected can be processed for the management of a security incident

This data is obtained either directly or indirectly from you.

This processing of personal data is based on our legitimate interest to uphold and ensure the safety and protection of people, property and premises, and preventing crime. We’ve implemented measures to restrict access to the collected data to authorized persons and to make sure the data is stored in a secure way.

Regarding video surveillance, we have taken extensive measures to limit the monitoring to what is necessary to fulfil our purposes, including ensuring that we only collect the data necessary for our purposes (no sound is recorded) and that cameras are not installed in places where there is an expectation of privacy (e.g. bathrooms, changing rooms or similar places). The material is stored for a limited time and in a secure manner, and we have ensured that only authorized persons have access to the material. There are signs informing about the surveillance at all entrances to supervised areas.

We have weighed our interests against the rights and freedoms of the data subjects. In view of the restrictive measures taken, we’ve assessed that the processing has a limited impact on privacy and is in accordance with what can reasonably be expected.

Compliance with legal obligations

This includes:

• Complying with a legal obligation imposed on us. (e.g. obligations we have under the Tax Act, the Accounting Act, a decision from the police or other authority).
• Complying with national legislation of registration and control of travelers (please see below for country specific information)
• Disclosure of information to national or international authorities as a result of law, court or authority decision

Examples of the types of personal data processed are:

• Name and contact details (e.g. email address, telephone number, address)
• Booking details
• Payment information
• Other information about your completed purchases (receipts, etc.).

National laws on registration and control of travelers

Spain
To establish a traveller’s register and to maintain tourism and public safety, we are obligated to register information about all guests staying at our hotels in the public register provided by the Spanish authorities.

Personal data processed is:

• Name and surname
• Sex
• Date of birth
• Country of nationality
• Number and type of identity document
• Date of issue of the document
• Date of entry
• Information about relationship to fellow passengers under the age of 14
• Signature

The data is obtained directly from you in the check-in form and the passport or ID scan performed during check-in. The passport scan is carried out using a character recognition (OCR) program to extract the necessary information for the report and does not store a picture of the identification document.

The data will be stored for three (3) years, counting from the date of the registration.

The collection, registration and storing of the information is necessary to fulfill our legal obligation in the Convention implementing the Schengen Agreement and Organic Law 4/2015, of 30 March, on the protection of public safety, and the Spanish Royal Decree 933/2001.

When you use digital services - (MyHotels)

When you use one of our digital services we collect information about your usage. Some of this information may be personal data. NLTG is joint controller with your tour operator for the digital service MyHotels.

Provide access to our digital services

This includes:

• Managing access to digital services

Examples of the types of personal data processed are:

• Your MyPage account data (name, email address, age, nationality, phone number and password from your My Page account)
• Log in information (time and use of the digital services)

The data is obtained directly or indirectly from you or from third parties who have processed the booking or requested the service on your behalf, e.g. the agency or the tour operator. When you log in to MyHotel using your My page account, the information on your MyPage account will be automatically downloaded and stored in a local database. The data is stored for 20 days and then anonymized.

This processing is necessary to fulfil the contract with you.

Providing services, activities program and children’s activities

This includes:

• Providing information about the destination, activities program, contact details to tour operator representatives etc.
• Booking, organizing and performance of activities and services
• Booking, organizing and performance of children's activities
• Booking of restaurants, food and beverages

Examples of the types of personal data processed are:

• Information needed to organize and perform requested services and activities (e.g name, room number, email address of the participant, any other information needed for the specific activity or service)
• Information needed to organize and perform requested children’s activities (e.g. name of the participating child, age, spoken language, any allergies, and the name, phone number, email address, room number and location of the child’s guardian/responsible adult during the activity)

If needed for offering the best possible experience, we will ask you to provide information about any food intolerance and/or allergies. Please note that providing this information is optional. When providing us with information about food intolerance and/or allergies you consent to the processing of such information. Access to this information will be restricted and the information will only be used during the performance of the activity or service.

The data is obtained directly from you or from third parties who have processed the booking or requested the service on your behalf, e.g. the agency or the tour operator.

This processing is necessary to fulfil the contract with you.

 
Development and improvement of our offers and promotions

This includes:

• Analyzing of usage patterns of digital services to determine what offers and promotions we show on our websites to suit customer preferences
• Analyzing of customer information to develop our offers and promotions

Examples of the types of personal data processed are:

• Usage patterns (e.g. how you navigate the service, your searches and which of our products you show an interest in)
• Use of services at the hotel, customer surveys, customer reviews etc

The data is obtained indirectly from you whenever you use one of our websites, apps or another of our digital services. To analyze usage patterns, we use cookies. For our use of cookies for statistical, analytical and/or marketing purposes, you need to have given your consent. You can change your cookie settings at any time.

For data collected with other means than cookies, our processing is based on our legitimate interest in analyzing customer behaviors to improve our services and products.

Development and improvement of our products and services
We mainly use anonymous or anonymized data on an aggregated level to analyze user behaviour. We may use personal data for these purposes if it is relevant.

This includes:

• Analyzing of usage pattern information to determine what information is needed, and what functions to develop and improve e.g. address problems or improve customer safety.

Examples of the types of personal data processed are:

• Usage patterns (e.g. how you navigate the service, your searches and what type of information you show an interest in)
• Use of services at the hotel, customer surveys, customer reviews, problems with using the digital services etc.

The data is obtained indirectly from you whenever you use one of our websites, apps or another of our digital services. To analyze usage patterns, we use cookies. You can change your cookie settings at any time (see our Cookie policy).

Data processors and transfers

Services and activities booked through MyHotels, and the related processing of personal data, take place at the destination. This means that your personal data may be processed outside the EU/EEA. The data may also be processed by resort staff at the destination not employed directly by us. For example, if you request or book ancillary services provided by third party providers, the personal data necessary for the processing of said request/booking will be communicated to the corresponding suppliers, only for this purpose. The data is only processed in our systems and under our express direction.

We process personal data in our customer management system, our booking- and sales systems, our customer service system and in a system for data processing and optimization. These systems are shared by the companies that are part of NLTG. These systems are required to provide you with the services you have requested from us and to provide customer care and support in conjunction with those services. Any personal data we collect may be processed in any or all these systems.

We take your integrity and the security of your personal data seriously during all processing. Some systems are locally installed and only accessible by our staff. In these cases, no personal data is transferred to any third party. Some systems are cloud solutions or installed at a provider’s premises and require transferring personal data to a third party. We use external providers for profiling and user behavior analysis on our websites and for handling user feedback, mostly collected by cookies and processed aggregated and anonymously.

In all the abovementioned situations, the provider is our data processor and process personal data under a data processing agreement and in accordance with our instructions.

In addition, as mentioned, information about your stay will be communicated to the authorities or security forces in compliance with national legislation on security and control of travelers. We will disclose information to national or international authorities upon their request. We assess the legality and scope of disclosure in each case.

How long will we process your data?

We process your personal data only as long as is needed to fulfil the purposes of the data collection, whereafter your data will be deleted or anonymized. 

This means for example:

• Information collected when you make a request or booking through MyHotels is stored for three (3) weeks. After that, the data is anonymized. Anonymized user data is processed to analyze and develop our products and promotions.
• Information about special needs, food intolerance and/or allergies is only processed during your stay and will then be deleted.
• Information about transactions of goods and services and other information required by accountancy and tax regulations, will be processed for the time required by current legislations.
• Information about hotels guests collected for national obligations to register or report information to national authorities will be stored for the time required by current legislations.

What are your rights?

You have the right to:

• Obtain confirmation as to whether we are processing your personal data and, if so, get a copy of it.
• Request rectification or completion of your data when it is inaccurate or incomplete.
• Object to the processing of your data for direct marketing and profiling purposes or to automated decision making.
• Request deletion of your data.
• In certain circumstances, request the restriction of the processing of your data. In such cases, we will only process the data if we have compelling legitimate grounds that override your interests or rights and freedoms, or for the establishment, exercise or defense of legal claims or for the protection of the rights of other persons.
• Under certain conditions, request the portability of your data so it can be transmitted to another data controller.

You can withdraw your consent at any time, by following the instructions given when you gave your consent. Your withdrawal will not affect the lawfulness of the processing based on the consent prior to your withdrawal. Also, the same information is processed for multiple purposes. This means that even if you do withdraw your consent and the consent-based processing is stopped, the information may still be retained and processed by us for other purposes that do not require your consent.

You have the right to lodge a complaint with a data protection authority. You can consult the list and contact details of the European data protection agencies on the European Commission's website in http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.

Contact

If you have questions about how your personal data is processed during your stay with us, please contact the reception at your resort or the point of contact given at Hotel Information. You can also contact the Nordic Leisure Travel Group's Data Protection Officer by sending an e-mail to DPO@nltg.com.

To exercise your rights, please fill in this form.

Consent handler MyHotels

In order for you to have a better and more personal experience, we use cookies for various purposes such as functionality, statistics and marketing. Cookies are also used to customize what is shown to you, e.g. in social media, content on the website and for our analyses. We also share information about your use of our digital services with our partners. Below you can choose how customized the experience you want, by accepting or opting out of various cookies. You can change your settings and revoke your consent to various cookies at any time. If you want to read more about our use of cookies, you can do so in our cookie declaration, cookie policy or privacy policy.

Functional cookies make it possible to save information about how the website is displayed or behaves. For example, your choice of language or region. These are needed for the site to function optimally.

Statistical cookies help us understand how visitors interact with the website by collecting data. We collect information about how you interact with the site, including how often you visit the site and which pages you view. We do this to optimize the design, user-friendliness and strengthen the efficiency of the website. In addition, we use the information to provide you with personalized content and prepare market research.

Marketing cookies are used to track how visitors move around the site and for us and other suppliers we work with to show content that is relevant to each visitor. We collect information about your interests, including which pages and advertisements you click on, which products or services you show interest in or purchase etc (so-called profiling). In order to display targeted ads and other targeted advertising, we work with other companies with whom we share the information.

Cookie declaration
You can find your countrys cookie declaration below:

• Sweden
• Denmark
• Norway
• Finland

Information of Video Surveillance on Sunwing Family Resort, Sunprime Hotels and O.B.C.

** Please, read this privacy policy carefully. **

In this policy you will find important information about video surveillance on Sunwing, Sunprime, O.B.C and Family Garden Hotels and the subsequent processing of your personal data. You will also find information about your rights as a data subject according to the European Data Protection Legislation (GDPR) and related national legislation

For information about who is responsible for the collection and processing of your data and contact details, please see the section Hotel Information below.

Why are we using video surveillance?

We are using video surveillance, and processing the data obtained from it, for the purpose of ensuring the security at our facilities.

This processing is based on our legitimate interest in upholding and ensuring the safety and protection of people, property and premises, and preventing crime. We have weighed our interests against the rights and freedoms of the data subjects (the individuals getting recorded),. We have taken extensive measures to limit the surveillance to what is necessary to fulfil our purposes, including ensuring that we only collect the data necessary for our purposes (no sound is recorded) and that cameras are not installed in places where there is an expectation of privacy (e.g. bathrooms, changing rooms or similar places). The material is stored for a limited time and in a secure manner, and we have ensured that only authorized persons have access to the material. There are signs informing about the surveillance at all entrances to supervised areas. In view of the restrictive measures taken, we’ve assessed that the processing has a limited impact on privacy and is in accordance with what can reasonably be expected.

How long will we keep your data?

The data will be deleted within a maximum period of 30 days from when it was collected. If necessary due to applicable legal provisions or for the purpose of establishing, exercising or defending legal claims, the material will be processed for the time needed in the present case.

To whom can we transfer recorded material?

Upon request from competent authorities, recorded material may be extradited. Each request will be assessed on a case-by-case basis. If necessary for establishing, exercising or defending legal claims, recorded material may be shared with needed expertise or legal representatives.

What are your rights?

You have the right to obtain confirmation of whether we are processing your personal data and, if so, access it. You can also request that your data be rectified when it is inaccurate or that it be completed when it is incomplete, as well as request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

In certain circumstances, you may request the limitation of the processing of your data. If applicable, we will only process the data for establishing, exercising or defending legal claims or for the protection of the rights of other individuals.

Under certain conditions and for reasons related to the specific circumstances, you may object to the processing of your data. If applicable, we will stop processing the data except for compelling legitimate interests that prevail over your interests or rights and freedoms, or for establishing, exercising or defending legal claims.

You also have the right to lodge a complaint with a data protection authority. You can consult the list and contact details of the European data protection agencies on the European Commission website at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.

Amendments and updates

We reserve the right to update this information and our privacy policy at any time due to business decisions, as well as to comply with possible legislative or jurisprudential changes. If you have questions or need any clarification regarding the processing of personal data or your rights as a data subject, you can contact us through the channels indicated below.

• Hotel: Sunprime Atlantic View, Sunprime Pollensa Bay, Sunprime Waterfront
• Address: RESORT MALLORCA HOTELS INTERNATIONAL S.L., with address at C/ Fray Juniper Serra, 6, 07014 Palma (Balearic Islands, Spain).
• Contact details: For any questions about the processing of your data or the exercise of the rights recognized by current regulations on the matter, you can send an-email to dpd@rmhi.es
• Contact details Data protection Authority: Agencia Española de Protección de Datos www.aepd.es (Spanish Data Protection Agency)