1. IDENTIFICATION AND CONTACT DATA OF THE DATA CONTROLLER.
The following entities will process your personal data as Joint Controllers: - HESPERIA HOTELS ANDORRA SAU, (hereinafter “Hesperia”), with NIF A706299P, and with address at Carrer del Prat Gran, 3-5, AD700 Escaldes-Engordany, Andorra. - The commercial companies dedicated to the management and operation of the hotels that make up the Hesperia Group (hereinafter “the Hotels”), although not all of the aforementioned hotels will have access to and process your personal data, but only the specific hotel for which you make a reservation and/or where you finally stay (hereinafter “the Hotel”). Likewise, we inform you that the Group to which Hesperia and the Hotels belongs has a Data Protection Officer, who you can contact at the following address: DPO@hesperiaworld.com .

2. NECESSARY AND UPDATED INFORMATION
All the fields that appear in the forms provided to you with an asterisk [*] will be mandatory to complete, so that the omission of any of them could lead to the impossibility of properly responding to your request, providing you with the requested services or proceed to send the requested or authorized communications. You must provide truthful information, and the use of aliases or means to hide your identity is prohibited. So that the information provided is always up to date and does not contain errors, you must inform Hesperia, as soon as possible, of any modifications and rectifications of your personal data that may occur, through the reception of our hotels or the following email. : protecciondedatos@hesperiaworld.com . Likewise, you declare that the information and data you have provided are accurate and truthful.

3. ORIGIN AND PROVENANCE OF YOUR DATA
To manage reservations, we may contract with service providers that will communicate your personal data to us. The categories of data that will be communicated to us and that we will therefore process are those corresponding to identification and banking data necessary for the correct management of your reservation.

- Manage the reservation you make at one of our hotels through any channel. Said treatment is based on the pre-contractual measure requested by you when formalizing said reservation requesting our services. Your data will be kept until the date for which you make the reservation arrives and, in the event that you finally stay at the corresponding hotel, during the duration of our contractual relationship and until the end of your stay at the hotel, being able to keep them. subsequently blocked during the periods resulting from the prescription of legal actions related to this treatment.

- Respond to requests, queries, complaints and/or claims submitted through the “do you need help?” form. of this website, by telephone or email, when they are related to the services that you have previously contracted, based on the execution of the contractual relationship or the adoption of pre-contractual measures if you are not yet a client. To respond to requests and queries that are not related to the services that you have previously contracted, the treatment will be carried out based on the consent that, where appropriate, you give when sending the corresponding request, query, complaint or claim. Your data will be kept until the resolution of the query, request, complaint and/or claim raised, and, when they are related to the services that you had previously contracted, as long as our contractual relationship is maintained. However, the data may subsequently be kept blocked during the periods resulting from the prescription of legal actions related to this processing.

- Manage check-in, accommodation and check-out, as well as process payment for the contracted service. This processing of personal data will be carried out based on the contractual relationship you have with us. Your data will be kept for the duration of our contractual relationship and until the end of your stay at the hotel, and may subsequently be kept blocked for the periods resulting from the prescription of legal actions related to this treatment.

- Manage your registration in Hesperia for the purposes of creating a global database of the entities that make up the Hesperia Group to facilitate check-in processes, based on the legitimate interest in transmitting personal data within the group for internal administrative purposes. The data processed for this purpose will be kept throughout our contractual relationship, and may subsequently be kept blocked during the periods resulting from the prescription of legal actions related to this treatment. For its part, the Hotel may process your personal data to:

- Manage the sending, by any means, of communications related to the stay you have booked. Said treatment is based on the contractual relationship that you have with us. The data processed for this purpose will be kept as long as our contractual relationship is maintained, and may subsequently be kept blocked during the periods resulting from the prescription of legal actions related to this treatment.

- Manage the sending of informative communications related to the opportunities offered by the city in which said hotel is located. These communications are based on the legitimate interest of the Hotel in which you make a reservation, in keeping our guests informed about issues that we consider may be of interest to them because they are relative or related to their stay. The data processed for this purpose will be kept until you unsubscribe from said shipments or after 2 years have passed since your last interaction with us. However, also in this case, your personal data may subsequently be kept blocked during the periods resulting from the prescription of legal actions related to this processing.

- Manage the provision of extra services to the accommodation, such as requesting flowers, excursions, restaurant services, special attention on designated dates, which you may request at the time of check-in; as well as manage their payment. This data processing is based on the contractual relationship you have with us. Regarding the processing of health data (mainly, among others, allergy data in the case of catering services or data related to your reduced mobility, to facilitate your access to our facilities) for the provision of services, These will be treated based on the consent that, if applicable, you give to the Hotel. The data processed for this purpose will be kept for the time necessary to provide you with the requested service during your stay at our hotel. However, the data may subsequently be kept blocked during the periods resulting from the prescription of legal actions related to this processing.

- Contact medical-care services when required. In cases where it is a medical emergency, your data will be processed to protect your vital interests. In cases where it is not a medical emergency, the processing of the data will be carried out based on the contractual relationship you have with us. Your data will be kept during our contractual relationship. However, the data may subsequently be kept blocked during the periods resulting from the prescription of legal actions related to this processing.

- Carry out satisfaction surveys, based on the legitimate interest of the Hotel in which you make a reservation in knowing your degree of satisfaction with the services provided by it. Your data will be kept until you object to its processing, or after 2 years have passed since your last interaction with us. Subsequently, your data may be kept blocked during the periods resulting from the prescription of legal actions related to this treatment.

- Manage the requests you make through the use of the customer service of the hotel where you are staying through the WhatsApp Business tool. The data you provide us when communicating with us through this channel will be processed for the sole purpose of responding to your request or providing you with the service you request. This data processing is based on the consent that, where appropriate, you give when accepting the use of the channel and when you contact us freely and voluntarily. Without prejudice to the above, in the event that as a result of your request we have to process your personal data to carry out management related to the services that you had previously contracted from us, these will be processed based on the execution of the contractual relationship. that you keep with the hotel. The data processed for this purpose will be kept until the revocation of your consent and, when they are related to the services that you had previously contracted, as long as our contractual relationship is maintained. However, the data may subsequently be kept blocked during the periods resulting from the prescription of legal actions related to this processing. Likewise, regardless of the aforementioned retention period, the conversations held through this channel will be deleted after 90 days from when your account is canceled.

- Manage the sending, by any means, of offers and promotions of the services offered by the hotels that make up the Hesperia Group, as well as information about events organized by said hotels or news offered by them. These communications are made based on the consent that, where appropriate, you give for such purposes. In the event that you have given us your consent, your data will be kept until you revoke the consent, if applicable, given, or after 2 years have passed since your last interaction with us, and you may subsequently keep them blocked for the periods that arise. of the prescription of legal actions related to this treatment.

- Manage the sending of commercial communications through social networks based on the consent that, where appropriate, you have given us by being a “follower” or “friend” of our profiles. Your data will be kept until you revoke the consent, if applicable, given, or after 2 years have passed since your last interaction with us, and may subsequently be kept blocked during the periods resulting from the prescription of legal actions related to this treatment. .

- Manage the sending, by any means, of commercial communications related to news and/or offers related to the restaurant, insurance, entertainment, wellness and aeronautical sectors. These communications are made based on the consent that, where appropriate, you give for such purposes. In the event that you have given us your consent, your data will be kept until you revoke the consent, if applicable, given, or after 2 years have passed since your last interaction with us, and you may subsequently keep them blocked for the periods that arise. of the prescription of legal actions related to this treatment.

- Prepare commercial profiles based on the consent that, if applicable, you give us. Your data will be kept until you revoke the consent, if applicable, given, or after 2 years have passed since your last interaction with us, and may subsequently be kept blocked during the periods resulting from the prescription of legal actions related to this treatment. .

5. EXERCISE OF YOUR RIGHTS
We inform you that you can exercise the following rights: (i) right of access to your personal data to know which data is being processed and the processing operations carried out with them; (ii) right to rectification of any inaccurate personal data; (iii) right to deletion of your personal data, when this is possible; (iv) right of opposition, when this is possible; (v) right to request the limitation of the processing of your personal data when the accuracy, legality or necessity of the processing of the data is doubtful, in which case, we may retain the blocked data for the exercise or defense of claims. (vi) right to the portability of your personal data, when the legal basis that enables us to process it is the existence of a contractual relationship or your consent. (vii) Right to revoke the consent, if applicable, given to Hesperia for the processing of your data. You can exercise your rights at any time and free of charge by sending an email to protecciondedatos@hesperiaworld.com , indicating the right you wish to exercise and your identification data. On the other hand, we inform you that you have the right to file a claim with the Spanish Data Protection Agency if you consider that a violation of data protection legislation has been committed with respect to the processing of your personal data.

6. RECIPIENTS OF YOUR PERSONAL DATA
Your data may be transferred to the Public Administrations determined by the applicable legislation in force at any given time, such as Public Treasury, Judges and Courts, and Security Forces and Corps. The personal data that you provide us for the purpose of managing your reservation, or for contracting extra services may, in turn, be communicated to the banking entity with which Hesperia and the Hotels work. Your personal data may be transferred to our commercial partner (AMResorts Hotels Europe) with whom Hesperia and the Hotels work to carry out promotional and marketing activities, including the sending and receiving of commercial communications, the operation of the website and the facilitation of reservations. Regarding the data that you provide us to manage your registration in Hesperia for the purposes of creating a global database of the entities that make up the Hesperia Group to facilitate check-in processes, they may be communicated to the companies. of the Hesperia Group based on our legitimate interest in transmitting intra-group personal data for internal administrative purposes. Likewise, your data may be transferred to the health care company with which the hotel where you stay works when you require medical care services. In cases where it is a medical emergency, said data communication will be carried out to protect your vital interests. In cases where it is not a medical emergency, the communication of data to the healthcare company will be carried out for the management of our contractual relationship. Without prejudice to the above, in the event that you use the service of the hotel where you are staying through the WhatsApp Business tool, WhatsApp Ireland Limited may have access to your personal data. In these cases, WhatsApp Ireland Limited will only access and process your personal data as data processor, so it will only do so to provide the contracted messaging services, in accordance with the conditions of service published in this link.

7. INTERNATIONAL TRANSFERS
Transfers of your data will be carried out to countries located outside the European Economic Area and, specifically, to: (i) the United States; as a consequence of the following services: a) search engine services that TravelClick, Inc. provides in relation to the location and selection of the specific payment gateways or suppliers that authorize payments related to the services provided by Hesperia. These international transfers are regularized through the standard contractual clauses approved by the European Commission. b) marketing services for Hotels provided by Mailchimp. These international transfers are regularized through the standard contractual clauses approved by the European Commission. c) instant messaging services of hotels that use the WhatsApp Business tool to respond to guest requests, provided by WhatsApp Ireland Limited. These international transfers are regulated through the standard contractual clauses approved by the European Commission, in accordance with the Appendix on WhatsApp Business data transfer. (ii) Andorra, as a consequence of the communication of data to the companies of the Hesperia Group that are located in said territory for the provision of administrative management services of said group. Andorra has been declared by the European Commission with an adequate level of protection, in accordance with the provisions of Decision 2010/625/EU, of October 19, 2010.

8. SECURITY
Hesperia has implemented and maintains the security levels required by the GDPR to protect your personal data against accidental loss and unauthorized access, processing or disclosure, taking into account the state of technology, the nature of the data stored and the risks posed to it. They are exposed. However, although Hesperia makes its best efforts to protect the data it processes, it cannot guarantee in any case the process of communication of personal data from the users' network to that of Hesperia. Therefore, once we receive your data, Hesperia will use rigorous procedures and security features to prevent any unauthorized access.

9. CONFIDENTIALITY
The personal data that we may collect will be treated confidentially, committing us to keep it secret in accordance with the provisions of the applicable legislation.

10. PRIVACY POLICY UPDATE
This Privacy Policy may need to be updated; Therefore, it is necessary that you review this policy periodically and if possible every time you make your reservation, or contact us in order to be adequately informed about the type of information collected and its treatment. We will inform you of any modification to this Privacy Policy that substantially affects the processing of your personal data.