Privacy Policy

OFFICIAL WEBSITE OF ALFAGAR APARTHOTELS & RESORTS, PORTUGAL

I. INTRODUCTION

This Privacy Policy is intended to provide users of the website hosted at www.alfagar.com, hereinafter in abbreviated form (“Site”).
The purpose of this document is to provide a concise policy statement on the data protection obligations to be implemented in all companies that make up and are part of the Alfagar Aparthotels & Resorts Group (hereinafter “Alfagar Group”). This policy includes the Alfagar Group's obligations regarding personal data processing operations, in order to guarantee compliance with the requirements of the relevant legislation, with a view to adapting efforts in relation to a reality in continuous change, to face the most relevant.
To provide services and related communications, the hotel units use shared services within the scope of the Alfagar Group, as such, the data collected and subject to processing operations within the scope of the hotel and communication services provided will be co-responsible for the processing. the following entities, constituents of the Alfagar Group:

- ALGAROSA – Sociedade Gestora de Hotéis, S.A.
Commercial name: Alfagar Village | Alfagar Alto da Colina | Alfagar Aparthotel | Alfagar Cerro Malpique

- SOCIEDADE HOTELEIRA DE ALFAGAR, S.A.

- SILATLANTIS – Empreendimentos Turísticos e Imobiliários, S.A.

As a rule, Personal Data is requested when the user registers or browses the Website, requests contact and/or sending newsletters, interacts with the chat, subscribes to a specific product or service, provides or requests information, adheres to the “A Club” loyalty from the Alfagar Group, purchase a product or establish a contractual relationship with the Alfagar Group through a reservation for a stay in one of our hotel establishments.

II. RATIONALE

The Alfagar Group complies with the data protection principles established in current legislation.
This Policy applies to all personal data processing operations, including their collection, processing and storage by all Alfagar Group companies in relation to their employees, service providers and customers, in the course of their respective activity.

III. SCOPE

The Policy covers all personal data, including data referring to special categories of personal data, processed in relation to data subjects, by the Alfagar Group, as Data Controller or Subcontractor.
This Policy also applies to personal data processed manually as long as they are included in a structured file.
All personal data relating to special categories of personal data will be treated with increased care by the Alfagar Group. Both categories will also be referred to as “Personal Data” in this Policy, unless otherwise indicated.
The Personal Data collected and processed essentially consists of information relating to name, gender, date of birth, telephone, mobile phone, e-mail, address, identification and tax document number, credit card details (collected only for payment purposes ), although other Personal Data may be collected that may be necessary or convenient for the provision or billing of services by the Alfagar Group.
Usability Information and Personal Data are referred to in this Privacy Policy as “user data”.
The Alfagar Group also collects and processes information about the device characteristics of its hardware, its IP and browser/software characteristics as well as information about the pages visited by the user within the Site. This information may include your browser type, domain name, access times and the links through which the user accessed the Site (“Usability Information”). We use this information to improve the quality of your visit to our Website and, when you consent, we analyze your user profile and browsing habits on the Website, measure the conversion of advertising on the Website and send commercial and marketing information adapted to your needs. profile.
For the purposes of this Privacy Policy, a contractual relationship means any and all contracts established between the Alfagar Group and the entities that have relationships with it, regardless of the respective purpose.

IV. WHO PERFORMS PROCESSING OPERATIONS ON THE DATA

In the course of their daily activities, Alfagar Group companies may acquire, process and store Personal Data.
In accordance with European and Portuguese data protection legislation, this data must be acquired and managed in a lawful, fair and transparent manner.
The Alfagar Group is committed to ensuring that its team has sufficient knowledge of data protection legislation and practices in order to be able to anticipate and identify any data protection issues that may arise.
In these circumstances, the team must ensure that the Data Controller is informed, ensuring that all appropriate and necessary corrective actions will be taken, in order to guarantee the rights, freedoms and guarantees of Data Subjects.
The Alfagar Group may share Personal Data of Data Subjects with Subcontractors as long as necessary for the normal provision of its services.
Subcontractors' access to Personal Data shared by the Alfagar Group is regulated, within the scope of the Alfagar Group's obligations, by the contract signed with its Subcontractors.
In this sense, the Alfagar Group contractually ensures and regularly verifies that the Subcontractors are reliable entities that offer adequate protection guarantees, with no data being transmitted to them beyond what is necessary to provide the contracted service.
In the course of its role as Data Controller, the Alfagar Group may also share the Personal Data of Data Subjects with other Data Controllers, in order to carry out the processing operations necessary to provide the contracted services.
Within the scope of the aforementioned joint responsibility, the Alfagar Group enters into an agreement with the other controller, under which the respective purposes and responsibilities in complying with current data protection legislation are transparently identified, guaranteeing compliance with the Rights and Freedoms of Data Subjects through the establishment of adequate communication channels to respond to Data Subjects' requests.
Regardless of the relationship existing between the Recipients of Personal Data, the Alfagar Group defines, through a formal and written contract, the delimitation of obligations in matters of Personal Data, the specific purpose or purposes for which they are involved and the understanding that they carry out the data processing operations in accordance with Portuguese Data Protection Legislation.

V. DATA RECIPIENTS

The data collected by the Alfagar Group is not shared with third parties without the user's consent, with the exception of the situations referred to in the following paragraph. However, if the user contracts with the Alfagar Group for services that are provided by other entities responsible for the processing of personal data, the data may be transmitted and/or accessed by these entities, to the extent that this is necessary for the provision of the said services.

Under applicable legal terms, the Alfagar Group may transmit or communicate data to other entities if such transmission or communication is necessary for the execution of the contract established between the user and the Alfagar Group, or for pre-contractual measures at the user's request. , if it is necessary to comply with a legal obligation to which the Alfagar Group is subject or if it is necessary to fulfill the legitimate interests of the Alfagar Group or third parties. If data is transmitted to third parties, reasonable efforts will be made to ensure that the transmitter uses the transmitted data in accordance with this Privacy Policy.
If the user makes a reservation to stay at one of our hotel units, their personal data will be processed for the purposes of subscribing to and managing the assistance insurance available to all customers during their stay at the Alfagar Group units. For these purposes, the Alfagar Group will transmit to the Insurer, which will act as Data Controller, the following personal data: full name, nationality, date of birth, Passport or Citizen Card number, country of origin, date of check-in, check-out date.
Your data may be shared with the following Recipients:
• Providers of IT, technical and operational support services;
• Alfagar Group entities;
• Entities related to, or with common management with, the Alfagar Group;
• Entities to which Alfagar Group companies provide services;
• Judicial bodies, Criminal Police bodies and Administrative Authorities.

VI. SUBCONTRACTING ENTITIES

In the context of the processing of personal data, the Alfagar Group or may use third parties, subcontracted by it, to, on its behalf, and in accordance with its instructions, process personal data, in accordance with applicable legislation and of this Privacy Policy.
These subcontracted entities will not be able to transmit the data to other entities without the Alfagar Group having previously given written authorization to do so.
The Alfagar Group is committed to subcontracting only entities that offer maximum security in carrying out appropriate technical and organizational measures, in order to guarantee the defense of the rights of data subjects. All entities subcontracted by the Alfagar Group are bound to the latter through a written agreement regulating, in particular, the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of holders of data and the rights and obligations of the parties and other requirements set out in article 28 of the GDPR.
In accordance with the duty of information to which the Alfagar Group is obliged, the following are the categories of subcontractors to which the personal data of website users and Alfagar Group customers are communicated:

Categories of subcontracted entities:	Purposes of personal data processing:
Licensing, maintenance, support and technical assistance companies of software and systems;	Management / maintenance / support for systems and software that support the Alfagar Group’s activity;
Companies processing payment services, EDI and electronic invoicing services, accounting, tax and administrative management and activity support software;	Economic and accounting management of customer, supplier and service provider invoicing
Commercial promoters;	Promotion / Sale of Alfagar Group services;
Direct marketing support companies / digital marketing partners;	Assistance in managing the sending of email marketing, analysis of performance and user profiles and the impact and dissemination of advertising;
Customer satisfaction assessment companies;	Sending customer evaluation questionnaires;
Security/surveillance companies and preventive and corrective maintenance companies for security systems;	Video surveillance and surveillance for the safety of people and property;
Guests' stays management companies;	Provision of services associated with customer stays in the various commercial establishments of the Alfagar Group;
Companies providing support on Customer Service.	Customer service and contact services.

VII. THIRD PARTY ENTITIES

The Alfagar Group may also communicate to other third parties not qualified as subcontractors under article 4, paragraph 8 of the GDPR. These entities are subject to confidentiality, and they have all assumed the guarantee that they process personal data in accordance with the provisions of the GDPR.

The Alfagar Group communicates the data to other recipients in detail:

Recipient Categories	Purposes of personal data processing
Temporary employment companies;	Temporary assignment of workers;
Companies to which the operation of commercial establishments on Alfagar Group facilities is granted:	Supplementary and support services provided to customers;
Insurance Companies;	Customer Assistance Insurance;
Companies providing various services during the guest's stay at Alfagar Group facilities;	Parking, car rental and garden maintenance services;
Social media;	Marketing campaigns;
Travel agencies and tour operators;	Reservations of stays and provision of hotel services;
Consultants and Lawyers;	Provision of consultancy and legal services;;
Companies providing additional services requested by customers;	Taxi / Transfer services, parking, rent-a-car, restaurant reservations and other activities at the customer's request;

v Data collection channels

The Alfagar Group may collect data directly (i.e., directly from the user) or indirectly (i.e., through partner entities or third parties).

Collection can be made through the following channels:

• Direct collection: in person, by telephone, by email and via the Website;

• Indirect collection: through partners or group companies and official entities.

VIII. WHAT THE ALFAGAR GROUP DOES WITH THE DATA

As Data Controller, the Alfagar Group guarantees that all Personal Data:
• They will be obtained for specific, lawful and clearly defined purposes, with the Data Holder having the right to question the purpose(s) for which the Alfagar Group collects and maintains it, and must the Alfagar Group informs clearly and precisely what its purpose or purposes are;

• They will be compatible with the purposes for which they were acquired;

• They will be maintained with appropriate security measures - implemented or to be implemented - to protect against unauthorized access, or against the alteration, destruction or disclosure of any Personal Data held by the Alfagar Group as Data Controller;

• Will be maintained accurately, completely and updated, when necessary;

• They will be collected in a limited way and kept only for the time strictly necessary, without excessive data being collected and/or processed.

Therefore, the Alfagar Group has implemented a procedure for responding to requests from Data Subjects, in order to manage such requests in an efficient and appropriate manner, within the deadlines stipulated in the legislation.
The Alfagar Group has implemented, or is implementing, the levels of security and protection of Personal Data made available, as well as technical and organizational measures to protect Personal Data against its dissemination, loss, misuse, alteration, processing or unauthorized access as well as against any other form of illicit processing.
All Alfagar Group Employees are also subject to confidentiality rules.
Alfagar Group may combine Usability Information with anonymous demographic information for research purposes, and may use the results of this combination to provide more relevant content on the Site.
With the user's consent, in certain restricted areas of the Site, the Alfagar Group may combine Personal Data with Usability Information to provide you with more personalized content.

IX. PURPOSES AND BASIS OF THE LEGALITY OF PROCESSING OPERATIONS:

•        Customers
The Alfagar Group carries out processing operations in relation to the Personal Data of its Customers to guarantee compliance with the service provision contract agreed with the Data Subjects or with the Joint Data Controllers (in relation to the data and Data Subjects collected by them, such as counterparties, workers and others).
The personal data now identified and subject to processing operations are in a situation of necessity for the execution of a contract or for pre-contractual measures or for the fulfillment of legal obligations, or in the case of marketing, they may be under consent.
Special Category data relating to Customers, or obtained through Customers, will be subject to appropriate processing operations, to the extent necessary for reasons of important public interest such as the prevention of money laundering and terrorist financing.
The processing of Personal Data of Customers or obtained through Customers, related to criminal convictions and infractions or related security measures will always be subject to adequate guarantees to protect the rights and freedoms of Data Subjects, with operations relating to such data being limited to strict compliance with applicable legal obligations.

•   Employees
The Alfagar Group carries out processing operations regarding the data of its employees for the execution of the employment contract. The data processed is necessary for the purposes of executing a contract to which the Data Subject is party, or for the purposes of pre-contractual measures at the request of the Data Subject.
The personal data of employees are also collected and processed for the purposes of complying with legal obligations to which the Data Controller is subject.
Processing operations relating to Special Category data collected from Employees are necessary for the purposes of complying with legal obligations and exercising specific rights of the Data Controller or Data Subject in matters of labor, social security and social protection legislation. and also for the purposes of preventive or occupational medicine, to assess the employee's work capacity.
The processing of Personal Data of Employees or obtained through Employees, related to criminal convictions and infractions or related security measures will always be subject to adequate guarantees to protect the rights and freedoms of Data Subjects, with operations relating to such data being limited to strict compliance with applicable legal obligations.

•   Service providers
The Alfagar Group carries out processing operations in relation to the Personal Data of its Service Providers to ensure compliance with the service provision contract agreed with the Data Subjects or with the Joint Data Controllers (in relation to the data and Data Subjects collected by them , such as counterparties, workers and others). The Personal Data identified here and subject to processing operations is necessary for the execution of a contract or for pre-contractual measures or for the fulfillment of legal obligations.
Special Category data relating to Service Providers or obtained through Service Providers will be subject to processing operations, to the extent that they are necessary for the establishment, exercise or defense of a right in legal proceedings, or the processing is necessary for the purposes of fulfilling obligations and exercising specific rights of the Data Controller or Data Subject in matters of labor legislation, social security and social protection or important public interest.
The processing of Personal Data from Service Providers or obtained through Service Providers, related to criminal convictions and infractions or related security measures will always be subject to adequate guarantees to protect the rights and freedoms of data subjects, with the operations relating to to these data limited to strict compliance with applicable legal obligations.

Treatment Activity	Purposes of Treatment	Fundamentals of Lawfulness
Contractual Relationship Management	Reservation and provision of hotel services and associated services	Pre-contractual due diligence or execution of the contract
		Legitimate interest if the holder is not a party to the contract
	Recording of electronic communications within the scope of the contractual relationship, if applicable	Consent
	Call recording within the scope of the contractual relationship
	Call recording to monitor service quality
	Subscription and management of stay assistance insurance	Contract execution
	Satisfaction questionnaire	Legitimate Interest
Commercial Activity and Marketing Sending	Generalized profile analysis	Legitimate Interest
	Sending commercial communications	Consent
		Legitimate Interest
	Participation in campaigns and contests on social media	Consent
Fullfillment of legal obligations	Billing	Legal obligation
	Communications	Legal obligation
Management of the loyalty program \| ” A Club”	Membership and management of the loyalty club	Contract execution
	Sending of program related communications	Contract execution
Profile analysis and website browsing	User profile analysis	Consent
	User conversion analysis	Consent
	Execution of improvements and developments on the webite	Legitimate Interest

v Loyalty program: A Club:

The Alfagar Group has a loyalty program that offers exclusive discounts to users registered on its official website www.alfagar.com. When registering for the “A Club” loyalty program, the user assumes the contractual relationship with the Alfagar Group, namely in the collection of personal data, including contact details (telephone and email), with the aim of providing assistance during your stay and for future promotional communications.

X. TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES IMPLEMENTED

To guarantee the security of personal data and maximum confidentiality, the Alfagar Group treats the information you provide to us in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, which are periodically updated according to needs, as well as the legally stipulated terms and conditions.
Depending on the nature, scope, context and purposes of data processing, as well as the risks arising from processing for the user's rights and freedoms, the Alfagar Group undertakes to apply, both when defining the means of processing as at the time of the processing itself, the necessary and appropriate technical and organizational measures to protect personal data and comply with legal requirements.
It is also committed to ensuring that, by default, only the data that is necessary for each specific processing purpose is processed and that these data are not made available without human intervention to an indeterminate number of people. Communication between the user's device and the Alfagar Group Website is carried out through secure communication channels that use the HTTPS protocol and the SSL security standard. Even so, in terms of general measures, Alfagar Group adopts the following:

• Regular audits to identify the competence of the technical and organizational measures implemented;

• Awareness raising and training of personnel involved in data processing operations;

• Pseudonymization and coding of personal data;

• Mechanisms capable of ensuring the confidentiality, availability and permanent resilience of information systems;

• Mechanisms that ensure the restoration of information systems and access to personal data quickly in the event of a physical or technical incident.

XI. USE OF COOKIES

When you visit our website, small text files (Cookies) are created and written to your computer's disk. These text files will allow for a more personalized and efficient browsing experience. On each visit to the Site, your internet browser sends these cookies back to the Site, allowing the recognition and memorization of users' identity, as well as their usage preferences. These Cookies will only be installed with your express consent, except in cases where they are necessary consents for the operation of the Site.
To find out all the information about the cookies we use on the Site, namely their purposes, categories, duration and who they belong to, you can consult our Cookies Policy here[RM1 .

Additionally, you have the possibility to manage your preferences regarding the collection of cookies at any time in the preferences manager.

XII. THIRD PARTY TOOLS INTEGRATED ON THE WEBSITE

v Facebook and Instagram:

There is interactivity on the Site with Facebook and Instagram, through a connection to the servers of these social networks, this will allow identifying the website that the user is visiting and possibly storing other data, such as the IP address.
If the user is logged in to Facebook and/or Instagram, the data will be associated with their accounts. To prevent this from happening, the user must end their sessions on Facebook and Instagram before visiting the page.
Information regarding data processing carried out by these social networks is available at:

· https://www.facebook.com/about/privacy/

· https://help.instagram.com/519522125107875

v Google:

The Site provides interactivity with Google, through the respective button, establishing a connection to Google's servers, which will identify the Site that the user is visiting and possibly store other data, such as the IP address.
More information about how Google processes data is available at:

· https://www.policies.google.com/privacy?hl=pt-PT

v LinkedIn:

The Site provides interactivity with LinkedIn, through the respective button, establishing a connection to LinkedIn's servers, which will identify the Site the user is visiting and possibly store other data, such as the IP address.

More information about how LinkedIn processes data is available at:

· https://www.linkedin.com/legal/privacy-policy

v Youtube:

There is interactivity on the Website with Youtube, through a connection to this website's servers, this will allow us to identify the website the user is visiting and possibly store other data, such as the IP address.
If the user has logged in to YouTube, the data will be associated with their accounts. To prevent this from happening, the user must log out of their YouTube session before visiting the page.
Information regarding data processing carried out by Youtube is available at:

· https://www.youtube.com/intl/pt-BR/yt/about/policies/#community-guidelines

v Net Affinity:

The Site provides interactivity with Net Affinity, through the respective button, establishing a connection to Net Affinity's servers, which will identify the Site the user is visiting and possibly store other data, such as the IP address.
More information about how Net Affinity processes data is available at:

· https://www.netaffinity.com/privacy.html

v Roiback:

The Site provides interactivity with Roiback, establishing a connection to Roiback's servers which will identify the Site the user is visiting and possibly store other data, such as the IP address.
More information about how Roiback processes data is available at:

· https://www.roiback.com/legal/politica-de-privacidad

XIII. CRITERIA FOR CALCULATING RETENTION PERIODS

The Alfagar Group retains Personal Data for the period deemed necessary and sufficient for the purposes that motivated the collection and processing, varying the period of time for storing data according to the purpose for which the information is processed and in accordance with the legal standards that require their retention, after which they will be eliminated, subject to appropriate technical and functional guarantees, as documented in each of the relevant processes.

XIV. RIGHTS OF DATA SUBJECTS

i. Right of Information
Information provided to the user by Grupo Alfagar (when the data is collected directly from the user):
• The identity and contact details of the person responsible for the treatment and, if applicable, their representative;
• The Data Protection Officer’s contact details;
• The purposes of the processing for which the personal data is intended, as well as, if applicable, the legal reasons for the processing;
• If data processing is based on legitimate interests of the Alfagar Group or a third party, indication of such interests;
• If applicable, the recipients or categories of recipients of the personal data;
• If applicable, indication that the personal data will be transferred to a third country or an international organization, and the existence or not of an adequacy decision adopted by the Commission or the reference to appropriate or adequate transfer guarantees;
• Period of retention of personal data;
• The right to request permission from the Alfagar Group for personal data, as well as its correction, deletion or limitation, the right to object to processing and the right to data accessibility;
• If data processing is based on the user's consent, the right to withdraw it at any time, without compromising the legality of the processing carried out based on previously given consent;
• The right to lodge a complaint with the CNPD or other supervisory authority;
• Indication of whether or not the communication of personal data constitutes a legal or contractual obligation, or a necessary requirement to conclude a contract, as well as whether the holder is obliged to provide the personal data and the possible consequences of not providing such data;
• If applicable, the existence of automatic decisions, including the definition of profiles, and information relating to the base concept, as well as the importance and expected consequences of such processing for the data subject.

If personal data is not collected directly by the Alfagar Group from the user, in addition to the information referred to above, the user is also informed about the categories of personal data subject to processing and, as well, about the origin of the data and, eventually, if they come from sources accessible to the public.

If the Alfagar Group intends to further process personal data for a purpose other than that for which the data was collected, before such processing the Alfagar Group will provide the user with information about that purpose and any other information of interest, under the terms above referred to.

Procedures and measures implemented to fulfill the right to information:

The information referred to above is provided in writing (including by electronic means) by the Alfagar Group to the user prior to the processing of personal data in question.

Under applicable law, the Alfagar Group is not obliged to provide the user with the information mentioned above when and to the extent that the user is already aware of it.
The information is provided by the Alfagar Group at no cost.

Right of access
The Alfagar Group guarantees the means that allow the user to consult their personal data.
The user has the right to obtain from the Alfagar Group confirmation that personal data concerning him or her are being processed or not and, if applicable, the right to access his or her personal data and the following information:
• The purposes of data processing;
• The categories of personal data in question;
• The recipients or categories of recipients to whom the personal data have been or will be disclosed, namely recipients established in third countries or belonging to international organizations;
• The period of retention of personal data;
• Right to request the Alfagar Group to correct, eliminate or limit the processing of personal data, or the right to prevent such processing;
• Right to lodge a complaint with the CNPD or other supervisory authority;
• If the data has not been collected from the user, the information available about the origin of that data;
• The existence of automated decisions, including profiling, and information regarding the underlying logic, as well as the importance and expected consequences of such processing for the data subject;
• Right to be informed about the appropriate guarantees associated with the transfer of data to third countries or international organizations.

Upon request, the Alfagar Group will provide the user, free of charge, with a copy of the personal data that is being processed. Providing other copies requested by the user may involve administrative costs.

Right of rectification

The user has the right to request, at any time, the rectification of their Personal Data and also the right to have their incomplete personal data completed, including through an additional statement.

In the event of data rectification, the Alfagar Group communicates the respective rectification to each recipient to whom the data has been transmitted, unless such communication is considered impossible or involves a disproportionate effort for the Alfagar Group.

Right of erasure (“Right to be forgotten”)

The user has the right to obtain, from the Alfagar Group, the deletion of their data when one of the following reasons applies:
• Personal data are no longer necessary for the purpose for which they were collected or processed;
• The user withdraws the consent on which the data processing is based and there is no other legal basis for said processing;
• The user opposes the processing under the right to object and there are no prevailing legitimate interests that justify the processing;
• If personal data is processed illegally;
• If personal data must be deleted to comply with a legal obligation to which the Alfagar Group is subject;
• Under applicable legal terms, the Alfagar Group is not obliged to delete personal data to the extent that the processing proves necessary to comply with a legal obligation to which the Alfagar Group is subject or for the purposes of declaring, exercising or defending a a right of the Alfagar Group in legal proceedings.

In the event of data deletion, the Alfagar Group informs each recipient/entity to whom the data has been transmitted of its deletion, unless such communication proves impossible or involves a disproportionate effort for the Alfagar Group.

When the Alfagar Group has made personal data public and is obliged to delete them under the right to erasure, the Alfagar Group undertakes to ensure reasonable measures, including technical ones, taking into account technology available and the costs of its application, to inform those responsible for the effective processing of personal data that the user has requested them to delete links to that personal data, as well as copies or reproductions thereof.

Right to limit the processing of personal data

The user has the right to obtain, from the Alfagar Group, the limitation of the processing of user data, if one of the following situations applies (the limitation consists of inserting a mark in the personal data stored with the aim of limiting its processing in the future)
• If you contest the accuracy of personal data, for a period that allows the Alfagar Group to verify its accuracy;
• If the processing is unlawful and the user opposes the deletion of the data, requesting, in return, the limitation of its use;
• If the Alfagar Group no longer needs the personal data for processing purposes, but such data is required by the user for the purposes of declaring, exercising or defending a right in legal proceedings;
• If the user has objected to the processing, until it is verified that the Alfagar Group's legitimate reasons prevail over those of the user.

When personal data is subject to limitation, with the exception of conservation, it may only be processed with the user's consent or for the purposes of declaring, exercising or defending a right in legal proceedings, defending the rights of another natural or legal person , or for reasons of public interest legally provided for.

The user who has obtained the limitation of the processing of their data in the cases referred to above will be informed by the Alfagar Group before the limitation of processing is canceled.

In case of limitation of data processing, the Alfagar Group will communicate to each recipient to whom the data has been transmitted the respective limitation, unless this communication proves impossible or involves a disproportionate effort for the Alfagar Group.

Right to data portability

The user has the right to receive the personal data that concerns him or her and that he or she has provided to the Alfagar Group, in a structured, commonly used and machine-readable format, and the right to transmit this data to another person responsible for processing, if:
• Processing is based on consent or a contract to which the user is a party; It is
• The processing is carried out by automated means. The right to portability does not include inferred data or derived data, i.e., personal data that is generated by the Alfagar Group as a consequence or result of the analysis of the data subject to processing.

The user has the right to have their personal data transmitted directly between those responsible for processing, whenever this is technically possible.

Right to object to data processing

The user has the right to object at any time, for reasons related to their particular situation, to the processing of personal data concerning them that is based on the exercise of legitimate interests pursued by the Alfagar Group or when the processing is carried out for purposes that other than those for which personal data was collected, including profiling, or when personal data is processed for statistical purposes.

The Alfagar Group will terminate the processing of User data, unless it presents urgent and legitimate reasons for such processing that prevail over the user's interests, rights and freedoms, or for the purposes of declaring, exercising or defending a right of the Alfagar Group in a judicial process.

When personal data is processed for the purposes of direct marketing (marketing), the user has the right to object at any time to the processing of data concerning him or her for the purposes of said marketing, which includes the definition of profiles to the extent in which it is related to direct marketing.
If the user objects to the processing of their data for direct marketing purposes, the Alfagar Group will cease processing the data for this purpose.

The user also has the right not to be subject to any decision taken exclusively based on automated processing, including the definition of profiles, that produces legal effects or that significantly affects him in a similar way, unless the decision:
• Is necessary for the conclusion or execution of a contract between the User and the Alfagar Group;
• Is authorized by legislation to which the Alfagar Group is subject; or
• Is based on the user's explicit consent.

XV. EXERCISE OF DATA SUBJECTS’ RIGHTS

Data Subjects may exercise the rights granted under applicable data protection legislation, through the following email address: rgpd@alfagar.com
The Alfagar Group has also appointed a Data Protection Officer (DPO), in accordance with best practices in the area, who can be contacted via the following email address: rgpd@alfagar.com or by letter addressed to the DPO (DPO) for:
• Alfagar Apharthotels & Resorts, Estrada de Santa Eulália,
8200-609 Albufeira
Portugal

The Alfagar Group will respond in writing (including by electronic means) to the user's request within a maximum period of one month from receipt of the request, except in cases of particular complexity, in which this period may be extended up to two months.

If requests submitted by the user are manifestly unjustified or excessive, particularly due to their repetitive nature, the Alfagar Group reserves the right to charge administrative costs or refuse to comply with the request.