This Privacy and Data Protection Policy is aimed at providing the customer with the information needed to understand the scope and purpose of data processing so that acceptance, which is absolutely necessary to be able to offer the contracted tourist service, is based on fully informed consent in accordance with the data protection regulations applicable at all times. Currently by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons (RGPD) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).
Who is responsible for the processing of your data?
Name: Cáscara de Nuez, S.L.
Address: Hermanos Maristas nº28 -1ºB, CP 46013 – Valencia
Contact details: firstname.lastname@example.org; – Télf: 963 319 070
G20 offers an information and booking service in relation to the different trips, tours or experiences inside and outside Spain, organised and managed by G20, as well as the possibility of requesting personalised information related to them.
G20 wishes to provide, in a transparent manner, information on the data processing it carries out, the basis for its legitimacy, as well as the rights of the interested party with regard to the processing of their personal data.
2.- For what purpose do we process your personal data?
For the development, fulfilment and execution of the travel agency service contract that the client has contracted: This purpose includes the processing of your data mainly for the following purposes:
Contact the client in relation to updates or informative communications related to the contracted service.
Manage the booking of the trip, and in the event that the trip is continued, the payment of the trip subsequently acquired. This management may necessarily involve the international transfer of data when the contracted tourist service so requires.
To guarantee the content of the website and for the continuous improvement of the user experience.
In the event that the interested party has only contacted G20, G20 will process their data in order to respond to requests or requests for information regarding the trips, tours or experiences offered. G20 will only process the personal data that is strictly necessary to manage or resolve the request or application.
For commercial purposes: This purpose includes the processing of your data for, mainly:
The interested party who is a customer of G20 will receive news or trips that are appropriate and similar to those already contracted by electronic means. However, the customer is informed that he/she may object at any time by contacting G20 through the aforementioned channels.
When the user has unequivocally consented, G20 may send him/her commercial communications and news that, as a customer or potential customer, may be of interest. The user may also object at any time.
For the management of your professional profile if you have sent us your CV.
What is the legal basis for the processing of your data?
The legal bases for processing your data are as follows:
The unambiguous consent of the data subject himself, based on Article 6.1.a) of the GDPR:
Obtained through the web form “contact” of the website, and requested to provide answers and advice in relation to requests for information;
Obtained and requested to make the reservation of services offered on the website;
Obtained through the web box provided, for the sending of commercial communications in the personal data collection form;
Management of pre-contractual and, where appropriate, contractual measures, based on article 6.1.b) of the RGPD.
Processing necessary to manage the tourist service booked and, where appropriate, contracted. For this purpose, G20 will process the following data:
Identifying data of the client and potential traveller, in the event that a trip is booked, or of the final contracting party, such as, for example, name, surname, contact details, details of the traveller’s ID card or passport if necessary, etc. In any case, we remind you that the personal data that G20 processes are the personal data collected from the interested parties during the contracting of travel agency services. During the maintenance of the contractual relationship, G20 may process data of third parties that the customer may provide, such as, for example, other travellers other than the contracting party. In this respect, the customer is obliged to inform all such persons of the provisions of the data protection regulations contained herein. For its part, G20 will in no case use the data that the client has provided from these third parties, outside of the services exclusively contracted and provided that such data is necessary for the contracting and/or management of the same.
Financial and transactional information (e.g. payment or card details). On this point, G20 informs that personal credit card data will be stored in the point-of-sale terminals that manage the online payment, not in its platform.
Legitimate interest based on Article 6(1)(f) of the GDPR:
To send commercial communications by electronic means to the customer, provided that they are related to products similar to those contracted by the customer and without prejudice to the right to oppose such sending at any time;
To deal with requests or queries that may arise through the various existing means of contact. G20 understands that the processing of this data is also beneficial for the interested party, insofar as it allows for appropriate attention to be given and the queries raised to be resolved.
To carry out the necessary checks to detect and prevent possible fraud when the customer makes a payment. This processing is positive for all parties involved in the payment of a purchase, especially the customer is protected because G20 can put measures in place to protect against fraud attempts by third parties.
Compliance with legal obligations, based on Article 6(1)(c) of the GDPR.
In cases where the data subject exercises rights listed below, or with claims related to products or services offered by G20, what legitimises G20 to process the data subject’s personal data is the fulfilment of legal obligations on its part.
How has your data been obtained?
They have been provided by the interested party through the data collection forms, either via the web, in person or by telephone, from your request for information or your booking request.
G20 would like to reiterate that the personal data processed by G20 are the personal data collected from the data subjects during the contracting of travel agency services. During the maintenance of the contractual relationship, G20 may process data of third parties that the customer may provide, such as, for example, travellers other than the contracting party. In this respect, the customer is obliged to inform all such persons of the provisions of the data protection regulations contained herein. For its part, G20 will in no case use the data provided by the client of these third parties, outside of the services exclusively contracted and provided that such data is necessary for the contracting and/or management of the same.
How long do we keep your data?
G20 processes the data for the time strictly necessary to fulfil the corresponding purpose. They will then be kept duly blocked and protected for as long as any liabilities arising from the processing may arise, in compliance with the regulations in force at any given time. Once the possible actions in each case have expired, the personal data will be deleted.
For example, if you have provided us with your personal data and you have contracted some of the tourist services offered by G20, and you have unequivocally authorised us to receive subsequent commercial information, we will continue to process your data as long as you do not object to this. If you have not given your authorisation, we will keep them for a period of 4 years after the end of the contracted tourist service.
In relation to the data obtained through the “contact” tab of the website, they will be kept for a maximum period of four years from the time they were obtained, as long as the interested party does not object to their processing.
If you have sent us your CV, your data will be used during the selection process. Afterwards, they will be stored for a period of 4 years, if you have authorised us to do so, in case a vacancy arises that may be of interest to you according to your profile. They will then be deleted.
To which recipients are your data communicated?
The personal data obtained through the data collection form will only be communicated to G20’s service providers and suppliers for the organisation of trips, tours or experiences.
Financial institutions with whom G20 has signed contracts for online point-of-sale terminals or other payment gateways.
Technology service providers.
Service providers and partners such as wholesalers, transport providers or inbound service providers in the country of origin.
Due to the efficiency of the service, some of the aforementioned service providers are located in territories outside the European Economic Area that do not provide a level of data protection comparable to that of the European Union, such as the United States. We inform you that these international transfers are strictly necessary for the execution and management of the contracted tourist service, so that under no circumstances will we trade with your data. In any case, if necessary, we inform you that we will transfer your data with adequate guarantees and always safeguarding the security of your data:
Some providers are certified in Privacy Shield, certification that you can consult at the following link:
With other suppliers, G20 has signed Standard Contractual Clauses approved by the Commission, the content of which can be consulted at the following link:
7.- What are your rights when you provide us with your data?
Right of access: Any person has the right to obtain information about whether or not G20 is processing personal data concerning them.
Right of rectification and deletion: Any data subject has the right to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
Right to limitation of processing: In certain circumstances, data subjects may request the limitation of the processing of their data, in which case we will only keep it for the exercise or defence of claims.
Right to object: In certain circumstances and for reasons related to their particular situation, the data subject may object to the processing of their data. G20, will stop processing the data, except for compelling legitimate reasons, or the exercise or defence of possible claims. With regard to processing based on obtaining your consent, you may revoke your consent at any time by contacting the following e-mail address: email@example.com.
Right of portability: Where applicable, you may request the portability of your data.
Right not to be subject to automated decisions: In any case, you may lodge a complaint with the Spanish Data Protection Agency, especially when you have not obtained satisfaction in the exercise of your rights. The Agency’s address is C/ Jorge Juan 6, 28001 and its website www.agpd.es.