Privacy and Processing of Information

1.- Right to be Informed

In accordance with the provisions of Article 11 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD) and Article 13 of the General Data Protection Regulation 2016/679, we inform you about Hotel Montsià de Amposta personal data

1.2.- Definitions

It is understood as:

1) Personal data: any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is any person whose identity can be established, directly or indirectly, by using an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of that person’s physical, physiological, genetic, mental, economic, cultural or social identity.

2) Processing: any operation or set of operations which is performed upon personal data or upon a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3) Profiling: any form of automated processing of personal data consisting of using such data to evaluate personal aspects relating to a natural person, in particular to analyse or predict aspects of that person’s professional performance, financial situation, health, personal preferences, interests, trustworthiness, behaviour, location or movements.

4) Pseudonymisation: processing of personal data in such a way that they cannot be attributed to a data subject without the use of additional information, provided that this information is separated and subject to technical and organisational measures designed to ensure that the personal information is not attributed to an identified or identifiable natural person.

5) File: a structured set of personal data accessible according to specified criteria, whether centralised, decentralised or distributed in a functional or geographical manner.

6) Controller or controller: the natural or legal person, public authority, service or any other body which, alone or jointly with others, decides on the purpose of the processing.

7) Processor or processor: the natural or legal person, public authority, service or any other body processing personal data on behalf of the controller.

8) Recipient: the person to whom personal data are disclosed, whether or not that person is a third party. However, public authorities that may receive personal data in the framework of a specific investigation should not be considered as recipients.

9) Third party: a natural or legal person, public authority, service or body other than the data subject, the controller, the processor and the persons authorised to process personal data under the direct authority of the controller or the processor.

10) Data subject’s consent: any freely given, specific, informed and unambiguous indication of his or her agreement, by means of a clear affirmative statement or action, to the processing of personal data relating to him or her.

11) Supervisory authority: the independent public authority established by a member state in accordance with Article 51 of the GDPR.

12)Cross-border processing:

a) The processing of personal data carried out in the context of the activities of establishments in more than one member state of a controller or of a processor in the European Union, if the controller or processor is established in more than one member state; or
b) The processing of personal data carried out in the context of the activities of a single establishment of a controller or a processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one member state.

1.3.-Who decides on the use to be made of the data and the means to be used for processing?

The data controller is Kronotex Spain, SL
CIF: B98390461
Address: Barrio Castañares, s/n (09199) Burgos
Telephone: +34 947 484 900

1.4.-Who ensures that all the rules governing the processing of information in the hotel are correctly applied?

The data protection delegate is CIPDI Tratamiento de la información SL, with address at Mataró, C/Sant Agustí n. 1 1º 1ª,

1.5.-For what purposes will we use your data, what is the legal basis for this data processing and how long will we keep it?

Goal Legal basis Conversation
Contractual relationship
5 years.
Sending commercial information
Consent and legal authorisation (art. 21.2 of LSSI)
Until consent is withdrawn or your rights are exercised.
Labour management
Contractual relationship and legal entitlement
4 years
Contractual relationship and consent
1 year
Video surveillance
Legitimate interest. Maintaining security within the hotel
30 days

1.6.-Do we do any processing of your images?

With the exception of images that may be captured by security cameras, no.

1.7.-Who will be able to access and know the content of your data?

In order to fulfil the aforementioned purposes, the suppliers who provide services to the hotel may have access to the personal data. Their access will be limited to the data necessary to carry out the functions entrusted to them by the data controller. Confidentiality agreements and/or specific agreements have been signed with all the entities and persons to whom the data is addressed, regulating access to the information, security measures and the use that can be made of the data.
You can obtain further information from the Data Protection Delegate.

1.8.-Are data processed across borders?

The controller does not host data outside the European Union.

1.9.-What rights do data subjects and data subjects have?

Right of access. This is regulated in article 15 of the GDPR 2016/679 of 27 April 2016. This is a request to the data controller in order to obtain, free of charge, all the information it has on the personal data itself and on the communications that have been made, or that are planned to be made.
Right of rectification. This is regulated in Article 16 of the GDPR. This is to ask the data controller to change the content of the information about your person and your data, following instructions from the data subject.
Right of erasure. This is regulated in article 17 of the GDPR 2016/679. It consists of asking the controller to erase any information about the data subject’s person. Erasure involves blocking all data and keeping them at the disposal of public administrations for the period of time foreseen for the right to take legal action to expire.
Right to limit processing. Regulated in article 18 of the GDPR 2016/679 of 27 April 2016. This is to ask the controller to restrict the processing of your data when any of the following conditions are met:

i.- the personal data is inaccurate;
ii.- the processing is unlawful;
iii.- the controller no longer needs to process the data;
iv.- when the reasons for ceasing to process the data alleged by the data subject prevail over those of the controller.

The right to portability of information. It is in Article 20 of the GDPR 2016/679 of 27 April 2016. It consists of requesting the data controller to provide the data subject’s personal data in a structured, commonly used and machine-readable format, in order to transmit it to another data controller when the processing is done by automated means and is based on express consent.

Right to object. Regulated in article 21 of the GDPR 2016/679 of 27 April 2016. This is to ask the data controller to process the data following specific instructions made by the holder of the personal information.
Right to withdraw consent. Regulated in article 13.2.c) of the GDPR 2016/679 of 27 April 2016. It is an order given by the data subject to the data controller notifying him/her that he/she withdraws the consent he/she gave him/her to proceed with the processing of his/her data.

The right not to be subject to automated individual decisions. This is the request to the data controller that all decisions having legal effects not be taken exclusively by machines.
To exercise the above rights, you can write to the address of the data controller, or send an e-mail to with the text “DATA PROTECTION” in the subject line and enclosing a photocopy of your ID card, NIE or passport in that e-mail.

1.10.-How can I make a complaint?

If you consider that your rights have been infringed, the competent body for the correct application of the rules on the processing of information is the Spanish Data Protection Authority, located at Calle Jorge Juan n. 6, Madrid.

1.11.-What obligations do I have as a stakeholder?

The data subject must provide accurate and up-to-date information in all data collection processes and is liable in the event of a breach of this obligation.
Depending on the request made by the data subject, the data that are mandatory are already marked on the collection forms. Failure to provide the mandatory data could jeopardise the right to the requested service.

1.12.-Can the controller draw up profiles?

In order to provide more personalised, careful and effective user care, it is sometimes necessary to draw up profiles of service recipients. Profiles are not drawn up without the direct intervention of a natural person.

2.- User Consent

It is understood that the user accepts the conditions established by pressing the ‘ACCEPT’ button found on all data collection forms, or by sending a message via e-mail.

Personal data is stored in the company’s general administration database and, at all times, technical and organisational measures to preserve the integrity and security of the information processed are guaranteed.

3.- Security

The general database is provided with the mandatory security documentation, and all the technical means at our disposal have been established to prevent the loss, misuse, alteration, unauthorised access and theft of the data you provide. Personal data is processed in accordance with the regulations established in Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

4.- Use of IP Addresses

To facilitate the search for resources we consider to be of interest, you can find links to other websites on this website.

This privacy policy only applies to this website. The data controller does not guarantee compliance with this policy on other websites nor are they responsible for access through the links on this website.