+INFO / dpo@discoveryportugal.com

A. GENERAL PART

• A.1. THE DHM GROUP

The Discovery Hotel Management Group, which includes DISCOVERY FUND HOTEL MANAGEMENT I, S.A. (“Discovery FHMI”), with registered office at Largo Jean Monnet, 1, 7th floor, 1269-068 Lisbon, Portugal, registered under the single registration and legal person number 515312738, and a set of Hotel Units better identified here: www.dhmportugal.com, jointly the “DHM Group”, acts to safeguard the protection of the personal data of its Guests in the context of the services provided to them through our Hotel Units and of Users who visit our Websites, that is, information provided by the Guest and/or User that enables the DHM Group to identify and/or contact them (“Personal Data”).

In this Privacy Policy, we have gathered the main points relating to the processing of the personal data of our Guests and Users, thereby ensuring that we provide the necessary information in a transparent, concise and easily understandable manner, in order to comply with the rules of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on Data Protection (“GDPR”).

• A.2. DHM GROUP ENTITIES RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

Stays at the Hotel Units

As a rule, when a Guest visits one of our Hotel Units, for example one of the Octant Hotels, or our Hotels & Resorts such as Monte Real Hotel or Dolce Campo Real, it is the Hotel Units that provide the services associated with the stay at those Hotel Units and determine how their data is processed in the context of those services. Therefore, whenever you book a stay at one of our Hotel Units, the entity responsible for processing the data necessary for the provision of hotel services and associated services, such as restaurants, bars, use of health clubs or Spas, contact management with Guests, invoicing and collection, will be the Hotel Unit providing those services to you.

The Personal Data collected and processed for these purposes consists of information relating to name, gender, date of birth, telephone number, mobile number, email address, address, tax identification number and credit card details, collected solely for invoicing purposes, although other Personal Data may be collected where necessary or appropriate for the provision of services by the Hotel Units.

The Hotel Units will also be responsible for the processing of data carried out for the purposes of protecting people and property and ensuring security at the Hotel Units, through video surveillance systems.

In summary, whenever the Hotel Units process Personal Data, they must always have a lawful basis for doing so, as further explained in section B below, in accordance with the GDPR.

In this context, the legal bases used by the Hotel Units for the processing described above are as follows:

1. Purpose: Management of bookings and customer contacts
   Legal basis: Performance of a contractual relationship
2. Purpose: Provision of hotel services
   Legal basis: Performance of a contractual relationship, consent
3. Purpose: Invoicing and collection
   Legal basis: Compliance with legal obligations
4. Purpose: Video surveillance
   Legal basis: Legitimate interest, namely the protection of people and property

Website and marketing

On the other hand, within the scope of making available the Website hosted at www.vilamonte.octanthotels.com and the services and communications provided therein, Discovery FHMI is the entity responsible for processing Users’ Personal Data.

As a rule, Personal Data is requested when the User registers on the Website, requests contact and/or the sending of newsletters, subscribes to a specific Service, purchases a product or enters into a contractual relationship with Discovery FHMI.

Discovery FHMI also collects and processes information about your hardware and software, as well as information about the pages visited by the User within the Website. This information may include your browser type, domain name, access times and hyperlinks through which the User accessed the Website (“Usage Information”). This information is used solely to improve the quality of the visit to the Website.

Discovery FHMI will process Users’ Personal Data and Usage Information for the following purposes:

• Registration of the User on the Website;
• Informing the User, where requested, of new products and services made available on the Website and/or at the hotel units, offers and special campaigns, updated information on the activity of Discovery FHMI or of the hotel units of the DHM Group and, in general, for marketing purposes of Discovery FHMI and the hotel units of the DHM Group, through any means of communication, including electronic means;
• Allowing access to restricted areas of the Website, in accordance with previously established terms;
• Ensuring that the Website meets the User’s needs, through the development and publication of content that is as adapted as possible to the User’s requests and profile, the improvement of the Website’s search capabilities and functionalities and the obtaining of aggregated or statistical information relating to the User’s typical profile, namely consumer profile analysis;
• Provision of Services and other services, such as newsletters, opinion surveys, or other information or products requested or purchased by the User;
• Recording of telephone calls that may be made within the scope of the contractual relationship, either during the contract formation phase or during its term.

In summary, whenever Discovery FHMI processes Personal Data, it must always have a lawful basis for doing so, as further explained in section B below, in accordance with the GDPR. In this context, the legal bases used by Discovery FHMI for the processing described above are as follows:

1. Purpose: Registration of Users on the Website
   Legal basis: Pre contractual steps, consent
2. Purpose: Information about products and services made available on the Website, newsletters, opinion surveys
   Legal basis: Consent
3. Purpose: Access to restricted areas of the Website
   Legal basis: Performance of a contractual relationship
4. Purpose: Improvement of the Website’s operation, namely content adaptation, security and functionalities
   Legal basis: Legitimate interest, namely improvement of the service provided to Website Users
5. Purpose: Call recording
   Legal basis: Consent

• A.1. DATA COLLECTION CHANNELS

Discovery FHMI and the Hotel Units may, depending on the purposes indicated above, collect Personal Data directly, that is, directly from the Guest and/or User, or indirectly, that is, through partner entities or third parties. Collection may take place through the following channels:

• Direct collection: in person, by telephone, by email and through the Website;
• Indirect collection: through partners or companies of the DHM Group and official entities.

B. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA

• B.1. GENERAL

In terms of general principles, the DHM Group undertakes to ensure that the Personal Data it processes is:

• Processed lawfully, fairly and transparently in relation to Guests and/or Users;
• Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
• Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
• Accurate and kept up to date where necessary, with all appropriate measures being taken to ensure that inaccurate data, having regard to the purposes for which it is processed, is erased or rectified without delay;
• Kept in a form that permits identification of Guests and/or Users only for as long as necessary for the purposes for which the data is processed;
• Processed in a manner that ensures its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, with appropriate technical or organisational measures being adopted.

Data processing carried out by the DHM Group is lawful where at least one of the following situations applies:

• The Guest and/or User has given explicit consent to the processing of their Personal Data for one or more specific purposes;
• Processing is necessary for the performance of a contract to which the Guest and/or User is party, or in order to take pre contractual steps at the User’s request;
• Processing is necessary for compliance with a legal obligation to which the DHM Group is subject;
• Processing is necessary in order to protect the vital interests of the Guest and/or User or of another natural person;
• Processing is necessary for the purposes of the legitimate interests pursued by the DHM Group or by third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the Guest and/or User which require protection of personal data.

The DHM Group undertakes to ensure that the processing of the Guest’s and/or User’s Personal Data is carried out only under the conditions listed in this Privacy Policy and in compliance with the principles referred to above.

Where the processing of the Guest’s and/or User’s Personal Data is carried out by the DHM Group on the basis of consent, the Guest and/or User has the right to withdraw their consent at any time. Withdrawal of consent shall not, however, affect the lawfulness of processing carried out by the DHM Group on the basis of consent previously given by the Guest and/or User.

The period for which data is stored and retained varies according to the purpose for which the information is processed.

Indeed, there are legal requirements that oblige data to be retained for a minimum period. Therefore, whenever there is no specific legal requirement, the data will be stored and retained only for the minimum period necessary for the purposes that led to its collection or subsequent processing, after which it will be deleted.

• B.2. USE OF COOKIES

This website uses cookies. We use cookies to personalise content and adverts, provide social media features and analyse our traffic. We also share information about your use of the site with our social media, advertising and analytics partners, who may combine it with other information that you have provided to them or that they have collected from your use of their respective services.

Cookies are small text files that may be used by websites to make the user experience more efficient.

The law states that we may store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission.

This site uses different types of cookies. Some cookies are placed by independent services that appear on our pages.

You may change or withdraw your consent at any time from the Cookie Declaration on our website, in the footer of our website.

Your consent applies to the following domains: www.octanthotels.com

Please consult our COOKIE Policy in the relevant menu at the bottom of the page.

C. COMMUNICATION OF DATA

Processors

Within the scope of processing User Data, Discovery FHMI and/or the Hotel Units use or may use third party entities, engaged by them as processors, to process the Personal Data of the Guest and/or User on behalf of Discovery FHMI and/or the Hotel Units, and in accordance with the instructions given by them, in strict compliance with the provisions of the law and this Privacy Policy.

These processor entities may not transmit the Personal Data of Guests and/or Users to other entities unless Discovery FHMI and/or the Hotel Units have given prior written authorisation to do so, and they are also prevented from engaging other entities without prior authorisation from Discovery FHMI and/or the Hotel Units.

Discovery FHMI and the Hotel Units undertake to engage only entities that provide sufficient guarantees of implementing appropriate technical and organisational measures, so as to ensure the protection of the User’s rights. All entities engaged by Discovery FHMI and/or the Hotel Units as processors are bound to them by a written contract regulating, in particular, the subject matter and duration of processing, the nature and purpose of processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties.

Other entities of the DHM Group

The Personal Data collected by the Hotel Units and/or by Discovery FHMI is not shared with third parties without the consent of the Guest and/or User, except in the situation referred to in the following paragraph. However, where the Guest and/or User contracts services from the Hotel Units and/or Discovery FHMI that are provided by other entities responsible for the processing of personal data, the Personal Data may be consulted or accessed by those entities, to the extent necessary for the provision of those services.

Discovery FHMI may transmit or communicate the Personal Data for which it is the controller to other entities of the DHM Group where such transmission or communication is necessary for corporate reorganisation purposes, in order to ensure the continuity of the services provided to Guests/Users. In the event of a transfer of Personal Data in these circumstances, we will use reasonable efforts to inform Guests and/or Users of such transfer and to ensure that the transferee uses the transferred Personal Data only in a manner consistent with this Privacy Policy.

Other third party entities

The DHM Group may also communicate Personal Data to third party entities outside its corporate group where such communications are necessary or appropriate, namely in light of applicable law for compliance with legal obligations or court orders, and to respond to requests from public or governmental authorities.

D. RETENTION PERIODS

The DHM Group retains Personal Data only for as long as necessary to fulfil the purposes described in this Privacy Policy with regard to the performance of the contractual relationship with Users and/or Guests, unless otherwise required by law imposing a longer retention period. For the purposes of compliance with tax or accounting obligations, Personal Data is retained for a period of 10 years.

With regard to Personal Data collected on the basis of consent for the sending of marketing communications, such data will be processed until consent is withdrawn. On the other hand, with regard to data processed for the carrying out of opinion surveys, such data will be processed for as long as necessary to carry out those surveys or until consent is withdrawn. In addition, with regard to the recording of calls for the purpose of evidencing commercial transactions, the data will be retained for a period of 90 days and, in the context of video surveillance, for a period of 30 days.

E. TECHNICAL, ORGANISATIONAL AND SECURITY MEASURES IMPLEMENTED

To ensure the security of the Guest’s and/or User’s Data and maximum confidentiality, we process the information you have provided to us in an absolutely confidential manner, in accordance with our internal security and confidentiality policies and procedures, which are updated periodically according to needs, as well as in accordance with the legally applicable terms and conditions.

Taking into account the nature, scope, context and purposes of data processing, as well as the risks arising from the processing for the rights and freedoms of the Guest and/or User, the Hotel Units and Discovery FHMI undertake to apply, both when determining the means of processing and at the time of processing itself, the technical and organisational measures necessary and appropriate for the protection of Personal Data and compliance with legal requirements.

They further undertake to ensure that, by default, only the data necessary for each specific processing purpose is processed and that such data is not made available, without human intervention, to an indefinite number of persons.

In terms of general security measures, the DHM Group adopts the following:

• Regular audits to assess the effectiveness of the technical and organisational measures implemented;
• Awareness raising and training of staff involved in data processing operations;
• Pseudonymisation and encryption of personal data;
• Mechanisms capable of ensuring the ongoing confidentiality, availability and resilience of information systems;
• Mechanisms ensuring the timely restoration of information systems and access to personal data in the event of a physical or technical incident.

F. INTERNATIONAL DATA TRANSFERS

The Personal Data processed by the DHM Group is not made available to third parties established outside the European Union. If, in the future, such transfer takes place in order to fulfil any of the purposes described above, the DHM Group undertakes to ensure that the transfer complies with the applicable legal provisions, namely with regard to determining the adequacy of that country in terms of data protection and the requirements applicable to such transfers.

G. FINAL PART

• G.1. AMENDMENTS TO THE PRIVACY POLICY

The DHM Group reserves the right to amend this Privacy Policy at any time. In the event of an amendment to the Privacy Policy, the date of the last amendment, available at the top of this page, will also be updated. If the amendment is substantial, a notice will be placed on the Website and we may also notify Guests and Users in writing, using the contact details that have been provided to the DHM Group.

• G.2. APPLICABLE LAW AND JURISDICTION

Any disputes arising from the validity, interpretation or performance of the Privacy Policy, or which are related to the collection, processing or transmission of User Data, shall be submitted exclusively to the jurisdiction of the judicial courts of the district of Lisbon, without prejudice to any applicable mandatory legal provisions.