Privacy Policy - Kostoenea

Privacy policy of www.kostoenea.com

To receive information about your Personal Data, the purpose and the parties with whom it is shared, please contact the Data Controller. If you need more information and want to know your rights, you can view the full version of this privacy policy.

by clicking on the link at the bottom of this page.

Data Controller and Data Processor

Casa Rural Kostoenea

Nadia Katy Shishtawi

Zimizarga 42

20280 Hondarribia

Gipuzkoa

Spain

Holder’s contact e-mail: [email protected]

Types of data collected

The Controller does not provide a list of categories of Personal Data collected. Full information concerning each category of Personal Data collected is provided in the sections of this privacy policy dedicated to that purpose or through specific explanatory texts displayed prior to the collection of such Data.

Personal Data may be freely provided by the User or, in the case of Usage Data, will be collected automatically when using this Site.

Unless otherwise indicated, all Data requested by this Site are mandatory and refusal to provide them may make it impossible for this Site to proceed with the provision of its services. In cases where this Site specifically indicates that certain Data are not mandatory, Users are free not to provide such Data without any consequence on the availability or operation of the Service.

Users who are in doubt as to which Data are mandatory may contact the Data Controller.

The use of Cookies – or other tracking tools – by this Site or by the owners of third party services used by this Site is for the purpose of providing the Service requested by the User, in addition to any other purposes described in this document and in the Cookies Policy.

The User assumes responsibility for the Personal Data of third parties obtained, published or shared through this Site.

Modality and place of the processing of the Data collected

Processing Modalities

The Data Controller shall treat Users’ Data in an appropriate manner and shall take appropriate security measures to prevent unauthorised access, disclosure, alteration or destruction of the Data.

Data processing will be carried out by means of computers and/or IT tools, following organisational procedures and methods strictly related to the aforementioned purposes. In addition to the Data Controller, in some cases the Data may be accessed by certain categories of authorised persons related to the operation of this Site (administration, sales, marketing, legal and systems administration departments) or by external contractors providing services to the Data Controller (such as external technical service providers, courier companies, hosting companies, IT companies, communication agencies) who will be appointed by the Data Controller as Data Processors, if necessary. An updated list of such persons may be requested from the Data Controller at any time.

Place

The Data are processed at the offices of the Data Controller, as well as at any other place where the parties involved in such processing are located.

Depending on the location of Users, transfers of Data may involve the transfer of Users’ Data to a country other than their own. For more information on the place of processing of such transferred Data, Users may refer to the section containing details on the processing of Personal Data.

Conservation period

Unless otherwise stated herein, Personal Data will be processed and retained for the time necessary and for the purpose for which it was collected and may be retained for a longer period due to a relevant legal obligation or on the basis of the consent of the Users.

Cookie Policy

This Site uses Trackers. For more information, Users can consult the Cookies Policy.

More information for users

Legal basis for processing

The Data Controller may process the User’s Personal Data, if one of the following conditions is met:

Where Users have given their consent for one or more specific purposes. Notice: Under several different legislations, the Controller may be allowed to process Personal Data until the User opts out (“opt-out”), without the need for consent or any other legal basis. However, this does not apply where the processing of Personal Data is subject to European legislation on the protection of Personal Data;

When the collection of Data is necessary for the performance of a contract with the User and/or any other pre-contractual obligation of the User;

When the processing is necessary for the fulfilment of a legal obligation of obligatory compliance by the User;

Where the processing is related to a task carried out in the public interest or in the exercise of official powers vested in the Data Controller;

Where the processing is necessary for the purposes of a legitimate interest pursued by the Data Subject or a third party.

In any case, the Data Controller is at his disposal to define the specific legal bases that apply to the processing and in particular, whether the collection of the Personal Data is a contractual or statutory requirement or a necessary requirement to conclude a contract.

More information on retention time

Therefore:

Personal Data collected for the conclusion of a contract between the Data Controller and the User shall be retained as such until such contract has been fully concluded.

Personal Data collected in the legitimate interest of the Data Controller shall be retained for the time necessary to fulfil that purpose. Users can find specific information related to the legitimate interest of the Data Controller by consulting the relevant sections of this document or by contacting the Data Controller.

The Data Controller may retain Personal Data for an additional period where the User consents to such processing, provided that such consent remains valid. In addition, the Data Controller shall be obliged to retain Personal Data for an additional period if this is necessary for compliance with a legal obligation or an order from an authority.

Once the retention period has expired, the Personal Data must be deleted. Therefore, the rights of access, modification, rectification and data portability may not be exercised after the expiry of this period.

Users’ rights

Users may exercise certain rights with respect to the processing of Data by the Data Controller.

In particular, Users are entitled to do the following, to the extent permitted by law:

Withdraw consent at any time. Users have the right to withdraw their consent when they have previously given their consent to the processing of their Personal Data.

Objection to the processing of their Data. Users have the right to object to the processing of their Data if such processing is carried out on a legal basis other than consent.

Access to their Data. Users have the right to know whether their Data will be processed by the Data Controller, to obtain information on certain aspects of the processing, as well as to obtain a copy of the Data being processed.

Verify and request amendment. Users have the right to verify the accuracy of their Data and request that it be updated or corrected.

Limiting the processing of their Data. Users have the right to limit the processing of their Data. In that case, the Data Controller will only process their Data for the purpose of storing them.

Erasure or deletion of Personal Data. Users have the right to obtain the erasure of their Data by the Data Controller.

Receive their Data and transfer it to another Data Controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically possible, to have it transferred to another controller without any impediment.

Making a complaint. Users have the right to lodge a complaint with the competent authority for the protection of personal data.

Users shall also have the right to know the legal basis for transfers of Data abroad, including to any international organisation governed by public international law or consisting of two or more countries, such as the UN, and to know the security measures taken by the Data Controller to safeguard their Data.

Details on the right to object to processing

Where the processing of Personal Data is in the public interest, in the exercise of official powers granted to the Data Controller or on the grounds of a legitimate interest of the Data Controller, Users may object to such processing by providing a reason in relation to their particular situation to justify their objection.

Users should be aware, however, that in the event that their Personal Data are processed for direct marketing purposes, they may object at any time to such processing, free of charge and without justification.

If the User objects to the processing for direct marketing purposes, the Personal Data may no longer be processed for such purposes. To find out whether Users’ Personal Data are being processed by the Data Controller for direct marketing purposes, Users should refer to the relevant sections of this document.

How to exercise these rights

Any request to exercise the User’s rights may be addressed to the Owner through the contact details provided herein. Such requests will be processed by the Data Controller free of charge and the Data Controller will respond to them as soon as possible and always within one month, providing Users with the information required by law. The Data Controller shall communicate any rectification or erasure of Personal Data or limitation of processing, to each recipient, as the case may be, to whom the Personal Data has been communicated, unless it is impossible or requires a disproportionate effort. Upon request, the Data Controller shall inform Users about such recipients.

Additional information on data collection and processing

Legal defence

The User’s Personal Data may be used for the legal defence of the Data Controller in court or in the judicial phases prior to a possible lawsuit arising from the inappropriate use of this Site or the related Services.

The User declares to be aware that the Data Subject may be required by public authorities to disclose Personal Data.

Additional information about User Personal Data

In addition to the information contained in this privacy policy, this Site may provide the User with additional and contextual information relating to specific Services or to the collection and processing of Personal Data.

System log and maintenance

For operational and maintenance purposes, this Site and any other services provided by third parties that are used may collect system logs, i.e. files that record interaction with this Site and that may contain Personal Data, such as the User’s IP address.

Information not contained in this privacy policy

Additional information about the collection and processing of Personal Data may be requested from the Data Controller at any time. The contact information is indicated at the beginning of this document.

Modification of this privacy policy The Owner reserves the right to modify this privacy policy at any time, notifying Users through this page and, if possible, through this Site and/or if technically and legally possible by notifying Users directly, if the Owner has the necessary contact information for this purpose. It is strongly recommended that you check this page frequently, taking as a reference the date of the last update indicated at the bottom of the page.

In the event that the changes affect the processing activities carried out on the basis of the User’s consent, the Controller shall, if necessary, obtain the User’s new consent.

Definitions and legal references

Personal Data (or Data)

Personal data is any information which, directly, indirectly or in conjunction with other information – including a personal identification number – makes it possible to identify a natural person.

Usage Data

The information collected automatically by this Site (or by third party services used by this Site) may include: the IP addresses or domain names of the computers used by the User connecting to this Site, the URI (Uniform Resource Identifier) addresses, the time of the request, the method used to make the request to the server, the size of the file obtained in response, the numerical code indicating the status of the server’s response (successful, error, etc.), the country of origin, the characteristics of the browser and operating system used by the visitor, the various time coordinates of the visit (e.g. time spent on each of the pages) and details of the visit (e.g. time spent on each of the pages) and details relating to the visitor’s browser and operating system.), the country of origin, the characteristics of the browser and operating system used by the visitor, the various time coordinates of the visit (e.g. the time spent on individual pages) and details of the itinerary followed within the Site, with particular reference to the sequence of pages consulted, the parameters relating to the operating system and the User’s computer environment.

User

The individual using this Site, who, unless otherwise indicated, must be the same as the Stakeholder.

Interested party

The natural person to whom the Personal Data refers.

Data Processor (or Processor)

The natural or legal person, public administration, agency or any other institution, which processes the Personal Data on behalf of the Controller, as described in this privacy policy.

Data Controller (or Data Controller)

The natural or legal person, public administration, agency or any other institution, acting alone or jointly with others, that determines the purposes and measures of the processing of Personal Data, including the security measures relating to the operation and use of this Site. Unless otherwise specified, the Data Controller is the Owner of this Site.

This page

The means by which the User’s Personal Data has been collected and processed.

Service

The service provided by this Site, as described in the definitions and legal references (where available) and on this page.

European Union (or EU)

Unless otherwise stated, all references to the European Union in this document include all current Member States of the European Union and the European Economic Area.

Legal information

This privacy policy applies only to this Site, unless otherwise stated herein.

Last revised: 14 December 2023