Drawn up pursuant to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and its implementing law (Portuguese Law No. 58/2019)

Please read this Privacy and Personal Data Policy (hereinafter designated the “Privacy Policy”) carefully, as the processing of the personal data you provide to us entails your knowledge of and consent to the terms set forth herein.

1. INTRODUCTION – WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA?

3HB Hotels is the brand used by several legal entities, that operates the hotel units 3HB Clube Humbria, 3HB Guaraná, 3HB Golden Beach, 3HB Falésia Beach, 3HB Falésia Garden and 3HB Faro.
For the purposes of this Privacy Policy, such legal entities and their respective units are hereinafter collectively referred to as the “3HB Hotels Group.”

Within the scope of the activities of the 3HB Hotels Group, we collect, record, organize, store, use and may consult your personal data, as well as may complete any other processing operations necessary thereto. Such data relates not only to guests/customers, but also to users, employees, job applicants, service providers or partners.
As responsible for the collection and processing of personal data, the 3HB Hotels Group may engage third-parties for the achievement of the purposes set out herein.

By this Privacy Policy, the 3HB Hotels Group seeks to explain, in a transparent way, which personal data is collected, how it is used, to whom it is disclosed and under what conditions, as well as the mechanisms to ensure the security and confidentiality of your personal data.

The provisions set forth herein apply to all employees and partners and guarantee that your data are processed lawfully, securely and transparently. Access to and use of our website, available at https://www.3hb.com/, presuppose full acceptance of this Privacy Policy.
For further information or any questions, please do not hesitate to contact us using the details provided under “OUR CONTACT DETAILS.”

2. TERMS AND DEFINITIONS
- Guest/Costumer: any natural person who completes a reservation, is accommodated or uses any of the services of our hotel units.
- User: any natural person who requests a quote or submits an inquiry via our website, in person, by post, telephone or email, participates in a contest organized by us or uses the Wi-Fi services offered at our units, but is not a guest/customer.
- ‘3HB’, ‘3HB Hotels’, ‘we, ‘our’: refers to the 3HB Hotels Group, the brand 3HB Hotels and all associated hotel units.
– Dados Pessoais: todas as informações relativas a uma pessoa e que a identificam, ou a tornam identificável, independentemente da natureza e suporte das informações, incluindo o som e a imagem da pessoa. Por identificável, deve entender-se uma pessoa que possa ser identificada, direta ou indiretamente, designadamente por referência a um número de identificação ou a outros elementos específicos da sua identidade física, fisiológica, psíquica, económica, cultural ou social.
– Categorias especiais de Dados Pessoais: os que revelem a origem racial ou étnica, as opiniões políticas, convicções religiosas ou filosóficas, a filiação sindical, os dados genéticos, biométricos, saúde, vida sexual ou orientação sexual de uma pessoa.
– Responsável dos Dados: pessoa singular ou coletiva, ente público ou privado, agência, instituição ou qualquer outro organismo que decide como e porque é que os dados são processados. Portanto, pessoa física ou jurídica que, isoladamente ou em conjunto com outros, determina os fins e meios de processamento de dados pessoais.
- Data Processor: anu natural or legal person, public authority, agency or other which processes personal data on behalf of the controller.

- Consent: any freely given, specific, informed and unambiguous of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal ata relating to him or her.
- Tratamento de Dados Pessoais: todo e qualquer tipo de operações efetuadas sobre dados pessoais. São exemplos: a recolha, o registo, a organização, a estruturação, a conservação, a adaptação ou alteração, a recuperação, a consulta, a utilização, a divulgação por transmissão, difusão ou qualquer outra forma de disponibilização, a comparação ou interconexão, a limitação, o apagamento ou a destruição.
- Personal Data Breach: a security which, accidentally or unlawfully, leads to the destruction, loss, alteration, disclosure of, or unauthorized access to personal data transmitted, stores or subject to any form of processing.
- Subcontractor: any natural or legal person, public authority, agency or other which processes personal data on behalf of the controller of such processing.
- Third Party: any natural or legal personal, public authority, service or body other than the data subject, the controller, the subcontactor and those persons who, under the direct authority of the controller or the subcontractor, are authorized to process personal data.

3. WHAT PERSONAL DATA ARE COLLECTED AND PROCESSED?
We process different types of data depending on your relationship with us, namely:

1. GUESTS/COSTUMERS – The personal data we collect and process may include:
a) Full name;
b) Contact information (email, address, telephone number);
c) Identification data (passport or other legally required document);
d) Date of birth;
e) Banking and credit-card data;
f) Booking history and stay details;
g) Vehicle information (if applicable);
h) Transactional data, such as payment details and services rendered;

i) Information related to use of our services (e.g. room preference, special requests, activities undertaken, dietary preferences/allergies, feedback and responses to satisfaction surveys);
j) Consumption history;
k) Marketing preferences.

2. USERS – The personal data we collect and process may include:
a) Full name;
b) Contact information (email, address, telephone number);
c) Data de nascimento;
k) Marketing preferences.

2. USERS – The personal data we collect and process may include:
a) Full name;
b) Gender
c) Nationality and place of birth;
d) Contact information (email, address, telephone number);
e) Date of birth;
f) Citizen card or other identification document;
g) Information if you have means of transport and driving license (if applicable);
h) Academic history and respective proof;
i) Professional history;
j) Personal identification, tax and social security number (namely through an authorized copy of the citizen card);
k) Health data relevant to the performance of duties and work accidents;
l) IBAN;
m) Marital status and domicile (number of holders, number of dependents, etc.);
n) Emergency contact (name, relationship and cell phone number);
o) Other information included in the Curriculum Vitae or presented voluntarily.

4. SERVICE PROVIDERS OR PARTNERS 

The personal data we collect and process may include:
a) Business name and official name;
b) Fiscal number;
c) Access code to the commercial certificate and RCBE;
d) Address of headquarters;
e) Direct contacts;
f) History of the commercial and legal relationship (services provided, negotiations, contracts signed, billing, etc.);
a) Other information presented in signed contracts or agreements.

4. HOW DO WE COLLECT YOUR PERSONAL DATA?
Your personal data may be collected through the following means:
a) Email;
b) Telephone calls;
c) In person;
d) Website (namely, through technologies such as cookies and pixel tags. In addition, when browsing the website, information about the device used may be automatically collected, including IP address, operating system and browser. This information does not reveal your specific identity, such as your name or contact information, but may include information about the device and usage, such as the IP address, operating system, language preferences, country, location, information about how and when you use our Services and other technical information). To find out more about the cookies we use, please check our Cookies Policy.

3HB Hotels Group assumes that the data has been provided by the data holder or that he/she has given authorization for this purpose and assumes that it is true and up to date.

5. HOW DO WE PROCESS YOUR PERSONAL DATA? YOUR PERSONAL DATA?
3HB Hotels Group is committed to processing your data in compliance with applicable legislation and best practices, ensuring that processing only occurs under the following conditions:

a) Adequacy and limitation: The data collected is adequate, relevant and limited to what is strictly necessary for the specific, explicit and legitimate purposes for which it is processed, and is not subsequently processed in a manner incompatible with those purposes;
b) Lawfulness, Fairness and Transparency: The data is processed lawfully, fairly and transparently, ensuring its security through appropriate technical and organizational measures that protect against unauthorized access, unlawful processing, as well as against accidental loss, destruction or damage;
c) Accuracy and updating: Measures are taken to ensure that the data is accurate and, where necessary, updated. If inaccurate data is identified, it is corrected or deleted;

d) Storage: The data are kept in a way that allows the identification of the holder for the period necessary for the purposes for which they are processed.

6. WHY DO WE PROCESS YOUR PERSONAL DATA?
The personal data processing operations that we carry out are essential for your satisfaction and for the activity of the 3HB Hotels Group.
We only process your personal information when we believe it is necessary:
- to comply with legal obligations;
- to fulfil the contract to provide the service requested by the customer or for the procedures prior to entering such a contract (reservation);
- to protect vital interests or those of other individuals;
- due to legitimate interests of the 3HB Hotels Group or third parties;
- when you have given us your free, positive, explicit and unequivocal consent.

We may therefore process the personal data of guests/customers, users, employees or candidates, service providers or partners for various reasons, depending on how you interact with our services, when this is possible and necessary, including:

1. Performance of the hotel services and associated services (restaurant, bar, spa, etc.), including management of reservations and stays, quotes, booking confirmation and other information that facilitates the stay, registration of preferences (preferred room, mobility, newspapers/magazines, etc.), billing (including bank card details), provision of information necessary for the stay, customer support, among others;
2. Sending newsletters with general and promotional information about our hotel units and marketing activities (only if you have authorized), including participation in competitions organized by the 3HB Hotels Group;
3. Use of the Wi-Fi services;
4. Execution of the loyalty program (only in the specific case that you have joined the program);
5. Compliance with legal and regulatory obligations, including management of complaints;
6. Protection of the vital interests of data subjects and other individuals;
7. Improvement of the services provided, including conducting satisfaction surveys related to the stay, market studies, contacts, among others;
8. Hiring and pre-contractual due diligence;
9. Processing of salaries and contributions;
10. Management of work accidents and health and safety at work;
11. Signing, managing and maintaining contracts, collaboration agreements, services, purchases and partnerships;
12. Transmission of data to the Customs and Tax Authority and Social Security, when required;
13. Carrying out internal audits and inspections;
14. When the data subject has previously given his/her free, positive, explicit and unequivocal consent to the collection and processing of data for one or more specific purposes;
15. Existence of explicit necessity due to the legitimate interests of the 3HB Hotels Group or of third parties, except where the interests or fundamental rights and freedoms of the data subject prevail.

We will only process special categories of data when necessary under your relationship with us. We will only process these special categories of data due to one of the following reasons:
- Because you have given us your consent;
- When it is necessary to comply with obligations or the exercise of rights related to labour law, social security or social protection;
- When the data have been made public by the data subject;
- If the processing is necessary for reasons of substantial public interest;
- If the processing is necessary for preventive or occupational medicine or for the assessment of the employee’s working capacity.

Your personal data will not be reused for purposes other than those previously identified or which are unrelated to the purposes for which they were originally collected.

7. HOW LONG DO WE RETAIN YOUR DATA?
The personal data collected and processed by the 3HB Hotels Group shall be retained for the period necessary to pursue the purposes that motivated their collection and processing. Where a specific legal requirement exists, the retention period shall be that determined by law.
If there is no mandatory legal requirement, personal data shall be kept for the strictly necessary period to achieve the processing purposes or for the time otherwise authorised. Once that period has expired, the collected personal data shall be deleted.

8. WHAT ARE YOUR RIGHTS?
Legislation grants you the right to request us to exercise the following rights:
(a) Access: You have the right to know the categories of personal data and the purposes of their processing, the recipients, retention periods, the existence of automated decisions, as well as the underlying logic and intended consequences of the processing. Additionally, you have the right to know the appropriate safeguards associated with transfers of data to third countries or international organisations, to access your personal data, to request a copy thereof, and - if the data were not provided directly by you - to inquire as to their origin;

(b) Rectification: You have the right to demand the rectification of any personal data concerning you that are incorrect. In light of the purposes of the processing, if such data are incomplete, you may also demand that they be completed;
(c) Erasure/Right to be Forgotten: Under certain circumstances set out in legislation, you have the right to obtain the erasure of your personal data, namely when:
1. The data are no longer necessary for the purpose that motivated their collection;
2. You have withdrawn the consent on which the processing is based and there is no other legal basis for the processing;
3. You have objected to the processing and there are no overriding legitimate grounds for the processing;
4. The personal data have been processed unlawfully;
5. Such erasure is required to comply with a legal obligation to which the Controller is subject.
(d) Restriction of Processing: Whenever one of the situations listed in legislation applies, you have the right to obtain a restriction of processing of your personal data, namely when:
1. You contest the accuracy of the personal data (for a period enabling the Controller to verify their accuracy);
2. The processing is unlawful and you oppose the erasure of the data;
3. The data are no longer necessary for the purposes of processing, but are required by you for the establishment, exercise or defence of legal claims;
4. You have objected to processing while it is verified whether the Controller’s legitimate grounds override yours;
5. The data are no longer necessary for the purpose that motivated their collection;
6. You have withdrawn the consent on which the processing is based and there is no other legal basis;
7. The personal data have been processed unlawfully;
8. This restriction results from compliance with a legal obligation to which the Controller is subject.

Whenever such occurs, personal data may only be processed (except for storage) with the data subject’s consent or for the purposes of establishing, exercising or defending a right in legal proceedings, defending the rights of another person (individual or collective) or for compelling reasons of public interest. You will be informed before the restriction of processing is lifted.
(e) Objection: you have the right to object at any time to the processing of your personal data for reasons relating to your particular situation, or where such processing is for other purposes than those for which the data were originally collected. In these cases, processing will be suspended, unless there are compelling legitimate grounds that override the interests, rights and freedoms of the data subject or are indispensable for the establishment, exercise or defence of a right of the 3HB Hotels Group in legal proceedings.
Additionally, you have the right not to be subject to automated decisions which produce legal effects concerning you or similarly significantly affect your legal sphere, except where such decisions are necessary for the conclusion or performance of a contract between you and the 3HB Hotels Group, are required or authorised by applicable law, or are based on your explicit consent.
(f) Portability: You have the right to receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format, and the right to transmit such data to another controller when:
1. The processing is based on your consent;
2. The processing is carried out by automated means;
3. Where technically feasible, you may also request that the personal data be transmitted directly from one controller to another.

You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
If you request the deletion of some or all of your personal data, certain services you have requested may no longer be provided, and the 3HB Hotels Group will retain only those personal data strictly necessary to comply with its legal obligations.

To exercise any of the foregoing rights, you may send us your request using the contact details provided in the section “OUR CONTACT DETAILS.” We will reply in writing (including by electronic means) within one month of receipt of your request. In cases of particular complexity or if we receive multiple requests, this period may be extended by up to two additional months.

You also have the right to lodge a complaint with the competent supervisory authority for the protection of personal data. In Portugal, the supervisory authority is the Portuguese Data Protection Commission (Comissão Nacional de Proteção de Dados – CNPD), located at Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa, email: [email protected].

9. TO WHOM WE DISCLOSE YOUR DATA AND FOR WHAT PURPOSE?
The provision of our services and the making available of information you request may require us to share your personal data with other parties, such as:
1. Public, governmental and supervisory authorities: To comply with a legal or regulatory obligation or to protect our rights or those of third parties, we may need to share data with any law-enforcement body, regulator, court, public or governmental authority (for example, the Tax and Customs Authority, the Authority for Working Conditions, Social Security, AIMA), or others.
2. Subcontracted entities: In the context of personal-data processing, we may appoint subcontractors to provide certain services. Categories of such subcontractors include, but are not limited to: software licensing, maintenance, technical support and assistance companies; payment-processing service providers; digital marketing and customer- satisfaction-survey partners; and security and surveillance firms.
3HB Hotels Group works with service providers such as Roiback, Booking, Salesforce and other reservation-support services, external accountants, entertainment-service providers, occupational hygiene and safety specialists and others.
All such relationships are governed by formal agreements that ensure these subcontractors implement adequate technical and organizational measures to meet all applicable legal and

regulatory requirements, and that they receive only the data strictly necessary to perform the contracted service.
3. Third parties: We may also share data with entities that are not classified as subcontractors, such as insurance companies, travel agencies and tour operators, consultants, auditors, temporary-employment agencies, lawyers, social-media platforms and other service providers during a guest’s stay. These parties are bound by confidentiality and must process personal data in accordance with the GDPR.
3. Third parties: We may also share data with entities that are not classified as subcontractors, such as insurance companies, travel agencies and tour operators, consultants, auditors, temporary-employment agencies, lawyers, social-media platforms and other service providers during a guest’s stay. These parties are bound by confidentiality and must process personal data in accordance with the GDPR.

We will never sell, rent or share your personal data with third parties without your consent, except as described above.
Should any data transfers to non-EU countries occur, 3HB Hotels Group will comply with all legal requirements, namely regarding the destination country offers an adequate level of data protection and applying the necessary safeguards so that personal data are not transferred to jurisdictions lacking sufficient privacy guarantees.

10. HOW DO WE PROTECT YOUR DATA?
We work hard to protect our users’ personal data and adopt technical and organizational measures to prevent unauthorized access, disclosure, loss or destruction thereof.
Some examples of these measures includes:
- The pseudonymization and the encryption of personal data, when possible;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and of the processing services, both digital and manual;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

- A process to regularly test, assess and evaluate the effectiveness of the technical and organizational measures to guarantee the security of the processing;
- Our employees who, in the performance of their duties, carry out processing of personal data, are bound by professional secrecy and required to observe the provisions of this Policy, as well as the applicable legislation on personal data protection and our internal security and confidentiality procedures;
- Procedures are also provided to deal with suspicions of personal-data breaches to be able to notify, within the required periods, the affected data subjects as well as the applicable supervisory authority;
- We only use data-centre service providers who offer us guarantees that your personal data are stored on servers maintained in controlled environments with limited access.

Nevertheless, although we take what we believe to be appropriate precautions to protect the personal data you provide and that we collect, you should remain aware that no security system is impenetrable.

11. PERSONAL DATA BREACH
3HB Hotels Group has an established procedure for the notification of personal data breaches.
Thus, upon detection of a personal data breach that represents a high risk to the rights and freedoms of the data subject, the DPO shall notify the CNPD within 72 hours after becoming aware of the incident, as required by the General Data Protection Regulation (GDPR).
If a personal data breach occurs and it constitutes a high risk to your rights and freedoms, you will be informed.
However, in accordance with the law, communication of the breach to the data subjects may be dispensed with when:
• Appropriate technical and organizational protective measures have been implemented for the affected personal data, ensuring that they become unintelligible to any person not authorized to access them (e.g., encryption);
• Subsequent measures have been taken that eliminate the likelihood of a high risk to the rights and freedoms of the data subjects;

• Individual notification to the data subjects would require a disproportionate effort by the 3HB Hotels Group, in which case a public notification or an equivalent measure is made to ensure effective communication to the data subjects.

12. AMENDEMENTS TO THE PRIVACY AND PERSONAL DATA POLICY
This Privacy Policy repeals and entirely replaces any previous one.
3HB Hotels Group has the right to modify this Privacy Policy at any time and without prior notice.
To always be informed about the processing of your personal data, we recommend that you consult this policy whenever you visit our website.

13. INTELLECTUAL PROPERTY RIGHTS
All content present on this site is the property of the 3HB Hotels Group (texts, images) and is protected by the Copyright and Related Rights Code, in accordance with the Legal Notice. This site may contain links to third-party sites that are not under the control of the 3HB Hotels Group.

14. OUR CONTACT DETAILS
For the exercise of any type of data protection and privacy rights or for any clarification regarding data protection, privacy, and information security matters, our guests/customers, users, employees, candidates, service providers or partners may get in touch with the Data Protection Officer via the following email address: [email protected]
The Data Protection Officer of the 3HB Hotels Group acts independently and impartially within the organization, ensuring compliance with the data protection rules.

For other enquiries, you may use the following general contact details:
+351 289 003 033
Apartado 629, 8200-998 Albufeira, Portugal