Data Protection Framework
Club Las Calas will complete the applicable Privacy Impact Assessments (also known as Data Protection Impact Assessments under GDPR) for activities related to this website if they meet the necessary criteria, and these are available upon request from Club Las Calas (see Section 12).
This privacy notice aims to give you information on how Club Las Calas collects and processes your personal data through your use of this website, including any data you may provide through this website when you sign up to our deal alert newsletter, complete the enquiry or contact forms or the Holiday Planner.
It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.
Club Las Calas is the controller and responsible for your personal data (collectively referred to as “Club Las Calas”, “we”, “us” or “our” in this privacy notice).
We have appointed a dedicated contact who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the Club Las Calas Data Protection administrator using the details set out at the end of this document.
1. Customer and Citizen Data
You may decide to send us your personal information via this website if you are seeking more information about rental accommodation or ownership at Club Las Calas, signing up for newsletters or deal alerts (marketing), contacting us or for other similar purposes. Your decision to disclose your personal data is entirely voluntary, and by doing so, you are taking an affirmative action by providing us with specific consent to use your personal data only for the purposes for which you have disclosed it to us.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
1.1 How data is collected
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
Identity Data: includes first name last name, title.
Contact Data: includes address, email address and telephone numbers.
Technical Data: includes internet protocol address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
Usage Data: includes information about how you use our website, products and services.
Purchase Data: includes information about your holiday ownership and rental purchases.
Marketing and Communications Data: includes your preferences in receiving marketing from us and your communication preferences.
We use different methods to collect data from and about you including through:
1.1.1 Direct interactions
You may give us your Identity and Contact Data by purchasing holiday ownership, renting an apartment, filling in online forms or by corresponding with us by phone, email, or otherwise. This includes personal data you provide when you:
- Request information about holiday rentals or holiday ownership;
- Request marketing to be sent to you in the form of deal alerts or newsletters;
- Enter a competition, promotion or survey;
- Purchase holiday ownership;
- Renting an apartment; or
- Give us some feedback.
Should you send us questions via the contact and enquiry forms, we will collect the data entered on the form, including the contact details you provide, to answer your question and any follow-up questions. We do not share this information without your permission.
We will, therefore, process any data you enter onto the contact form only with your consent. You may revoke your consent at any time. An informal email making this request is sufficient. The data processed before we receive your request may still be legally processed.
We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Any mandatory statutory provisions, especially those regarding mandatory data retention periods, remain unaffected by this provision.
1.1.2 Automated technologies or interactions
As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookies policy for further details.
1.1.3 Third parties or publicly available sources
We may receive personal data about you from various third parties and public sources as set out below:
- Analytics providers such as Google based outside the EU;
- Search information providers based both inside and outside the EU.
1.2 How we use your personal data
Club Las Calas will only use your personal data when the law allows us to and only for the specified purpose for which you have submitted it to us.
Most commonly, we will use your personal data in the following circumstances: (a) provide information to you, (b) make contact with you, (c) provide contracted services to you, (d) perform the contract between us, (e) where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (f) where we need to comply with legal and regulatory obligations or (g) maintain the operations and security of the website and services we provide to you.
You will receive marketing communications from us if you have:
- Requested information from us;
- Rented holiday accommodation with us;
- Purchased holiday ownership products at Club Las Calas; or
- Provided us with your details and confirmed you want to receive marketing communications
You have the right to withdraw consent to marketing at any time by contacting us at firstname.lastname@example.org, writing to the Club at the address below or by clicking the un-subscribe link (opt-out) in our emails.
Whatever preference you may affirm or change from time to time, GDPR permits us to send communications where a legal requirement arises or legitimate interest prevails.
1.3 Promotional offers from us
We may use your Identity, Contact, Technical and Usage Data to form a view on what we think you may want or need, or what may be of specific interest to you. This is how we decide which products, services and offers may be relevant for you under the basis of contract or legitimate interest (we call this marketing).
1.4 Data Storage
We will, at all times, handle and store your personal data in accordance with industry best practice for information security. This includes the activities and procedures undertaken by our own personnel and authorised third parties (see Section 5), and the technical controls which we have implemented to prevent unauthorised access, compromise or theft of information from our applications, supporting computer systems and premises.
With regard to the Club Las Calas website, these include removal of all personal data from the local and staging website, removal of data migration plugin, password prompts to access the staging site and two-factor authentication and email verification to access the back-end of the site. Data is collected and stored on the site through the Flamingo WP plugin and this is deleted in line with our retention policy. User access to the site is limited. Information sent between your browser and our website is encrypted using SSL (Secure Sockets Layer). If SSL is activated, the data you transfer to us cannot be read by third parties.
We have put in place procedures to deal with any suspected data breach including disaster planning and will notify you, and any applicable regulator, of a breach where we are legally required to do so.
We limit, where possible, access to your personal data to employees and third parties including data processors, who have a business need to know such data. They will only process your data on our instructions and are subject to a processing agreement duty of confidentiality.
In some circumstances you can ask us to delete your data, please see Section 4 below.
We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
2. Sensitive Personal Data
GDPR specifies a set of personal data categories which are “sensitive”, and which require special consideration by Data Controllers. This website, and any services available from this website, do not knowingly collect or process any sensitive personal data.
3. Children's Personal Data
This website, and any services available from this website, are not directed to children under the age of 13. If you learn that a child under the age of 13 has provided us with their personal information without having parental consent, please contact the Club Las Calas Data Protection administrator (see Section 12) immediately so that we can take appropriate action.
4. Customer and Citizen Data Rights
As prescribed within data protection regulations, you have specific rights connected to the provision of your personal data to Club Las Calas using this website. These include your rights to request we:
- Confirm to you what personal data we may hold about you, if any, and for what purposes;
- Change the consent which you have provided to us in relation to your personal data;
- Correct any inaccurate or incomplete personal data which we may hold about you;
- Provide you with a complete copy of your personal data for you to move elsewhere;
- Stop the processing of your personal data, whilst an objection from you is being resolved;
- Permanently erase all your personal data promptly; and
- Confirm to you that this has been done.
Please note there may be reasons why we may be unable to do this.
To contact Club Las Calas, please see Section 12 below.
4.1 Exercising your rights
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
4.1.1 What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
4.1.2 Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If Club Las Calas does not address your request within one month, or fails to provide you with a valid reason why we have been unable to do so, you have the right to contact the Information Commissioner’s Office to make a compliant. They can be contacted via their website (www.ico.org.uk) or by telephone +44 (0) 303 123 1113.
5. Declaration of Processing and Sub-Processing
To make an informed decision on whether to provide your personal data to Club Las Calas using this website, we need to make you aware of the following organisations who act as Data Processors for us in the provision of our services to you. These include:
EVC Marketing (Processor), based in the United Kingdom, who undertakes lawful data processing for direct marketing purposes, on behalf of Club Las Calas. EVC Marketing is registered with the Information Commissioner’s Office for the UK Data Protection Act with registration number A8253934.
Resort Solutions Ltd (Processor), based in the United Kingdom, who undertakes lawful data processing for marketing and the provision of management services on behalf of Club Las Calas. Resort Solutions Ltd is registered with the Information Commissioner’s Office for the UK Data Protection Act with registration number Z8935499.
Campaign Monitor (Sub Processor), based in the United States, a marketing platform that deals with the processing and automated processing of email contact and engagement information, via the Club Las Calas website and online forms. Campaign Monitor complies with their requirements under the GDPR. Access to Campaign Monitor is limited and password protected.
SharpSpring (Sub Processor), based in the United States, a marketing platform that deals with marketing automation and email distribution. SharpSpring complies with their requirements under the GDPR. Access to SharpSpring is limited and password protected.
YouTube Plugin, which is operated by Google. The operator of the pages is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. If you visit one of our pages featuring a YouTube plugin, a connection to the YouTube servers is established. Here the YouTube server is informed about which of our pages you have visited. If you’re logged in to your YouTube account, YouTube allows you to associate your browsing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account. YouTube is used to help make our website appealing. This constitutes a justified interest. Further information about handling user data, can be found in the data protection declaration of YouTube under https://www.google.de/intl/de/policies/privacy.
Facebook Pixel Plugin, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. This allows user behaviour to be tracked after they have been redirected to the provider’s website by clicking on a Facebook ad. This enables us to measure the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous to us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Facebook, which is why we are informing you, based on our knowledge of the situation. Facebook may link this information to your Facebook account and also use it for its own promotional purposes, in accordance with Facebook’s Data Usage Policy. You can allow Facebook and its partners to place ads on and off Facebook. A cookie may also be stored on your computer for these purposes. The legal basis for the use of this service is Art. 6 paragraph 1 sentence 1 letter f GDPR. You can object to the collection of your data by Facebook pixel, or to the use of your data for the purpose of displaying Facebook ads by contacting the following address: https://www.facebook.com/settings?tab=ads. Facebook is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection legislation.
Facebook, Twitter and Instagram apps. When you visit our Facebook, Twitter and Instagram pages, which we use to represent our company or individual products or services, some of your personal data will be processed. The sole controller responsible for the processing of personal data are those organisations and you can find out more about the processing of personal data by them on their websites.
These organisations provide us with anonymised statistics and insights which help us to understand the types of actions that people take on our page and profiles. This processing of personal data is carried out by them and by us as joint controllers. The processing serves our legitimate interest to evaluate the types of actions being taken on our page and to improve our page based on these findings. The legal basis for this processing is Article 6 paragraph 1 letter f GDPR. We are in no case able to assign the information obtained via these analytics to a specific profile or account using the “Like” data for our page, account or profile.
If you have communicated data to us because you are taking part in a contest, we will only process this if it is necessary to send you a prize. After delivery of the prize, or if you do not win, your data will be deleted. The legal basis for this processing is Article 6 paragraph 1 letter b GDPR.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Where we use providers based in the United States, we may transfer data to them if they are part of the EU-US Privacy Shield, which requires them to provide similar protection to personal data shared between the Europe and the US.
If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
Please email us at email@example.com if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
The activities within which each of these Data Processors participates will be recorded within the applicable Club Las Calas Privacy Impact Assessment records (also known as Data Protection Impact Assessments under GDPR) if required and these will be available upon request from the Club Las Calas Data Protection administrator (see Section 12).
6. Website Cookies
We use both session-based and persistent cookies, dependent upon how you use or interact with this website. We use third-party cookies as the website operator has a legitimate interest in analysing user behaviour in order to optimize both its website and its advertising.
Session-based cookies last only while your browser is open and are automatically deleted when you close your browser session. Persistent cookies last until you or your browser deletes them, or until they expire.
If you decide to disable some or all cookies, you may not be able to use some of the functions on our website.
- Make our website work efficiently and smartly
- Save you having to remember login details every time you visit us
- Remember your settings during and between visits
- Improve our site’s speed so it’s quicker to browse
- You share pages on social networks like Facebook
- Improve our online advertising
- Collect any personally identifiable information (without your permission)
- Collect any sensitive information
7. External Links
This Club Las Calas website may include relevant hyperlinks to external websites not controlled by us.
Whilst all reasonable care has been exercised in selecting and providing any such links, you are advised to exercise caution before clicking any external links. We cannot guarantee the on-going suitability of external links, nor do we continually verify the safety or security of the contents that may be subsequently provided to you.
You are advised, therefore, that your use of external links is at your own risk and we cannot be responsible for any damages or consequences from your use of them.
8. International Transfers
Club Las Calas does not transfer your personal data outside the European Economic Area (EEA).
However, our data processors may use third party services that may transfer your personal data outside the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever they transfer your personal data out of the EEA, they do their best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is implemented:
1 They will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or
2 Where they use certain service providers, they may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe; or
3 Where they use providers based in the United States, we may transfer data to them if they are part of the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
Please email us at firstname.lastname@example.org if you want further information on the specific mechanism used by our data processors when transferring your personal data out of the EEA.
9. Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
10. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we keep basic information about our customers for seven years for tax purposes.
We will retain personal information about members for seven (7) years from the point at which they cease to be a member or owner of a timeshare interest, after which time it will be purged or otherwise removed from our systems.
For non-members and for other individuals who do not own a timeshare interest at the resort, we will destroy any personal data we have collected about you three (3) years after you last transacted with us.
Details of retention periods for different aspects of your personal data are available from request from us by contacting us.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
12. Contacting Club Las Calas
The Data Protection Administrator – Club Las Calas
C/O Resort Solutions Ltd.
St Mary’s House
St Mary’s Road
Market Harborough, LE16 7DS