Privacy and Data Policy
Date of Last Update: 30 November 2024
A. GENERAL PART
A.1. The DHM Group
The Discovery Hotel Management Group, which includes SUMMER C COLORS - AGRUPAMENTO TURÍSTICO E IMOBILIÁRIO – ACE (“Summer Colors”), headquartered at Rua Joaquim António de Aguiar nº 66, 1070 153, Lisbon, Portugal, under the unique registration number and corporate entity 510945961, and a set of Hotel Units more specifically identified here: www.dhmportugal.com (collectively, the “DHM Group”), acts to ensure the protection of personal data of its Customers in the context of services provided through our Hotel Units and Users who visit our Websites. This includes information provided by the Customer and/or the User that allows the DHM Group to identify and/or contact them (“Personal Data”).
We have compiled the main points regarding the processing of personal data of our Customers and Users in this Privacy Policy, thereby ensuring that we provide the necessary information in a transparent, concise, and easily understandable manner to comply with the rules of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 on Data Protection (“GDPR”).
A.2. Entities of the DHM Group Responsible for the Processing of Personal Data
Stays at Hotel Units
As a rule, when a Customer contacts one of our Hotel Units (for example, one of the Octant Hotels, or our Hotels & Resorts such as the Monte Real Hotel or the Dolce Campo Real), it is the Hotel Units that provide services related to the stay at these same Hotel Units and determine how your data is processed in the context of those services. Therefore, whenever you book a stay at one of our Hotel Units, the entity responsible for processing the data necessary for providing hotel services and associated services (restaurants, bars, use of health clubs or Spas), managing contacts with Customers, and billing and collection will be the Hotel Unit that provides these services.
The Personal Data collected and processed for these purposes consist of information related to name, gender, date of birth, telephone, mobile phone, email, address, tax identification number, credit card details (collected only for billing purposes), although other Personal Data that may be necessary or convenient for the provision of services by the Hotel Units may also be collected.
The Hotel Units will also be responsible for data processing carried out for the purposes of protecting people and property and security at the Hotel Units (through video surveillance systems).
In summary, whenever the Hotel Units process Personal Data, they must always have a legitimate basis to do so (as further explained in section B below), in accordance with the GDPR.
In this context, the legal bases used by the Hotel Units for the above-mentioned processing are as follows:
Purpose
Management of reservations and customer contacts
A. GENERAL PART
A.1. The DHM Group
The Discovery Hotel Management Group, which includes SUMMER C COLORS - AGRUPAMENTO TURÍSTICO E IMOBILIÁRIO – ACE (“Summer Colors”), headquartered at Rua Joaquim António de Aguiar nº 66, 1070 153, Lisbon, Portugal, under the unique registration number and corporate entity 510945961, and a set of Hotel Units more specifically identified here: www.dhmportugal.com (collectively, the “DHM Group”), acts to ensure the protection of personal data of its Customers in the context of services provided through our Hotel Units and Users who visit our Websites. This includes information provided by the Customer and/or the User that allows the DHM Group to identify and/or contact them (“Personal Data”).
We have compiled the main points regarding the processing of personal data of our Customers and Users in this Privacy Policy, thereby ensuring that we provide the necessary information in a transparent, concise, and easily understandable manner to comply with the rules of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 on Data Protection (“GDPR”).
A.2. Entities of the DHM Group Responsible for the Processing of Personal Data
Stays at Hotel Units
As a rule, when a Customer contacts one of our Hotel Units (for example, one of the Octant Hotels, or our Hotels & Resorts such as the Monte Real Hotel or the Dolce Campo Real), it is the Hotel Units that provide services related to the stay at these same Hotel Units and determine how your data is processed in the context of those services. Therefore, whenever you book a stay at one of our Hotel Units, the entity responsible for processing the data necessary for providing hotel services and associated services (restaurants, bars, use of health clubs or Spas), managing contacts with Customers, and billing and collection will be the Hotel Unit that provides these services.
The Personal Data collected and processed for these purposes consist of information related to name, gender, date of birth, telephone, mobile phone, email, address, tax identification number, credit card details (collected only for billing purposes), although other Personal Data that may be necessary or convenient for the provision of services by the Hotel Units may also be collected.
The Hotel Units will also be responsible for data processing carried out for the purposes of protecting people and property and security at the Hotel Units (through video surveillance systems).
In summary, whenever the Hotel Units process Personal Data, they must always have a legitimate basis to do so (as further explained in section B below), in accordance with the GDPR.
In this context, the legal bases used by the Hotel Units for the above-mentioned processing are as follows:
Purpose
Management of reservations and customer contacts
Provision of hotel services
Billing and collection
Video surveillance
Legal Basis
Execution of contractual relationship
Execution of contractual relationship, consent
Fulfillment of legal obligations
Legitimate interest (protection of people and property)
Execution of contractual relationship, consent
Fulfillment of legal obligations
Legitimate interest (protection of people and property)
Website and Marketing
On the other hand, regarding the provision of the Website hosted at www.octanthotels.com and the services and communications made available there, Summer Colors is the entity responsible for processing the Personal Data of Users.
As a rule, Personal Data is requested when the User registers on the Website, requests contact and/or the sending of newsletters, subscribes to a particular Service, purchases a product, or establishes a contractual relationship with Summer Colors.
Summer Colors also collects and processes information about your hardware and software, as well as information about the pages visited by the User within the Website. This information may include: your browser type, domain name, access times, and the hyperlinks through which the User accessed the Website (“Usability Information”). This information is only used to improve the quality of the visit to the Website.
Summer Colors will process Users' Personal Data and Usability Information for the following purposes:
User registration on the Website;
Informing the User, upon request, about new products and services available on the Website and/or at the hotel units, special offers and campaigns, updated information about the activities of Summer Colors or the DHM Group’s hotel units, and generally for marketing purposes of Summer Colors and the DHM Group’s hotel units, through any means of communication, including electronic support;
Allowing access to restricted areas of the Website, according to previously established terms;
Ensuring that the Website meets the User’s needs by developing and publishing content as tailored as possible to the requests and type of User, improving the Website’s search capabilities and functionalities, and obtaining aggregated or statistical information regarding the typical User profile (consumer profile analysis);
Provision of Services, and other services such as newsletters, opinion surveys, or other information or products requested or purchased by the User;
Recording telephone calls made within the scope of the contractual relationship, both during the contract formation phase and during its term.
In summary, whenever Summer Colors processes Personal Data, it must always have a legitimate basis to do so (as further explained in section B below), in accordance with the GDPR. In this context, the legal bases used by Summer Colors for the above-mentioned processing are as follows:
Purpose
User registration on the Website
Information about products and services available on the Website, newsletters, opinion surveys
Access to restricted areas of the Website
Improvement of Website functionality (content adaptation, security, and features)
Call recording
Legal Basis
Pre-contractual obligations, consent
Consent
Execution of contractual relationship
Legitimate interest (improvement of service provided to Website Users)
Consent
Consent
Execution of contractual relationship
Legitimate interest (improvement of service provided to Website Users)
Consent
A.3. Data Collection Channels
Summer Colors and the Hotel Units may, depending on the purposes indicated above, collect Personal Data directly (i.e., directly from the Customer and/or the User) or indirectly (i.e., through partner entities or third parties). Collection can be done through the following channels:
Direct collection: in person, by phone, by email, and through the Website;
Indirect collection: through DHM Group partners or companies and official entities.
B. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA
In terms of general principles, the DHM Group is committed to ensuring that the Personal Data it processes:
Is subject to lawful, fair, and transparent processing in relation to Customers and/or Users;
Is collected for specific, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes;
Is adequate, relevant, and limited to what is necessary concerning the purposes for which it is processed;
Is accurate and kept up to date as necessary, with all appropriate measures taken to ensure that inaccurate data, considering the purposes for which they are processed, are erased or rectified without delay;
Is kept in a manner that allows the identification of Customers and/or Users only for as long as necessary for the purposes for which the data is processed;
Is processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, with appropriate technical or organisational measures adopted.
The data processing carried out by the DHM Group is lawful if at least one of the following conditions is met:
The Customer and/or the User has given explicit consent to the processing of their Personal Data for one or more specific purposes;
The processing is necessary for the performance of a contract to which the Customer and/or the User is a party, or for pre-contractual steps taken at the request of the Customer and/or the User;
The processing is necessary for compliance with a legal obligation to which the DHM Group is subject;
The processing is necessary to protect the vital interests of the Customer and/or the User or another natural person;
The processing is necessary for the purposes of the legitimate interests pursued by the DHM Group or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Customer and/or the User that require protection of personal data.
The DHM Group commits to ensuring that the processing of the Customer’s and/or the User’s Personal Data is only done under the conditions listed in this Privacy Policy and with respect for the principles mentioned above.
When the processing of the Customer’s and/or the User’s Personal Data is carried out by the DHM Group based on consent, the individual has the right to withdraw their consent at any time. However, the withdrawal of consent does not affect the lawfulness of the processing carried out by the DHM Group based on the consent previously given by the Customer and/or the User.
The period during which the data is stored and retained varies according to the purpose for which the information is processed. In fact, there are legal requirements that oblige the retention of data for a minimum period. Thus, and whenever there is no specific legal requirement, the data will be stored and retained only for the minimum period necessary for the purposes that motivated its collection or subsequent processing, after which it will be deleted.
C. DATA COMMUNICATION
Subcontracting Entities
In the context of processing User Data, Summer Colors [and/or the Hotel Units] may use third-party entities, subcontracted by themselves, to, on behalf of Summer Colors [and/or the Hotel Units], and in accordance with the instructions given by them, process the Customer’s and/or User’s Personal Data, strictly complying with the law and this Privacy Policy.
These subcontracted entities may not transmit the Customers’ and/or Users’ Personal Data to other entities without Summer Colors [and/or the Hotel Units] having previously and in writing authorised such transmission. They are also prohibited from hiring other entities without prior authorisation from Summer Colors [and/or the Hotel Units].
Summer Colors [and the Hotel Units] commit to subcontracting only entities that provide sufficient guarantees of implementing appropriate technical and organisational measures to ensure the protection of the User’s rights. All entities subcontracted by Summer Colors [and/or the Hotel Units] are bound to the latter through a written contract in which the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the rights and obligations of the parties are regulated.
Other DHM Group Entities
The Personal Data collected by the Hotel Units and/or Summer Colors are not shared with third parties without the Customer’s and/or the User’s consent, except for the situation referred to in the following paragraph. However, if the Customer and/or User contracts services from the Hotel Units and/or Summer Colors that are provided by other entities responsible for processing personal data, the Personal Data may be accessed or consulted by those entities to the extent necessary for the provision of those services.
Summer Colors may transfer or communicate the Personal Data for which it is the data controller to other DHM Group entities, particularly DISCOVERY FUND HOTEL MANAGEMENT I, S.A., headquartered at Rua Joaquim António de Aguiar nº 66, 6th floor, 1070 153, Lisbon, under the unique registration number and corporate entity 515312738, if such transfer or communication is necessary for corporate reorganisation purposes, to ensure the continuity of the services provided to Customers/Users. In the event of a transfer of Personal Data under these circumstances, we will make reasonable efforts to inform Customers and/or Users of that transfer and ensure that the recipient only uses the transferred Personal Data in accordance with this Privacy Policy.
Other Third Parties
The DHM Group may also communicate Personal Data to third parties outside its corporate group when such communications are necessary or appropriate (i) in light of applicable law for the fulfillment of legal obligations/judicial orders; and (ii) to respond to requests from public or governmental authorities.
D. RETENTION PERIODS
The DHM Group retains Personal Data only for as long as necessary to fulfil the purposes described in this Privacy Policy concerning the execution of the contractual relationship with Users and/or Customers, unless a legal provision requires a longer retention period (for the purpose of fulfilling tax or accounting obligations, Personal Data are retained for a period of 10 years).
Regarding Personal Data collected based on consent – for sending marketing communications – these will be processed until the consent is withdrawn. On the other hand, concerning data processed for conducting opinion surveys, these will be processed as long as necessary to carry out the aforementioned surveys or until the consent is withdrawn. Additionally, regarding call recordings for the purpose of evidence of commercial transactions, the data will be retained for a period of 90 days and, in the context of video surveillance, for a period of 30 days.
E. TECHNICAL, ORGANISATIONAL, AND SECURITY MEASURES IMPLEMENTED
To ensure the security of the Customer’s and/or the User’s Data and maximum confidentiality, we treat the information you have provided us in an absolutely confidential manner, in accordance with our internal security and confidentiality policies and procedures, which are periodically updated as needed, as well as in accordance with legally stipulated terms and conditions.
Due to the nature, scope, context, and purposes of data processing, as well as the risks arising from processing for the rights and freedoms of the Customer and/or the User, the Hotel Units and Summer Colors commit to applying, both at the stage of defining the processing means and during the actual processing, the necessary and appropriate technical and organisational measures to protect Personal Data and comply with legal requirements.
They also commit to ensuring that, by default, only the data necessary for each specific processing purpose is processed and that this data is not made available without human intervention to an indefinite number of people.
In terms of general security measures, the DHM Group adopts the following:
Regular audits to assess the effectiveness of the implemented technical and organisational measures;
Awareness and training of staff involved in data processing operations;
Pseudonymisation and encryption of personal data;
Mechanisms capable of ensuring the confidentiality, availability, and resilience of information systems;
Mechanisms that ensure the timely restoration of information systems and access to personal data in the event of a physical or technical incident.
F. INTERNATIONAL DATA TRANSFERS
The Personal Data processed by the DHM Group are not made available to third parties established outside the European Union. If, in the future, such a transfer occurs to fulfil any of the purposes described above, the DHM Group commits to ensuring that the transfer complies with applicable legal provisions, particularly regarding the determination of the adequacy of such a country in terms of data protection and the requirements applicable to such transfers.
G. FINAL PART
G.1. Changes to the Privacy Policy
The DHM Group reserves the right to change this Privacy Policy at any time. In the event of a modification to the Privacy Policy, the date of the last change, available at the top of this page, is also updated. If the change is substantial, a notice will be placed on the Website, and we may also notify Customers and Users in writing through the contact details provided to the DHM Group.
G.2. Applicable Law and Jurisdiction
Any disputes arising from the validity, interpretation, or execution of the Privacy Policy, or related to the collection, processing, or transmission of User Data, must be submitted exclusively to the jurisdiction of the judicial courts in the Lisbon district, without prejudice to the applicable mandatory legal norms.
Summer Colors and the Hotel Units may, depending on the purposes indicated above, collect Personal Data directly (i.e., directly from the Customer and/or the User) or indirectly (i.e., through partner entities or third parties). Collection can be done through the following channels:
Direct collection: in person, by phone, by email, and through the Website;
Indirect collection: through DHM Group partners or companies and official entities.
B. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA
In terms of general principles, the DHM Group is committed to ensuring that the Personal Data it processes:
Is subject to lawful, fair, and transparent processing in relation to Customers and/or Users;
Is collected for specific, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes;
Is adequate, relevant, and limited to what is necessary concerning the purposes for which it is processed;
Is accurate and kept up to date as necessary, with all appropriate measures taken to ensure that inaccurate data, considering the purposes for which they are processed, are erased or rectified without delay;
Is kept in a manner that allows the identification of Customers and/or Users only for as long as necessary for the purposes for which the data is processed;
Is processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, with appropriate technical or organisational measures adopted.
The data processing carried out by the DHM Group is lawful if at least one of the following conditions is met:
The Customer and/or the User has given explicit consent to the processing of their Personal Data for one or more specific purposes;
The processing is necessary for the performance of a contract to which the Customer and/or the User is a party, or for pre-contractual steps taken at the request of the Customer and/or the User;
The processing is necessary for compliance with a legal obligation to which the DHM Group is subject;
The processing is necessary to protect the vital interests of the Customer and/or the User or another natural person;
The processing is necessary for the purposes of the legitimate interests pursued by the DHM Group or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Customer and/or the User that require protection of personal data.
The DHM Group commits to ensuring that the processing of the Customer’s and/or the User’s Personal Data is only done under the conditions listed in this Privacy Policy and with respect for the principles mentioned above.
When the processing of the Customer’s and/or the User’s Personal Data is carried out by the DHM Group based on consent, the individual has the right to withdraw their consent at any time. However, the withdrawal of consent does not affect the lawfulness of the processing carried out by the DHM Group based on the consent previously given by the Customer and/or the User.
The period during which the data is stored and retained varies according to the purpose for which the information is processed. In fact, there are legal requirements that oblige the retention of data for a minimum period. Thus, and whenever there is no specific legal requirement, the data will be stored and retained only for the minimum period necessary for the purposes that motivated its collection or subsequent processing, after which it will be deleted.
C. DATA COMMUNICATION
Subcontracting Entities
In the context of processing User Data, Summer Colors [and/or the Hotel Units] may use third-party entities, subcontracted by themselves, to, on behalf of Summer Colors [and/or the Hotel Units], and in accordance with the instructions given by them, process the Customer’s and/or User’s Personal Data, strictly complying with the law and this Privacy Policy.
These subcontracted entities may not transmit the Customers’ and/or Users’ Personal Data to other entities without Summer Colors [and/or the Hotel Units] having previously and in writing authorised such transmission. They are also prohibited from hiring other entities without prior authorisation from Summer Colors [and/or the Hotel Units].
Summer Colors [and the Hotel Units] commit to subcontracting only entities that provide sufficient guarantees of implementing appropriate technical and organisational measures to ensure the protection of the User’s rights. All entities subcontracted by Summer Colors [and/or the Hotel Units] are bound to the latter through a written contract in which the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the rights and obligations of the parties are regulated.
Other DHM Group Entities
The Personal Data collected by the Hotel Units and/or Summer Colors are not shared with third parties without the Customer’s and/or the User’s consent, except for the situation referred to in the following paragraph. However, if the Customer and/or User contracts services from the Hotel Units and/or Summer Colors that are provided by other entities responsible for processing personal data, the Personal Data may be accessed or consulted by those entities to the extent necessary for the provision of those services.
Summer Colors may transfer or communicate the Personal Data for which it is the data controller to other DHM Group entities, particularly DISCOVERY FUND HOTEL MANAGEMENT I, S.A., headquartered at Rua Joaquim António de Aguiar nº 66, 6th floor, 1070 153, Lisbon, under the unique registration number and corporate entity 515312738, if such transfer or communication is necessary for corporate reorganisation purposes, to ensure the continuity of the services provided to Customers/Users. In the event of a transfer of Personal Data under these circumstances, we will make reasonable efforts to inform Customers and/or Users of that transfer and ensure that the recipient only uses the transferred Personal Data in accordance with this Privacy Policy.
Other Third Parties
The DHM Group may also communicate Personal Data to third parties outside its corporate group when such communications are necessary or appropriate (i) in light of applicable law for the fulfillment of legal obligations/judicial orders; and (ii) to respond to requests from public or governmental authorities.
D. RETENTION PERIODS
The DHM Group retains Personal Data only for as long as necessary to fulfil the purposes described in this Privacy Policy concerning the execution of the contractual relationship with Users and/or Customers, unless a legal provision requires a longer retention period (for the purpose of fulfilling tax or accounting obligations, Personal Data are retained for a period of 10 years).
Regarding Personal Data collected based on consent – for sending marketing communications – these will be processed until the consent is withdrawn. On the other hand, concerning data processed for conducting opinion surveys, these will be processed as long as necessary to carry out the aforementioned surveys or until the consent is withdrawn. Additionally, regarding call recordings for the purpose of evidence of commercial transactions, the data will be retained for a period of 90 days and, in the context of video surveillance, for a period of 30 days.
E. TECHNICAL, ORGANISATIONAL, AND SECURITY MEASURES IMPLEMENTED
To ensure the security of the Customer’s and/or the User’s Data and maximum confidentiality, we treat the information you have provided us in an absolutely confidential manner, in accordance with our internal security and confidentiality policies and procedures, which are periodically updated as needed, as well as in accordance with legally stipulated terms and conditions.
Due to the nature, scope, context, and purposes of data processing, as well as the risks arising from processing for the rights and freedoms of the Customer and/or the User, the Hotel Units and Summer Colors commit to applying, both at the stage of defining the processing means and during the actual processing, the necessary and appropriate technical and organisational measures to protect Personal Data and comply with legal requirements.
They also commit to ensuring that, by default, only the data necessary for each specific processing purpose is processed and that this data is not made available without human intervention to an indefinite number of people.
In terms of general security measures, the DHM Group adopts the following:
Regular audits to assess the effectiveness of the implemented technical and organisational measures;
Awareness and training of staff involved in data processing operations;
Pseudonymisation and encryption of personal data;
Mechanisms capable of ensuring the confidentiality, availability, and resilience of information systems;
Mechanisms that ensure the timely restoration of information systems and access to personal data in the event of a physical or technical incident.
F. INTERNATIONAL DATA TRANSFERS
The Personal Data processed by the DHM Group are not made available to third parties established outside the European Union. If, in the future, such a transfer occurs to fulfil any of the purposes described above, the DHM Group commits to ensuring that the transfer complies with applicable legal provisions, particularly regarding the determination of the adequacy of such a country in terms of data protection and the requirements applicable to such transfers.
G. FINAL PART
G.1. Changes to the Privacy Policy
The DHM Group reserves the right to change this Privacy Policy at any time. In the event of a modification to the Privacy Policy, the date of the last change, available at the top of this page, is also updated. If the change is substantial, a notice will be placed on the Website, and we may also notify Customers and Users in writing through the contact details provided to the DHM Group.
G.2. Applicable Law and Jurisdiction
Any disputes arising from the validity, interpretation, or execution of the Privacy Policy, or related to the collection, processing, or transmission of User Data, must be submitted exclusively to the jurisdiction of the judicial courts in the Lisbon district, without prejudice to the applicable mandatory legal norms.
See our Privacy and Personal Data Policy on the footer menu