The following entities will manage your personal data as parties that are Jointly Responsible for Data Control:

• Hesperia World S.L.U., (hereinafter “Hesperia”), with Fiscal ID number B-67301242, and business address at Avenida Mare de Déu de Bellvitge, number 3, 08907 l’Hospitalet de Llobregat (Barcelona).

• The mercantile societies dedicated to the management and operation of the hotels that form part of the Hesperia Group (hereinafter “the Hotels”), although not all of the aforementioned hotels, will have access to or deal with your personal data, only the specific hotel that you have booked and/or that you stay in (hereinafter “the Hotel”).

We would also like to inform you that the Group to which Hesperia and the Hotels belong has a Data Protection Delegate who you can contact via the following email address: DPO@hesperiaworld.com

All the fields on the form marked with an asterisk [*] must be completed as the omission of any of these fields could mean that it is impossible to attend to your petition, to provide the services requested or to proceed to send the requested or authorised communications. You must provide accurate information, with the use of an alias or other means of disguising your identity being forbidden.

In order that the information provided is always up to date and contains no errors, you should inform Hesperia, as soon as possible, of any changes or corrections to your personal data, either by contacting reception at our hotels or by writing to the following email address: protecciondedatos@hesperiaworld.com.

Also, you declare that the information and the data you have provided is accurate and true.

To process bookings, we may contract service providers who will communicate your data to us. The data categories that we receive and that, as a result, we will use are those corresponding to identification and banking data that are necessary to correctly process your booking.

To follow, we describe the different purposes for which Hesperia and the Hotels will use your personal data, the bases that legitimise that processing and the duration of storage of said data. Hesperia and the Hotel may jointly process your personal data in order to:

• Manage the booking that you make at one of our hotels via any channel. Said data treatment is based on the pre-contractual measure requested by you when formalising the booking requesting our services. Your data will be kept until the arrival date for the booking and, in the event that you finally stay at the corresponding hotel, during the term of our contractual relationship, and may subsequently be retained for the period of time derived from the prescription of legal actions related to this usage.

• To attend, by telephone or email, the requests, questions, complaints and/or claims received via the “Need any help?” form on the website, in accordance with the consent that you have given when sending the corresponding request, question, complaint or claim. Your data will be kept until your request, question, complaint or claim has been dealt with, and may subsequently be retained for the period of time derived from the prescription of legal actions related to this usage.

For its part, the Hotel may use your personal data for:

• Manage the sending, using any means, of communications regarding the stay you have booked, also informative communications detailing the opportunities that your hotel destination has to offer. Said communications arise from the legitimate interest that Hesperia and the Hotel has to keep our guests informed about anything that we consider may be relevant or related to their stay. Date used for this purpose will be stored until you unsubscribe from said mailings or when 2 years have passed since your last interaction with us. Notwithstanding, and also in this case, your personal data may subsequently be retained for the period of time derived from the prescription of legal actions related to this usage. .

For its part, Hesperia may use your personal data for:

• To manage communications, sent by any means, regarding offers, the promotion of services offered by the hotels belonging to the Hesperia Group, as well as information about events organised by these hotels or new products on offer. Said communications are made based on the consent that, where appropriate, you give for such purposes.

Where you have given consent, your data will be stored until you revoke that consent, however, your personal data may subsequently be retained for the period of time derived from the prescription of legal actions related to this usage.

• To manage the sending of commercial communications via social media based on the consent that, where appropriate, you have given us as a "follower" or "friend" of our profiles.

Your data will be stored until you revoke the consent that you had given, however, your personal data may subsequently be retained for the period of time derived from the prescription of legal actions related to this usage.

We inform you that you may exercise the following rights:

1. The right of access your personal data to know which data is being processed and the processing operations that they are being used for. ;
2. The right to correction of any inaccurate data. ;
3. The right to erasure of your personal data, where possible. ;
4. The right to restriction of the use of your personal data, where possible.
5. The right to request the restriction of the use of your data when the accuracy, legality or necessity of the data processing is doubtful, in which case, we may keep the blocked data in order to defend a claim.
6. The right to the portability of your personal data, when the legal basis that enables us to process it is the existence of a contractual relationship or your consent.
7. The right to revoke consent, in this case, given to Hesperia for data processing.

You may exercise your rights at any time and free of charge by sending an email to protecciondedatos@hesperiaworld.com, indicating which right you wish to exercise and including confirmation of your identity. .

On the other hand, we inform you that you have the right to file a claim with the Spanish Agency for Data Protection if you consider that any infringement of data protection legislation has occurred regarding the processing of your personal data.

Your data may always be transferred to any Public Administration departments as determined by the applicable legislation in force, such as the Treasury, Judges and Courts, or the Security forces or services.

The personal data that you provide us with for the purpose of managing your reservation may be communicated, in turn, to the bank with which Hesperia and the Hotels work.

Your data will be transferred to countries located outside the European Economic Area and, specifically to:

1. The Philippines; as a result of the back office management services related to invoicing that Accenture Outsourcing Services, S.A. Carry out for Hesperia. These international data transfers are regulated by standard contractual clauses approved by the European Commission.
2. The United States; as a consequence of the following services:

• search engine services that TravelClick, Inc. provides relating to the location and selection of the specific payment gateways or providers that authorise payments related to the services provided by Hesperia. These international data transfers are regulated by standard contractual clauses approved by the European Commission.
• marketing services for Hotels provided by Mailchimp. These international data transfers are regulated as Mailchimp is a certified entity within the framework of the EU-US Privacy Shield (“Privacy Shield”), approved by the European Commission through its Decision (EU) 2016/1250 of the 12th of July 2016.

Hesperia has implemented and maintains the security levels required by the GDPR to protect your personal data against accidental losses and unauthorised access, treatment or disclosure, taking into account the state of technology, the nature of the stored data and the risks to which it is exposed. However, despite the fact that Hesperia makes every effort to protect the data they process, it cannot guarantee in any case the security during the process of communication of personal data from the users' network to that of Hesperia. Once your data has been received, Hesperia will ensure rigorous security procedures and functions are in place to prevent any unauthorised access.

The personal data that we may collect will be treated confidentially, and we are committed to keeping this totally secret in accordance with the provisions laid out in the applicable legislation.

On occasions, this Privacy Policy may need to be updated and therefore it is important that you review this policy periodically and, if possible, every time you make a reservation or contact us in order to be sufficiently informed about the type of information collected and its treatment. We will notify you of any modification to this privacy policy that substantially affects the processing of your personal data..

Last update: 21st of August 2020.