PALLADIUM REWARDS PRIVACY POLICY

PALLADIUM GESTIÓN S.L.U. is especially sensitive to the protection of personal data of the Users of the services of the website and its clients. By means of this Privacy Policy (or Data Protection Policy) the owner of this site informs the USERS of the website about the uses to which the personal data collected are subjected, in order for them to decide, freely and voluntarily, if they wish to provide the requested information.

PALLADIUM GESTIÓN S.L.U. reserves the right to modify this Policy in order to adapt it to new legislation, jurisprudential criteria, industry practices, or the interests of the company. Any modification will be announced with due notice, so that you are fully aware of its contents.

The data controller is PALLADIUM GESTIÓN S.L., with address for these purposes at: Avenida Bartolomé Roselló, 18, 07800 Ibiza (Balearic Islands).

The contact details of the DPO appointed by the data controller are as follows: dpo@palladiumhotelgroup.com

The purposes of collecting and processing personal data, through the various forms that are owned by the data controller and made available to Users, are as follows, depending on the specific case:

• To manage registration for the "Palladium Rewards" programme, and manage the acquisition and redemption of user points within the programme.
• Booking management: to manage bookings made via the "Palladium Rewards" website at one of our hotels.
• To take into account the information and preferences indicated by you in your "Palladium Rewards" profile, as well as the products and services contracted and enjoyed by you in order to offer you products and services that may be of interest to you, based on statistical data compiled by us.
• To manage your contact requests through the channels and/or forms provided for this purpose.
• Information and, where appropriate, registration in sweepstakes organized or in which the data controller participates.
• Knowing the opinion of customers through satisfaction and quality surveys.
• Sending communications related to your account, including, but not limited to, points balance, card category or level, notifications, and any other items that keep the cardholder informed about the status of his or her account.
• Sending commercial communications by any means (including electronic ones) to inform you about news, events and about our products or services that may be of interest to you, unless you object to such treatment.

The personal data provided will be kept as long as required to comply with legal obligations or for the period that a judge or court may order.

Data held on the basis of your consent will be kept as long as you do not revoke your consent or oppose their use.

In order to improve your experience of future stays in our hotels, we will keep data related to a record of your visits for seven years, unless you indicate otherwise, in which case data will be kept for the legally prescribed periods or for any period ordered by a judge or court.

In accordance with article 32 of Organic Act 3/2018 on Personal Data Protection and the Guarantee of Digital Rights, data controllers will proceed to block data when they are corrected or deleted.

The data lock consists of identifying and reserving the data in question, adopting technical and organisational measures to prevent them from being processed, except for making the data available to judges and courts, the Public Prosecutor's Office or government bodies, and data protection authorities in particular, in order to determine any liabilities that may arise from the use of the data and only for the limitation period specified for such cases.

The controller is entitled to the processing of personal data, based on:

• In cases where it has been requested, based on the consent given by the data subject for one or more specific purposes as stated in Article 6.1. a) of the General Personal Data Protection Regulation by filling in the forms and ticking the box provided for this purpose.
• Based on the execution of a contract for the provision of services in accordance with the Terms and Conditions of the "Palladium Rewards" Program, as stated in Article 6.1. b) of the General Personal Data Protection Regulation
• On the basis of legitimate interest, in accordance with Article 6.1.f) of the General Personal Data Protection Regulation.

The personal data come from the registration made by the User in the "Palladium Rewards" program, from the reservation made by the interested party or from the forms filled in by him/her made available by the data controller.

In order that the data contained in our files always correspond to reality, we will try to keep them updated. So that, for this purpose, the User must make the changes, directly, when so enabled or by communicating, by reliable means, to the corresponding area or department of the data controller.

The personal data you provide to the data controller may be disclosed to the following categories of recipients:

• Third parties to whom the Company is obliged to transmit information, such as public authorities, in order to comply with the requirements of such authorities and the applicable regulations, as the case may be.
• The companies that own the hotels, in order to make the reservation in them. The legitimate basis for processing the data in this case is the execution of a contract or pre-contractual measures (Art. 6.1.b of the GDPR)
• In the event that the registration in "Palladium Rewards" takes place through a personalized link provided by another member of the program, the latter will be able to see in his/her profile the name and surnames of the persons who, through that link, have registered in the program, so that he/she can verify the list of "friends" who have accepted the invitation and for whom they have received points.

Palladium Gestión S.L.U. does not market, sell or perform any other similar activity using your personal data. Your personal data will only be processed for the purposes indicated above and will only be used by the data controller.

The controller has service providers with access to personal data (Data Processors). Among these service providers, you can find companies located outside the European Economic Area, so that international data transfers could be made, in any case, complying with appropriate safeguards in accordance with Articles 44 and following of the RGPD. For the realization of international transfers with suppliers of Palladium Gestión S.L.U. located in the USA, the standard contractual clauses on data protection adopted by the European Commission are provided as a guarantee.

The data subject may exercise the following rights, in accordance with General Data Protection Regulations:

• The right to request access to personal data relating to the subject,
• The right to request the rectification of inaccurate or incomplete data,
• The right to request its deletion,
• The right to request the limitation of their processing,
• The right to object to the processing,
• The right to data portability,
• To revoke, where appropriate, the consents granted.

El interesado podrá ejercitar tales derechos mediante solicitud en la que especificará cuál de estos derechos solicita sea satisfecho, remitiendo escrito a la dirección: Avenida Bartolomé Roselló, 18, 07800 Ibiza (Baleares) o a través del correo electrónico rgpd@palladiumhotelgroup.com. Cuando existan dudas sobre su identidad, se le podrá requerir que acompañe copia del DNI o documento identificativo equivalente.

If you consider that your right to personal data protection has been violated, you may contact our Data Protection Officer at dpo@palladiumhotelgroup.com, or file a complaint with the Spanish Data Protection Agency (www.aepd.es).