The aforementioned report has been prepared based on the information provided by the Data Controller.

PRIVACY POLICY

As you may be aware, the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereinafter GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), highlights the need to strengthen the security and protection of personal data. We would like to inform you that we comply with all the requirements of this legislation and that all data under our responsibility is processed in accordance with legal requirements, maintaining the appropriate security measures to guarantee its confidentiality. However, given the legislative developments, we believe it is appropriate to inform you of the following privacy policy:

Who is responsible for processing your data?

· Identity: Vico Black 98 SL

· Postal Address: Puerta Aljarafe Building, Parque Aljarafe s/n (CP 41940 TOMARES) SEVILA

· Telephone: + 34 954-25-73-25

· Email: protecciondatos@grupoq.net

What are your rights?

· Anyone has the right to obtain confirmation as to whether or not we are processing personal data concerning them.

Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

· The right to rectification cannot be exercised in the case of video surveillance processing, since the nature of the data—images taken from real life that reflect an objective fact—would make it impossible to exercise a right of content.

· Under certain circumstances, data subjects may request that the processing of their data be restricted. In this case, we will retain it only for the purpose of filing or defending legal claims.

In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data, in which case the Data Controller will cease processing the data, except for compelling legitimate reasons or the exercise or defense of potential legal claims. In this regard, and in relation to video surveillance images, exercising the right to object poses enormous difficulties. If this is interpreted as the impossibility of taking images of a specific subject within the framework of video surveillance installations linked to private security purposes, it would not be possible to satisfy the right to object to the extent that the protection of security prevails.

· Under the right to portability, data subjects have the right to obtain the personal data concerning them in a structured, commonly used and machine-readable format and to transmit them to another controller.

If you have given consent for a specific purpose, you have the right to withdraw it at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal. How can these rights be exercised?

3.1) Where to go to exercise your rights:

If you wish to exercise your rights, please contact the data controller through the channel established for exercising rights: protecciondatos@grupoq.net so that we can respond to your request in a managed manner.

3.2) Information required to exercise your rights:

To exercise your rights, we need to verify your identity and the specific request you are making. We therefore require the following information:

· Documented information (written/email) of the request in which the application is specified.

· Proof of identity as the data subject to the exercise of the right (Name, surname of the interested party and photocopy of the ID of the interested party and/or the person representing them, as well as the document proving such representation (legal representative, if applicable).

· In the case of exercising rights related to data of deceased persons: Copy of:

· Family Book or Civil Registry in which the relationship of kinship or de facto relationship with the deceased is recorded and/or,

· Will in which the applicant is declared as heir and/or,

· Express designation of the requesting person or institution by the deceased.

· Documentation proving legal representation of the deceased.

· In the case of exercising the right to rectification and/or erasure: A statement of responsibility from the applicant certifying that they have the consent of all other persons related to the deceased for family or de facto reasons, as well as their heirs, to carry out said request.

When the data controller has reasonable doubts regarding the identity of the natural person making the request, they may request the provision of the additional information necessary to confirm the identity of the data subject.

· Address for notification purposes, date and signature of the applicant (in case of writing), or full name and surname (in case of email), or validation of the request in the private area of the communication channel with a personal key to authenticate your identity)

When exercising the right to rectification recognized in Article 16 of the GDPR, the data subject must indicate in their request which data it relates to and the correction to be made. They must accompany, where necessary, supporting documentation proving the inaccuracy or incompleteness of the data being processed.

· Likewise, when we process a large amount of data relating to the data subject and the data subject exercises his or her right of access without specifying whether it refers to all or part of the data, the controller may request, before providing the information, that the data subject specify the data or processing activities to which the request refers.

3.3) General Procedure for Exercising Your Rights:

Once we have received the required information, we will respond to your request in accordance with the organization's general procedure for exercising rights:

The data controller shall provide the data subject with information regarding its actions based on a request pursuant to Articles 15 to 22 (Rights of the data subject), and in any event within one month of receiving the request.

This period may be extended by another two months if necessary, taking into account the complexity and number of applications.

The controller will inform the interested party of any such extensions within one month of receiving the request, stating the reasons for the delay.

· When the interested party submits the application electronically, the information will be provided electronically whenever possible, unless the interested party requests that it be provided otherwise.

Only in cases where the data controller's processing systems allow it, the right of access may be granted through a remote, direct, and secure access system to personal data that guarantees permanent access to all of its contents. For these purposes, the data controller's communication to the data subject of the means by which they may access said system will be sufficient to consider the request to exercise this right fulfilled. However, the data subject may request from the Data Controller information relating to the aspects provided for in Article 15.1 of the GDPR that is not included in the remote access system.

If the data controller does not comply with the data subject's request, it will inform the data subject without delay, and at the latest within one month of receiving the request, of the reasons for its failure to act and of the possibility of filing a complaint with a supervisory authority and taking legal action.

The information provided will be free of charge, except for a reasonable fee for administrative costs. When the data subject chooses a means other than the one offered, which entails a disproportionate cost, the request will be considered excessive, and the data subject will therefore be responsible for any excess costs incurred. In this case, the Data Controller will only be required to satisfy the right of access without undue delay.

The data controller may refuse to act on the request, although they will bear the burden of demonstrating that the request is manifestly unfounded or excessive. For the purposes of Article 12.5 of the GDPR, the exercise of the right of access on more than one occasion within a six-month period may be considered repetitive, unless there is a legitimate reason for doing so.

In cases where rectification or deletion is required, your data will be blocked. Data blocking consists of identifying and secrecy of the data, adopting technical and organizational measures to prevent its processing, including its visualization, except for making the data available to judges and courts, the Public Prosecutor's Office, or the competent public administrations, particularly data protection authorities, to enforce potential liability arising from the processing and only for the limitation period. After this period, the data will be destroyed. Blocked data may not be processed for any purpose other than that indicated above (Article 16 of the GDPR and Article 32 of the LOPDGDD).

When deletion results from exercising the right to object pursuant to Article 21.2 of the GDPR, the Data Controller may retain the data subject's identification data necessary to prevent future processing for direct marketing purposes. In cases where you do not wish your data to be processed for the purpose of sending commercial communications, we refer you to the existing advertising exclusion systems, in accordance with the information published by the competent supervisory authority (AEPD) on its website www.aepd.es.

· In cases where the processing of personal data is limited, this will be clearly stated in the Data Controller's information systems.

· In the event of a certain, due and payable debt, a communication is sent to the debtor at the time of requesting payment regarding the possibility of inclusion in said systems (organization's late payment treatments), indicating those in which it participates (collection management entities for the management of the relevant claim...) In the event that the debt is not resolved within a maximum period of 15 days from the notification of insolvency, information is provided on the possibility of exercising the rights established in articles 15 to 22 of the GDPR within thirty days following notification of the debt to the system, the data remaining blocked during this period.

Persons related to the deceased for family or de facto reasons, as well as their heirs, may contact the data controller or data processor to request access to their personal data and, where appropriate, its rectification or deletion. As an exception, the persons referred to in the previous paragraph may not access the data of the deceased, nor request its rectification or deletion, when the deceased has expressly prohibited it or when a law so establishes. This prohibition will not affect the heirs' right to access the deceased's financial data.

In order to comply with current video surveillance regulations (Inst 1/2006) of the Spanish Data Protection Agency (AEPD), we inform you that the retention period for recordings is one month from the date they are captured. Therefore, we will not be able to process requests submitted after this time. Likewise, to avoid violating the rights of third parties, in the event of an access request, we will issue a certificate specifying the data processed as precisely as possible and without affecting the rights of third parties. For example, "Your image was recorded in our systems on the ___ day of the month of the year between _ hours and _ hours. Specifically, the system records your entry and exit from the facility."


1. What avenues for complaint exist?
   
   If you consider that your rights have not been properly respected, you have the right to lodge a complaint with the competent data protection authority ( www.agpd.es )


ADDITIONAL INFORMATION PROCESSING OF CONTACT DATA

For what purpose do we process the personal data you provide us?

· Attention to your queries and requests: Management of Response to Queries, Complaints or Incidents, Requests for technical or corporate information, Resources and/or Activities, and if you have consented, for the purposes described in the additional consents

· Contact with the interested party through the means of communication provided (email, postal address and/or telephone) in order to manage the queries sent to us through the channels enabled for this purpose, manage notifications and coordinate actions arising from the services requested by persons related to the company or the group to which it belongs and/or by data processors related to it for the legitimate and/or consented purposes.

· Management of registration for conferences and events of the company or the Group to which it belongs

· Newsletter subscription management.

Contact and/or sending satisfaction surveys, newsletters and corporate information, and offers and promotions of products and services of the organization and hotels and activities in order to evaluate the quality of our processes and provide you with offers of services of interest to you through the means of communication provided, if you have consented to do so.

The capture and subsequent publication of audiovisual and/or graphic material in which you may be involved in corporate media (for example, but not limited to, website, social networks, newsletters, activity report, reports, presence in the media) and/or other public communication media (sector publications and/or reports in print, TV, etc.), such as dissemination of the results of the activity, promotion and dissemination, management of campaigns, activities and events, if you have consented to this.

Associated management, including prior notification, that may arise from the development of any structural modification of companies or the contribution or transfer of a business or branch of business activity, provided that the processing is necessary for the successful completion of the transaction and, where appropriate, guarantees the continuity of the provision of services.

· Inclusion in whistleblowing systems of data associated with reporting (even anonymously) the commission within the organization or the actions of third parties contracting with it of acts or conduct that may be contrary to the general or sectoral regulations applicable to it.

How long do we retain the data provided?

The data provided will be retained as long as the lawful processing relationship is maintained and, once the validity of the relationship expires, the data subject does not request its deletion. This may be retained for the purpose of formulating, exercising, or defending claims against the data controller or for the protection of the rights of another natural or legal person and/or for reasons of legal obligation.

· The data processed for the purpose of sending commercial communications will be retained until you revoke your consent.

The data of the person who filed a complaint, employees, and third parties are kept in the reporting system to decide whether to initiate an investigation into the reported events, and subsequently as evidence of the functioning of the legal entity's criminal prevention model, in accordance with Article 24 of the LOPDGDD.

What is the legitimacy for processing your data?

The legal basis for processing your data is to fulfill your request. The requested data is necessary for the correct processing of your data.

Satisfy a legitimate interest of the Controller: Cases of legitimate interest in which the controller could be an injured party and it is necessary to process and communicate the data of the non-compliant party to third parties in order to manage regulatory compliance and defend the interests of the data controller, as well as cases of legitimate interest of specific processing contemplated in the LOPDGDD: Article 19. Processing of contact data and of individual entrepreneurs; Article 20. Credit information systems; Article 21. Processing related to the performance of certain commercial operations (corporate restructuring or business transfers) Article 22. Processing for video surveillance purposes; Article 23 Advertising exclusion systems; Article 24 Internal reporting systems).

The consent of the interested party, which they have unequivocally provided to us through formal means and/or by checking the boxes provided for this purpose in the data protection clauses included in the basic document governing the business relationship, depending on the contact channel.

To which recipients can your data be communicated?

· Organizations or individuals directly contracted by the Data Controller to provide services related to the processing purposes: Collaborators, Subcontracted Entities for the execution of projects/services that are the subject of the request or inquiry.

· Whistleblower Channel (Complaints about violations of regulations and the code of conduct are transmitted to the Regulatory Compliance Unit): Access to the data contained in these systems will be limited exclusively to those, whether or not incorporated within the entity, who perform internal control and compliance functions, or to the data processors eventually designated for this purpose. However, access by other persons, or even communication to third parties, will be lawful when necessary for the adoption of disciplinary measures or for the processing of legal proceedings, if applicable.

· Law Enforcement Agencies: To the extent that a justified right of access is required in the investigation of a regulatory breach.

· Others (specify): Media and specialized magazines for the Promotion of the Organization's Activities.

Under what guarantees is your data communicated?

Data is communicated to third parties through entities that demonstrate the availability of a Personal Data Protection System in accordance with current legislation.

How did we obtain your data?

The interested party himself, through the communication sent and/or through professional social networks.

What category of data do we process?

Identification and contact information, related to and/or provided with the Inquiry, Request for Technical or Corporate Information, Resources and/or Activities, Complaints or Incidents that you submit to us, as well as any personal data of third parties that you may provide to us.

How is your personal data stored securely?

Vico Black98 SL takes all necessary measures to keep your personal data private and secure. Only authorized individuals, authorized data processors, or authorized hotel and activity personnel (who are legally and contractually obligated to keep all information secure) have access to your personal data. All personnel with access to your personal data are required to agree to comply with the Hotel's Privacy Policy and data protection regulations, and all employees of third parties who have access to your personal data are required to sign confidentiality agreements in accordance with current legislation. Furthermore, third-party companies with access to your personal data are contractually required to keep them secure. To ensure that your personal data is protected, Vico Black 98 SL has a secure IT environment and adopts the necessary measures to prevent unauthorized access.

Vico Black 99 SL has entered into agreements to ensure that we process your personal data correctly and in accordance with data protection law. These agreements reflect our respective roles and responsibilities towards you and address which entity is best positioned to meet your needs. These agreements do not affect your rights under data protection law. For further information about these agreements, please do not hesitate to contact us.

ADDITIONAL INFORMATION ON CUSTOMER DATA PROCESSING:
For what purpose do we process the personal data you provide us?

· Internal use, execution of operations and administrative, economic and accounting management derived from the relationship with the transferor (commercial and/or contractual relationship associated with the management of accommodation, catering and event services)

· Offer and Commercial Management of the organization and its services "In order to provide interested parties with offers of services of interest to them"

· Management of the organization's contracting and provision of services, as well as compliance with contractual requirements

· Management of Responses to Queries, Complaints or Incidents, Requests for Information, Resources and/or Activities

Promotion and Dissemination of the Organization: The Preparation, Publication and Communication of Statistics, Activity Reports, Success Stories and Information associated with the communication and transparency of its Activity, as well as the Recording and Publication of Informative Material, Communication and Management of Campaigns, Activities, Events, Contests and/or Recording and Publication, in the organization's media (including website and social networks) and/or other public communication media, of videos, recordings and photos associated with the activities carried out by the organization that may incorporate people in the development of their functions "In order to provide stakeholders with information about the organization"

· Sending Newsletters, Activity Reports and Information related to the Organization's Activity (Newsletter)

· Quality management of processes and activities, as well as the evaluation of satisfaction/perception and performance results of the organization's stakeholders. Satisfaction Surveys

· Providing evidence of technical solvency in the presentation of bids and/or applications, management and justification of campaigns, activities, events, competitions, projects and grants in which the organization participates

· Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, including controls on access to facilities, information systems and printing of documentation for all personal data under the responsibility of the organization and therefore for all information systems of said entity, as well as controls relating to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or illicit behavior.

· Profile Analysis: In order to offer you products and services tailored to your interests and to improve your user experience, we will create a profile based on the information you provide. No automated decisions will be made based on this profile.

· Assessment of Asset Solvency and Credit

· Contact Management / Agenda

· Statistical and historical purposes

· Management of Facility Visits and Video Surveillance, as well as security and regulatory compliance, investigation of potential incidents or accidents, management of associated insurance, and management of warnings or sanctions for non-compliance with safety regulations.

· The management and auditing of quality, environmental management and/or occupational safety management of the organization's processes and facilities

Sending offers and promotions via electronic communications. Sending Christmas greetings.

Consult the advertising exclusion systems that may affect your operations, excluding from processing the data of those affected who have expressed their opposition or refusal to the process by consulting the advertising exclusion systems published by the competent supervisory authority.

Associated management, including prior notification, that may arise from the development of any structural modification of companies or the contribution or transfer of a business or branch of business activity, provided that the processing is necessary for the successful completion of the transaction and, where appropriate, guarantees the continuity of the provision of services.

· Inclusion in whistleblowing systems of data associated with reporting (even anonymously) the commission within the organization or the actions of third parties contracting with it of acts or conduct that may be contrary to the general or sectoral regulations applicable to it.

· Others (specify): In the case of deposit contracts, we reserve the right to conduct periodic audits at the facilities of clients and other debtors.

The international transfer of your data to the extent strictly necessary to comply with your inclusion in a project in a country outside the EU. Failure to accept this clause will prevent your inclusion in the project in that country.

How long do we retain your data?

The data provided will be retained as long as the lawful processing relationship is maintained, and the data subject does not request its deletion after the formal written termination of the relationship with the data subject, with the exception of its retention for the formulation, exercise, or defense of claims by the data controller or for the protection of the rights of another natural or legal person and/or for reasons of legal obligation.

· In any case, upon termination of the relationship, the data subject's data will be duly blocked, as provided for in current data protection regulations.

· Registration Book and Entry Forms for Hotel Establishments: The entry forms must be kept available to the Security Forces and Bodies, and then disposed of in a manner that does not allow access to the personal information contained therein (OM INT 1922/2003, of July 3, on registration books and entry forms for travelers in hospitality establishments and other similar establishments) – 3 years

Accounting and Tax Documentation – For Tax purposes: Accounting books and other mandatory record books according to applicable tax regulations (personal income tax, VAT, corporate tax, etc.), as well as documentary evidence justifying the entries recorded in the books (including computer programs and files and any other supporting documentation of tax significance), must be kept for at least the period in which the Administration has the right to verify and investigate and, consequently, settle tax debts (Articles 66 to 70 of the General Tax Law). Statute of limitations for Tax Offenses associated with the verification of offset or pending offset bases or quotas, or deductions applied or pending application. Crimes against the Public Treasury and Social Security – Art. 66 bis of the General Tax Law and the Penal Code, respectively. – 4 years. Statute of limitations for infractions: 10 years.

Accounting and Tax Documentation – For Commercial purposes: Books, correspondence, documentation, and supporting documents pertaining to your business, duly organized as of the last entry made in the books, except as established by general or special provisions. This commercial obligation extends to mandatory books (income, expenses, capital assets, and provisions), as well as the documentation and supporting documents supporting the entries recorded in the books (invoices issued and received, receipts, corrective invoices, bank documents, etc.) (Art. 30 Commercial Code) – 6 years.

Solvency Files: Data referring to certain, overdue, demandable and unclaimed debts (Art. 20 of LOPDGDD) – while the non-compliance persists, with a maximum limit of five years from the due date of the monetary, financial or credit obligation – 5 years

· Images/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they must be kept to prove the commission of acts that threaten the integrity of persons, property or facilities (in which case, the images will be made available to the competent authority within a maximum period of 72 hours from when the existence of the recording became known), or are related to serious or very serious criminal or administrative offenses in matters of public security, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.

Data included in automated processing created to control access to buildings (Instruction 1/1996, of March 1, of the AEPD, on automated files established for the purpose of controlling access to buildings) – 30 days

· Data processed in connection with the legal guarantee will be retained for the duration of the legal guarantee and, once it expires, for the period in which a judicial or administrative claim may arise in connection with the legal guarantee.

· The data processed for the purpose of sending commercial communications will be retained until you revoke your consent.

The data of the person who filed a complaint, employees, and third parties are kept in the reporting system to decide whether to initiate an investigation into the reported events, and subsequently as evidence of the functioning of the legal entity's criminal prevention model, in accordance with Article 24 of the LOPDGDD.

· Therefore, the data will be kept as long as the relationship with the organization remains in force, based on the retention periods established by the current regulations indicated above, as well as the legally or contractually established periods for the exercise or prescription of any liability action for breach of contract by the interested party or the Organization (the reform of the Civil Code establishes a period of 5 years to be able to carry out an action for civil liability, a period that is calculated from the date on which compliance with the obligation can be demanded).

What is the legitimacy for processing your data?

· Execution of a contract: Fulfillment of an offer, reservation, order, and/or commercial contract for accommodation, catering, and event services.

· Comply with a legal obligation: Regulations with the rank of administrative, commercial, tax, fiscal, accounting, and financial laws, as well as consumer and user protection legislation. Basic regulations governing traveler registration books.

Satisfy a legitimate interest of the Controller: Data processing as part of a business relationship and/or contract, which is necessary for its maintenance or fulfillment, data transmissions within business groups for internal administrative purposes, direct marketing, fraud prevention, cases of legitimate interest in which the controller could be a harmed party and the processing and communication of the data of the non-compliant party to third parties is necessary in order to manage regulatory compliance and defend the interests of the data controller, video surveillance purposes as a legitimate interest of the organization in the protection of its assets, the legitimate interest of direct marketing enabled by the LSSICE (sending commercial communications about products or services similar to those contracted by the client with whom there is a prior contractual relationship), as well as cases of legitimate interest of specific processing contemplated in the LOPDGDD: Article 19. Processing of contact data and individual entrepreneurs; Article 20. Credit information systems; Article 21. Processing related to the performance of certain commercial transactions (corporate restructuring or business transfers); Article 22. Processing for video surveillance purposes; Article 23. Advertising exclusion systems; Article 24. Internal reporting systems.

· Fulfill the purposes of the processing with the unequivocal consent of the interested party through acceptance of the clauses enabled in the forms and/or the established consent clauses depending on the channel through which they have contacted the company and/or through formal means and/or by checking the boxes enabled for this purpose in the data protection clauses enabled in the base document that has regulated the commercial relationship depending on the commercial contact channel.


To which recipients can your data be communicated?

Organizations or persons directly contracted by the Data Controller for the provision of services related to the processing purposes (specify): Travel Agencies and Intermediaries, Community Managers, Subcontracted Entities for the execution of work/services that are the object of the service with the client, Management and/or Regulatory Compliance Auditors

· Financial Institutions: Direct debit of bills and/or collection of bills and other payment methods, due to legitimate interest associated with collecting payment for services provided.

· Public Administration bodies or agencies with jurisdiction over the matters covered by the processing purposes: AEAT

· Law Enforcement Agencies: Civil Guard and/or National Police, in accordance with the basic regulations governing passenger registration books and to the extent that a justified right of access is required in the investigation of a regulatory breach, for legal compliance.

The entity that processes the reservation and/or manages payment of the invoice and the services we have provided to you, if you have given your consent. If you do not authorize this use, you must pay for the services we have provided to you.

· Media and specialized magazines for the Promotion of the Organization's Activities, to the extent that you consent to the recording, publication and/or reference in the organization's media and/or other public media, of videos, recordings and photos associated with the services we have provided to you as promotional material, proof of technical solvency and/or justification of events, projects and subsidies in which the organization participates.

· Compliance Reporting Channel (Reports regarding violations of data protection regulations are forwarded to the Chief Privacy Officer located at the parent company), due to legitimate interest: Access to the data contained in these systems will be limited exclusively to those, whether or not incorporated within the entity, who perform internal control and compliance functions, or to the data processors eventually designated for this purpose. However, access by other persons, or even communication to third parties, will be lawful when necessary for the adoption of disciplinary measures or for the processing of legal proceedings, where appropriate.

· Other: We may carry out international transfers of your data to the extent strictly necessary to comply with your incorporation into a project in a country outside the EU or due to the location of the processing systems of data management applications.

Under what guarantees is your data communicated?

Data is communicated to third parties through entities that demonstrate the availability of a Personal Data Protection System in accordance with current legislation.


How did we obtain your data?

The interested party itself and other companies of the Business Group to which Vico Black 98 SL belongs, travel agencies and intermediaries, entities that process the reservation and/or manage the payment with which the data controller maintains a contractual relationship or provision of services and for which it must have personal data of contact persons, users and/or guests for administrative and operational management in order to manage their access to the accommodation, catering and/or event service.

What category of data do we process?

Business data and contact information for administrative and operational management associated with the execution of the contract/service; Data relating to the position of contact persons for administrative and operational management associated with the execution of the contract/service; Business data and contact information for administrative and operational management associated with the execution of the contract/service; Economic, financial, and/or payment terms data; Goods and services received by the affected party, financial transactions; Name, surname, and tax identification number of the legal representative, contact information for individuals within the organization involved in or related to the project covered by the contract/service.

It does not contain specially protected data or data relating to criminal convictions and offences, except for those stated by the interested party for the adaptation of the required service (e.g. reduced mobility, food intolerances, etc.).

How is your personal data stored securely?

Regarding the processing of your personal data, we inform you:

All necessary measures are taken to keep your personal data private and secure. Only authorized data processors or authorized hotel and activity staff (who are legally and contractually obligated to keep all information secure) have access to your personal data. All staff with access to your personal data are required to agree to comply with the Privacy Policy and data protection regulations, and all employees of third parties with access to your personal data are required to sign confidentiality agreements in accordance with current legislation. Furthermore, third-party companies with access to your personal data are contractually guaranteed to keep them secure. To ensure that your personal data is protected, we maintain an IT security environment and adopt the necessary measures to prevent unauthorized access.

The company and its group members have entered into agreements to ensure that we process your personal data correctly and in accordance with data protection law. These agreements reflect their respective roles and responsibilities towards you and address which entity is best positioned to meet your needs.

These agreements do not affect your rights under data protection law. For more information about these agreements, please do not hesitate to contact us.

Regarding personal data that may be accessed as a result of the contracted services, we inform you:

The provision of services covered by the contract may involve physical access by the company's personnel to premises or facilities that may store personal data for which the client is the data controller. In this regard, the company has signed clauses with its personnel that prohibit access to all types of confidential information and, specifically, to personal data belonging to the client, unless the scope of the service includes the transfer, repair, destruction, and/or management of computer media that may contain personal data. In this case, Vico Black 98 SL would act as the data processor. In this case, the relevant contract would be established in accordance with current data protection regulations. This contract would include, among other aspects, the purpose, duration, nature, purpose, category of the data being processed, security measures, obligations and rights of the data processor, organizational and technical security measures to guarantee confidentiality during the process, as well as the agreements adopted between the client and the data processor regarding the transmission of security breaches and/or the exercise of rights. Failure by the client to formalize the personal data processing service in a contract presupposes that Vico Black 98 SL has no associated liability as the data processor.

However, in the event that Vico Black 98 SL becomes aware of any confidential information for the purpose of providing the service, it undertakes to maintain its confidentiality and not to disclose or publish it, either directly or through third parties or companies, or to make it available to third parties. This confidentiality obligation is of indefinite duration and continues to exist after the termination of the contract for any reason. Vico Black 98 SL undertakes to inform and enforce the confidentiality obligations established by its personnel and those employed by it.


ADDITIONAL INFORMATION ON SUPPLIER DATA PROCESSING:
For what purpose do we process the personal data you provide us?

· Internal use, Commercial and relational management, Carrying out operations and administrative, economic and accounting management derived from the relationship with the supplier/collaborator

· Internal use, execution of operations and administrative, economic and accounting management derived from the relationship with the transferor (commercial and/or contractual relationship)

· Management of the organization's contracting and provision of services, as well as compliance with contractual requirements

· Management of Responses to Queries, Complaints or Incidents, Requests for Information, Resources and/or Activities

Promotion and Dissemination of the Organization: The Preparation, Publication and Communication of Statistics, Activity Reports and Information associated with the communication and transparency of its Activity, as well as the Recording and Publication of Informative Material, Communication and Management of Campaigns, Activities, Events, Contests and/or Recording and Publication, in the organization's media (including website and social networks) and/or other public communication media, of videos, recordings and photos associated with the activities carried out by the organization that may incorporate people in the development of their functions "In order to provide stakeholders with information about the organization"

· Sending Newsletters, Activity Reports and Information associated with the Organization's Activity

· Quality management of processes and activities, as well as the evaluation of satisfaction/perception and performance results of the organization's stakeholders.

· Management of the Selection, Approval and Contracting of Suppliers/Collaborators and verification of regulatory compliance

· Health and safety management (occupational risk prevention and safety monitoring) and compliance assessment

· Management of the presentation of technical solvency in the presentation of offers and/or applications, management and justification of campaigns, activities, events, contests, projects and grants in which the organization participates

· Time and/or attendance control and monitoring of functional performance

· Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, including controls on access to facilities, information systems and printing of documentation for all personal data under the responsibility of the organization and therefore for all information systems of said entity, as well as controls relating to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or illicit behavior.

· Contact Management / Agenda

· Statistical, historical or scientific purposes

Access control and video surveillance of the facilities, as well as their security and regulatory compliance, ensuring the safety of people, property, and facilities, as well as the exercise of the employee oversight functions provided for in Article 20.3 of the Workers' Statute, the investigation of potential incidents or accidents, management of associated insurance, and management of warnings or sanctions for non-compliance with safety regulations.

· The management and auditing of quality, environmental management and/or occupational safety management of the organization's processes and facilities

Associated management, including prior notification, that may arise from the development of any structural modification of companies or the contribution or transfer of a business or branch of business activity, provided that the processing is necessary for the successful completion of the transaction and, where appropriate, guarantees the continuity of the provision of services.

· Inclusion in whistleblowing systems of data associated with reporting (even anonymously) the commission within the organization or the actions of third parties contracting with it of acts or conduct that may be contrary to the general or sectoral regulations applicable to it.

· Others: We reserve the right to conduct periodic audits at the facilities of suppliers and creditors.

How long do we retain your data?

The data provided will be retained as long as the lawful processing relationship is maintained, and the data subject does not request its deletion after the formal written termination of the relationship with the data subject, with the exception of its retention for the formulation, exercise, or defense of claims by the data controller or for the protection of the rights of another natural or legal person and/or for reasons of legal obligation.

· In any case, upon termination of the relationship, the data subject's data will be duly blocked, as provided for in current data protection regulations.

Accounting and Tax Documentation – For Tax purposes: Accounting books and other mandatory record books according to applicable tax regulations (personal income tax, VAT, corporate tax, etc.), as well as documentary evidence justifying the entries recorded in the books (including computer programs and files and any other supporting documentation of tax significance), must be kept for at least the period in which the Administration has the right to verify and investigate and, consequently, settle tax debts (Articles 66 to 70 of the General Tax Law). Statute of limitations for Tax Offenses associated with the verification of offset or pending offset bases or quotas, or deductions applied or pending application. Crimes against the Public Treasury and Social Security – Art. 66 bis of the General Tax Law and the Penal Code, respectively. – 4 years. Statute of limitations for infractions: 10 years.

Accounting and Tax Documentation – For Commercial purposes: Books, correspondence, documentation, and supporting documents pertaining to your business, duly organized as of the last entry made in the books, except as established by general or special provisions. This commercial obligation extends to mandatory books (income, expenses, capital assets, and provisions), as well as the documentation and supporting documents supporting the entries recorded in the books (invoices issued and received, receipts, corrective invoices, bank documents, etc.) (Art. 30 Commercial Code) – 6 years.

Occupational Risk Prevention Documentation – Documentation on information and training for workers. Records of occupational accidents or occupational diseases (Legislative Royal Decree 5/2000, of August 4, approving the revised text of the Law on Infractions and Sanctions in the Social Order) – 5 years.

· Images/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they must be kept to prove the commission of acts that threaten the integrity of persons, property or facilities (in which case, the images will be made available to the competent authority within a maximum period of 72 hours from when the existence of the recording became known), or are related to serious or very serious criminal or administrative offenses in matters of public security, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.

Data included in automated processing created to control access to buildings (Instruction 1/1996, of March 1, of the AEPD, on automated files established for the purpose of controlling access to buildings) – 30 days

· Data processed in connection with the legal guarantee will be retained for the duration of the legal guarantee and, once it expires, for the period in which a judicial or administrative claim may arise in connection with the legal guarantee.

Solvency Files: Data referring to certain, overdue, demandable and unclaimed debts (Art. 20 of LOPDGDD) – while the non-compliance persists, with a maximum limit of five years from the due date of the monetary, financial or credit obligation – 5 years

· The data processed for the purpose of sending commercial communications will be retained until you revoke your consent.

The data of the person who filed a complaint, employees, and third parties are kept in the reporting system to decide whether to initiate an investigation into the reported events, and subsequently as evidence of the functioning of the legal entity's criminal prevention model, in accordance with Article 24 of the LOPDGDD.

· Therefore, the data will be retained as long as the business relationship is in force, based on the retention periods established by the current regulations mentioned above, as well as the legally or contractually established periods for the exercise or prescription of any liability action for breach of contract by the interested party or the Organization (the reform of the Civil Code establishes a period of 5 years to be able to carry out an action for civil liability, a period that is calculated from the date on which compliance with the obligation can be demanded).

What is the legitimacy for processing your data?

· Execution of a contract: Fulfillment of the offer, order and/or commercial contract.

· Comply with a legal obligation: Regulations with the rank of administrative, commercial, tax, fiscal, accounting and financial law, occupational risk prevention, social security, and applicable sector regulations.

Satisfy a legitimate interest of the Controller: Data processing as part of a business relationship and/or contract, which is necessary for its maintenance or fulfillment, data transmissions within business groups for internal administrative purposes, fraud prevention, as well as cases of legitimate interest in which the controller could be an injured party and the processing and communication of the data of the non-compliant party to third parties is necessary in order to manage regulatory compliance and defend the interests of the data controller, video surveillance purposes as a legitimate interest of the organization in the protection of its assets, as well as cases of legitimate interest of specific processing contemplated in the LOPDGDD: Article 19. Processing of contact data and of individual entrepreneurs; Article 20. Credit information systems; Article 21. Processing related to the performance of certain commercial operations (corporate restructuring or business transfers) Article 22. Processing for video surveillance purposes; Article 24 Internal whistleblowing information systems).

The consent of the interested party, which they have unequivocally provided to us through formal means and/or by checking the boxes provided for this purpose in the data protection clauses included in the basic document governing the business relationship, depending on the contact channel.

To which recipients can your data be communicated?

Organizations or individuals directly contracted by the Data Controller to provide services related to the processing purposes: Hotels, Legal Consultants, Management and/or Regulatory Compliance Auditors, Prevention Services, third parties to whom data on subcontractor employees is provided for access to their facilities.

· Public Administration bodies or agencies with jurisdiction over the matters covered by the processing purposes: AEAT

· Financial Institutions: Transfer and/or management of payment instruments.

· Trade unions, Staff Boards/Works Committees: Employee Representatives: Contracts or subcontractors established (including self-employed workers) (Art. 35.2 CC and Art. 42 ET): CIF/NIF, company name, registered office, purpose of the contract, employer's Social Security registration number, place of execution of the contract, coordination of activities from the perspective of occupational risks, estimated duration of the contract (start and end dates). Number of workers to be employed by the contract or subcontractor at the main company's workplace.

· Compliance Reporting Channel (Reports regarding violations of data protection regulations are transmitted to the "Chief Privacy Officer" located at the parent company), due to legitimate interest: Access to the data contained in these systems will be limited exclusively to those, whether or not incorporated within the entity, who perform internal control and compliance functions, or to the data processors eventually designated for this purpose. However, access by other persons, or even communication to third parties, will be lawful when necessary for the adoption of disciplinary measures or for the processing of legal proceedings, where appropriate.

· Risk Prevention Delegates are empowered to access information and documentation relating to working conditions that are necessary for the performance of their duties, and in particular, that provided for in Articles 18, 23, and 36 of the LPRL. Risk Prevention Delegates shall be subject to the provisions of Section 2 of Article 65 of the Workers' Statute regarding the professional confidentiality required with respect to information to which they have access as a result of their work in the company. (Article 37.3 LPRL).

Occupational Risk Prevention Services: The processing by occupational risk prevention services of medical records resulting from medical examinations performed on workers must be limited to the provisions of Article 22.4 of the LPRL. In this regard, access to medical information obtained under the provisions of the LPRL by the employer or any third party, including persons or bodies with responsibilities in prevention matters, other than "medical personnel and health authorities that carry out surveillance of workers' health," is prohibited, with the sole exception of the conclusions derived from such monitoring regarding the workers' fitness to perform their jobs.

Under what guarantees is your data communicated?

Data is disclosed to third parties through entities that demonstrate the availability of a Personal Data Protection System in accordance with current legislation. How did we obtain your data?

· The interested party or his legal representative

Vico Black 98 SL, as well as the entity with which the data controller maintains a contractual or service provision relationship and for which it must have personal data of contact persons for administrative and operational management in order to manage their access, incorporation into the project/service object and/or verification of regulatory compliance under the responsibility of the organization (e.g., data relating to workers who will carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks).

What category of data do we process?

Business data, contact details for administrative and operational management associated with the execution of the contract/project, and workers who will perform the contracted work in terms of coordination of business activities associated with occupational risk prevention; As a result of the provision of CVs of the supplier's personnel involved in the provision of the service/work, in order to demonstrate technical solvency in bids; In the case of workers who will perform the contracted work in terms of coordination of business activities associated with occupational risk prevention (Data that may arise from possible incidents or work-related accidents involving subcontractor workers would be included in the "Occupational Risk Prevention" processing); Licenses or approvals, in the case of workers who will perform the contracted work in terms of coordination of business activities associated with occupational risk prevention; Professional and employment details as a result of the provision of CVs of the supplier's personnel involved in the provision of the service/work, in order to demonstrate technical solvency in bids; Commercial information and approval data; Economic, financial, and/or payment terms data; Goods and services supplied by the affected party; Financial transactions; Other data: Name, surname, and tax identification number of the legal representative; contact information for individuals within the organization involved in or related to the project covered by the contract/order.

The data structure we process does not contain data relating to criminal convictions and offenses, nor sensitive data, except in cases where the data subject has special conditions and must provide documentation incorporating such information so that compliance with said condition can be accredited or justified.

How is your personal data stored securely?

Vico Black 98 SL takes all necessary measures to keep your personal data private and secure. Only authorized individuals, authorized personnel of Third Parties, or authorized personnel of our companies (who have a legal and contractual obligation to keep all information secure) have access to your personal data. All personnel with access to your personal data are required to agree to comply with the Privacy Policy and data protection regulations, and all employees of Third Parties who have access to your personal data are required to sign confidentiality agreements in accordance with current legislation. Furthermore, we contractually ensure that third-party companies that have access to your personal data keep them secure. We ensure that your personal data is protected by maintaining a secure IT environment and adopting the necessary measures to prevent unauthorized access. The Group companies have formalized agreements to ensure that we process your personal data correctly and in accordance with data protection law. These agreements reflect the respective roles and responsibilities with respect to you and address which entity is best positioned to meet your needs. These agreements between group companies do not affect your rights under data protection law. For more information about these agreements, please do not hesitate to contact us.

CONFIDENTIALITY AND INFORMATION TO THIRD PARTIES FROM WHOM YOU PROVIDE US WITH DATA

In compliance with the provisions of personal data protection regulations, we process the information you provide us with (as well as the personal data of contact persons for administrative and operational management in order to manage their access, incorporation into the project/service that is the object of the contracted service and/or verification of regulatory compliance under the responsibility of the organization, personal data of the legal representatives of the entity and/or the persons involved in the project (curriculum vitae) and/or personal references from previous jobs in order to prove technical solvency and, where applicable, personal data relating to workers who will carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks) in accordance with the provisions of the clause and additional information on data protection.

By accepting and/or validating the process that serves as the basis for formalizing your relationship with Vico Black 98 SL, you expressly consent to the processing of your data in accordance with the provisions of the clause and additional information on data protection, as well as to inform and obtain the consent of third parties whose personal data you provide us with for said processing. Furthermore, and to the extent that, as a result of your relationship, you may have access to personal data and/or confidential information, you undertake to maintain absolute confidentiality and discretion regarding the information obtained about the activities, interested parties and entities related to Vico Black 98 SL or the companies of its group, especially with regard to Personal Data, even after the end of your relationship with the organization.

In accordance with the above, you undertake to inform, on behalf of and in an express, precise and unequivocal manner, the data owners whose information you provide to the company - within one month of the time of communication of the data to Vico Black 98 SL - of the following aspects: "Your personal data will be communicated to the Data Controller VICO BLACK 98 SL - protecciondatos@grupoq.net. Said communication of data and its processing is carried out in compliance with current legislation on contracts, labor, occupational risk prevention and social security, for the purposes of informing, verifying and controlling compliance with the applicable legislation in relation to the personnel designated by the supplier/collaborator for the execution of the contracted service and the maintenance of historical commercial relations. Said processing is mandatory in accordance with current legislation. The refusal to provide the data may entail the termination of the contract. Likewise, the interested party is informed that, in accordance with current legislation, they must communicate the information and data contained in the contracting process to organizations and third parties to whom, pursuant to current regulations, they are required to communicate the data. Rights: The interested party may access, rectify, and delete the data, as well as limit, withdraw, or object to processing in accordance with the procedures established in our privacy policy. If they consider that the exercise of their rights has not been fully satisfactory, they may file a complaint with the national supervisory authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid. Origin: The data we process comes from the entity with which the data controller maintains a contractual or service provision relationship. For this purpose, the data controller must have personal data of contact persons for administrative and operational management purposes, in order to manage their access, incorporation into the project/service in question, and/or verify regulatory compliance under the organization's responsibility (e.g., data relating to employees who will perform contracted work in terms of coordinating business activities and preventing occupational hazards). The data structure we process does not contain sensitive data, except in cases where the data subject is a beneficiary of special conditions and must provide records that allow for accreditation or justification of compliance with said condition. You can consult our Privacy Policy on the corporate website.

ADDITIONAL INFORMATION ON VIDEO SURVEILLANCE DATA PROCESSING AND ACCESS LOG:

For what purpose do we process the personal data you provide us?

Access/Visit Control and Video Surveillance of the Facilities, as well as their security and regulatory compliance, preserving the safety of people, property, and facilities, as well as exercising the employee oversight functions provided for in Article 20.3 of the Workers' Statute, investigating potential incidents or accidents, managing associated insurance, and issuing warnings or sanctions for non-compliance with safety regulations, through the video surveillance system.

· Verify that workers comply with their work obligations and duties in accordance with Article 20.3 of the Workers' Statute, which authorizes the employer to adopt surveillance and control measures for this purpose (controls relating to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes, or illegal behavior).

· Health and safety management (occupational risk prevention and safety monitoring) and compliance assessment

· Time and/or attendance control and monitoring of functional performance

· Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, including controls on access to facilities, information systems and printing of documentation for all personal data under the responsibility of the organization and therefore for all information systems of said entity, as well as controls relating to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or illicit behavior.

· Access/Visit Logging and Video Surveillance of Facilities, as well as their security and regulatory compliance, investigation of potential incidents or accidents, management of associated insurance, and management of warnings or sanctions for non-compliance with safety regulations.

· Others (specify): the investigation of possible incidents or accidents at work, management of associated insurance, as well as for the investigation of incidents and confirmation of compliance with the security and personal data protection regulations established in the data protection systems and management systems implemented for all personal data under the responsibility of the organization and therefore for all information systems of said entity, as well as controls related to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or illegal behavior.

· Temporary body temperature monitoring to allow access to the facility for the following purposes (to detect potentially infected individuals and prevent their access to a specific location and contact with other people within it):

· Protect the health and lives of the people working at this workplace.

· Contribute to containing the pandemic.

· Comply with occupational risk prevention regulations.

· Verify that workers comply with the obligation to come to work without fever.

· Inclusion in whistleblowing systems of data associated with reporting (even anonymously) the commission within the organization or the actions of third parties contracting with it of acts or conduct that may be contrary to the general or sectoral regulations applicable to it.

How long do we retain the data provided?

· Images/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they must be kept to prove the commission of acts that threaten the integrity of persons, property or facilities (in which case, the images will be made available to the competent authority within a maximum period of 72 hours from when the existence of the recording became known), or are related to serious or very serious criminal or administrative offenses in matters of public security, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.

· Data included in automated files created to control access to buildings (Instruction 1/1996, of March 1, of the AEPD, on automated files established for the purpose of controlling access to buildings) – 30 days

The data of the person who filed a complaint, employees, and third parties are kept in the reporting system to decide whether to initiate an investigation into the reported events, and subsequently as evidence of the functioning of the legal entity's criminal prevention model, in accordance with Article 24 of the LOPDGDD.

The entity has established a retention period for temperature control data as necessary to address potential legal actions arising from the decision to deny access.

What is the legitimacy for processing your data?

The legal basis for processing your data is to satisfy a legitimate interest of the Controller:

Security and legitimate interest cases in which the controller could be a damaged party and it is necessary to process and communicate the data of the non-compliant party to third parties in order to manage regulatory compliance and defend the interests of the data controller, as well as legitimate interest cases for specific processing contemplated in the LOPDGDD: Article 19. Processing of contact data and data of individual entrepreneurs; Article 22. Processing for video surveillance purposes; Article 24. Internal reporting systems.

· Art. 20.3 and 4 Royal Legislative Decree 1/1995, of March 24, approving the revised text of the Workers' Statute Law (ET): The employer may adopt the measures it deems most appropriate for surveillance and control to verify compliance by the worker with his or her labor obligations and duties, maintaining in their adoption and application the due consideration for his or her human dignity and taking into account the real capacity of disabled workers, where applicable.

The employer may verify the employee's alleged illness or accident to justify his or her absence from work by means of an examination by medical personnel. The employee's refusal to submit to such examinations may result in the suspension of any economic rights the employer may owe to the employee due to such situations.

( ) Constitutional Court Judgment 39/2016, of March 3 (LA LEY. 218/2016), arguing that this power of control is legitimized by art. 20.3 of the ET, which expressly empowers the employer to adopt surveillance and control measures to verify workers' compliance with their labor obligations. This general power of control provided for in the law legitimizes the company's control of workers' compliance with their professional tasks, and the workers' consent for such purposes is implicit in the conclusion of the employment contract. The legitimacy of this purpose is fulfilled by the existence of several distinctive signs displayed by the organization in the facilities that announce the presence of cameras and image capture, and with explicit information, preferably in writing, consisting of the fact that they will be recorded, with the sole objective of monitoring compliance with labor obligations and that they may be sanctioned according to the recorded images in the event of verified non-compliance. In the same sense, STS 77/2017 of January 31, 2017.

AEPD Guide on Video Surveillance: Article 20.3 of the Workers' Statute empowers employers to adopt the surveillance and control measures they deem most appropriate to verify employee compliance with their work obligations and duties, taking into account the employee's human dignity and the actual capacity of disabled workers, where applicable. These measures may include the capture and/or processing of images without consent. However, such practices are fully subject to the LOPD (Spanish Data Protection Act) and Instruction 1/2006 and must comply with specific requirements.

· The legal basis for processing associated with temperature control is compliance with the legal obligation to guarantee the safety and health of workers. This legal basis is specified in this case in the following regulations:

· Workers' Statute.

· Law 21/1995 on the Prevention of Occupational Risks.

Royal Decree 664/1997 on the protection of workers against risks related to exposure to biological agents at work

· Procedure for action by occupational risk prevention services against exposure to SARS-CoV-2

· Good practice guidelines for the industrial sector in relation to Covid-19 (National Institute for Occupational Safety and Health).

· Guidelines adopted by the entity's OSH service through legal authorization and delegation of preventive functions.

To which recipients can your data be communicated?

· Organizations or persons directly contracted by the Data Controller for the provision of services related to the processing purposes (specify): Contracted security company

· Insurance Companies (specify): In the event of a loss, incident, or accident, data is provided to insurance companies for investigation into the event in order to determine the scope and coverage of the insurance premium contracted by the data controller.

· Law Enforcement Agencies (specify): To the extent that a justified right of access is required in the investigation of a regulatory breach.

· The owner of the establishment, due to a legitimate interest in protecting the assets under his ownership

· Judges and Courts, as well as Law Enforcement Agencies: To the extent that a justified right of access is required in the investigation of a regulatory breach.

· If temperatures exceed the health threshold, the person will not be allowed access and will be referred to primary care services (in the case of outpatients) or the health surveillance service (in the case of inpatients) to receive diagnostic tests and other communications established in accordance with the pandemic control protocol.

· Compliance Reporting Channel (Reports regarding violations of data protection regulations are transmitted to the "Chief Privacy Officer" located at the parent company), due to legitimate interest: Access to the data contained in these systems will be limited exclusively to those, whether or not incorporated within the entity, who perform internal control and compliance functions, or to the data processors eventually designated for this purpose. However, access by other persons, or even communication to third parties, will be lawful when necessary for the adoption of disciplinary measures or for the processing of legal proceedings, where appropriate.

Under what guarantees is your data communicated?

Data is communicated to third parties through entities that demonstrate the availability of a Personal Data Protection System in accordance with current legislation.

What avenues for complaint exist?

If you consider that the exercise of your rights has not been entirely satisfactory, you may file a complaint with the national supervisory authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.

What category of data do we process?

Image and identification and professional data, as well as reasons for your visit and/or person to be visited, time of entry and exit from the facility

Likewise, temperature control data may be available to the extent that temporary temperature checks are carried out for access to facilities for the purpose of pandemic control and prevention, in accordance with the COVID Data Processing Protocol that may be established to ensure the occupational safety of the organization's employees.

How is your personal data stored securely?

All necessary measures are taken to keep your personal data private and secure. The provisions of Law 5/2014 of April 4, on Private Security, and its implementing provisions, will be observed in all cases. In this regard, the following security measures are established and communicated to you:

· DUTY TO INFORM: Information about the existence of cameras and image recordings is provided, in order to comply with the duty to inform provided for in Article 12 of the GDPR. This information is provided in a sufficiently visible location, identifying the existence of processing, the identity of the data controller, and the possibility of exercising the rights provided for in Articles 15 to 22 of the GDPR. The information may also include a connection code or internet address for this information. In any case, the information referred to in the aforementioned regulation in this Privacy Policy is available to those affected, referenced in the aforementioned information. In the event that the flagrant commission of an illegal act has been captured, the duty to inform will be deemed fulfilled when at least the video surveillance information device exists.

· CAMERA LOCATION: Images of public spaces will only be captured to the extent necessary for safety purposes. Under no circumstances will sound recording or video surveillance systems be installed in areas intended for the rest or recreation of workers or public employees, such as changing rooms, restrooms, cafeterias, and similar facilities.

· SOUND CAPTURE: Sound recording will only be carried out when the risks to the safety of facilities, property, and people arising from the activity carried out in the workplace are relevant, always respecting the principles of proportionality, minimum intervention, and guarantees.

· MONITOR LOCATION: The monitors that display camera images are located in a restricted access area so that they are not accessible to unauthorized third parties.

· PRESERVATION: Images/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they must be kept to prove the commission of acts that threaten the integrity of persons, property or facilities (in which case, the images will be made available to the competent authority within a maximum period of 72 hours from when the existence of the recording became known), or are related to serious or very serious criminal or administrative offenses in matters of public security, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.

· WORKPLACE CONTROL: The processing is carried out for the exercise of the worker control functions provided for in Article 20.3 of the Workers' Statute, within its legal framework and with the inherent limits thereof. To the extent that the cameras may be used for the purpose of labor control as provided for in Article 20.3 of the Workers' Statute, workers and their representatives are informed about the present control measures established by the employer, with express indication of the labor control purpose of the images captured by the cameras, in accordance with the provisions of the inclusion notification clause and in this privacy policy.

· RIGHT OF ACCESS TO IMAGES: To comply with the interested party's right of access, a recent photograph and the interested party's National Identity Document will be requested, as well as details of the date and time to which the right of access refers. The interested party will not be provided with direct access to images from cameras that display images of third parties. To avoid affecting the rights of third parties, in the event of an access request, we will issue a certificate specifying, as precisely as possible and without affecting the rights of third parties, the data that has been processed. E.g., "Your image was recorded in our systems on the ___ day of the month of the year between _ hours and _ hours. Specifically, the system records your entry into and exit from the facility."

Vico Black 98 SL has entered into agreements to ensure that we process your personal data correctly and in accordance with current data protection regulations. These agreements reflect our respective roles and responsibilities with respect to you and address which entity is best positioned to meet your needs. These agreements do not affect your rights under data protection law. For further information about these agreements, please do not hesitate to contact us.

The Data Controller takes all necessary measures to keep your personal data private and secure. Only authorized individuals, authorized third-party personnel directly contracted by the Data Controller to provide services related to the processing purposes, or authorized personnel of companies operating under the Vico Black 98 SL brand name (which have a legal and contractual obligation to keep all information secure) have access to your personal data. All VICO BLACK 98 SL personnel with access to your personal data are required to agree to comply with the Data Controller's Privacy Policy and data protection regulations, and all employees of third parties with access to your personal data are required to sign confidentiality agreements in accordance with current legislation. Furthermore, third-party companies with access to your personal data are contractually required to keep them secure. To ensure that your personal data is protected, we maintain an IT security environment and adopt the necessary measures to prevent unauthorized access.

CHANGES IN PRIVACY POLICY

Vico Black 98 SL reserves the right to make any modifications, changes, deletions, or cancellations to the content and presentation it deems appropriate at any time. We therefore recommend that you consult our privacy policy whenever appropriate. If you do not agree with any of the changes, you may exercise your rights in accordance with the procedure described above by sending an email to protecciondatos@grupoq.net.

In compliance with personal data protection regulations, we process the information you provide us (as well as the personal data of other people you may provide us) for the purposes specified in this privacy policy. In this regard, you declare that you have been informed, consent, and have informed and obtained the consent of any third parties whose personal data you provide us for such processing.

By accessing facilities subject to video surveillance, you expressly consent to the processing of your data in accordance with the provisions of the clause and additional information on data protection, as well as to informing and obtaining the consent of third parties whose personal data you provide us with for the processing of access logs.

Likewise, by accepting and/or validating this process, you declare that you are over 14 years of age and have legal capacity** and expressly consent to the processing of your data in accordance with the provisions of the clause and additional information on data protection. If you have checked the corresponding consent box, the legal basis for these purposes is your consent, which you may withdraw at any time.

(**)In cases where you represent a minor under 14 years of age or a person with legal incapacity, you responsibly declare that you have parental authority or guardianship of the minor or the corresponding legal representation, whose justification may be required by the Data Controller in order to legitimize the accepted consent.