Processing of customer data
Informative clause:
Data of the data controller:
Identity: Gare de Madrid
Email: reservas@garedemadrid.es
At Gare de Madrid, we process the information you provide to provide the requested service and process reservations. The data provided will be retained for the duration of the business relationship and for the time necessary to comply with legal obligations and address any potential liabilities that may arise from the fulfillment of the purpose for which the data was collected. The data will not be transferred to third parties except in cases where a legal obligation exists. You have the right to obtain information about whether Gare de Madrid is processing your personal data. You may exercise your rights of access, rectification, erasure, objection, and restriction of processing by contacting Gare de Madrid at the email address reservas@garedemadrid.es.
Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a complaint with the national supervisory authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.
Activity and treatment record
ANNEX
Treatment: Customers
a) Data controller Identity:Madrid Station,Email: reservas@garedemadrid.es.
b) Purpose of the treatment:
Management of customer reservations and accommodation inquiries, including the legal requirement to maintain a traveler registration file.
c) Legitimation of the treatment:
GDPR6.1
a) the interested party gave his or her consent to the processing of his or her personal data
b) the processing is necessary for the performance of a contract to which the data subject is party
c) the processing is necessary for compliance with a legal obligation applicable to the data controller
d) Categories of interested parties Clients:
People with whom a business relationship is maintained as clients/guests
e) Data categories:Necessary for maintaining the business relationship and legal compliance. Accommodation reservations and rental contracts.Identification: name and surname, NIF/CIF/Passport, nationality, sex, postal address, telephone numbers, email.
f) Categories of recipients:
State Tax Administration Agency,Security Forces and Corps
g) International transfers:
No international transfers are planned.
h) Deletion period:The time required for the purpose for which they were collected, as well as the statute of limitations for liability and legal provisions regarding public safety.
i) Security measures:
Technical and organizational measures are adopted toensure the security of information systems and treatments.
INFORMATION ON THE ATTENTION OF THE EXERCISE OF RIGHTS
The data controller shall inform the data processing personnel about the procedure for addressing the rights of data subjects, clearly defining the mechanisms by which these rights may be exercised (electronic means, postal address, etc.) and taking into account the following:
- Upon presentation of their national identity card or passport, data subjects may exercise their rights of access, rectification, erasure, objection, and restriction of processing. The exercise of these rights is free of charge.
- The data controller must respond to data subjects without undue delay and in a concise, transparent, intelligible manner, using clear and simple language. The controller must retain proof of compliance with the obligation to respond to requests for the exercise of rights.
- If the application is submitted electronically, the information will be provided by these means whenever possible, unless the interested party requests otherwise.
- Applications must be responded to within one month of receipt. The deadline may be extended for another two months depending on the complexity or number of applications. In this case, the interested party must be informed of the extension within one month of receipt, stating the reasons for the delay.
RIGHT OF ACCESS:
Under the right of access, data subjects will be provided with a copy of the personal data held, along with the purpose for which it was collected, the identity of the data recipients, the expected retention periods or the criteria used to determine it, the existence of the right to request rectification or deletion of personal data, as well as the restriction or objection to its processing, the right to file a complaint with the Spanish Data Protection Agency, and, if the data has not been obtained from the data subject, any available information about its source. The right to obtain a copy of the data may not adversely affect the rights and freedoms of other data subjects.
RIGHT OF RECTIFICATION:
Under the right to rectification, data subjects' data that are inaccurate or incomplete will be amended, taking into account the purposes of the processing. The data subject must indicate in the request which data it refers to and the correction to be made, providing, where necessary, supporting documentation for the inaccuracy or incompleteness of the data being processed. If the data controller has communicated the data to other controllers, the controller must notify them of the rectification unless it is impossible or requires a disproportionate effort, providing the data subject with information about these recipients, if requested.
RIGHT OF ERASURE:
Under the right to erasure, data subjects' data will be deleted when they state their objection to processing and there is no legal basis to do so, the data is no longer necessary in relation to the purposes for which it was collected, they withdraw their consent and there is no other legal basis legitimizing the processing, or the processing is unlawful. If the erasure results from the exercise of the data subject's right to object to the processing of their data for marketing purposes, the data subject's identifying data may be retained to prevent future processing. If the data controller has communicated the data to other controllers, they must notify them of the erasure unless this is impossible or would require a disproportionate effort, providing the data subject with information about these recipients upon request.
RIGHT OF OPPOSITION:
Under the right to object, when data subjects express their objection to the processing of their personal data to the controller, the controller will cease processing them unless there is a legal obligation to do so. When processing is based on a mission of public interest or the legitimate interest of the controller, upon a request to exercise the right to object, the controller will cease processing the data unless compelling reasons prevail over the interests, rights, and freedoms of the data subject, or if necessary for the establishment, exercise, or defense of legal claims. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
RIGHT TO LIMIT PROCESSING:
Under the right to restriction of processing, data subjects may request the suspension of the processing of their data to contest its accuracy while the controller conducts the necessary verifications, or if the processing is based on the controller's legitimate interest or in compliance with a mission of public interest, while it is verified whether these reasons prevail over the interests, rights, and freedoms of the data subject. The data subject may also request the retention of the data if they consider the processing to be unlawful and, instead of deletion, request the restriction of processing, or if, even if the controller no longer needs the data for the purposes for which it was collected, the data subject requires it for the establishment, exercise, or defense of legal claims. The fact that the processing of the data subject's data is restricted must be clearly stated in the controller's systems. If the data has been communicated by the controller to other controllers, they must notify them of the restriction of their processing, unless it is impossible or would require a disproportionate effort, providing the data subject with information about these recipients upon request.
If the interested party's request is not complied with, the data controller will inform the interested party, without due delay and no later than one month after receiving it, of the reasons for its failure to act and of the possibility of filing a complaint with the Spanish Data Protection Agency and taking legal action.