Privacy and Security Policy - Confidentiality, Security and Protection of Personal Data
1. IDENTITY OF THE DATA CONTROLLER
- Company: RASO - Viagens e Turismo S.A. (hereinafter "RASO")
- Registered Office: Centro Cultural de Belém, Rua Bartolomeu Dias, 1400 - 026 Lisboa
- Juristic Person ID Number: 500886113
- Telephone: +351 211 572 000
- Email: email@example.com
2. INFORMATION AND CONSENT
The Personal Data Protection Law (Law no. 67/98, of 26 October, hereinafter referred to as the "LPDP") and the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter referred to as the "GDPR") ensure the protection of natural persons in relation to the processing of personal data and the free movement of that data. "Personal data" is any information, of any type and on any support, including sound and image, regarding a natural person who is identified or identifiable. The protection of natural persons therefore does not extend to legal persons. An identifiable person is a person who can be identified directly or indirectly, e.g. by reference to an identification number, or to one or more specific aspects of his/her physical, physiological, mental, economic, cultural or social identity (for example his/her name associated with his/her telephone number or email address).
RASO keeps a database with the record of its clients. The data stored on this database is limited to the data provided by the data subjects when they register and is collected and processed automatically, by RASO Viagens e Turismo S.A., the entity that is responsible for the corresponding file, in a manner approved by the National Data Protection Commission.
The making of reservations via our website involves the entering by users of personal identification data such as aspects relating to their personal preferences, special circumstances that affect them and other data regarding debit and credit cards, which will be used to facilitate and enable the purchase and reservation of specific services that meet the client's requirements, as well as to provide information regarding the products and services of RASO.
In no circumstances will information be requested regarding philosophical or political beliefs, membership of political parties or trade unions, religious beliefs, private life or racial or ethnic origin or with regard to health and sex life, including genetic data.
When personal data is collected via the "Newsletter" form, or via other forms related to the activity of the website, it will be necessary for users to complete at least the fields marked with an asterisk, for, if this necessary data is not provided, RASO will be unable to accept or manage the web service or the consultation requested by the user. In no circumstances will we effect any of the following activities in relation to the personal data provided to us via this site:
- Communication of personal data to other persons, or other bodies, without your prior consent;
- Transfer of personal data to other States, without your prior consent.
3. PURPOSE OF THE PROCESSING OF PERSONAL DATA
The personal data that we process via this page will only be used for the following purposes:
(i) Purposes linked to the business of a wholesale and retail travel agency;
(ii) The provision of data to those involved in the services requested by the user, in order to implement the reservation/service purchased by the User;
(iii) Management, administration, supply, expansion and improvement of the services subscribed or registered for by the user, or the use and adaptation of these services to users' preferences and tastes, as well as for shopping cart recovery actions;
(iv) Checking of credit cards and other types of cards, indicated by the User, which are used to make payments;
(v) Study of the use of the services by users;
(vi) Checking, maintenance and development of systems and statistical analyses;
(vii) Advertising, promotion and commercial prospecting, where duly authorized and consented to by the User;
(viii) Sending of questionnaires, to which the user is not required to respond;
(ix) Sending of SMS messages for direct selling, advertising or other purposes related to the service purchased, where duly authorized and consented to by the User.
The user may permit RASO to process his/her Personal Data in order to establish his/her profile and offer products and services. These services can be provided either by RASO, or third parties.
Furthermore, the user consents to the accessing of information regarding the service purchased from RASO, in order to enable it to offer other services to the user.
When the Personal Data is collected, the user may, with the exception of the fields the completion of which is obligatory, provide the Personal Data on a voluntary basis. Absence of a reply will not (in the absence of other indication) affect the quality or quantity of the corresponding services. Nevertheless, failure to provide data that is considered to be obligatory will involve an inability to access the service for which the data was requested.
4. TRANSFER OF PERSONAL DATA
RASO may only reveal users' information to third parties in order to complete the reservation requested and for administrative reasons, in accordance with the legislation in force applicable to travel to / services for certain countries.
All data collected in this way on the website will be transmitted to the entities involved in order to purchase the services required to the extent absolutely necessary for the reservation / service and compliance with the legislation of destination countries.
Furthermore, the user will expressly consent to the possible transfer of the Personal Data to:
(i) Proper national and international authorities responsible for tourism, terrorism or crimes against human rights;
(ii) Any legal person that is a subsidiary or affiliate of RASO, or of the company that has provided the service purchased (hotels, water, land, rail or air transport companies, rental companies, etc.), to be used in order to ensure a proper provision of each service requested by the user.
The user warrants that the information provided is true, accurate, complete and up-to-date, and is responsible for all direct or indirect loss or damage, which may be caused as a result of breach of the said obligation. Where the data provided belongs to a third party, the user warrants that he/she has informed the third party of the aspects referred to in this document and has obtained the third party's permission to provide their data to RASO for the purposes indicated.
5. APPROPRIATE SECURITY MEASURES IN THE PROCESSING OF PERSONAL DATA
RASO, Viagens e Turismo S.A. declares and warrants that it has implemented and will continue to implement the technical and organisational security measures necessary to ensure the security of personal data that is provided to it, in order to prevent the alteration, loss, processing and/or unauthorized accessing thereof, taking into account the current state of the technology, the nature of the data stored and the risks to which it is exposed.
The Personal Data obtained via registration on the websites are incorporated in a computer application, which belongs to RASO. The accessing, by employees of RASO, of the information stored is only possible via the insertion of access codes, which access is registered and documented. The data stored in the files can be altered and a record is kept of the date and the code of the user responsible for the alteration.
The Personal Data is processed with the level of protection required by law in order to ensure the security thereof and to prevent the alteration, loss, processing or unauthorized accessing thereof, taking into account the state of the technology, and the user is aware and accepts that Internet security measures are not impregnable.
RASO has peripheral control infrastructures, i.e. network firewalls, private circuits and VPNs that comply with the security requirements. The servers are housed with a data centre operator, which provides a digital information security service for servers so housed. The service includes file backup, storage thereof in accordance with the policy agreed and restoration thereof at the request of RASO.
RASO uses SSL - Secure Sockets Layer technology to secure users' communications, which ensures the security of all credit card transactions. This technology encodes the credit card data and transfers it via the Internet, in individual modules, which are subsequently recombined. Credit card data is used solely in order to make the payment and is deleted from our records once the transaction has been effected.
Because of security issues in relation to certain countries, the inclusion of data such as name, passport number, sex, age and nationality in reservations is compulsory. This information, which is included in the reservation, may be consulted by the customs authorities of the countries of origin or destination, in accordance with the applicable legislation.
When RASO accesses any personal data, it undertakes:
- To store personal data using the technical and organisational security measures required by law, which ensure the security of the data, in order to prevent the alteration, loss, processing or unauthorized accessing thereof, in accordance with the state of the technology from time to time, the nature of the data and the possible risks to which it is exposed;
- To use the data solely for the purposes previously defined;
- To ensure that the data is processed solely by employees, whose intervention is necessary for the provision of the service and who are subject to a duty of secrecy and confidentiality. Where there is a possibility that the information may be revealed to third parties, they shall be required to comply with due confidentiality in accordance with the provisions of this document.
6. COMMERCIAL AND PROMOTIONAL COMMUNICATIONS
One of the reasons why we process personal data provided by users is in order to send electronic communications containing commercial and promotional information.
Communications of this type will only be sent to those users who have previously and expressly consented to this.
Where a user no longer wishes to receive commercial or promotional communications from RASO, he/she may object to the service, in accordance with the provisions of Decree-Law 7/2004, of 7 January, by sending an e-mail to the following address: firstname.lastname@example.org or via the link provided for that purpose in the corresponding communications.
7. EXERCISE OF RIGHTS
According to the provisions of the LPDP and the GDPR, users may exercise their right to access, correct, delete and object, by making the corresponding request in writing in either of the following ways, including, in all cases, a copy of a document proving the user's identity and specifying the right or rights that he/she wishes to exercise:
- Postal address: Centro Cultural de Belém, Rua Bartolomeu Dias, 1400 - 026 Lisboa
- Email: email@example.com
Furthermore, and even if a user is registered on the site, he/she may decide not to receive our information, i.e. the newsletter, or other types of information, by selecting the appropriate option on the "personal data" page.