COMPLETE PRIVACY NOTICE
Official website of Park Royal Hotels & Resorts in America
1. NAME AND ADDRESS OF DATA CONTROLLER
This privacy notice governs the handling of personal data on the part of SERVCIOS PROFESIONALES DE HOTELERIA COCASA, S.A. DE C.V.; referred to hereinafter as “GPRCO”, whose address for notices is Carretera a Chankanaab Km. 3.5, Colonia Zona Hotelera Sur, C.P. 77600, Cozumel, Quintana Roo, as Data Controller, who will handle the personal data that concern you as owner of your personal data, in order to protect your right to control access to them, as established in the Federal Protection of Personal Data in the Possession of Individuals Act (the “LFPDPPP”, initials in Spanish), its Regulations and the Privacy Notice Guidelines issued by the Department of the Economy (the “Legislation”).
The terms “Personal Data”, “Sensitive Personal Data”, “Days”, “Handling”, “Owner of Data”, “Data Controller”, “Transfer”, “ARCO Rights” – “Right of Access”, “Right of Rectification”, “Right of Cancellation”, “Right of Opposition”; “Cookies”, and all other terms used herein shall be as defined in the Legislation.
3. PERSONAL DATA THAT WE COMPILE AND HANDLE
“GPRCO” compiles and processes the following types of personal data:
a) Identity data
Name, surname, signature and identity card bearing a photograph.
b) General data
Full address (home address or work address), personal or work e-mail address; private or work telephone number; cellphone number, Nextel ID (if any) and fax number.
Date of birth; age, marital status, nationality and other similar information.
c) Tax data
Tax number, tax address and taxation system (if applicable).
d) Data concerning bank accounts, credit and/or debit cards.
Name of account holder, account number and bank, inter-bank transfer code (if any), card number, expiry date, type of card and security code.
e) Sensitive personal data
“GPRCO” does not compile or handle your personal sensitive data.
f) Personal data received from a public source by agreed transfer
Data compiled from public records, directories, social networks and other lawful sources available on the market, and personal data that we have received from third parties that you have already authorized.
g) Personal data of third parties
Identity data and contact details, such as name, position and organization, fixed work number and cellphone number and e-mail address, to ask for your business references, including details of your payment record and behavior.
Data originating from automatic data collection tools and public sources
h) Personal data compiled by automatic data collection tools on the websites of “GPRCO”
Data on the type of browser you use, the language you use, the user name you use to sign into to our websites, passwords to access the PARK ROYAL HOTELS & RESORT website, access time, IP address, type of browser and operating system of the computer or device you use to access the website of PARK ROYAL HOTELS & RESORT, interaction with our e-mails and our website.
i) Personal data that form part of an automated decision-making process
“GPRCO” does not handle your data as part of automated decision-making processes, without the involvement of real people.
j) Personal data from public sources received by agreed transfer
Data compiled from public records, directories, social networks and other lawful sources available on the market.
k) Personal data gathered from social networks
“GPRCO” may collect and process personal data such as name and email that you have shared on social networks (Facebook®, Twitter®, among others).
The personal data referred to above are gathered by: i) the use of printed forms or documents; ii) the use of e-mails and/or iii) el the voluntary furnishing of information and personal data when the Owner visits our points of sale, when it talks to our Operators on the telephone (including the customer services department); iv) our website, and l) the use of public sources and other sources available on the market.
“GPRCO” handles your personal data to carry out certain tasks with a view to meeting its obligations under or derived from any business and/or legal relationship we have with you and that we consider as main purposes, including:
i) Allowing you access to our web page.
ii) Managing security-related incidents.
iii) Allowing the handling, administration and security of your personal data.
iv) Keeping physical, electronic and procedure records of personal data in accordance with applicable laws and regulations.
v) Requesting, engaging, changing or canceling services.
vi) Managing your payments using various means of payment.
vii) Raising digital tax invoices or receipts.
viii) Issuing quotations and providing service information.
ix) Making telephone reservations over the website.
x) Providing customer services.
xi) Proving your identity and checking the information you provide us.
xii) Managing our business relationship with you.
xiii) Entering you on our customer database.
xiv) Opening your file, allocating you a reference number and creating your profile.
We will handle your personal data for other secondary purposes that will not give rise to nor are necessary for our business/legal relationship with you, including:
i) Carrying out activities to promote, maintain and improve our products.
ii) Taking part in chats, discussion forums and social networks.
iii) Informing “GPRCO” of any problems with its websites.
iv) Receiving publicity on hard copy or over electronic media, including notices for online marketing purposes or telemarketing of products and services.
v) Creating personal profiles.
vi) Taking part in surveys.
vii) Using the services available on websites, including downloading content and formats.
viii) Reporting any problems with websites to Operators.
ix) Taking part in competitions, tournaments, raffles, games and draws.
x) Making comments and suggestions about products and services.
xi) Any other activity similar to those referred to above.
xii) Sending publications, notices, and club news to data owners by telephone, physical and remote media and personally.
xiii) Handling the accommodation reservation service.
xiv) Handling service quality, complaints and guest services.
xv) Handling cancellation of reservations and guest refunds.
xvi) Handling guest complaints and problems.
5. OWNER’S CONSENT.
For the purpose of the Legislation, you hereby declare that: i) “GPRCO” has provided you a copy of the Notice before compiling and/or handling your personal data; ii) you have read, understood and agreed with the terms established herein with regard to compiling and handling your property and/or financial data, so if you provide these data, you will place your name at the foot of this document and sign it, or you will give your consent over the dialogue windows on our websites, in accordance with Articles 8 and 9 of the LFPDPPP, and Articles 11, 12, 14, 15 and 16 of the Regulations, without detriment to the exceptions established in Articles 10 and 37 of the LFPDPPP that authorize us to handle and transfer your personal data to be able to meet our legal and contractual obligations or on account of the legal relationship we have or may have with you, either now or in the future.
You will have given us your tacit consent to compile, handle and transfer your data, except for financial and property data, in accordance herewith, if you do not contest or object to its content within 48 hours of your personal data having been compiled and this notice having been made available to you over any medium, including publication on our website.
6. TRANSFERRING DATA TO THIRD PARTIES.
Having read, understood and agreed the terms established herein, the Owner declares that it gives its consent so that the Data Controller or any other Operator may transfer Personal Data to third parties, either in Mexico or abroad, on the understanding that said third parties must handle the Personal Data of the Owner in accordance with the terms of the Privacy Notice.
For the purpose of this Section, although subject to the final paragraph hereof, the Data Controller informs the Owner that to be able to provide its customers, consumers and other users its services products, services and solutions, the Data Controller and/or its Operators have or will enter into business agreements with goods suppliers and service providers, both in Mexico and abroad, so that the following services may be provided: e-mail; database administration and management; automatic transfer of Personal Data and the storage thereof; authenticating and validating e-mails; telemarketing; credit card terminals; digital invoicing; marketing; audits and other similar services. The authorization of the Owner given in accordance with this Section enables the Data Controller and/or its Operators that transfer the Personal Data of the Owner to said providers, on the understanding that said providers shall be bound under contract to keep the Personal Data sent by the Data Controller and/or its Operators as confidential, and to adhere to the conditions of the Privacy Notice. The Data Controller and/or its Operators may transfer the Personal Data compiled from the Owner to any other member company of the group to which the Data Controller belongs and that operates under the same processes and internal policies, whether in Mexico or abroad, to be handled for the same purposes referred to herein. It may also transfer your Personal Data to other third parties that assist it in performing the contracts or meeting the legal relationship it has with the Owner.
Your personal information may be transferred stored and processed in a country other than that in which it is compiled. Should this be the case, we will transfer the information in accordance with applicable data protection laws. We take certain measures to protect your personal data, irrespective of the country in which they are stored or to which they are transferred, and have set up procedures and controls to guarantee this protection.
We reserve the right to transfer your Personal Data if all or part of our business or assets is sold or transferred. Should this happen, we will do everything possible to ensure that the next owner of our business uses your Personal Data in accordance with this Privacy Notice. If you do not wish for your Personal Data to be processed after the sale or transfer, please contact the new owner.
Notwithstanding the conditions established in this Section or in any other part of the Privacy Notice, the Owner agrees and accepts that the Data Controller shall not require the authorization or conformation of the Owner to transfer Personal Data locally or internationally under the circumstances established in Article 37 of the Federal Protection of Personal Data in the Possession of Individuals Act or any other exception established in said act or any other applicable legislation.
7. PROCEDURE FOR EXERCISING ARCO RIGHTS AND CANCELLING CONSENT.
To exercise its ARCO Rights, the Owner or its representative must submit an access, rectification, cancellation or opposition application, with the following information and documents:
• I) Name and address of the Owner, or any other manner in which the Owner may be contacted regarding its application.
• II) Identity documents (uncertified copy on hardcopy or in digital format of voter’s identity card, passport or FM-2 or FM-3) or if the application is submitted by the legal representative of the Owner (uncertified copy on hardcopy or in digital format of a power of attorney signed by the Owner and the legal representative and a copy of their voter’s identity card, passport or FM-2 or FM-3).
• III) A clear and accurate description of the Personal Data for which any of the ARCO Rights are to be exercised.
• IV) Any other information or documents that will help locate the Personal Data of the Owner.
If the Owner submits an application to rectify its Personal Data, it must specify the changes to be made and submit all supporting documents.
If you have any enquiries regarding the receiving and processing of applications to exercise your right of access, rectification, cancellation and opposition of your Personal Data, restricting the use or disclosure of said data and any other rights established in the Federal Protection of Personal Data in the Possession of Individuals Act, please send an e-mail to firstname.lastname@example.org (this address is for receiving applications to exercise ARCO rights only. No other type of enquiry will be dealt with). You may obtain application forms and any other documents that need to be submitted at www.park-royalhotels.com.
The Data Controller or its Operators will give the Owner an answer regarding its application for access, rectification, cancelation or opposition within twenty business days as from when it is received, so that the Owner may exercise its ARCO rights within fifteen days as from when it receives said answer. The Data Controller or its Operators will verify the identity of the Owner or its representative before processing applications for access to Personal Data. The times referred to above may only be extended in accordance with the Federal Protection of Personal Data in the Possession of Individuals Act.
Personal Data shall be provided free of charge and the Owner shall only pay justified delivery costs and the cost for providing the data on copies or in another format. If the Owner cancels its request within twelve months, it must pay all relevant costs at rate of three times the Unit of Measurement and Update in Mexico City, in accordance with the Federal Protection of Personal Data in the Possession of Individuals Act, unless any major changes are made to the Privacy Notice that may make it necessary to submit new applications.
The provisions of Article 26 of the Federal Protection of Personal Data in the Possession of Individuals Act and the conditions of the Privacy Notice shall apply regarding applications to cancel Personal Data, including the cases of exception of cancellation of Personal Data mentioned.
If the Owner of Personal Data submits an application for opposition of the use thereof, the Controller may oppose the use of the Personal Data that the Owner has provided it.
8. PERSONAL DATA DEPARTMENT.
If you have any questions or comments or require further information about our Privacy Notice, please contact our Personal Data Protection and ARCO Rights Administration Committee at: email@example.com (this address is for receiving applications to exercise ARCO rights only. No other type of enquiry will be dealt with). For the purpose of Article 16, Sub-section I, of the Federal Protection of Personal Data in the Possession of Individuals Act, the address of the Data Controller may be found in Section 1 hereof.
9. RESTRICTION TO USING AND DISCLOSING INFORMATION.
“GPRCO” shall retain your personal data while necessary to manage our business and/or legal relationship with you, and to keep the records established in the LFPDPPP, its Regulations and applicable commercial, administrative and tax laws.
The personal data that “GPRCO” compiles are protected against damage, loss, alteration, destruction or any unauthorized use, access or handling, by administrative, technical and physical security measures, in accordance with the LFPDPPP and its Regulations.
To restrict the use and disclosure of your personal data, please send an e-mail to the Personal Data Department at firstname.lastname@example.org, together with your application.
You may ask to be taken off our e-mail distribution list by using the dialogue boxes on or website. You may also register with the Public Register of Consumers of the Federal Consumer Protection Agency (http://rpc.profeco.gob.mx) to block calls that inform you of publicity, promotions or special offers.
Compiling data when browsing on the web sites of PARK ROYAL HOTELS & RESORT
“GPRCO” may compile personal data from its website or from the use of automatic data collection tools. The data collection tools that “GPRCO” uses on its websites include cookies, Web beacons and links in e-mails.
These cookies may be disabled. To find out how to do so, click on the link below or send an e-mail to:
•Internet Explorer: http://windows.microsoft.com/es-MX/windows-vista/Block-or-allow-cookies
Use of Web beacons.- These are also known as Internet labels, pixel labels and clearGIFs).- “GPRCO” may use Web beacons in HTML format on its websites or in its e-mails, either on their own or with cookies, to gather information on the use of its websites and their interaction with e-mails. Web beacons are single pixel (1x1) or GIF electronic images that may recognize information processed on your computer, such as cookies and the time and date when the site and its sections are consulted.
Links in “GPRCO” e-mails.- E-mails that contain links by which “GPRCO” may find out if you have activated the link and visited the destination web page; this information may be included in your profile.
Protecting minors, people at interdiction status or those who have no capacity. “GPRCO” does not gather or handle the personal data of minors, people at interdiction status or those who have no capacity and encourages parents and/or tutors to take actively help children or the people they are responsible for when using the Internet. If “GPRCO” believes that minors, people at interdiction status or those who have no capacity have provided personal data in contravention of the Privacy Notice, we will delete said data immediately. If you are aware that said personal data have been provided by minors, people at interdiction status or those who have no capacity, please send us an e-mail to: email@example.com.
10. CHANGES TO THE PRIVACY NOTICE.
“GPRCO” reserves the right to amend the Privacy Notice to take into account changes made to our data protection practices derived from our ongoing improvement policy, and any applicable legal, regulatory and administrative changes. We suggest that you check the Privacy Notice on our website form to time, where we will publish changes made and the date of the most recent updates.
Last updated: May 2022
PROCEDURE TO EXERCISE ARCO RIGHTS
Procedure regarding SERVICIOS PROFESIONALES DE HOTELERIA COCASA, S.A. DE C.V.; jointly or separately, hereafter “GPRCO” in its capacity as Responsible for Attention to Owners Request regarding exercise of ARCO Rights:
“GPRCO”, in compliance with the Federal Law on Protection to Personal Data in Possession of Private Persons, agreeing about the importance of your privacy, makes available this procedure to request any kind of information to treatment to your personal data or exercise of any ARCO right acknowledged by previously referred to Law, without limiting your right to personally do it at your offices.
Rights every person may exercise regarding treatment to their own personal data are:
• Exercise Access Right: to let you know about data we have on you, as a result from our contract relationship, forms or communications established between both of us.
• Exercise Rectification Right: to communicate, notify and undoubtedly let us know about data that is inapplicable to your person so that we may proceed to make changes.
• Exercise Cancellation Right: should you want cancellation of data we have about you deriving from the contractual relation, forms or communications established between both of us.
• Exercise of Challenge Right: to limit purposes of the treatment or use of your data for which you have already previously granted your consent.
1.- The Owner of Personal Data or his/her Legal Representative will be the sole persons with capacity to request exercise of ARCO rights.
2.- Delivery of Request to exercise ARCO rights may be through:
a) Website: www.parkroyal.mx
b) E-mail addressed to: firstname.lastname@example.org
3.- Such request is to be addressed and channeled to persons responsible for Personal Data Protection, who will verify that this request provides the following information:
• The name of Owner of data, telephone number, full domicile, e-mail or any other means to communicate and answer to request made.
• Current document evidencing the Owner’s identity.
• Clear and accurate description of personal data and/or reasons regarding which Owner is seeking exercise of any ARCO right.
• Any other element or document facilitating location of personal data.
• In the event of a RECTIFICATION request to personal data, Owner must also indicate the modifications that are to apply and contribute documents supporting his/her request.
4.- Should a request fail to satisfy any of the above requirements will result in its rejection, informing applicant accordingly.
5.- Should request be in satisfaction with all above requirements, processing will continue in accordance to the following:
5.1. Personal Data Protection Responsible Persons will notify the Owner or his/her Legal Representative within a maximum term of twenty (20) business days as from the date the access, rectification, cancellation or opposition request was received, the resolution taken through the means indicated by Owner in his/her request.
5.2. Should access, rectification, cancellation or opposition request be admissible, the same will enter into effect within fifteen (15) business days following the date an answer is notified to Owner.
5.3. When about ACCESS request to personal data, delivery thereof will occur prior demonstration of requesting party’s identity or his/her representative, as applicable, to which effect the person is to personally complete this requirement or through its legal representative.
5.3.1. ACCESS obligation to information will be satisfied when personal data are made available to Owner, or else, by the issue of simple copy, e-documents or any other means.
6.- Personal Data Protection Responsible Persons will be supported by areas and persons which in name and account of “GPRCO”, handle Owner’s personal data, jointly implementing any measures required to satisfy the request.
7.- Owner of personal data may be denied access or may be the rectification or cancellation or opposition to the treatment in the following events:
• When the requesting party is not the owner of personal data, or his/her legal representative is not duly credited to such effect;
• When requesting party’s personal data are not found in the database;
• When there is a legal impediment or resolution of pertinent authority in the sense of restricting access to personal data, or does not allow rectification, cancellation or opposition thereof; and
• When rectification, cancellation or opposition has already been previously completed.
7.1. Personal Data Protection Responsible Persons must report on the reason of resolution, which is to be notified to Owner or, as applicable, to his/her legal representative, within the terms established to such effect by the same means established in the request, accompanied, as applicable, by pertinent supporting evidence.
The purpose of this form is to facilitate communication and help to complete ARCO Right exercise request (Access, Rectification, Cancellation and Opposition) as established under the Law. On these conditions have been read, proceed to fill in attached form’s information to initiate the process.
PROCEDURE TO EXERCISE ARCO RIGHTS