A. GENERAL PART
1.1. USER DATA COLLECTION AND TREATMENT 

Within the scope of the websites hosted at
www.pestana.com, www.secure.pestana.com, www.pousadas.pt, www.pestanacollection.com, www.pestanacr7.com, www.pestanahotelsresorts.comdetailed information on how the entities of the Pestana Group, represented here by Pestana Management - Serviços de Gestão S.A., a public limited company with head office at Rua Jau, n.º 54, 1300 - 314 Lisbon, registered at the Lisbon Commercial Registry Office with the corporate taxpayer number 511230397 ("Pestana Group") process their personal data. 


As a rule, Personal Data is requested when the User registers on the Site, requests a contact and/or sending newsletters, subscribes to a certain service, provides or requests information, acquires a product or establishes a contractual relationship with Pestana Group, namely when he/she makes a reservation on one of our hotels. 

The Personal Data collected and processed is generally the following: name, gender, date of birth, telephone, mobile phone, email, address, tax identification number, credit card data (collected for billing purposes only), although other Personal Data may be collected if necessary or appropriate for the provision of services by Pestana Group. 

After the collection of Personal Data, Pestana Group provides the User with detailed information about the nature of the data collected and about the purpose and processing that will be performed on the Personal Data, as well as the information mentioned in clause 8. Pestana Group also collects and processes information about the characteristics of the user’s hardware device, your IP and browser/software features, as well as information about the pages visited by the User within the Site. This information may include browser type, domain name, access times and links by which the User has accessed the Site (“Usability Information”). We only use this information to improve the quality of the user’s visit to our Site and, when you give your consent, we will send you commercial and marketing information adapted to your profile. 

Usability Information and Personal Data are designated in this Privacy Policy as “User Data”. 

For the purposes of this Privacy Policy, a contractual relationship means any contract established between Pestana Group and its related entities, regardless of their purpose.

1.2. PERSONAL DATA TRANSFER TO THE THIRD PARTIES 

The User Data collected by Pestana Group is not shared with third parties without the User’s consent, except in the situations mentioned in the following paragraph. However, in the event of the User contracting services with Pestana Group that are provided by other entities responsible for the processing of personal data, User Data may be consulted or accessed by such entities, to the extent that it is necessary for the provision of such data services. 

Pestana Group may transmit or communicate the User Data to other entities in the event of such transmission or communication being necessary for the implementation of the contract established between the User and Pestana Group or for pre-contractual procedures at the request of the User, if necessary for the fulfilment of a legal obligation to which Pestana Group is subject or, if it is necessary, to obtain them in the legitimate interests of Pestana Group or of a third party. In the event of the transmission of User Data to third parties, reasonable efforts will be made to ensure that the transmitting entity employs the User Data transmitted in a manner appropriate to this Privacy Policy.

When a User reserves a stay in one of our hotels, his/ her personal data will be processed for accession and management of the assistance insurance available to all customers during their stay at Pestana Group hotels. For the present purposes, Pestana Group will transmit the following personal data to the Insurance Company RNA SEGUROS DE ASSISTÊNCIA, S.A., which will act as Data Controller: full name, nationality, date of birth, passport or citizen card number, country of origin, check-in date, check-out date. For more information on how RNA processes your personal data, please consult https://www.rnaseguros.pt/Politica_Privacidade_.pdf

I) Data communication to the processors 

As part of the processing of User Data, Pestana Group uses or may use processors whose on its behalf, and in accordance with its instructions processes the User’s Data, in accordance with the law and this Privacy Policy. 

These processors may not transmit the User Data to other entities without the prior written authorization. 

Pestana Group undertakes to only subcontract the processors that have implemented the appropriate technical and organizational measures, in order to guarantee the defense of the User’s rights. All entities sub-contracted by Pestana Group shall be bound by Pestana Group by means of a written agreement which covers: the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties and other obligations provided by the article 28 of GDPR. 

We are listing below the processors categories to which the personal data of the Pestana Group website users and guests is communicated:


Processors Categories

Processing of Personal Data Purposes

Licensing, maintenance, support and technical software and systems technical support Management / maintenance / systems and software support to the Pestana Group's activity
Payment service processing, EDI and electronic billing services, accounting, tax and administrative management companies and business support softwareEconomic and accounting management of the invoicing of the guests, suppliers and service providers
Commercial Promoters Promotion / Sale of Pestana Group services
Direct marketing support companies / digital marketing partnersE-mail marketing sending assistance, performances' analysis and disclosure of publicity
Guest Intelligence solutions providersSending of the guest satisfaction surveys
Security companies and preventive and corrective maintenance of security systems companiesVideo surveillance and surveillance for the security of people and properties
Guest stay management companiesServices provision related to the stay of guests in the establishments of Pestana Group
Provision of guest services companiesGuests contact and support

II) Data communication of other recipients

Pestana Group can further communicate to other third parties not qualified as processors pursuant to the article 4 (8) of the GDPR. This entities are subject to confidentiality and may not transmit the User’s and guests’ Data to other entities without prior written authorization of Pestana Group to do it , ensuring that they process personal data in accordance with the provisions of the GDPR.

Pestana Group communicates the data to other recipients, in detail:

Recipientes Categories

Processing of Personal Data Purposes

Temporary-work agenciesTemporary transfer of workers
Companies that explore commercial establishments inside Pestana Group Hotels

Supplementary services provided to guests 

 

Insurance CompaniesCustomer Service Insurance
Companies providing various services during the guest's stay at the Pestana Group facilitiesParking, car rental and garden maintenance services
Travel agencies and tour operators
Reservations
Advisers or Lawyers Provision of consultancy services and legal services
Different companies of additional services requested by guestsTaxi service / Transfers to the airport, car parking services, car rental, restaurants reservations and other activities requested by guests

1.3. DATA COLLECTION CHANNELS 

Pestana Group may collect data directly (i.e., directly from the User) or indirectly (i.e. via partner entities or third parties). Such collection may be done through the following channels: 

• Direct collection: in person, by telephone, e-mail and through the Site;

• Indirect collection: through partners or group companies and official entities.

2. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA 

In terms of general principles regarding the processing of personal data, Pestana Group undertakes to ensure that the User Data processed by it is:

• Subject to processing in accordance with the law, as well as being fair and transparent in relation to the User; 

• Collected for specific purposes that are objective and legitimate, not being processed subsequently in any way that runs contrary to these purposes;

• Appropriate, justified and limited to what is necessary in relation to the purposes for which these data are processed;

• Accurate and updated whenever necessary with all necessary measures being taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or corrected without delay;

• Kept in a manner that allows the identification of the User only for the period necessary for the purposes for which the data are to be processed;

• Handled in a manner that ensures data security, including protection against their unauthorized or illegal treatment and against their loss, destruction or unforeseen damage, with appropriate technical or organizational measures being taken. 

Data processing carried out by Pestana Group is permitted and legitimate when at least one of the following situations occurs:

• The User has given his/her free, positive, explicit and unequivocal consent to the processing of his/her for one or more specific purpose;

• The processing is necessary for the implementation of a contract in which the User is a party, or for pre-contractual procedures at the request of the User;

 • The processing is necessary for the fulfilment of a legal obligation to which Pestana Group is subject; 

• Processing is necessary for the defense of the vital interests of the User or another individual;

• The processing is necessary for legitimate interests pursued by Pestana Group or by third parties (unless the interests or fundamental rights and freedoms of the User requiring the protection of personal data prevail).

Pestana Group undertakes to ensure that the processing of User Data is only done under the conditions cited above and respecting the principles mentioned above.

 When the processing of the User Data is performed by Pestana Group is based on the User’s consent, the User has the right to withdraw his consent at any time. Such withdrawal of the consent, however, does not jeopardize the legality of the processing carried out by Pestana Group, based on the consent previously given by the User. 

The length of time during which the data is filed and stored varies according to the purpose for which the information is being processed, being stored only for the necessary time for the fulfilment of the purposes for which they are processed, taking into account the Data Retention Policy approved by Pestana Group. 

Effectively, there are legal requirements that require the data to be preserved for a minimum period. Thus, and where there is no specific legal obligation, the data will be stored and kept only for the minimum period necessary for the purposes that led to their collection or subsequent processing, which at the end of the period will be eliminated. 



3. USE AND PURPOSES OF THE DATA PROCESSING

In general, Pestana Group uses the User Data for the following purposes: 

• Provision of hotel services and associated services (restaurants, bars, spa, etc.);

 • Billing and invoicing the User;

• Registration of users on the Site;

• Providing information to the User, who has requested it, on new products and services that have been made available on the Site and/or at the hotel units, special offers and campaigns, updated information on Pestana Group’s business operations and, generally, for the purpose of marketing Pestana Group and its hotel units, using any means of communication, including electronic media;

• Allowing access to restricted areas of the Site, in accordance with previously established terms;

• Ensuring that the Site meets the User’s needs by developing and publishing content that is best adapted to the requests made and the type of User, improving the search capabilities and functionalities of the Site and obtaining associated or statistical information regarding to the user’s profile (analysis of consumption profiles)

• Providing services, and other peripherals, such as newsletters, opinion surveys, or other information or products requested or purchased by the User; 

• Accessing and management of the assistance insurance available to all clients during their stay at the Pestana Group units; 

• Sending Satisfaction Surveys;

• Recording of telephone calls that may be made in connection with the solicitation or provision of information about reservations, vouchers and other products or services and their commercial conditions of use and the establishment of any contractual relationship, either during the formation phase of the contract or while it is in force. 

Pestana Group may combine Usability information with anonymous demographic information for research purposes, and we can use the result of this combination to provide relevant content on the Site. In certain restricted areas of the Site, Pestana Group can combine Personal Data with Usability information to provide the User a more personalized content. 

4. TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES IMPLEMENTED

In order to guarantee the security of the User Data and maximum confidentiality, Pestana Group treats the information you provided to us in an absolutely confidential manner, in accordance with its internal security, and confidentiality policies and procedures, which are updated periodically as required, as well as the terms and conditions legally set out. 

As a function of the nature, scope, context and purpose of data processing, as well as the risks arising from the treatment of the rights and freedoms of the User, Pestana Group undertakes to apply, both when defining the method and timing of handling the data, the technical and organizational measures necessary and appropriate for the protection of User Data and compliance with legal requirements.

It also undertakes to ensure that, by default, only data that are necessary for each specific handling purpose are processed and that such data are not made available without human intervention to an indeterminate number of people. Communication between the user’s device and the Pestana Group Site is done through secure channels and communications using the HTTPS protocol and the SSL security standard. Nevertheless, in terms of general measures, Pestana Group adopts the following: 

• Regular audits to identify the effectiveness of the technical and organizational measures implemented;

• Sensitization and training of personnel involved in data processing operations;

• Pseudonymization and coding of personal data;

• Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems; Mechanisms to ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident;

5. TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION 

Pestana Group may transfer your personal data to recipients in countries outside the European Union, which may have different levels of personal data protection. 

Consequently, Pestana Group is concerned to adopt appropriate measures to ensure the secure transfer of your personal data, whenever there is a transfer to a third country, whose level of protection of your personal data is different from that of the country where the personal data are collected.

This transfer of data results, inter alia, from the need to send your data as part of reservation processes to the hotels of Pestana Group, located in different geographical locations: Brazil, Argentina, Venezuela, United States, Cuba, Mozambique, South Africa, Sao Tome and Principe, Cape Verde and Morocco. 

Pestana Group undertakes to ensure that transfers of personal data to countries outside the European Union comply with the applicable legal provisions, in particular with regard to determining the suitability of such country with regard to data protection and the requirements applicable to such transfers. 

6.USE OF COOKIES 

When you visit the Site, a small text file (Cookie) is created and recorded on your computer disc. These text files will allow a more personalized and efficient navigation experience. Each time you visit the Site, your internet browser sends these cookies back to the Site, allowing the recognition and the identification of the Users, as well as their usage preferences. These Cookies will only be installed with your express consent, except in cases where they are necessary for the operation of the Site.

As to the necessary cookies, you can delete or block them in the "Help" menu on your browser, where you will find how to do it. However, if you do not allow the use of cookies, there may be some functionality of the Site that you will not be able to use.

I- What are Cookies?

Cookies are small software files, which are stored on your device through the browser, and that hold a certain amount of data, namely, regarding the state of the navigation, and the activity during you are browsing. These cookies data can then be retrieved and can allow us to customise our web pages and services accordingly, through the information previously introduced on the Website.

II- What cookies do we use?

Necessary Cookies to: 

(i) Allow the navigation on the website; 

(ii) Use website’s features, such as accessing secure areas and exclusive contents for registered Users. 

Functionality Cookies to: 

(i) Record information about our Users options; 

(ii) Memorize what is in your shopping cart and, when applicable, remind you by email that there are unfinished reservations in the shopping cart; 

(iii) Allow the customization of our Website accordingly with your needs, namely, to memorise the language. 

Performance Cookies to: 

(i) Monitor how is your access to our Website and the regularity of this access. 

Session cookies to: 

(i) The reservation process, since this type of cookies are safer and can not be manipulated by third parties. 

(ii) We also use direct or indirect analytical services to assess the effectiveness of our content and the Users’ preferences, which help us with the optimization of the functioning of this Website.

To find out what cookies we collect, their purpose and conservation period, please click on the following link : https://tracker-detail-page.trustarc.com/#/?domain=1642&category=1&locale=en

We also use web beacons or tracking pixels to count the number of visitors to our Website, anonymously and without identifying any particular User. However, for registered Users who are connected to the Website we will combine this information with the data collected through cookies to analyze how Users navigate in this Website in more detail. 

III- How to control cookies

All recent versions of popular browsers give Users a level of control over cookies. Users can set their browsers to accept or reject all, or certain, cookies. Additionally, all Cookies, except the necessary Cookies, are subject to the User's consent. 

Please note that, when you delete or block cookies, some functionalities of the website may be affected. 

 If you want to know more about how Cookies work, you can check the AboutCookies.org or Cookiecentral.com Websites.

IV- Cookies Security: Since Cookies can be intercepted or changed, we take the following security measures: 

 (i) Sensitive information – such as passwords or personal data such as the guest's address or telephone number – is not stored; 

(ii) Non-secure requests (HTTP) are not sent where cookies are sent to the browser in plain text and can be intercepted.

7. TOOLS USED FOR ANALYTICS AND USER BEHAVIOR

Google Analytics 

 In this Site is used Google Analytics, a web analysis service provided by Google Inc., (hereinafter “Google”). 

The cookies are being recorded in order to provide information on the Site’s use. This data, including the user’s IP address, is transmitted to Google servers, but the data collected by Google Analytics is not related to any other data held by Google. 

 You may also deactivate the tool by downloading and installing a browser add-on available from Google: https://tools.google.com/dlpage/gaoptout?hl=en. 

Facebook and Instagram 

In the Site there is an interactivity with Facebook and Instagram through a connection with these social networks’ servers is established. This allows the social networks to identify the Site that the User is visiting, and potentially store other data such as the IP address. 

If the user is also connected in these social networks, may also be associated the data with the User’s account. If the user wants to prevent this, should done log out from Facebook and/ or Instagram before visiting the webpage. 

You can find more information about how Facebook and Instagram process data on their Sites: https://www.facebook.com/about/privacy/ and https://help.instagram.com/519522125107875

Twitter 

The Site has an interactivity with Twitter Inc.(hereinafter “Twitter”). When you access a webpage using such buttons, a connection with Twitter’s servers is established. This allows Twitter to identify the Site that the User is visiting, and potentially store other data such as the IP address. 

You can find more information about how Twitter processes data on Twitter Site: https://twitter.com/privacy. 

Youtube

The Site has an interactivity with Youtube through a connection with this website servers is established. This allows Youtube to identify the Site that the User is visiting, and potentially store other data such as the IP address. 

If the user is also connected in Youtube, may also be associated the data with the user’s account. If the user wants to prevent this, should done log out from your Youtube account before visiting the webpage.

You can find more information about how Youtube processes in the following link: https://www.youtube.com/intl/en-GB/yt/about/policies/#community-guidelines

 B. USER RIGHTS (DATA OWNERS)

 8. THE RIGHT OF INFORMATION 

8.1. Information provided to the User by Pestana Group (when data are collected directly from the User): 

• The identity and contacts, of the personal data controller and, if applicable, of its representative; 

• The contacts of the Data Protection Supervisor;

• The purposes of the processing to which the personal data are intended, as well as, if applicable, the legal reasons for the processing; • If the processing of the data is based on the legitimate interests of Pestana Group or a third party, an indication of such interests;

• If applicable, recipients or categories of recipients of personal data;

  • If applicable, an indication that personal data will be transferred to a third country or an international organization, and whether or not a decision on appropriateness has been adopted by the Commission or a reference to suitable or appropriate transfer guarantees;

• Term for the retention of personal data;

• The right to request Pestana Group’s permission for personal data, as well as its correction, elimination or limitation, the right to oppose its processing and the right to access the data;

  • If the processing of the data is based on the User’s consent, the right to withdraw it at any time, without compromising the legality of the processing carried out based on the consent previously given; 

• The right to file a complaint with the CNPD (Comissão Nacional de Protecção de Dados [National Commission for Data Protection]) or other supervisory authority;

 • Indication of whether or not the communication of personal data constitutes a legal or contractual requirement to enter into a contract and whether the holder is required to provide the personal data and the possible consequences of not providing such data;

• If applicable, the existence of automated decisions, including the definition of profiles, and information regarding the basic concept, as well as the importance and expected consequences of such processing for the data subject. 

• If the User Data is not collected directly by Pestana Group from the User, in addition to the aforementioned information, the User is also informed about the categories of personal data being processed, as well as the origin of the data and, whether they are from sources accessible to the public. 

• In the event of Pestana Group intending to proceed with the further processing of the User Data for a purpose other than that for which the data was collected, before this processing, Pestana Group shall provide the User with information about that purpose and any other information of interest, under the terms referred to above.
 

8.2. Procedures and measures implemented to fulfil the right to information. The information referred to in paragraph 8.1. is provided in writing (including by electronic means) by Pestana Group to the User prior to the processing of the personal data in question. In accordance with applicable law, Pestana Group is under no obligation to provide the User with the information mentioned in paragraph 8.1 when and to the extent that the User already has knowledge of them. This information is provided by Pestana Group at no cost. 

9. THE RIGHT OF ACCESS 

Pestana Group guarantees the means that allow the user to consult his or her Personal Data. 

The User has the right to obtain confirmation from Pestana Group that personal data concerning him or her are processed and, if applicable, the right to access his/her personal data and the following information: 

• The purposes of data processing;

• The categories of personal data in question;

• The addressees or categories of recipients to whom the personal data have been or will be disclosed, in particular to recipients based in other countries or belonging to international organizations;

 • The term for the retention of personal data;

 • The right to ask Pestana Group to correct, eliminate or limit the processing of personal data, or the right to prevent such processing;

• The right to file a complaint with the CNPD or other supervisory authority; • If the data has not been collected from the User, the available information on the origin of such data;

• The existence of automated decisions, including the definition of profiles, and information on the underlying reasoning, as well as the importance and expected consequences of such processing for the data subject;

• The right to be informed about the appropriate safeguards associated with the transfer of data to third countries or international organizations. 

Upon request, Pestana Group will provide the User, free of charge, with a copy of the User Data that is being processed. The providing of other copies requested by the User may entail administrative costs. 

10. THE RIGHT TO RECTIFICATION 

The User has the right to request, at any time, correction of his or her Personal Data, as well as the right to have incomplete personal data completed, including by means of an additional declaration.

In the event of limitation of processing of data, Pestana Group shall inform each recipient/entity to whom the data has been transmitted of the limitation, unless such communication proves impossible or involves a disproportionate effort on behalf of Pestana Group. 

11. THE RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”) 

You have the right to obtain, on the part of Pestana Group, deletion of your data when one of the following reasons apply: 

• The User Data is no longer required for the purpose for which it was collected or processed;

 • The User withdraws the consent on which the data processing is based and there is no other legal basis for such processing;

  • The User opposes the treatment under the right of opposition and there are no prevailing legitimate interests justifying the processing;

• If User Data is processed illegally;

• If User Data must be deleted in order to comply with a legal obligation to which Pestana Group is subject;

• Under the applicable legal terms, Pestana Group is under no obligation to delete User Data to the extent that the processing proves necessary to fulfil a legal obligation to which Pestana Group is subject or for the purposes of declaring, exercising or defending Pestana Group’s rights in judicial proceedings.

In the event of the data being deleted, Pestana Group shall inform each recipient/entity to whom the data has been transmitted of the deletion, unless such communication proves impossible or involves a disproportionate effort on behalf of Pestana Group. 

When Pestana Group has made the User Data public and is obliged to delete it under the right of such deletion, Pestana Group undertakes to ensure reasonable measures, including of a technical nature, taking into account available technology and costs of its application to inform those responsible for the effective processing of personal data for which the User has requested deletion of the links to such personal data, as well as copies or reproductions thereof. 

12. RIGHT TO RESTRICTION OF PROCESSING 

 The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • If the accuracy of personal data is challenged, for a period that allows Pestana Group to verify its accuracy; 

• If the processing is unlawful and the User opposes the deletion of the data, requesting, instead, a limitation on its use;

 • If Pestana Group no longer requires the User Data for processing purposes, but such data is required by the User for the purposes of declaring, exercising or defending their rights in judicial proceedings;

 • In the event of the User objecting to the processing, until it is verified that Pestana Group’s legitimate reasons prevail over those of the User. 

When User Data is subject to limitations, they may only, with the exception of storage, be processed with the consent of the User or for the purpose of declaring, exercising or defending a right in judicial proceedings, defending the rights of another natural or legal person, or for public interest reasons provided by law. 

The User who has obtained the limitation of the processing of their data in the above cases shall be informed by Pestana Group before the limitation on processing is annulled. In the event of limitation of processing of data, Pestana Group shall inform each recipient/entity to whom the data has been transmitted of the limitation, unless such communication proves impossible or involves a disproportionate effort on behalf of Pestana Group. 

13. THE RIGHT OF PORTABILITY OF PERSONAL DATA

The User has the right to receive personal data concerning him/her and which he/she has provided to Pestana Group, in a structured, current and automated reading format, and the right to transmit such data to another person responsible for its processing, if: 

 • The processing is based on consent or a contract to which the User is a party; and 

• The processing is performed by automated means. 

The right of portability does not include inferred or derived data, i.e. personal data that are generated by Pestana Group as a consequence of, or resulting from, analysis of the data being processed.

Users are entitled to have their personal data transmitted directly between those responsible for the processing, whenever this is technically possible. 

14. RIGHT TO OBJECT 

Users have the right to object at any time to the processing of personal data based on the legitimate interests pursued by Pestana Group or when the processing is carried out for purposes other than those for which personal data were collected, including the definition of profiles, or when personal data are processed for statistical purposes.

Pestana Group shall terminate the processing of User Data unless it can demonstrate urgent and legitimate reasons for such processing that prevail over the User’s interests, rights and freedoms, or for the purposes of declaring, exercising or defending Pestana Group’s rights in legal proceedings.

When User Data is processed for the purpose of direct sales (marketing), Users have the right to oppose at any time the processing of the data that concern them for the purposes of said marketing, which includes the definition of profiles insofar as it relates to direct marketing. If Users object to the processing of their data for the purposes of direct marketing, Pestana Group must cease the processing of the data for this purpose. 

Users also have the right not to be subject to any decision made solely on the basis of automated processing, including the definition of profiles, that has an effect in the legal sphere or has a significant similar effect, unless the decision:

 • Is necessary for the signing or implementation of a contract between the User and Pestana Group; 

• Is authorized by legislation to which Pestana Group is subject; or 

• Is based on the explicit consent of the User. 

 15. PROCEDURES FOR THE EXERCISING OF RIGHTS BY THE USER 

The right of access, right to rectification, right of elimination, right to restriction, right to data portability and right to object may be all exercised by the User through the platform available at: https://pestanahotelgroup.atlassian.net/servicedesk/guest/portal/5

For further information, please contact the Pestana Group Data Protection Officer through the following e-mail dpo@pestana.com or by letter to the Data Protection Officer, Rua Jau, No. 54, 1300-314 Lisboa, Portugal. 

Pestana Group will respond in writing (including by electronic means) to the User’s request within a maximum period of one month from the receipt of the request, except in particularly complex cases, for which this period may be extended up to two months. 

If the requests submitted by the User are manifestly unjustified or excessive, especially due to their repetitive nature, Pestana Group reserves the right to charge administrative costs or refuse to comply with the request. 

16. PERSONAL DATA BREACH

In the event of a personal data breach and insofar as such a breach is likely to entail a high risk to the User’s rights and freedoms, Pestana Group undertakes to inform the User in question of the personal data violation within 72 hours of learning of the incident. 

Under the legislation, communication to the User is not required in the following cases:

• When the personal data breach is not likely to result in a high risk to the rights and freedoms of natural persons; 

• If communication to the User implies a disproportionate effort on behalf of Pestana Group. In this case, Pestana Group will release a public communication or take a similar action by which the User will be informed. 

C. FINAL PART 

17. AMENDMENTS TO THE PRIVACY POLICY 

Pestana Group reserves the right to make changes to this Privacy Policy at any time. In the case of modification to the Privacy Policy, the date of the most recent change, available at the top of this page, shall also be updated. If the change is substantial, a notice will be placed on the Site. 

18. RIGHT TO COMPLAIN BEFORE THE SUPERVISORY AUTHORITY

Please note that you have also the right to lodge a complaint before the competent supervisory authority — National Data Protection Committee, with its head office at Av. D. Carlos I, 134 - 1.º 1200-651 Lisbon, with the following phone number (+351) 213928400 and the following e-mail: geral@cnpd.pt 

19. APPLICABLE LAW AND LEGAL JURISDICTION The Privacy Policy as well as the collection, processing or transmission of User Data are all governed by the provisions of the Regulation (eu) 2016/679 of the European Parliament and of the Council of 27 April 2016, and by the laws and regulations applicable in Portugal. 

Any litigation arising from the validity, interpretation or implementation of the Privacy Policy, or related to the collection, processing or transmission of User Data, must be submitted exclusively to the jurisdiction of the courts of Lisbon, without prejudice to mandatory legal rules.