POLICIES ON DATA PRIVACY AND INFORMATION HANDLING. LAW 1581 of 2012 AND REGULATORY DECREE 1377 OF 2013
ENTITY RESPONSIBLE FOR PROCESSING DATA
NAME: Oasis Hotels & Resorts, S.A. de C.V.
VAT No.: B333222111
ADDRESS: Blvd. Kukulcan Km 16.5-Lt45-47, Zona Hotelera, 77500 Cancún, Q.R., México
EMAIL ADDRESS: info@oasishoteles.com
WEBSITE: https://oasishoteles.com
1. PURPOSE
The purpose is to establish and disclose the Information Processing and Personal Data Protection Policies implemented by Oasis Hotels & Resorts, S.A. de C.V. with the aim of guarantee suitable compliance with Law 1581 of 2012 and Decree 1377 of 2013, which aim to develop the constitutional right that all individuals have to access, update and correct the information collected about them and stored in databases or files, and all other constitutional rights, freedoms and guarantees referred to in Article 15 of the Political Constitution: “Habeas Data”, in addition to the right to information detailed in Article 20 of the same document.
The company Oasis Hotels & Resorts, S.A. de C.V. shall adopt the internal policy manual and procedures required to guarantee compliance with this precept and these regulations.
2. SCOPE
This document applies to personal data recorded on any database managed by the company and that are liable to processing.
3. DEFINITIONS:
3.1. Authorisation: Prior, express and informed consent of the owner to carry out the processing of personal data.
3.2. Database: Organised set of personal data that is the subject of processing.
3.3. Personal data: Any information linked or that may be associated to one or various individuals who may be determined.
3.4. Entity responsible for processing: The individual or legal entity, whether public or private, acting alone or in association with others, that processes personal data on behalf of the Processing Manager.
3.5. Processing manager: The individual or legal entity, whether public or private, acting alone or in association with others, that makes decisions regarding the database and/or processing of data.
3.6. Owner: The individual or legal entity whose personal data is the subject of processing.
3.7. Processing: Any operation or set of operations carried out on personal data, such as gathering, storage, use, circulation or elimination.
3.8. Consultations: Requests made by the owner regarding the personal information on them stored in any database, and regarding which the @@empresa@ is obliged to supply to the owner and their successors all information contained in the individual record or that is linked with the identity of the owner.
3.9. Complaint: Request to correct, update or remove the information contained on a database processed by Oasis Hotels & Resorts, S.A. de C.V. or a request made by the owner or their successors due to presumed non-compliance with any of the obligations contained in Law 1581 of 2012.
3.10. Public data: Data that is not semi-private, private or sensitive. Among others, data related to the marital status of people, their profession or role, and their status of merchant or public servant are considered public data. Due to their nature, public data may be contained in public records, public documents, gazettes and official bulletins, and duly executed legal rulings that are not subject to reservation.
3.11. Sensitive data: Data that reveal racial or ethnic origin, political opinions, religious or moral beliefs, membership of trade unions, information related to health or sex life, or any other data that may, due to its nature or context, result in any form of discriminatory treatment of the owner of the data. This data will be especially protected.
3.12. Habeas data: A fundamental right that enables someone to access, update and correct the information stored on databases and in the files of public and private entities. .
3.13. Successor: Person who succeeds or has been subrogated by any entitlement in the right of another or others.
4. GENERAL GUIDELINES
4.1. The policies considered in this document must be observed by Oasis Hotels & Resorts, S.A. de C.V. as a source of information data as well as by those responsible for processing personal data on behalf of the company.
4.2. Both the entity responsible and managers must safeguard the databases that contain personal data and maintain confidentiality regarding processing.
5. LEGISLATIVE BACKGROUND
5.1. Article 15 of the Political Constitution.
“All individuals have the right to personal and familial privacy and the privacy of their good name, and the State must respect them and ensure they respect others. Likewise, they have the right to access, update and correct the information about them that has been gathered in databases and in the files of public and private entities. In the gathering, processing and circulation of data, the liberty and all other guarantees detailed in the Constitution shall be respected.”
5.2. Article 20 of the Political Constitution.
“Every person is guaranteed the liberty to express and communicate their thoughts and opinions, to be informed and received truthful and impartial information, and to fund mass media. These are free and socially responsible. The right to rectification in conditions of equality is guaranteed. There will be no censorship.”
6. Oasis Hotels & Resorts, S.A. de C.V. IN REGULATIONS
We are an information source.
6.1. WHY ARE WE AN INFORMATION SOURCE?
As Oasis Hotels & Resorts, S.A. de C.V. is a company responsible for gathering the credit information of the users to whom it offers services via credit and cash payment systems, it constitutes an information source as addressed in paragraph (b) of Article 3 of Law 1266 of 2008 (…).
“The individual, entity or organisation receives or accesses the personal data of the owners of the information, pursuant to a commercial relationship, service relationship or relationship of any other kind, and, by virtue of legal authorisation or authorisation of the owner, supplies this data to an information operator, who will deliver these to the final user. If the source delivers the information directly to users, and not through an operator, they will have the double condition of source and operator and will assume the duties and liabilities of both. The information source will be liable for the quality of data supplied to the operator, who, as soon as they have access and they supply the personal information of third parties, must comply with the duties and liabilities established to guarantee the protection of the rights of the owner of the data(…)”
6.2. OBLIGATIONS OF INFORMATION SOURCES. ARTICLE 8, LAW 1266 OF 2008
Information sources must comply with the following obligations, notwithstanding compliance will all other legal provisions established in this law and in others that govern their activity:
a. Guarantee that the information they supply to database operators or to users is truthful, complete, exact, updated and verifiable.
b. Periodically and promptly report to the operator all new issues related to the data previously supplied and adopt all measures necessary to ensure the information supplied is kept up-to-date.
c. Rectify information when it is incorrect and inform operators of the relevant aspects.
d. Design and implement efficient mechanisms to properly report information to the operator.
e. Request, when applicable, and keep a copy or evidence of the respective authorisation granted by the owners of information and ensure that they do not supply operators with any data whose supply has not been authorised, when said authorisation is necessary, in accordance with the provisions established in this law.
f. Certify on a weekly basis to the operator that the information supplied has the correct authorisation, in compliance with the provisions established in this law.
g. Resolve the complaints and requests of the owner in the manner regulated by this law.
h. Inform the operator that certain information is under discussion with its owner when a request of rectification or updating has been made with the aim that the operator includes in the database a note in this regard until said process has been completed.
i. Comply with the instructions issued by the control authority in relation to compliance with this law.
j. All other obligations derived from the Constitution or this law.
7. PROCESSING OF PERSONAL DATA
7.1. Principles for the processing of personal data
The following principles will be considered by @@empresa@ in the processing of personal data.
7.1.1. Legality in matters of data processing
Data processing must be subject to the provisions contained in Law 1581 of 2012 and in any standard that is developed or that regulates these provisions.
7.1.2. Purpose and processing
Data processing must obey a legitimate purpose in accordance with the Constitution and Law, of which the owner of data must be informed. Data processing and the aim of the information in the databases of Oasis Hotels & Resorts, S.A. de C.V. are based on the provision of the service, the contractual relationship, and the commercial and/or advertising aims. Oasis Hotels & Resorts, S.A. de C.V. may convey the information to third parties, providers and authorities.
Processing may only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorisation, or in the absence of a legal mandate that relieves consent.
7.1.3. Veracity or quality
The information subject to processing must be truthful, complete, exact, updated, verifiable and understandable. The processing of partial, incomplete or fragmented data, or of data that may lead to error, is prohibited.
7.1.4. Transparency
During processing, the right of the owner to obtain advertising from Oasis Hotels & Resorts, S.A. de C.V. or the entity responsible for processing must be guaranteed at all times, free of restrictions, as well as the right to obtain information on the existence of data concerning them.
7.1.5. Restricted access and circulation
Processing is subject to the limits that are derived from the nature of the personal data, from the provisions of Law 1581 of 2012 and from the Constitution. In this regard, processing may only be performed by people authorised by the owner and/or by the people stated in law.
Personal data, with the exception of public information, may not be made available on the Internet or other means of disclosure or mass media, unless access is technically controlled for afford restricted knowledge only to the owners or authorised third parties, in compliance with law.
7.1.6. Security
The information subject to processing by the entity or manager responsible must be handled by taking the technical, human and administrative measures necessary to provide security to records, aiming to prevent their unauthorised or fraudulent alteration, loss, consultation, use or access.
7.1.7. Confidentiality
Every person who is involved in processing personal data that is not classed as public information is obliged to guarantee the safeguarding of information, including after the end of their relationship with any of the tasks involved in said procedure, and they may only supply or communicate personal data when this corresponds to the development of the activities authorised by law and in the terms established in law.
7.2. Special categories of data
7.2.1. Sensitive data
This is data that affects the privacy of the owner, or whose undue use may give rise to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions, social organisations, human rights organisations or organisations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, in addition to data related to health, sex life and biometric data.
7.2.1.1. The processing of sensitive data is prohibited, except when:
a. The Owner has granted express authorisation for their processing, unless the granting of said authorisation is not required by law.
b. Processing is necessary to safeguard the vital interest of the owner and they are physical or legally incapable. In these scenarios, the legal representatives must grant authorisation.
c. Processing is performed in the course of legitimate activities and with the due guarantees by a foundation, NGO, association or any other not-for-profit organisation whose purpose is political, philosophical, religious or labour-related, provided that they refer exclusively to their members or the people who maintain regular contact due to their purpose. In these scenarios, the data may not be supplied to third parties without the authorisation of the owner.
d. Processing refers to data that is necessary to recognise, exercise or defend a right in a legal process.
e. Processing has a historical, statistical or scientific purpose. In this scenario, measures that lead to the concealment of the identity of owners must be adopted.
In the processing of sensitive data, when said processing is possible in accordance with the aforementioned exceptions contained in Article 6 of Law 1581 of 2012, the following obligations must be obeyed:
The owner must be informed that, as sensitive data is involved, they are not obliged to authorise their processing. The owner must also be explicitly informed in advance of the general requirements of their authorisation for the gathering of any type of personal data, what data that is the subject of processing is considered sensitive, and the aim of processing, and their express consent must be obtained.
7.2.2. Rights of children and minors
In processing, respect for the rights of children and minors will be ensured. It is prohibited to process the personal data of children and minors unless the data is public. .
7.2.3 Rights of owners
7.2.3.1. Access, update and rectify their personal data before @@empresa@ or the entity responsible for processing. This right may be exercised before others with regard to partial, inexact, incomplete or fragmented data, or data that may lead to errors, or data for which processing is expressly prohibited and that has not been authorised.
7.2.3.2. Request proof of the authorisation granted to Oasis Hotels & Resorts, S.A. de C.V. unless expressly exempted as a requirement for processing, in compliance with the provisions stated in Article 10 of Law 1581 of 2012.
7.2.3.3. Be informed by Oasis Hotels & Resorts, S.A. de C.V. or by the entity responsible for processing, via request, regarding the use made of their personal data.
7.2.3.4. Present to the Superintendency of Industry and Commerce complaints due to infractions of the provisions outlined in Law 1581 of 2012 and all other regulations that modify, amend or complement it.
7.2.3.5. Revoke authorisation and/or request the removal of data when constitutional and legal principles, rights and guarantees are not respected during processing. Revocation and/or removal will occur when the Superintendency of Industry and Commerce has determined that Oasis Hotels & Resorts, S.A. de C.V. or the appointed entity has committed conduct contrary Law 1581 of 2012 and the Constitution during processing.
7.2.3.6. Freely access their personal data that is the subject of processing in the terms and conditions defined in this document.
8. CONDITIONS FOR DATA PROCESSING
8.1. Authorisation
In the development of the principles of purpose and liberty, the gathering of data performed by Oasis Hotels & Resorts, S.A. de C.V. will be limited to the personal data that is relevant and suited to the purpose for which they must be gathered or are required, in compliance with current legislation, except in the cases expressly stated in law.
8.2. Authorisation of the owner
To ensure Oasis Hotels & Resorts, S.A. de C.V. performs any personal data processing action, the prior and informed authorisation of the owner is required. This will be obtained by any means that may be the subject of subsequent consultation. These mechanisms may be predetermined through technical means that facilitate to the owner their automated declaration or they may be in writing or oral. The authorisations of owners will be recorded as follows:
Oasis Hotels & Resorts, S.A. de C.V. requests authorisation for the processing of the information from all its owners, as long as said collection involves the processing of information by Oasis Hotels & Resorts, S.A. de C.V. or third parties (previously authorised). This authorisation request is made when commercial relations with clients are generated (credit and cash sales), product and service purchase are made with providers, and staff are hired for the undertaking of tasks inherent to the organisation. Oasis Hotels & Resorts, S.A. de C.V. adopts the procedures to request, at a later time during the collection of data, authorisation of the owner to processing said data, and it will communicate which personal data will be gathered as well as all the specific aims of the processing for which consent is obtained.
The personal data found in public access sources, regardless of the means by which they are accessed, as understood as data or databases found to be available to the public, and they may be processed by Oasis Hotels & Resorts, S.A. de C.V. as long as, given their nature, they involve public data.
If substantial changes are made to the content of the processing policies, referring to the identification of the entity responsible and the aim of personal data processing and which may affect the content of the authorisation, Oasis Hotels & Resorts, S.A. de C.V. will communicate these changes to owners a minimum of three days before the new policy comes into force and it will also obtain from the owner new authorisation when the change refers to the purpose of processing.
8.2.1. Cases in which authorisation is not necessary
a. Information required by a public or administrative entity when exercising its legal functions or by legal ruling.
b. Public data.
c. Cases of medical or health emergency.
d. Processing of information authorised by law for historical, statistical or scientific purposes.
e. Data related to the Civil Registry of people.
8.3. Supply of information. The information requested by the owner will be supplied by @@empresa@, using any means, including electronic means, as required by the owner. Information must be easy to read, free of technical barriers that impede access, and in must correspond entirely to the information contained on the database.
8.4. Duty to inform the owner. Oasis Hotels & Resorts, S.A. de C.V., when requesting authorisation from the owner, must clearly and expressly inform them of the following: The processing to which their personal data will be subject and the aim of this. The optional nature of responding to questions made when these are regarding sensitive data or the data of children and minors. The rights that pertain to the owner. The identification, physical address, email address and telephone number of the entity responsible for processing.
8.5. People to whom information may be supplied. Information on the personal data subject to processing by Oasis Hotels & Resorts, S.A. de C.V. may be supplied to the following people: To owners, their successors or their legal representatives. To public or administrative entities exercising their legal functions or by legal ruling. To third parties authorised by the owner or by law.
9. RIGHTS OF THE OWNER
9.1. Revocation of authorisation and/or removal of data.
Owners may, at any time, make a request to Oasis Hotels & Resorts, S.A. de C.V. that their personal data be removed and/or the authorisation granted for the processing of said data be revoked. This is to be done via the presentation of a complaint, in accordance with the provisions established in Article 15 of Law 1581 of 2012. The information removal and authorisation revocation proceed WILL NOT OCCUR WHEN THE OWNER HAS A LEGAL OR CONTRACTUAL OBLIGATION TO REMAIN ON THE DATABASE OF Oasis Hotels & Resorts, S.A. de C.V.. The procedure will be as established in this document for the presentation of complaints.
9.2. Complaints.
The owner or their successors have the right to present to Oasis Hotels & Resorts, S.A. de C.V. complaints, subject to the validation of their identity, through any of the following mechanisms of customer service made available by the company on a national level. Oasis Hotels & Resorts, S.A. de C.V. will respond to the complaint using the same means on which it was formulated.
9.2.1. Consultation
Owners or their successors may consult the personal information of the owner gathered in the database. Oasis Hotels & Resorts, S.A. de C.V. will supply the requestor with all the information contained in the individual record or that is linked to the identity of the owner.
The owner may freely consult their personal data:
At least once (1) every calendar month. Whenever substantial modifications to the information processing policies exist, causing new consultations. For consultations made more frequently that once (1) per calendar month, Oasis Hotels & Resorts, S.A. de C.V. will only charge shipping, reproduction and, if applicable, document certification costs. Costs of reproduction may not be more than the costs of recovering the corresponding material.
Response to consultations
For the purposes of responding to consultations, Oasis Hotels & Resorts, S.A. de C.V. establishes a term of ten (10) working days from the date they are received. When it is not possible to attend to the consultation within this term, the party involved will be informed, explaining the reasons for the delay and indicating the date on which their consultation will be addressed, which under no circumstances may exceed five (5) working days following the expiry of the first term.
Complaints
The owner or their successors who believe the information contained on a database must be corrected, updated or removed, or when advising of presumed non-compliance with any of the obligations contained in Law 1581 of 2012, may present a complaint to Oasis Hotels & Resorts, S.A. de C.V., which will be processed under the following rules and formulated via request sent to Oasis Hotels & Resorts, S.A. de C.V. containing the following information, at minimum:
Name of the Processing Manager or entity responsible for processing.
Name of the requestor.
Identification number of the requestor.
Actions causing the request.
Aim of the request.
Correspondence address.
Supporting documentation.
If the complaint is incomplete, the party will be required to correct the faults within five (5) working days following receipt of the complaint. If two (2) months pass from the date this communication is made without the requestor presenting the information required, it will be understood that they have withdrawn the complaint. If the person who receives the complaint is not capable of resolving the issue, it will be transferred to someone who can within a maximum of two (2) working days and the party involved will be informed of the situation. Once the full complaint has been received, the database will include a key that states "complaint being processed" and the reason for this, within a maximum of two (2) working days. This key must be maintained until the complaint has been settled. The maximum term to address the complaint will be fifteen (15) working days from the day after it is received. When it is not possible to address the complaint within said term, the party involved will be informed of the reasons for the delay and the date on which their complaint will be addressed, which, under no circumstances, may exceed eight (8) working days following the expiry of the first term.
9.2.2. Requirement of procedure.
The owner or success may only present a complaint before the Superintendency of Industry and Commerce once the consultation or complaint process with the entity responsible for processing or Processing Manager has been exhausted.
9.2.3 Procedure for consultations and complaints.
In compliance with the foregoing, Oasis Hotels & Resorts, S.A. de C.V. will respond to the consultation and/or complaint using the same means via which it was formulated.
The procedure established by Oasis Hotels & Resorts, S.A. de C.V. for the presentation of complaints, making of consultations and/or exercising of owner’s rights is as follows.
9.2.3.1. Reception of the complaint or consultation in any format, which may be identified on the website https://oasishoteles.com, sent in a letter addressed to the administrative offices at Blvd. Kukulcan Km 16.5-Lt45-47, Zona Hotelera, 77500 Cancún, Q.R., México.
9.2.3.2. Complaints and consultations may also be sent by email to info@oasishoteles.com, in compliance with Clause Two, Paragraph Two, ARTICLE 16 of Law 1266 of 2008, and Clause Two, Article 15 of Law 1581 of 2012.
9.2.3.3. For requests or consultations, ten (10) working days will be counted from the date they are received. If necessary, this term may be extended by up to five (5) further working days.
9.2.3.4. For complaints, fifteen (15) working days will be available to resolve them, in compliance with Clause Three of Article 16 of Law 1266 of 2008.
9.2.3.5. In exceptional circumstances, eight (8) additional working days will be granted to provide a response to the request, as long as the person making the request is notified.
9.2.3.6. Oasis Hotels & Resorts, S.A. de C.V., within the two (2) working days following reception of the complaint, will ensure that the database operator records or makes a note of the “complaint being processed”.
9.2.3.7. If it is not possible to resolve the complaint, two (2) working days will be granted to transfer the information to the corresponding entity.
9.2.3.8. Once a response has been given to the consultation or complaint made by the client, it will be sent to the address provided in the request or to the means via which the consultation or complaint was made.
9.2.3.9. In the event of doubts regarding the complaints, consultation and/or rights exercising procedure by the owner of data gathered by Oasis Hotels & Resorts, S.A. de C.V., general information may be requested from the Customer Service Department by email: info@oasishoteles.com
10. OBLIGATIONS OF Oasis Hotels & Resorts, S.A. de C.V. IN THE PROCESSING OF DATA
a. Guarantee the owner, at all times, the full and effective exercising of their right of habeas data.
b. Request and safeguard, under the conditions established by law, a copy of the respective authorisation granted by the owner.
c. Duly inform the owner of the purpose of data collection and the rights that correspond to them by virtue of the authorisation granted.
d. Take measures aimed at safeguarding the information under security conditions to prevent its unauthorised or fraudulent alteration, loss, consultation, use or access.
e. Strive to ensure the information supplied to the Processing Manager is truthful, complete, exact, updated, verifiable and understandable.
f. Update information, communicating all new aspects to the Processing Manager in a timely manner regarding the data that was supplied previously and adopt all measures necessary to ensure the information supplied is kept up-to-date.
g. Correct information when it is incorrect and communicate the relevant aspects to the Processing Manager.
h. Supply the Processing Manager, if applicable, with only the data for which processing has been previously authorised in compliance with the provisions outlined in law.
i. Demand that the Processing Manager respects the security and privacy conditions of the information at all times.
j. Process the consultations and complaints formulated in the terms outlined in law.
k. Adopt an internal processing policies manual to guarantee proper compliance of the law and, in particular, to address consultations and complaints.
l. Inform the Processing Manager when certain information is under discussion with the owner, once the complaint has been presented and the respective process remains incomplete.
m. Provide information, at the request of the owner, regarding the use of their data.
n. Inform the data protection authority when violations of security codes occur and when risks to the administration of information exist.
o. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
10.1. Obligations of the Data Processing Manager.
Processing Managers must comply with the following obligations, notwithstanding all other provisions established in law and any others that govern their activity:
a. Guarantee the owner the full and effective right to exercise habeas data.
b. Take measures aimed at safeguarding the information under security conditions to prevent its unauthorised or fraudulent alteration, loss, consultation, use or access.
c. Promptly update, correct or remove data in the terms established in law.
d. Update the information reported by processing entities within five (5) working days from when it is received.
e. Process the consultations and complaints formulated by owners in the terms established in law.
f. Adopt a document that guarantees proper compliance with law and, in particular, to address the consultations and complaints made by owners.
g. Record in the database a “complaint being processed” key as regulated by law.
h. Enter in the database the “information under legal discussion” key, once informed by the corresponding authority of legal processes related to the quality of the personal data.
i. Abstain from circulating information that is controversial or whose blocking has been ordered by the Superintendency for Industry and Commerce.
j. Allow access to the information only to the people who may access it.
k. Inform the Superintendency of Industry and Commerce when violations of codes of security and risks in the administration of information exist.
l. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
m. Safeguard databases that contain personal data.
n. Maintain confidentiality regarding the processing of personal data.
11. SECURITY MEASURES
Oasis Hotels & Resorts, S.A. de C.V. takes every reasonable precaution and technical, administrative and organisational measure to guarantee the safety of owners’ personal data, mainly those aimed at preventing its unauthorised alteration, loss, treatment or access. Security measures are applied to files and processing. The application of security measures aims to maintain the confidentiality, integrity and availability of the data.
12. MODIFICATIONS
Oasis Hotels & Resorts, S.A. de C.V. reserves the right to modify these information processing policies, either fully or partially. In the event of substantial changes to processing policies that refer to the identification of Oasis Hotels & Resorts, S.A. de C.V. and the aim of personal data processing, which may affect the content of the authorisation, Oasis Hotels & Resorts, S.A. de C.V. will communicate these changes to the owner when implementing the new policies at the latest.
13. GOOGLE API SERVICES USER DATA POLICY
Oasis Hotels & Resorts ORewards' use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.