Privacy policy

Who is Responsible for the Processing of Personal Data?

Data Controller : Boix Restaurant Vilamarí SL (the “Data Controller ”)
Tax ID : B55315089
Address : Ctra. Banyoles – l’Escala Km: 7.5, 17468, Vilamarí (Girona)
Email : info@canboixvilamari.com

 

For what purpose will personal data be processed and what is the basis of legitimation?

The Controller will process identification and contact data (name, surname, email, ...) as well as the data indicated in the body of the message, which you have provided directly through the contact address provided on the Website or through the contact form or through the link to the Controller's WhatsApp for the purpose of managing and responding to the communication initiated by the user. The basis of legitimation for the processing of the data is the relevant actions to respond to the contact (art 6.1 b) RGPD).

The Controller will process identification and contact data (name, surname, email, telephone address, etc.) and bank details for the purposes relating to the purchase of the gift voucher, which are the management and completion of the purchase through the Website, to issue the relevant invoice, if applicable, and to meet the tax or legal obligations arising therefrom. The basis of legitimacy for the processing of the data is the actions for the execution of the service and contract (art 6.1 b) GDPR). 

The Data Controller will process identification and contact data (name, surname, email, etc.) as well as other data indicated by the User, for the purpose of managing and responding to the user's reservation request. The basis of legitimacy for the processing of the data is the relevant actions to carry out the user's request (art 6.1b GDPR).

The Controller may also access the user's identification and navigation data on the Website (IP, location, browser version, ...), resulting from the cookies installed. The necessary cookies are processed for the purpose of providing the services intended for the website and the accessory cookies are installed for analysis and statistics purposes with the aim of improving the services and content and performance of the Website. The user can consult more detailed information, regarding the purposes of the processing for the installation of cookies, in the Cookies Policy . The basis for legitimation of the processing of the necessary cookies is the legitimate interest (art 6.1 f) GDPR) and the basis for legitimation of the accessory cookies is the user's consent (art 6.1 a) GDPR).

Who are the recipients of the data?

The Data Controller is the main recipient of the data, however, these may be accessible by third-party service providers of the Data Controller when required by reason of the contracted services, as is the case of access will be regulated in accordance with compliance with legal obligations to that effect, specifically in accordance with those of article 28 of the GDPR. In the case of the Website, the Data Controller has third-party providers such as the provider of the SquareSpace website, and with regard to the services that the Website offers, it has third-party providers for the Myresto reservation and for the management of the SquareSpace purchase and the banking gateway. In any case, the third-party service providers mentioned will not process the data for their own purposes or different from those for which they have been provided, nor will they exceed the relevant purposes for the provision of the contracted services and, in no case, will they make them available to third parties, sell them or rent them.

The Data Controller will not transfer the data to third parties without prior informed consent, in accordance with the legally required requirements, from the user.

The Data Controller may transfer the data to third parties in cases of legal obligations, without the need to require the user's consent.

How long will the data be kept?

The Data Controller will process the data as long as it is necessary to carry out the purposes for which it was provided, during the legal period of 4 years, however the user may request its deletion at any time.

Even if the user requests the deletion of their data, the Data Controller may keep them duly blocked for the period necessary to meet related legal obligations or to make them available to third parties with the relevant competence for the fulfillment of legal obligations.

Will international transfers be made with the data?

Your data is not subject to international data transfers, which means outside the European Economic Area (“ EEA ”). Without prejudice to the above, the Controller may have relationships with service providers located or who provide services outside the EEA. In this regard, the Controller assures the user that their personal data subject to international transfers will be protected with the appropriate legal guarantees and, in any case, complying with the legal measures established by the legislation to that effect, which may consist of standard clauses or third-party certifications approved by the European Union.

Is the data subject to automated decisions or profiling?

The data is not subject to automated decisions or the creation of profiles resulting from data processing carried out by the Website Manager.

The Controller, as a result of the installation of accessory cookies accepted by the user, may create profiles of the processing of their browsing data, with the purpose of adapting the Website to their preferences, making improvements and statics of the contents and services of the Website. The creation of profiles for the processing of cookie data is strictly linked to the consent of their installation. The user can obtain more information in relation to cookies and how to manage them by consulting the Cookies Policy .

 

What are your rights?

Current legislation grants a series of rights to users due to the processing of their data, which are summarized below:

1. Right of access: the user will have the right to know their personal data processed by the controller and the purposes.

2. Right of rectification : the user can request the rectification/update of their data at any time.

3. Right to erasure: the user may request, at any time, that their personal data be erased from the controller's files. However, as indicated in the data retention section, in certain circumstances, compliance with current legislation may prevent the effective exercise of this right.

4. Right to object : the user may object to the processing of their data in relation to any of the purposes for which the controller processes their data, in accordance with the privacy policies applicable in each case.

5. Right to limitation of processing : the user may request the limitation of processing in the following cases:

a. If you consider that the data is not correct or accurate;

b. If you consider that your data is not being processed legitimately, but prefer that we limit the processing of the same to its elimination;

c. If the data is no longer necessary in accordance with the purpose for which it was collected, but needs to be retained to file legal claims;

d. If, having exercised the right to object to any processing, a response in this regard is pending from the person responsible.

6. Right to the portability of your data:

The user will have the right, whenever technically possible and reasonable, to request that the personal data they have provided directly be communicated to another data controller.

 

How can you exercise your rights?

Although your data has been acquired through your consent, the user may revoke it at any time, without any consequences beyond, according to the right exercised, not being able to provide you with certain services.

The exercise of rights by users must be in the terms and conditions provided for in current legislation by contacting the Controller by any of the following means:

(i). Email addressed to info@canboixvilamari.com

(ii). Postal mail addressed to: Can Boix, Ctra. Banyoles – l'Eskaka Km:7.5., 17468, Vilamarí (Girona

The user may file a complaint with the Competent Control Authority in matters of data protection, if they consider that their data have not been processed lawfully or that their requests or rights have not been met. The Competent Control Authority is the Spanish Data Protection Agency ( www.aepd.es ).