Legal notice

In accordance with Article 10 of Act 34/2002 of 11 July on Information Society Services and Electronic Commerce, we inform you that the site and domain gnahotelsolutions.com belong to GNA SERVEIS TELEMÀTICS SL, with address at Plaça Independència 18, 3 1 – 17001 Girona (Spain), telephone +34 972 209 189 and e-mail info@gnahotelsolutions.com.

GNA Serveis Telemàtics SL’s tax code is B-17456773. This company is registered in the Mercantile Register of Girona, volume 868, book 0, section 8, sheet 62, page GI-16478, entry 1a. 

Privacy policy

In accordance with the regulations in force concerning data protection, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation (GDPR); Organic Law 15/1999, of 13 December, regarding Personal Data Protection; and Royal Decree 1720/2007, of 21 December, approving the Implementing Regulations of Organic Law 15/1999, the Data Protection and Privacy Policy of our company is as follows:
Personal Data Controller:
The personal data controller is the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of the processing. In this case, the details of the data controller are:
· Identity: GNA Serveis Telematic SL
· Company Tax No.: B-17456773
· Postal Address: Plaza Independència 18 1r-3ª de Girona (Spain)
· Telephone: +34 972 209 189
· Email Address: info@gna.es
GNA Serveis Telematic SL as the data controller and person responsible for the website, in accordance with the legislation in force, and specifically, what is laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (GDPR), as well as Spanish Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSICE), you are informed that we have implemented appropriate technical and organisational measures in accordance with the state of the art and the cost of their implementation with regards to the risks and nature of the personal data processed to guarantee and protect the confidentiality, integrity and availability of the personal data.
Personal data:
Personal data is any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
There is a wide range of information that can be classed as personal data, for example: name, contact details, identification number, computer IP address, etc. For further details about this information, you can consult the website of the Spanish Data Protection Agency (http://www.agpd.es) or the website of the Catalan Data Protection Authority (http://apdcat.gencat.cat/), among others.
Processing of data:
“Processing” is defined as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
Purpose of processing of data:
Why do we process personal data?
Personal data provided by data subjects will be processed for the following purposes:
  • Booking, registering and contracting products: Managing and executing the provision of the services and/or products contracted or requested by data subjects, as well as the actions required to carry out the contractual relationship with the data subject, including informing, processing, managing, modifying and any other operation needed to manage the booking or purchase as well as subsequent billing and payment. Usage analysis may be carried out based on a data subject’s purchase and booking history. Automated decisions that have legal effects may not be made under any circumstances.
  • Querys: To answer, respond to and follow up consultations and requests made by the data subjects and/or provide information requested by the user.
  • Job list: Evaluating and managing your CV and the academic and professional details you have provided, for the selection processes you registered for or which meet your professional profile, and carrying out the actions needed to select and hire staff, including contacting you for further information or to arrange an interview if the data subject has registered on the form to work with us and/or has provided his or her CV.
  • Notification of changes to the privacy policy: Notifying or informing of changes in the Data Protection and Privacy Policy, legal notice or cookies policy.
  • Statistics: Carrying out market studies and preparing statistics for our products and services, without automated decision-making being performed in any case. The company informs you that it will not process your personal data for any purpose other than those listed in this section, except where there is a legal obligation or injunction. Personal data will not be subject to automated decision-making that produces legal effects for the data subject.
How long will we keep your personal data?
The personal data you provide will be stored for the time required to provide the service requested or contracted and for a maximum period of 5 years from the last confirmation by you of the existence of an interest in us keeping your data. This is without prejudice to possible longer retention for the purpose of compliance with possible legal obligations and for the exercise and monitoring of any legal and judicial actions that might be relevant. After the periods mentioned have elapsed, we will delete the personal data.
Basis for processing of data
The legal basis for processing of your personal data is the free and legitimate acceptance of the legal relationship by the user in the moment he or she accepts this personal Data Protection and Privacy Policy. Similarly, the legitimation for processing your data is set out below for each of the personal data processing purposes previously identified:
  • Booking, registering and hiring products: The legal basis for the processing of your personal data is the contractual relationship and, where appropriate, the precontractual one, established between the parties for the supply of the services and/or products contracted or requested by the data subjects, and specifically, to execute the booking of our establishment’s services and products that you have made, in accordance with the terms and conditions stated in the Terms and Conditions section, and to comply with the corresponding commercial, tax and accounting obligations. All of this is based on what is laid down in points (a) and (b) of Article 6(1) of the GDPR. Refusal to provide the personal data requested for the booking will, therefore, make it impossible to complete the contract or booking requested. For more information about contracting our products and services, consult the Terms and Conditions of Contracting section. Once the booking has been made, the data subject will receive a confirmation email with the details of the booking.
  • Questions: The legal basis for the processing your personal data is the possibility of responding to questions freely asked by data subjects. This processing is based on what is laid down in parts (a) and (b) of Article 6(1) of the GDPR.
  • Advertising our products and services: If the data subject has marked the box corresponding to agreeing to receive commercial publicity communications (newsletters), the legal basis for sending advertising for products and services is the data subject’s own free and express consent, which he or she may withdraw at any time, without the withdrawal of consent for this purpose affecting the execution of the room booking contract where appropriate. This processing of data is based on what is laid down in point (a) of Article 6(1) of the GDPR. Refusal to provide the personal data requested will, therefore, make it impossible to sign up for the newsletter or receive commercial communications with information about our products or services. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal If you want to withdraw your consent, see the “Data subjects’ rights” section.
  • Job list: If the data subject has registered on the form for working with our company and/or has sent us his or her CV, the legal basis for processing of his or her data is his or her free acceptance and consent for processing of this personal data and evaluating and managing his or her job application based on what is laid down in points (a) and (b) of Article 6.1 of the GDPR. Refusal to provide the personal data requested will make it impossible to process the job application.
  • Notification of changes to the privacy policy: The legal basis for processing the data in this case is the need to notify data subjects of any changes that might be implemented in the company’s privacy policy, and in their free acceptance and consent for this processing based on what is laid down in points (a) and (b) of Article 6.1 of the GDPR.
  • Statistics: The legal basis for processing data to carry out market studies and preparing statistics about our products and services, without automated decision-making being performed in any case, is the free acceptance and consent of the data subject for this processing, based on what is laid down in point (a) of Article 6.1 of the GDPR. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal If you want to withdraw your consent, see the “Data subjects’ rights” section.
Recipients of data transfers.
Personal data will be shared with other companies in the group of undertakings for purposes connected to the processing of the personal data of clients or users. In order to better deliver the services requested from us, we provide certain data to processors with which we have signed the corresponding contracts regarding data protection. In these cases, the data provided is only that strictly necessary for the specific activity to be performed. Services which can be processors include but are not limited to: suppliers of IT services, security companies, tax or legal advice, etc. This list­ is provided as an example and the company may use services from companies from other business sectors in order to provide quality services. Outside of these cases, no data transfer within or without the EU is foreseen. Information will also be provided to third parties if this is required by the regulations in force or when there is an injunction (public authorities, courts and tribunals, law enforcement agencies and security services, tax agency, etc.)
  • Rights of data subjects
  • As a data subject you have the following rights:
  • Right to access: any person has the right to know and obtain information on the personal data we process.
  • Right to rectification: data subjects have the right to request the rectification, completion and/or correction of inaccurate, incorrect or incomplete data.
  • Right to erasure (also known as “right to be forgotten”): data subjects, if they wish,  will have the right to request the erasure of the personal data concerning them, among other reasons, when the data are no longer necessary for the purposes for which they were collected.
  • Right to cancellation: data subjects can request the cancellation of their data.
  • Right to object: data subjects can object to the processing of their data for marketing purposes, including profiling, and in the other cases specified in Article 21 of the GDPR. If you request it, the company will stop processing your data, unless there are compelling legitimate grounds or to bring or defend possible claims.
  • Right to restrict processing: in certain circumstances laid down in Article 18 GDPR, data subjects can request restriction of the processing of their data. In this case, we will only store it to bring or defend possible claims. Specifically, you have the right to limit processing in cases in which:
    • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
    • The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
    • The controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.
    • The data subject, for reasons relating to his or her particular situation, has objected to the processing of his or her personal data based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and/or the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, pending verification of whether the legitimate grounds of the controller override those of the data subject.
  • Right to data portability: The data subject shall have the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, pursuant to article 20 of the GDPR.
  • Right not to be subject to automated individual decision making: data subjects have the right not to be subject to a decision based on the automated processing of his or her data which produces legal effects.
  • Right to withdraw previously-given consent: data subjects have the right to withdraw consent previously-given consent at any time. Withdrawal of consent will not affect the legality of processing carried out before the withdrawal of consent. Data subjects can obtain additional information about their rights from the website of the Spanish Data Protection Agency (http://www.agpd.es) or the website of the Catalan Data Protection Authority (http://apdcat.gencat.cat/).
How can you exercise your rights?
You can exercise your rights by writing to the postal address Plaza Independència 18 1r-3ª de Girona (Spain) or the email address info@gna.es, with the subject “Personal Data”, attaching a photocopy of your identity document or any similar method established in law.
What complaint procedures are available?
If the data subject believes his or her rights have not been appropriately respected, he or she has the right to present a claim with the Spanish Data Protection Agency or any competent supervisory authority.
Information processed. What categories of personal data do we process?
We try to ensure that the information we request and process is the minimum necessary to manage the purposes that appear in this Data Protection and Privacy Policy.
Our company can process the following categories of personal data:
  • Identifying data: name and surname(s), identification number, country, etc.
  • Postal and email addresses and telephone numbers.
  • Economic and financial information for managing bookings and the subsequent invoicing and billing of the service requested.
  • Data relating to the products and services booked
  • Access codes and identification keys if the data subject has registered as a user in the “My bookings” section or in the “Club”.
  • Website navigational information. For more information, see the cookies section.
These are not specially protected data or special categories of data. The categories of data subjects whose personal data we process are the people interested in our company’s products and services and in contracting or booking them. Persons who register with the job list or submit their CVs will also be classed as data subjects. The data subject guarantees that the personal data he or she provides is truthful and accepts responsibility for notifying the company of any modification to it or error in it, and so answers for its truthfulness and accuracy at all times. If the data subject intends to disclose the personal data of third parties, he or she must first notify the third party and obtain his or her consent, in accordance with our Data Protection and Privacy Policy. Therefore, if the user enters the personal data of a third party, he or she declares and guarantees that he or she has the third party’s consent to disclose this data and for its subsequent processing by our company, and that he or she has previously informed the third party whose data it is of the content of this Data Protection and Privacy Policy.
Personal data we collect automatically.
When the data subject visits our web pages, we collect certain information automatically, including whether he or she makes a booking or hires a service in the end. This information may include the IP address, the date and time when our services were accessed, information about the hardware, software or web browser used and the language selected, among others. This information allows us to improve the services and user experience of our website, and identify potential fraudulent use and attacks on the security of our website, as well as preparing statistics on the use and effectiveness of the website. This data will not be kept unless fraudulent use or an attack on the security of the website is detected. In no case will automated decision-making based on this information which produces legal effects for the user be used. For more information, see the cookies section.
Sending communications
Whenever the data subject makes a booking or contracts a service or product, he or she will be sent an email confirming the booking or contracting and giving information about it. In addition, we may contact the data subject for the purpose of informing him or her of any modification or news relating to it. Furthermore, the company may send commercial communications relating to the products or services it offers on condition that the data subject has expressly and specifically given consent for this by ticking the box provided for this purpose or by any express statement of consent for it. The data subject may withdraw his or her consent to receive any type of commercial communication at any time by sending a message in the terms stated in the “Rights of data subjects” section. In addition, this option will also be offered to the data subject in every commercial communication he or she receives via email or SMS.
Provision of personal data by minors
The services offered through this website are only available to persons of legal age. Persons who are not of legal age must not provide personal data in the website.
Links to third-party websites
Our website might contain links to the websites of third-party companies and entities.  As we cannot accept responsibility for how these companies handle the protection of their users’ privacy and personal data, we advise you to read closely the privacy policy statements relating to the use, processing and protection of personal data of these websites that do not belong to the company.
Social media
Our company uses social networks to publicise its services and products and share information and experiences with users and followers. As we cannot accept responsibility for how these companies handle the protection of privacy and of personal data, and as each of them has its own policy in this matter, we advise you to read closely the privacy policy statements of each social network regarding how they process their users’ personal data before using them.
Changes to the privacy policy:
The company reserves the right to modify this Data Protection and Privacy Policy in accordance with the processing of data it carries out and with the applicable legislation at all times. If it does modify it, notification will duly be given on the website and so we recommend that data subjects periodically check it to stay informed of how the company processes and protects their personal data.
Questions and doubts
If you have any questions or doubts about this privacy policy, please contact us by sending an email to info@gna.es with “Privacy Policy” as the subject.