UPDATES TO THE DATA PROTECTION POLICY IN ACCORDANCE WITH THE GDPR

ADDITIONAL INFORMATION ON DATA PROTECTION

1. Data of the Data Controller
In compliance with the provisions of the General Data Protection Regulation 679/2016, (hereinafter “RGPD”), and Law 34/2002 of July 11, on Information Society Services and Electronic Commerce, we inform you that the person responsible for the personal and professional data processed is:

Company name: VIAJES Y REPRESENTACIONES S.L (hereinafter the Controller),

Address: C/ FRANCISCO SILVELA 36, 1º OFIC 7, CP: 28028, MADRID, SPAIN

C.I.F: B85172948

Telephone: +34 677 32 38 36

Email directorcomercial@flyforvacations.com

We undertake to keep the information you provide us in the strictest confidentiality, avoiding unauthorized access, manipulation of information, loss or destruction. To do this, we will apply the security measures established by the applicable regulations and all those that our resources and modern technology allow us. Please note that in many cases, it is essential that you provide the information we request in order to enjoy the benefits of our website.

2. Scope of application
This Policy applies to all Clients to whom the Controller provides services that involve the processing of personal and professional data.

3. Data we process about our Clients
The categories of personal and professional data that we process are the following:

Identification data: name, surname, identity documents, address and telephone number.
Postal and electronic mail addresses.
No specially protected data is processed.

4. Treatment purposes
The purposes for which we process your personal and professional data are the following:

Properly provide the contracted services.
Manage the contractual relationship, prepare offers or requested budgets.
Carry out billing, accounting and tax management corresponding to the contracted services.
Send you commercial information through newsletter, news, information about events, offers, promotions and launch of new services.
Check the veracity of your information.
Respond to your queries, requests, complaints, suggestions.
Communicate with you for organizational issues related to the services.
Compliance with legal obligations applicable to the Controller, and collaborate with authorities that require information from us.
We will communicate with you through electronic means such as SMS, WhatsApp, email, ordinary mail. You can always object to the receipt of information through all or some of these means. In each communication we will inform you about the cancellation procedures.

5. Data transfers to third parties and international transfers
For the management of the purposes inherent to the development and fulfillment of the object of the contract and to adequately provide the services you request from us, it may be necessary and mandatory for the provision of the service that your data may have to be communicated to the different providers, such as companies. airlines, shipping companies, hotels, local car rental agencies, and other service providers related to your request, who will be obliged to use the data, solely and exclusively, to comply with the purpose of the contract.

These providers, depending on the country of destination of your trip, may be located in third countries for which it is necessary to carry out an international data transfer. The Company requests those companies with which we share your personal information to apply the same level of information protection as we do.

Your data will be transferred to public administrations and organizations of the judicial system or security forces or bodies when the Company is required to present information.

We will not communicate your data to third companies except those indicated above, without your authorization, unless said transfer must occur due to legal imperative or because it is essential to comply with the contractual relationship.

6. Data retention criteria
Personal and professional data will be kept during the contracted provision of services, and as long as the right to deletion is not exercised. Once the contractual relationship has concluded or the right to deletion has been exercised, we will keep the information securely, as long as you do not request its cancellation or express your desire not to receive advertising. The information that for legal reasons we must keep in accordance with Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism, will be stored for a maximum period of 10 years from the end of the contractual relationship. , mandatory conservation period established by said standard.

If the information is necessary for the exercise of legal or contractual actions, it may exceptionally be kept for a longer period than indicated. After the period, the data will be destroyed.

7. Outsourcing
The Client expressly authorizes the Controller to contract the services in whole or in part with third parties whose intervention is deemed appropriate for the proper development of the services. In this case, the Controller is obliged to sign a contract with the subcontracted third party that stipulates the obligations that it must comply with in relation to the protection of personal data, in particular, compliance with the same protection obligations will be required. of data to which the Controller has committed to its clients, as well as sufficient guarantees of application of appropriate technical and organizational measures so that the processing complies with the applicable regulations.

The Controller will be diligent in selecting suppliers by applying mechanisms to verify the level of compliance with data protection regulations, with the aim of mitigating risks that may affect the security of the information.

8. User Rights
The RGPD includes a series of rights in favor of the people whose data is processed. This section offers information on how to exercise the rights that assist you as a Client regarding your personal data. You can exercise all the rights mentioned below by sending your request to the email: directorcomercial@flyforvacations.com, attaching a copy of your identity document. Please note that we may ask you for additional information to verify your identity before proceeding with your request. The interested party, without prejudice to any other administrative appeal or judicial action, will have the right to file a claim with the Spanish Data Protection Agency through the electronic headquarters at: www.agpd.es.

1.Right of access:
The right of access allows the interested party to know and obtain free information about their personal data undergoing processing. You may ask us to tell you what information we hold about you.

2.Right to rectification:
This right is characterized because it allows you to correct errors, modify data that turns out to be inaccurate or incomplete and guarantee the certainty of the information being processed. You must inform us of any changes to your details and will be responsible for updating your information.

3.Right of cancellation/deletion/forgetfulness:
The right of deletion allows data that turns out to be inadequate or excessive to be deleted, unless the data must be retained by legal imperative or be subject to legal or judicial action.

4.Right to object:
The right of opposition is the right of the interested party to not have the processing of their personal data carried out or to cease processing it for certain purposes. You may object to the processing of your data by indicating the specific purposes object of the opposition.

5.Portability Right:
The right to portability will allow you to request a copy from us in a structured, commonly used and machine-readable format of your personal data.

F. Right of Limitation:
The right to data limitation allows you to limit the use and request restrictions on the processing of your personal data.

9. Security measures
When processing your information, we apply appropriate security measures depending on the type of data. Our goal is to prevent unauthorized third-party access, theft, loss or unauthorized disclosure of your information. However, even if we apply all possible security measures, the risk of a technical or human failure occurring with respect to the information will never completely disappear, for this reason we ask that if you detect any incident or have indications that your information may be in risk, please contact us so we can investigate the incident and offer solutions. The measures we apply to protect your information are mainly the following:

1.We maintain a record of processing activities referred to in article 30 of Regulation (EU) 2016/679.
2.We have implemented identification and authentication systems to prevent unauthorized access;
3.We implement pseudonymization when possible and resources allow.
4.We encrypt personal data and confidential information for sensitive data that we access due to the service provided;
5.We implement measures to guarantee the confidentiality, integrity, availability and permanent resilience of processing systems and services such as antivirus, firewalls;
6.We implement a backup and recovery system to be able to quickly restore availability and access to personal data in the event of a physical or technical incident;
7.We maintain control of the access made to the information that may be processed during the services;
8.We implement an effective incident management procedure, which allows us to detect incidents related to the confidentiality of information, and their immediate resolution;
9.We adequately inform and train employees and managers in confidentiality obligations and in maintaining the technical and organizational measures implemented, collecting their confidentiality and compliance commitments in writing.
10.We have approved a Data Protection and Business Resource Management Policy, known and accepted by all members of the organization.

10. Applicable law and jurisdiction
This Policy will be governed by Spanish and European legislation, especially the RGPD. Any controversy will be resolved before the courts corresponding to the domicile of Madrid.