1 - Introduction
This Privacy Notice ("Notice") establishes how COMPASSO protects the privacy of the Personal Data of our employees, customers, partners or any other entity with which COMPASSO relates in the context of its activity.
Being a travel agency, COMPASSO need to collect, use, and disclose Personal Data to perform the functions and business activities, including carrying out and managing travel reservations on behalf of our clients. In COMPASSO we are committed to protect the privacy and confidentiality of Personal Data and to maintain the various physical, digital, human and process related controls.
In the context of the General Data Protection Regulation 2016/679 ("GDPR") COMPASSO is a "data controller" of any personal information that is shared in the context of our relationship with our clients or other interested parties.
By providing us Personal Data, stakeholders agree that this Notice apply to how we deal with Personal Data and consent that Personal Data is collected, used, and disclosed as detailed in this Notice. If stakeholders do not agree with all or part of this Notice, the stakeholders should not provide us their Personal Data. If stakeholders do not provide us their Personal Data or withdraw their consent according to this Notice, that could affect our ability to provide the services or negatively affect the quality of services provided. For example, most travel bookings must be made under the traveller's full name and must include contact details and appropriate identification (e.g. passport details). We cannot make reservations without this information. There may be cases where local data protection laws impose treatment practices more restrictive than the practices defined in this Notice. When that occurs, we will adjust our data processing practices to comply with these local laws data protection.
2 - What Personal Data do we collect?
Personal Data have the meaning given by the local data protection laws and, where the GDPR applies, the meaning given under the GDPR. Personal Data usually mean data related with a living individual who can be identified from that data; or is identifiable from the combination of that data and other available data.
Generally, the type of personal information we collect is necessary to facilitate travel arrangements, support reservations or to arrange services and / or products relating to travel on behalf of our clients.
In this regard, we usually process the following types of Personal Data about our customers:
• Contact information (such as name, address, telephone number, email address);
• Payment data;
• Passport detailed data;
• Data on dietary needs and health problems (if any); and
• Other details relevant to the travel plans or required by the relevant travel service provider(s) (e.g. provider of accommodation or other tourism services).
When our customers contact us for other purposes, Personal Data related to those purposes may also be collected. For example, we may collect personal information so that we may contact our customers to respond to a question or comment they have sent us.
We also collect data necessary for use in the business activities of COMPASSO and our related entities, including, for example, financial details required to process multiple transactions, video surveillance images used for security purposes, or other relevant Personal Data you may choose to provide us.
In some circumstances, we may collect Personal Data from our customers that may be considered sensitive data in accordance with local data protection laws. Sensitive data may include (without limitation) racial or ethnic origin, philosophical or religious beliefs or affiliations, sexual preferences or practices, criminal history and the alleged commission of an offense, affiliation to political, professional, or commercial associations, biometric and genetic information, financial data, and health data. We will only collect sensitive data in accordance with local data protection laws, with explicit consent of the subject and where the data is reasonably necessary or directly related to one or more of our functions or operational activities (for example, travel), unless required or permitted to do so by law.
To the extent permitted or required by local data protection laws, our customers consent that we use and disclose your sensitive data solely for the purpose for which it was collected, unless we subsequently receive your consent for another purpose. For example, if our clients provide us with health information related to travel insurance that they wish to do, customers consent that we use and disclose such health information on their behalf in the contacts made with the entity that promotes such travel insurance. Another example is when our customers can divulge their religious beliefs because they are interested, for example, in certain vacation packages, the use and disclosure of this information to make the trip operational. We will not use sensitive data for purposes other than those for which it was collected, unless we receive consent for another purpose.
3 - How we collect Personal Data?
We will only collect Personal Data in accordance with local data protection laws. We generally collect Personal Data in the context of contacts with our customers. We will collect this data directly from our customers, unless it is unreasonable or impractical to do so.
Generally, this collection will occur when customers:
• contact us in person, by phone, letter, e-mail;
• visit us through our website; or
• contact us through social networks.
We may also collect Personal Data when:
• purchase or ask questions about travel plans or other products and services;
• sign up to receive marketing communications (for example, e-newsletters);
Unless they choose to do so under a pseudonym or anonymously, we may also collect Personal Data from our customers in the context of surveys or when they provide feedback.
In some circumstances, it may be necessary to collect Personal Data from our customers from third parties. This includes cases where a person makes a travel reservation on behalf of another person (s). When this happens, we have the authority of the person making the travel reservation to act on behalf of any other traveller in the reservation, as well as with the consent of that person to collect, use and disclose Personal Data in accordance with this Notice. Our clients should inform us immediately if they know that their personal information has been provided to us by another person without their consent or if they have not obtained the consent before providing us with the Personal Data of another person.
We make every effort to maintain the accuracy and completeness of the Personal Data we store and to ensure that all Personal Data is up-to-date. However, any interested party may contact us immediately if there is any change to their Personal Data or if they are aware that we have inaccurate Personal Data (see section 12 below). We will not be liable for any losses arising from any inaccurate, defective, or incomplete personal information that the Interested Parties, or anyone acting on your behalf, may provide to us.
4 - How do we use Personal Data?
We will only process Personal Data when:
• Consent has been given for such processing (which may be withdrawn at any time, as detailed in section 7 below);
• Processing is necessary to provide our services;
• Processing is necessary for compliance with legal obligations; and / or
• Processing is necessary for our legitimate interests or for any third party receiving Personal Data (as detailed in sections 5 below).
When you contact us regarding an inquiry or travel reservation, the purpose for which we collect your personal information is generally to provide you with travel advice and / or to help you book travel-related products and services.
When a customer makes a reservation or organizes travel-related products and services with our support, we generally act as an agent for travel service providers (e.g. for a hotel).
In this case, we process Personal Data as necessary to provide the requested services. This usually includes the collection of Personal Data for internal purposes as described in this Notice, and for the travel service provider for whom we act as an agent (for example, to provide contracted services).
We may share data with our travel service providers (hotels, car rental companies or other providers related to travel reservations). These travel service providers may also use the Personal Data as described in their respective privacy policies for additional information that facilitates booking the trip or providing the services requested. We recommend that our Customers review the privacy policies of any travel service providers that are purchased through COMPASSO. We will provide copies of all relevant terms, conditions, and privacy policies of travel service providers upon request.
If there is any concern regarding the transfer of Personal Data to a travel service provider, or if further information is required, please refer to section 12 of this Notice.
The purposes for which we collect Personal Data also include:
• identification of fraud or errors;
• legal or regulatory compliance;
• develop and improve our products and services;
• maintaining or improving the relationship with our Clients, namely by creating and maintaining a customer profile that allows the delivery of a service aligned with their preferences;
• internal organization and accounting;
• compliance with applicable legal obligations; and
• other purposes as authorized or required by law (e.g. to prevent a life threatening, health or safety protection, or to enforce the legal rights of COMPASSO).
Where permitted by local data protection laws, we may use Personal Data to perform marketing activities related to our (and third party) products and services that we believe may be of interest to our Customers, unless they have requested to not receive such information. Customers can sign up to receive e-newsletters and other promotional / digital marketing materials by following the relevant links on our website or requesting one of our collaborators to do so.
Any individual who does not wish to receive promotional / marketing material from us, participate in market consultations or receive other types of communication should refer to sections 7 and 12 of this Notice.
5 - What personal information is disclosed to third parties?
At COMPASSO we do not sell, rent, or exchange Personal Data. Personal Data will only be disclosed to third parties in accordance with the provisions of this Notice and in accordance with local data protection laws (note: in this Notice the reference to "disclosing" includes transferring, verbal, or written sharing, sending, or making available data to another person or entity).
Personal Data may be disclosed to the following types of third parties:
• contracted entities, suppliers, and service providers, including:
• in each of the circumstances described in section 4 ("How do we use Personal Data?");
• providers of ICT solutions that support us in delivering products and services (such as any external data-hosting providers we can use);
• publishers, printers, and distributors of marketing material;
• organizers of events and exhibitions;
• external consultants (such as lawyers, accountants, auditors, or recruitment consultants);
• travel service providers such as travel wholesalers, tour operators, hotels, car rental companies, transfer managers and other related service providers;
• any third party to whom we assign or transfer any of our rights or obligations;
• people making travel reservations on behalf of others (for example, a family member, friend, or co-worker);
• as required or authorized by applicable law, and to comply with the legal obligations of COMPASSO;
• government agencies or public authorities to comply with valid and authorized requests, including court orders or other valid legal process;
• regulatory authorities or law enforcement authorities, including for fraud protection and related security purposes; and
• supervisory agencies where there is suspicion of illegal activity and that the Personal Data are a necessary part for investigation or denunciation of the subject.
In addition to the above, we will not disclose personal information without consent, unless we believe disclosure is necessary to reduce or prevent a threat to life, health or safety of an individual, public health or safety, or for an action (e.g. prevention, detection, investigation, or punishment of criminal offenses), or where such disclosure is authorized or required by law (including applicable data protection / privacy laws).
On the websites or social networks of COMPASSO users may choose to use certain thirdparty resources with which we associate. These features, which may include social networking tools and geo-localization, are operated by third parties, and are clearly identified as such. These third parties may use or share Personal Data in accordance with their own privacy policies. We recommend consulting third-party privacy policies if you consider these relevant tools.
6 - Information security
At COMPASSO we are committed to protecting Personal Data by implementing and maintaining appropriate technical and organizational control measures to ensure a level of safety aligned with the risks related to: accidental or illegal destruction; loss; unauthorized alteration or disclosure; or improper access to Personal Data transmitted, stored, or processed. COMPASSO regularly monitors and reviews security controls and strives to protect Personal Data in the same way that it protects sensitive Business Information.
COMPASSO destroys or de-characterizes Personal Data whenever they cease to be relevant to the business or as required by law.
7 - Rights in relation to the Personal Data we collect
Should any interested party that COMPASSO have Personal Data intend to:
• update, modify, delete, or obtain a copy of Personal Data; or
• restrict or prevent COMPASSO from using any personal information, including withdrawing any consent you have previously given for the processing of such information; or
• obtain a copy of personal information that has been processed based on the consent or as required to perform a contract.
Interested parties must formally submit the request to COMPASSO through the contacts identified in section 12 of the Notice. After the request will be given an acknowledgment of the same and information will be given on the deadline within which the information will be made available.
COMPASSO will make every effort to respond to such requests within one month or less, although it may be necessary to extend this period for complex requests.
In addition, COMPASSO reserves the right to deny access to the Information for any reason permitted by applicable law. If the request for access or correction of the Information is denied, the reasons for such refusal will always be communicated in writing, unless it is unreasonable to do so or when required by local data protection laws.
All communications related to requests for access to Personal Data must be made formally in writing to the Data Protection Officer through the contacts indicated in section 12 of the Notice.
If COMPASSO is requested to restrict or stop using Personal Data, withdrawing the consent previously provided for the processing of Personal Data, the ability to provide services or the quality of services may negatively impact the services. For example, most travel reservations must be made under the traveller's full name and must include contact details and appropriate identification (e.g. passport details), and reservations cannot be made without this information.
Personal Data shared with COMPASSO should be accurate and individuals agree to update them whenever necessary. In addition, they agree that, in the absence of any update, COMPASSO may assume that the submitted data is correct.
Any individual may at any time ask COMPASSO to stop sending marketing communications and may use the cancellation links provided in the marketing emails or through the contacts indicated in section 12 Notice.
In any of the situations listed above, it may be requested to provide a valid means of identification that the applicant proves his / her identity and thus ensure that COMPASSO fulfils its security obligations and prevents the unauthorized disclosure of Personal Data.
COMPASSO reserves the right to charge a reasonable administrative fee following any manifestly unfounded or excessive requests regarding access to Personal Data or for any additional copies of Personal Data requested.
8 - Integrations with Social networks
COMPASSO websites and mobile applications can use social networking features and tools (like "Like" and "Share" buttons), ("Social Networks Resources"). These features are provided and operated by outside companies (for example, Facebook) and hosted by outside companies or directly on our website or mobile application. Social Networks Resources may collect data related to the page visited on the website / mobile application, the IP address and may set cookies to allow the RS Feature to function properly.
If the user has activated social networking accounts, then they may be able to share data about visiting and using our website or mobile application with social network accounts.
Likewise, interactions with RS resource can be registered by third parties. In addition, the external company may share with COMPASSO personal data in accordance with its policies, such as your name, profile picture, friend lists or any other information you have chosen to make available, and we may share data with the outsourced company for promoting the marketing directed through the platform of social networks. Users can manage data sharing and turn off targeted marketing in the privacy settings of their social networks.
9 - IP Addresses
When a user accesses the website, uses any mobile device or digital matches of the COMPASSO servers, they can record data relating to the device or network that the user uses, including the IP address. An IP address is a series of numbers that identify a computer and are usually assigned when you access the Internet.
COMPASSO website does not keep visitors' ip's. IP can only be used to redirect users to the site version in their language depending on the IP they present.
10 - Tracking Technologies / Cookies
COMPASSO may use web analytics services from outside vendors on their websites and mobile applications, such as those listed in the "Cookies Policy". Providers of these services may use technologies such as cookies and web beacons to help analyse visitors using websites and applications.
11 - Associated websites
COMPASSO websites may contain links to third-party sites over which COMPASSO has no control. Is not responsible for the privacy practices or the content of any associated websites. COMPASSO recommends reading the privacy policies of any associated websites that are visited, as their privacy policies and practices may be different from those of COMPASSO.
12 - Feedback / Claims / Contact
Any questions, comments, or complaints about this Notice or about the processing of personal data; if you wish to inform COMPASSO about a change or correction of personal data; if you wish to receive information about the personal data that are treated by COMPASSO; or for any claim or comment related to data protection; should be addressed to the Data Protection Officer of COMPASSO through the contacts below:
Contact Name: Paula Antunes
Address: Av. Eng.º Adelino Amaro da Costa, 728 R/c - E 2750-277 Cascais - Portugal
COMPASSO will respond to any queries or complaints received as soon as possible.
13 - The changes to notice
This Notice may be changed from time to time. If a change to the Notice is made, the revised version will be published and dated on COMPASSO website. If justified, in addition to updating the Notice, consent may be requested for certain types of treatment.
This Privacy Notice was last updated on May 25, 2018.