A. Identity and Domicile of the Data Controller.
In accordance with the Federal Law on Protection of Personal Data Held by Private Parties (hereinafter referred to as LFPD, for its initials in Spanish Language) and in accordance with applicable provisions, Palace Resorts Rent a Car, S.A. de C.V. (hereinafter referred to as the “Data Controller”) having corporate domicile for hearing and being served notices at Carretera Cancún Puerto Morelos Km 21, Manzana 01, Lote 1 – 11, Edificio A, Supermanzana 47, Municipio Benito Juárez, Cancún, Quintana Roo, C.P. 77506, informs and states:
B. Personal Data Collected and Subjected to Processing.
In order to provide the required and engaged services, we collected the following types of personal data:
1) Identifiable Data and,
2) Personal characteristics Data.
C. Processing of Sensitive Personal Data. Health Data
The Data Controller does not collect any sensitive personal data for any of the purposes listed below:
D. Processing Purposes.
c. Initial and Necessary Purposes
1) Management, control, and administration of the lease agreements and transactions of the vehicles leased by the Data Controller.
2) Management, control and administration of accidents, liability towards third-parties or property thereof, or that of thefts involving leased vehicles, for processing thereof, if applicable, by the relevant insurance companies.
3) Judicial or ex parte collection of settled debts and debts enforceable in favor of the Data Controller.
4) Historical registry to comply with the applicable legislation.
d. Additional Purposes.
1. Submittal of communications on offers and new products and/or services provided by the Data Controller.
2. Submittal of communications on offers and new products and/or services provided by third-parties.
In addition to the foregoing, we inform you that the personal data corresponding to third-parties, which you provided to the Data Controller for the compliance with the purposes described above (relatives or companions), shall be provided after such people has been informed on the existence of the processing and on the contents hereof.
B. Additional Purposes. Processing Denial.
0 I do not want to receive any communications on offers and new products and/or services rendered by the Data Controller.
0 I do not want to receive any communications on offers and new products and/or services provided by third-parties.
You may at all times revoke you consent for the processing of your personal data with regard to the described additional purposes by means of the mechanisms contained herein and pursuant to effective legislation.
E. Transfer of Personal Data.
Your personal data may be transferred to or processed by people different from the Data Controller in the following events:
1. Holding, subsidiary or affiliate corporations of the Data Controller or a parent corporation thereof having centralized-information- protection purposes and for the performance of statistics in order to assess, improve and designing new services.
2. Unaffiliated third-parties (service providers), with the sole and exclusive purpose that such third-parties help the Data Controller in providing the engaged services (fulfilling the liability arising from the legal relation between Data Controller and Data Subject).
3. Insurance Companies, in order to comply with the effective regulations related to the liability insurance of the leased vehicles and, if applicable, for communicating information required by the insurance company engaged and appointed by lessees themselves.
4. Collection Companies, to recover unpaid credits and to judicially or otherwise collect them.
F. Data Transfer Consent.
Personal data transfer referenced at numbers 1 to 4 above do not require your consent for conduction thereof, pursuant to provisions of article 37 of the LFPD. For the rest of the events, your personal data shall not be transferred to any third-parties without your consent, except for exceptions contained at article 37 of the LFPD. Transfer thereof shall always meet the conditions set forth at article 37 of the LFPD.
G. ARCO Rights Exercise.
For all legally possible cases, you may, at all times, enforce your access, rectification, cancellation and opposition rights (hereinafter referred to as ARCO rights) through procedures we have implemented. Your request shall comply with requirements set forth on the effective legislation, by means of a document addressed to our Chief Privacy Officer, whose domicile is Carretera Cancún Puerto Morelos Km 21, Manzana 01, Lote 1 – 11, Edificio A, Supermanzana 47, Municipio Benito Juárez, Cancún, Quintana Roo, C.P. 77506.
The request shall contain the following information:
I. Your name and domicile or any other means for letting you know the answer to your request;
II. The documents proving your identity or, if applicable, your powers of attorney;
III. A clear and precise description of the personal data with regard to which any ARCO rights are to be enforced; and
IV. Any other element or document which make it easy to locate personal data.
Data Controller shall inform to you, within a twenty business day maximum term from the date when Data Controller receives the relevant request, on the adopted determination. If your request is accepted, it shall be conducted within a fifteen business day term after the date when Data Controller communicates the answer. In case the information provided in your request is mistaken or insufficient, or in the event that documents required for proving your identity or powers of attorney are not enclosed thereto, Data Controller, within the five business days after your request had been received, shall demand that deficiencies are corrected in order to process your request. In these cases, you shall have ten business days for
the performance of the correction; which period shall commence on the day after receipt thereof. It shall be deemed that the relevant request has not been submitted should you do not answer within said term. You may obtain the requested information or personal data through single copies thereof, electronic documents in conventional formats (Word, PDF, etc.), by means of a restricted and authorized access to the system processing your personal data (access) or trough any other lawful means guaranteeing and accrediting the efficient exercise of the requested right.
Alternatively, the Data Subject may address the request to firstname.lastname@example.org, meeting all the aforementioned requirements, stating as subject thereof as follows: “ARCO Rights and/or Revocation of Consent”. Procedure terms shall be the same mentioned at paragraph above. The usage of electronic means for enforcing the ARCO rights authorizes the Data Controller to answer the relevant request through the same means thereof, unless the Data Controller clearly and expressly establishes any other means for such purposes.
You shall be responsible for updating your personal data held by the Data Controller; therefore, you guarantee and shall be liable, in any case, for the veracity, accuracy, effectiveness and authenticity of personal data provided and bind to keep such data updated, communicating any change to Data Controller.
H. Consent Revocation
You may revoke your consent for the processing of your personal data, without any retroactive effects, in all cases were such revocation does not entail that it will be impossible to fulfill any obligations arising from an effective legal relation between you and Data Controller. The procedure for revoking the consent, if applicable, shall be the same one that is set forth at the foregoing section for the exercise of the ARCO rights.
I. Limitations to the disclosure of your personal data.
You may limit the use or disclosure of your personal data by addressing the relevant request to our Personal Data Department. Requirements for proving your identity, as well as the procedure for taking care
of your request shall be the same as those indicated at section G) hereof (Exercise of the ARCO rights).
J. Amendment or updating hereto.
The Data Controller may amend, update, extend or otherwise change the terms, conditions and scope hereof at any time at its entire discretion. In which event, the Data Controller shall report such changes through the web site.
December 1, 2016