A. Identity and address of Controller. In accordance with the provisions of the Federal Law for the Protection of Personal Information Held by Third Parties (LFPD – Mexican acronym) and other applicable regulations, Administración Riviera Resorts, S. A. de C.V. (hereinafter commonly referred to as “Grupo Palace Resorts” or “Controller”, whose domicile to hear and receive communications is: Carretera Cancún Puerto Morelos km 21, Manzana 01, Lote 1– 11, Edificio A, Supermanzana 47, Municipio Benito Juárez, Cancún, Quintana Roo, C.P. 77506, expressly states:
B. Personal information collected and processed. For the purposes described in this Privacy Notice we collect the following types of personal information: a) Identification b) Social environment c) Employment d) Marketing
C. Processing of sensitive personal information. Grupo Palace Resorts® does not collect sensitive personal information for the purposes described in the following section. Account owners-users of social networks must abstain from sending such information through said networks.
D. Responsibility of Grupo Palace Resorts®, account owners-users of social networks and social network service providers. Grupo Palace Resorts® processes the personal information of social network account owners-users by accessing and managing information which they publish or broadcast in the profiles they create on all social networks that they use to communicate with Controller. Such processing also includes the use of personal information for the disclosure of Grupo Palace Resorts® Activities. Grupo Palace Resorts® accesses, manages and uses the personal information of social network account owners-users only during the time in which they remain linked to the profiles managed by Controller in in the associated social networks. Social network account owners-users are responsible for the truth, accuracy and validity of the personal information they publish in their profiles, as well as for the degree of distribution of their information and access to same they allow or authorize to third parties through said profiles. Grupo Palace Resorts® recommends that social network account owners-users check their privacy settings continuously on all websites they use to link to Controller. Social network service providers are responsible for the databases created with the personal information of users on their networks. These service providers are also responsible for implementing security measures to safeguard their users’ personal information. Therefore, Grupo Palace Resorts® is responsible for the proper access, handling and use of the personal information belonging to account owners-users that is attached to the profiles which Grupo Palace Resorts® administers on its different social networks. Grupo Palace Resorts® manages information on networks, it does not create new databases using the information and/or personal information of social network account owners-users.
E. Purpose of processing.
a. Relevant and necessary purposes.
1. Managing social network followers (Facebook, Twitter, YouTube, Forsquare, Google+, Linkedin, etc.) and managing Grupo Palace Resorts® newsletter subscribers.
2. Announcing Grupo Palace Resorts® activities.
3. Compiling statistics on social network followers.
b. Additional purposes. 1. None
F. Sharing of personal information. Grupo Palace Resorts® does not share information for these designated purposes with third parties.
G. Consent to share information. Your personal information will not be shared with third parties without your consent, except under the exceptions provided in article 37 of the LFPD, and in all cases such sharing will be performed in strict compliance with Article 17 of the LFPD Regulations.
H. Exercise of ARCO Rights with Controller.
Under all legal circumstances you may exercise your right to access, modify, cancel and oppose information (ARCO rights) using the legal processes we have set up. All requests should be sent in writing to the address indicated in paragraph A of this Notice, addressed to our Controller of Personal Information and must comply with all legal requisites.
Information requests should contain the following:
I. Your name and address or other means of contacting you with a response.
II. Valid identification documents or power of attorney, as the case may be.
III. A clear and precise description of the personal information on which you wish to exercise your ARCO Rights.
IV. Any other element or document that could facilitate locating your personal information.
Controller will answer you with a decision within 20 business days counted from the date on which your request is received. If the request is admissible it will be put into effect within 15 business days following the date on which Controller advises you of a decision. In the event that the information you provide is incorrect or insufficient, or if you fail to send the necessary identity documents or power of attorney, Controller will ask that you correct such deficiencies within five business days after receiving your request, and you will have 10 business days to comply counted from the day after you receive such notice. The process will be terminated if you do not answer within the required time.
You can request personal information in the form of plain copies or electronic documents in common formats (Word, PDF, etc.), through authorized restricted access to the databanks (access) containing your personal information, or by any other legal method that guarantees and records the exercise of a requested right. Alternatively, after fulfilling all the above-mentioned requirements, the Owner may submit their request by e-mail to email@example.com indicating “ARCO Rights and/or Consent Revoked” in the Subject line. Response times will remain the same as those mentioned in the immediately preceding paragraphs. The use of electronic media in the exercise of ARCO rights authorizes Controller to answer the request using the same media unless the petitioner specifically requests another format.
I. Exercise of ARCO rights with social network service providers.
The exercise of ARCO rights with social network service providers with whom a user of such networks has created a profile will be governed by the applicable legislation, as well as in accordance with the terms and conditions of the Privacy Notices, Privacy Policies and/or Legal Notices published by each social network service provider in the networks they operate and manage.
J. Revoking consent.
You may revoke consent to have your personal information processed, non retroactively, in all cases in which said revocation does not make it impossible to fulfill any obligations arising from the legal relation in effect between you and Controller. You may revoke consent for the processing of your personal information by unlinking your profile from Controller in the appropriate social network. The process for revoking consent will be the same as the one set in the immediately preceding section on how to exercise your ARCO rights.
K. Limitations on disclosure of your personal information.
You may limit the use or disclosure of your personal information by sending a written notice to our Personal Information Department. Identification requirements and the process for attending your request remain the same as those indicated in the section “Exercise of ARCO Rights”. Nonetheless, we remind you that as an account owner-user of social networks you are responsible for the truthfulness, accuracy and validity of personal information published in your social network profile, as well as for the degree of distribution and access to your personal information by third parties that you authorize through such profiles.
L. Modifications or updates to this General Privacy Notice.
Controller may also announce changes to this Privacy Notice by e-mail during the duration of the legal relation when that channel of communications is set up.
December 1, 2016