Privacy policy

This Privacy Policy (hereinafter the “ PRIVACY POLICY ” ) generally regulates the gathering and processing by SAN SEBASTIÁN TURISMO/DONOSTIA TURISMOA, S.A. (hereinafter “ DONOSTIA TURISMOA ” ) of (i) the personal data you provide us with as a user of the website that may be accessed via the domain name www.sansebastianturismoa.eus/es/ (hereinafter the “ WEBSITE ” ), including any services that may be available at any given time via the WEBSITE; and (ii) other data collected by other capture systems duly identified below. All of the above shall apply without prejudice to any specific provisions established in certain sections, forms or services available on the WEBSITE, the purpose of which is to provide you with the relevant information and, where applicable, to obtain your consent.

DONOSTIA TURISMOA is a company with its registered office in Donostia/San Sebastián (Gipuzkoa), at Boulevard 8, listed in the Gipuzkoa Companies Register in volume 1479, sheet 81, page SS-9471, with Tax Identification Number (N.I.F.) A-20188884.

DONOSTIA TURISMOA reserves the right to amend this PRIVACY POLICY in order to adapt it to new legislation, case law and/or administrative requirements, and to the practices it may implement at any time through the WEBSITE, taking your rights and interests into account at all times.

In any case, DONOSTIA TURISMOA will provide you with the appropriate technical means to enable you to access the PRIVACY POLICY, in order to duly comply with the information obligations we are required to observe under the applicable data protection regulations.

Who is the Data Controller for your personal data?

Through the WEBSITE and other data collection systems used in its dealings with third parties (e.g. physical forms related to promotions, competitions, events etc.), DONOSTIA TURISMOA carries out the processing of personal data which, depending on the case, shall be understood as carried out by this entity either (i) in its capacity as Data Controller; or (ii) on the responsibility of Donostia/San Sebastián Town Hall, acting in such cases as Data Processor on behalf of that entity.

DONOSTIA TURISMOA has appointed a Data Protection Officer (DPO), who is responsible for managing and overseeing privacy matters within the organisation and whom you may contact via the following e-mail address: dbo@donostia.eus.

For any matter related to the PRIVACY POLICY and/or the processing of your personal data, you may contact us via the following e-mail address: dbo@donostia.eus.

How did we obtain your data?

The data processed by DONOSTIA TURISMOA (whether as Data Controller or as Data Processor) has been obtained directly from you, through (i) the various forms you complete while browsing the WEBSITE and/or through other channels (e.g. registration as a WEBSITE user — where applicable — contact forms, forms related to promotions and competitions, etc.); (ii) by sending an enquiry e-mail; or (iii) through other duly identified data collection systems.

Minors under the age of 14 are not permitted to provide their personal data through the WEBSITE without the prior authorisation of their parents or guardians, who must give their consent to the processing of the minor ’ s data when required. DONOSTIA TURISMOA and Donostia/San Sebastián Town Hall accept no responsibility for any failure by a minor to comply with the aforementioned requirement.

In the event that the personal data provided belongs to a third party, you guarantee that you have informed that third party of the PRIVACY POLICY and have obtained their authorisation to provide their data to DONOSTIA TURISMOA for the purposes specified in each case.

Additionally, we wish to inform you of the possible processing of your data through social media via the corporate profiles that DONOSTIA TURISMOA maintains on each social network on which it is present, all in accordance with the terms and conditions established by each social network.

What kind of data do we process?

The data processed by DONOSTIA TURISMOA consists of the information you have provided to us through the relevant forms, by e-mail, as well as any other data that, where applicable, we may obtain through DONOSTIA TURISMOA ’ s corporate profiles on the social networks on which we are present and/or through other duly identified data collection channels.

In particular, at DONOSTIA TURISMOA we process the following categories of data:

  • Identification and contact details (e.g. name, surname, ID number, postal and e-mail address, telephone number etc.).
  • Banking and financial transaction data.
  • Identification codes and passwords as a registered user of the WEBSITE.
  • Data relating to purchases and/or the contracting of services that you complete through the WEBSITE.
  • Internet browsing data (e.g. IP address, visits to web pages, wifi network connections etc.).
  • Personal characteristics, education, employment details etc. (in the case of job applications/offers and/or recruitment processes run by DONOSTIA TURISMOA in which you participate voluntarily).
  • Image of data subjects who take part in activities and events organised by DONOSTIA TURISMOA, where they have given their consent.

For what purpose do we process your data and on what legal basis?

The processing of your personal data is carried out for the following purposes:

  • To manage and process your registration as a user of the WEBSITE, where this is possible and based on your request for pre-contractual measures or on the contractual relationship established with you for this purpose.
  • To manage your access to and use of the content and services that DONOSTIA TURISMOA makes available to you through the WEBSITE, including blog services, social networks or any other functionalities that may be accessible from the WEBSITE at any given time, all based on your request for pre-contractual measures or on the contractual relationship established with you for this purpose.
  • To handle and manage the information provided through the internal reporting system accessible via the WEBSITE and, where applicable, to investigate the reported facts, all based on compliance with the legal obligations that DONOSTIA TURISMOA is required to observe (Law 2/2023 of 20 February on the protection of persons who report regulatory breaches and on combating corruption).
  • To keep accessible, through our Transparency Portal available on the WEBSITE, the data that we are legally required to make available to the public, all based on compliance with our legal obligations (transparency regulations applicable).
  • To keep accessible, through our Contractor Profile available on the WEBSITE, the data that we are legally required to make available to the public, all based on compliance with our legal obligations (applicable public sector contracting regulations).
  • To process and manage any request for information, suggestions, complaints or claims that you make through the WEBSITE or by e-mail, all based on your consent.
  • In cases where you have given your consent, to manage and publicise activities and events organised by DONOSTIA TURISMOA using your image and identifying details, all based on the consent provided.
  • To manage your job application or your registration for a job offer and your participation in the corresponding selection process, all based on your request for the adoption of pre-contractual measures (job application), as well as your subsequent inclusion in employment pools where you have given your consent (and on the basis of that consent).

We wish to remind you that, when consent is the legal basis for processing, you may revoke it at any time, freely and without charge, under the terms set out in Section 7 below.

To whom do we disclose your data?

Apart from those cases in which DONOSTIA TURISMOA is required to do so by legal obligation (e.g. Tax Authorities, the Courts of Justice or other Public Administrations), your data will not be disclosed to third parties except in cases where you have given your consent.

No international transfers of your data are planned.

How long will we keep your data?

As a general rule, personal data will be retained for as long as you do not withdraw your consent to its processing or request its erasure, as well as for the time necessary to comply with the legal obligations that DONOSTIA TURISMOA must observe.

In any case, we wish to inform you that DONOSTIA TURISMOA has internal data cleansing policies in place to monitor the retention periods of the personal data in its possession, so such data may be deleted when they are no longer necessary and/or appropriate for the purpose for which they were collected.

In any case, please note that you can identify the retention periods applicable to each processing activity in the Record of Processing Activities and the Record of Processing Contracts, both accessible through this PRIVACY POLICY.

What are your rights?

The data protection regulations applicable grant you a series of rights relating to your personal data, which you may exercise while your data are being processed. These rights are as follows:

  • Access to your data : you have the right to access your data in order to know which personal data concerning you we are processing.
  • Request the rectification or erasure of your data: in certain circumstances, you have the right to rectify any inaccurate personal data concerning you that we may be processing or even to request their erasure when, among other reasons, the data are no longer necessary for the purposes for which they were collected.
  • Request restriction of the processing of your data : in certain circumstances, you have the right to request the restriction of the processing of your data, in which case we inform you that we will only retain them for the exercise or defence of claims, as provided for by the data protection regulations applicable.
  • To the portability of your data: in certain circumstances, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and to send them to another data controller.
  • Object to the processing of your data: in certain circumstances, and for reasons related to your particular situation, you have the right to object to the processing of your data, in which case we will stop processing them unless there are compelling legitimate grounds or for the exercise or defence of possible claims that require them to be retained.

Likewise, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal.

You may exercise these rights by sending a written request to DONOSTIA TURISMOA, by e-mail to dbo@donostia.eus.

Finally, please note that you may lodge a complaint with the competent Supervisory Authority (the Basque Data Protection Authority), especially if you have not obtained satisfaction in the exercise of your rights. You may contact this Authority via its website: www.avpd.eus.

Security measures

DONOSTIA TURISMOA will process your data at all times in strict confidence and will observe the mandatory duty of secrecy with regard to such data, in accordance with the provisions of the applicable data protection regulations. To this end, it will adopt the necessary technical and organisational measures to guarantee the security of your data and to prevent their alteration, loss, unauthorised processing or access, taking into account the state of the art, the nature of the data stored and the risks to which they are exposed.

Cookies policy

Additionally, we wish to inform you that DONOSTIA TURISMOA has a Cookies Policy, which is available at the following link: https://www.sansebastianturismoa.eus/es/politica-de-cookies.