Privacy policy

1. Data controller identification and contact details

Ticket Management System SL, identified with Tax Identification Number B67624437, and registered at Calle Balmes nº 32, Principal 2ª, C.P. 08007, Barcelona (Spain), recorded at the Companies House of (Barcelona) under Volume 47314, Page 29 (referred to as the “Controller”), is responsible for processing data collected or generated during users’ access, use, and navigation on www.touristoffice.org (hereinafter referred to as the “User” or “Users” and the “Website” or the “Web,” respectively).

Through this privacy policy (hereinafter referred to as the “Privacy Policy”), the Controller informs Website Users about the treatment and protection of their personal data, which may be collected through browsing or contracting services on the Website. The User’s use of this Website implies acceptance of this Privacy Policy.

2. Data collection

When visiting and browsing this Website, no automatically recorded data allows Users to be identified by name. However, certain information, such as the type of Internet browser, operating system, and IP address from which the Website is accessed, is collected and stored in the Controller’s systems to enhance User browsing and Website management. Additionally, the Website may use cookies and similar technologies, requiring Users’ consent as per the Cookies Policy.

Notwithstanding the above, for using specific content or services offered on the Website, the Controller may request certain personal data from the User (e.g., name, surname, national identity card number or foreigner’s identity number, address, telephone number, mobile phone number, email address, or other data provided by Users in the open fields of the forms on the Website). In such cases, the Controller will furnish the User with necessary information before processing their data.

In the event the User provides third-party data, the User affirms having their consent or adequate legitimacy and commits to transferring the information contained in this Privacy Policy to the respective data owner, thereby releasing the Controller from any liability. However, the Data Controller may perform necessary verifications to verify this, implementing corresponding due diligence measures in line with applicable data protection regulations.

Moreover, the User ensures being over eighteen (18) years old and that the provided data is true, accurate, complete, and up-to-date. The User is responsible for data accuracy and will keep the provided information duly updated to reflect reality.

Ultimately, the User is accountable for any false or inaccurate information provided through the Website and any resulting direct or indirect damages to the Controller or third parties.

3. Mandatory data submission

Fulfilling the purposes outlined in section 4 below necessitates the provision of data through the forms available on the website. Generally, this data is obligatory (unless otherwise indicated in the respective field). Failure to furnish accurate and truthful information in these forms will render the submission unacceptable to the Owner. Consequently, it is imperative to provide the required data to ensure compliance with the intended objectives.

4. Objectives of data processing

In addition to handling requests for information and content, or delivering services expressly sought by users or with their consent, the Owner possesses a legitimate interest in utilizing the gathered or generated information for the following purposes:

– Managing user contact requests through the designated channels on the website.
– Overseeing the contracting of services conducted within the website’s framework, encompassing payment management and order dispatch.
– Enhancing the website’s functionality, administration, and security.
– Administering the transmission of commercial communications related to the Owner’s services, unless the user opts otherwise by selecting the corresponding option or expresses opposition to such treatment.
– Sending commercial communications (offers, promotions, etc.) to the user through electronic and/or traditional means, featuring products and services from collaborating third-party companies, contingent on user consent by marking the corresponding checkbox.
– Conducting studies to analyze the relevance and utilization of the website, utilizing anonymized information.
– Addressing user requests, complaints, and incidents conveyed through the contact channels incorporated on the website.
– Understanding user behavior on the website to identify potential cyber threats or attacks.
– Adhering to directly applicable legal obligations that regulate the Owner’s activities.

5. Marketing communications and advertising

A key objective of the Data Controller in processing users’ personal data is to transmit electronic communications containing information pertaining to services, promotions, offers, events, or noteworthy news. Such communications are exclusively directed to users who have not previously declined to receive them or have explicitly granted authorization.

To execute this task, the Data Controller may analyze acquired data to formulate user profiles, facilitating a more precise definition of services likely to pique user interest.

Should a user opt to cease receiving commercial or promotional communications from the Owner, they can initiate the service cancellation process by clicking on the designated link within the body of the commercial communications or by sending an email to [email protected], clearly expressing their refusal. This can also be communicated by using the designated checkbox in the data collection form or by selecting the unsubscribe option available in each commercial communication received.

6. Legal foundation and data retention

The processing of user-provided personal data is grounded on the following legal foundations that validate it:

– Users’ voluntary access and navigation of the website.
Data processing for the engagement of services offered on the website is essential for fulfilling the contractual relationship between the user and the owner.
– User-initiated requests for information, specific content, or services.
– Fulfillment of legal obligations by the owner.
– Legitimate interest in enhancing website functionality and security, as well as conducting studies and analyses on website operation and usage.
– When a user consents or when the owner’s legitimate interest applies, the transmission of information related to the services offered on the website.

Data will be retained as long as legal obligations stemming from services or content requested by users persist, and subsequently, until the conclusion of legal or contractual responsibilities mandating retention (e.g., until the termination of liability arising from data protection or cybersecurity regulations). However, the data controller may securely retain the data for compliance with potential administrative or jurisdictional responsibilities even after blocking access to it.

7. User rights

Website users have the opportunity to assert the following rights at any given time, in accordance with prevailing legislation:

– The right to access their personal data, gaining insight into the ongoing processing and related operations.
– The right to rectify any inaccuracies present in their personal data.
– The right to erase their personal data whenever possible.
– The right to request limitations on the processing of their personal data in situations where doubts arise regarding accuracy, lawfulness, or the necessity of processing. In such cases, data may be retained for the purpose of claims’ exercise or defense.
– The right to transfer their personal data, provided the legal foundation enabling us to process this data is based on the contractual relationship or consent.
– The right to object to the processing of personal data when our legal basis for processing is a legitimate interest. In this context, data processing will cease unless there is a compelling legitimate interest or for the establishment, exercise, or defense of legal claims.
– The right to withdraw consent at any given time.

To effectively exercise these rights, users must communicate in writing to the email address [email protected]. Identity verification requires submission of their full name, a photocopy of their National Identity Card or an equivalent identification document, a clearly articulated request, a designated address for notifications, and the date and signature of the requester.

Additionally, users have the option to file a complaint with the Spanish Data Protection Agency, the competent regulatory authority in Spain for this matter, especially if a satisfactory resolution is not achieved in the exercise of their rights. Complaints can be submitted to C/ Jorge Juan, nº 6, 28001 – Madrid, or through the website: www.agpd.es.

8. Cookie usage

The Owner will only employ data storage and retrieval devices, commonly known as “Cookies,” upon the User’s prior consent. This consent is obtained in accordance with the instructions presented in the User’s browser pop-up window during their initial access to the Website and under the conditions specified in the Owner’s Cookies Policy.

9. Information disclosure

User data will not be shared with third parties unless required by competent authorities in the execution of their responsibilities. As an exception, the Website may utilize cookies from third-party companies, adhering to the provisions outlined in the Cookies Policy and subject to the User’s consent.

10. Security safeguards

The Data Controller implements necessary measures to ensure the security, integrity, and confidentiality of data, in alignment with Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016, commonly known as the General Data Protection Regulation (GDPR). Additional compliance is sought through Organic Law 3/2018, dated 5 December, on the Protection of Personal Data and the guarantee of digital rights, Royal Decree 1720/2007, dated 21 December, approving the Regulation implementing the Organic Law on Data Protection, and Law 34/2002, dated 11 July, on Information Society Services and Electronic Commerce.

Hence, the Data Controller treats user data with absolute confidentiality, maintaining their secrecy in line with applicable legislation. Necessary technical and organizational measures are implemented to ensure data security, prevent alteration, loss, unauthorized processing or access, considering the technological landscape, the nature of stored data, and the associated risks.

11. Privacy policy changes

To ensure continual alignment with prevailing legal requirements, the Data Controller reserves the right to modify this Privacy Policy. Such changes are made to adhere to the legal standards applicable at any given time.