This Policy applies to all Clients to whom the Responsible provides services that involve the processing of personal and professional data.

5. Data transfers to third parties and international transfers

For the management of the purposes inherent to the development and fulfillment of the object of the contract and to adequately provide the services that you request, it may be necessary and mandatory for the provision of the service that your data have to be communicated to the different providers, such as companies. airlines, shipping companies, hotels, local car rental agencies, and other service providers related to your request, who will be obliged to use the data, solely and exclusively, to comply with the object of the contract.

These providers, depending on the country of destination of your trip, may be located in third countries for which an international data transfer is necessary. The Company asks those companies with whom we share your personal information to apply the same degree of information protection as we do.

Your data will be transferred to public administrations and bodies of the judicial system or security forces or bodies when the Company is required to present information.

We will not communicate your data to third parties except those indicated above, without your authorization, unless said transfer must be produced by legal imperative or because it is essential to comply with the contractual relationship.

6. Data retention criteria

Personal and professional data will be kept during the provision of contracted services, and as long as the right of deletion is not exercised. Once the contractual relationship is concluded or the right of deletion has been exercised, we will keep the information in security conditions, as long as you do not request your withdrawal or express your desire not to receive advertising. The information that for legal reasons we must keep in accordance with Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing, will be stored for a maximum period of 10 years from the end of the contractual relationship , mandatory conservation period established by said rule.

If the information is necessary for the exercise of legal or contractual actions, it could be exceptionally kept for a period longer than that indicated. After the deadline, the data will be destroyed.

7. Subcontracting

The Client expressly authorizes the Responsible Party to contract the services totally or partially with third parties whose intervention he deems appropriate for the proper development of the services. In this case, the Responsible Party undertakes to sign a contract with the subcontracted third party that stipulates the obligations that it must comply with in relation to the protection of personal data, especially it will be required to comply with the same protection obligations. of data to which the Responsible with its clients has committed, as well as the sufficient guarantees of application of appropriate technical and organizational measures so that the treatment is in accordance with the applicable regulations.

The Responsible will be diligent in the selection of suppliers by applying mechanisms to verify the level of compliance with the data protection regulations, with the aim of mitigating the risks that may affect the security of the information.

8. User Rights

The RGPD includes a series of rights in favor of the people whose data is processed. This section provides information on how to exercise your rights as a Client regarding your personal data. All the rights mentioned below, you can exercise them by sending your request to the email: directorcomercial@flyforvacations.com, accompanying a copy of your identity document. Please note that we may ask you for additional information to verify your identity before proceeding with your request. The interested party, without prejudice to any other administrative remedy or legal action, will have the right to file a claim with the Spanish Agency for Data Protection through the electronic headquarters at: www.agpd.es.

1. Right of access:
   The right of access allows the interested party to know and obtain free information about their personal data subjected to treatment. You can ask us to tell you what information we keep about you.
2. Right of rectification:
   This right is characterized because it allows correcting errors, modifying the data that turn out to be inaccurate or incomplete and guaranteeing the certainty of the information being processed. You must inform us of any changes to your data and will be responsible for updating your information.
3. Right of cancellation / deletion / oblivion:
   The right of deletion allows data that turns out to be inappropriate or excessive to be deleted, unless the data must be kept by legal imperative or or be subject to legal or judicial action.
4. Right of objection:
   The right of opposition is the right of the interested party not to carry out the processing of their personal data or to cease it for certain purposes. You can oppose the processing of your data indicating the specific purposes object of opposition.
5. Right of Portability:
   The right to portability will allow you to request a copy in a structured format, commonly used and mechanical reading of your personal data..
6. Right of Limitation:
   The right to data limitation allows you to limit the use and request restrictions on the processing of your personal data.

9. Medidas de seguridad

In the treatment of your information we apply adequate security measures according to the type of data. Our goal is to prevent unauthorized third party access, theft, loss or unauthorized disclosure of your information. However, even if we apply all possible security measures, the risk of a technical or human failure with respect to the information will never completely disappear, for this reason we ask that if you detect any incident or have indications that your information may be in risk, please contact us so we can investigate and provide solutions. The measures we apply to protect your information are mainly the following:

1. We keep a record of processing activities referred to in article 30 of Regulation (EU) 2016/679.
2. We have implemented identification and authentication systems to prevent unauthorized access;
3. When possible and resources permit, we implement pseudonymisation.
4. We encrypt personal data and confidential information for those sensitive data that we access due to the service provided;
5. We implement measures to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services such as antivirus, firewalls;
6. We implement a backup and recovery system to be able to restore the availability and access to personal data quickly in the event of a physical or technical incident.;
7. We maintain a control of the accesses made to the information that may be processed during the services;
8. We implement an effective incident management procedure, which allows detecting incidents related to the confidentiality of the information, and their immediate resolution;
9. We adequately inform and train employees and managers in confidentiality obligations and in maintaining the technical and organizational measures implemented, collecting their confidentiality and compliance commitments in writing.
10. We have approved a Policy on Data Protection and Management of Business Resources, known and accepted by all members of the organization.
11. Applicable law and jurisdiction.

This Policy will be governed by Spanish and European legislation, especially by the RGPD. Any controversy will be resolved before the courts corresponding to the Madrid domicile.