| +356 21583451

Privacy Policy – Hotel Santana

Contact email:

The Hotel Santana collects and processes personal information in accordance with The General Data Protection Regulation (EU) 2016/679, which replaces the current EU Data Protection Directive of 1995 and UK Data Protection Act 1998 and supersedes all previous laws and instructions. All data processed by us will be managed in according with the Principles and Rights of the GDPR.

Partners and any third parties working with, or for Hotel Santana and who have, or may have access to personal data, will also be expected to operate in accordance with the GDPR.

The GDPR applies to all controllers and processors that are established in the EU (European Union). It will also apply to controllers outside of the EU that process personal data in order to offer goods and services, or monitor the behaviour of data subjects who are resident in the EU.

Purpose and Collection

We collect personal data in order to provide accommodation, associated services, venue hire for events and for facilitating suppliers and other services. Data may be provided directly by the data subject, by using our website by emailing us, or via third party agents who provide booking services. (Please refer to the third party providers for information relating to how they process your data). Guests will be required to complete a “registration” form on arrival at the hotel.

Categories of data subjects

  • Customers & Guests at the hotel
  • Other users of our services
  • Transport providers
  • Suppliers of goods and services

Types of Personal Information Collected

  • First name
  • Surname
  • Date of Birth (only where relevant)
  • Gender
  • Contact phone numbers
  • email address
  • Address information
  • Credit card / Debit card details
  • Passport Information

Special categories of data processed may include Disability and Health information where provided by the Data subject in order that we may accommodate special requirements.
Lawful basis for processing

Article Lawful basis As applies to Hotel Santana

6.1(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes Services arranged for by the hotel such as Taxi and other services as requested by you. Or where you have provided specific consent for other purposes such as requesting assistance for health and disability conditions

6.1(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Accommodation and services provided directly by the hotel for guests and event organisers

6.1(c) processing is necessary for compliance with a legal obligation to which the controller is subject This applies to statutory retention and storage in accordance with Tax Laws, Company Law and any other legal requirements

6.1(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person This would only apply if a guest or member of staff were taken ill and we were required to disclose information to medical staff, or if we had to access contact details

6.1(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller This is unlikely to be required for the Santana but we would be obliged to disclose information if requested by an official organisation such as the government or the IDPC

6.1(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child This may include previous booking for clients so that we can provide the best quality service. This may also cover information related to special offers or other communications that you may opt out of at any time using the contact information above

Geographical Location

All data collected by us is stored within our operating office in Malta. Data processed by Third party booking services will be stored within their own environment but will not be stored outside the EU unless they have expressly communicated that.

The Hotel Santana will not transfer your data outside the EU – unless you are located outside the EU and you have initiated communication or it is required to fulfil a service or booking arrangement.


The Hotel Santana has applied appropriate Technical and Organisational controls to protect your data, including secure computer systems adopting least privilege access to individuals in order to prevent unauthorised access, disclosure, modification, or destruction of Data. Any hard copy documents are locked in a secure cabinet, and destroyed once no longer required

The Principles

  • The GDPR principles state that data should be:-
  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
  • Accurate and, where necessary, kept up to date
  • Personal data shall not be kept for longer than is necessary for that purpose or those purposes for which it was originally collected
  • Processed in a manner that ensures appropriate security of the personal data

The Rights of the Data Subject

Data subject have the following rights under the GDPR

To withdraw consent – where they have previously given their consent to the processing of their Personal Data.
Access their Data – to determine if what data is being held on the, to obtain disclosure regarding the processing and obtain a copy of that data.
Rectification. Where data is incorrect or incomplete, data subjects have the right to verify the accuracy of their Data and ask for it to be up-dated or corrected
Erasure or Right to be forgotten – Unless there is an overriding legal or statutory obligation, data subjects have the right to have data deleted or where that isn’t possible, anonymised
Restrict Processing – under certain circumstances, to restrict the processing of their Data. In this case, the processor or controller will not process their Data for any purpose other than storing it.
Portability – Where the data has been provided directly by the Data Subject, is processed by automated means and the processing is based on the User’s consent, or for contract – they have the right to receive their information in a structured, commonly used and machine readable format and, if technically feasible, to have it
transmitted to another controller.
Object – this right would commonly be applied to data processing where the legal basis was Legitimate Interest.
Withdrawal of consent would constitute an objection in itself. Objection where the legal basis is contractual will result in the controller not being able to fulfil that contract with the data subject, which may have adverse effects.
Automated Decision Making – this applies where a decision is made based information provided such as job profiling / on line tests. The data subject has the right to be advised of that automated decision-making and provided the means to request human intervention.
Lodge a complaint. – Data Subjects have the right to lodge a complaint initially with the Data Controller but also with either the supervising authority in their member state, place of work or place of alleged infringement. The
IDPC is the supervising authority for Malta
Note: The UK Information Commissioners Office have provided extensive information relating to Rights which apply across the EU (here)

How to exercise these rights

Any requests to exercise User rights can be directed via our contact email address at the head of this document.
These requests may be exercised free of charge and will be fulfilled within 1 month unless the request is
complicated or where there may be other factors but the data subject would be advised accordingly.

Date Retention

Where consent has been provided, we will retain Personal Data until consent is withdrawn. We may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority as indicated below.

  • Companies Act, of the Laws of Malta
  • Accounting records, minimum 10 years
  • Income Tax – no less than 9 years
  • Employee Records – for a period of 3 years subsequent to the date of the relevant record.

Therefore, the right to erasure cannot be enforced in those cases.

Additionally other rights cannot be fulfilled after expiration of the retention period, as the data will have been deleted.

Additional information about Data collection and processing


Should any changes affect processing activities performed, we will inform you prior to making those changes and obtain consent where appropriate

IP Addresses and Cookies

For operation and maintenance purposes, our website and any third-party services may collect IP addresses.

Where web sites are used to make booking arrangements, the site may apply cookies to your browser to provide a better user experience.

These cannot be used without other information to identify individuals.

Changes to this privacy policy

We reserve the right to make changes to this privacy policy at any time by giving notice on our website or sending a notice to data subjects.

We do recommend that you check this privacy policy, which will refer to the date of the last modification listed at the bottom.

Definitions and legal references

Personal Information (or Data)

Personal Information or Personally Identifiable information is any information related to a natural person or ‘Data Subject’ that can be used to “directly or indirectly identify” a person. It can be anything from a name, a photo, an email address (personal or business), bank details, posts on social networking websites, medical information, or a computer IP address.

Data subject

Any living individual who is the subject of personal data held by an organisation.

Data controller / Controller / Co-Controller

A person or organisation who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is to be processed.

Data Processor / Processor/ Sub-Processor

A natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller and or primary processor.


Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This includes filing systems and dormant information.

European Union (or EU)

Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

Legal information

This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).

Date of Issue: 14th June 2018