Privacy Policy

The purpose of this Privacy Policy is to provide you with detailed information on how we process your personal data and protect your privacy and the information you provide us with.  

Who is the controller of your data?  

  •  Identity: Belagua Málaga, S.L. Tax ID no.: B72917115.
  • Address: Paseo del Club Deportivo, 1, 28223 Pozuelo de Alarcón (Madrid, Spain).
  • Email address:

Why do we process your data?  

We process the personal data you provide us with for the following purposes: 

  • To manage our relationship with our clients; to provide, invoice and receive payments for our services; and to manage bookings. It is mandatory for our clients to provide data for this purpose; otherwise, we would be unable to execute the contract.  
  • To manage our relationships with our suppliers, as well as to invoice and pay for services. For this purpose, suppliers must provide us with their details; otherwise, we would be unable to execute the contract. 
  • To filter requests for information, suggestions and claims that may be sent to us, and to contact the sender of the information in order to respond to their request or query and follow up on it. Providing data for this purpose is voluntary, although if you choose not to, we will not be able to respond to your request, query or claim. Therefore, disclosing personal data for this end is necessary in order for us to respond to your request. 
  • To send marketing communications regarding our services, offers and activities. If you are a client, we will send you these types of communications unless you express your desire to not receive them by marking the corresponding box when you provide us with your data or by informing us of this desire by any means at a later date.  
  • If you wish to send us your CV, we will process it in order to access the information of those who wish to perform an internship and/or work with us so that we can undertake the corresponding employee selection processes.  
  • If you become our friend or follower on social media, we will process your data to keep you informed of our activities and promotions via said channels. Providing data for this purpose is voluntary, although if you choose not to, you will not be able to be our friend or follower on the corresponding social media platform. The data processed for this purpose are of the identification data category. 
  • The data collected by the security cameras located in the hotel are processed in order to control access to and monitor the premises. 

For how long will we process your data?  

We only store your data for as long as necessary to fulfil the purpose for which they were collected and to meet applicable legal obligations and responsibilities that may derive from meeting the purpose for which the data were collected.  

Data provided for the purpose of managing client and supplier relations and for invoicing and receiving payment for services will be stored for as long as this contract remains in force. Upon termination of the relationship, where applicable, the data may be stored for as long as may be required by applicable laws, and until any liability deriving from the contract expires.

Data provided for the purpose of sending marketing communications regarding our services, offers and activities will be stored indefinitely, until you inform us of your desire to erase them or to stop receiving these communications. 

Data processed in order to respond to requests, petitions, queries or claims will be stored for as long as necessary to respond to them and to bring them to a satisfactory conclusion. Subsequently, they may be stored as a record of communication for one year, unless you request their erasure before this time has elapsed.  

Data provided during participation in our employee selection processes shall be added to our jobs board and stored for as long as the selection process lasts and, subsequently, either until the data subject exercises their right to erasure or for a maximum of two years from the last time the data subject updates their data, allowing us to consider them for possible future processes. For this purpose, the data subject must keep the personal data they provide to us up to date, particularly those regarding education and professional experience.  

Data provided via social media will be stored as long as you remain a friend or follower of our account on the corresponding social media platform.   

Data collected by security cameras will be stored for at least one month, unless it is necessary to store them for longer in order to clear up an offence or illegal act that may have been committed. 

What are the legitimate grounds for processing your data?  

The lawful basis for processing your data is the execution of the contract for accommodation and complementary services that you have requested.  

The prospective offer of products and services to our clients is based on our legitimate interest in offering our clients the opportunity to contract other products and services and to gain their loyalty. This legitimate interest is contemplated by current applicable regulations (the General Data Protection Regulation, or GDPR), which expressly permits the processing of personal data for direct marketing purposes. However, we remind you that you have the right to oppose the processing of your data, which you may exercise via any of the means stipulated in this clause. 

Personal data processing in order to respond to requests for information, petitions, queries and claims is based on the consent of the data subject. This consent may be withdrawn at any time, without affecting the validity of any processing performed prior to the withdrawal.  

The lawful basis for the processing of data used in employee selection processes is consent, which is granted by sending us a CV or by participating in the selection process, although this consent can be withdrawn at any moment. However, data processing performed prior to the withdrawal of consent will not become unlawful as a result. In addition, it is possible that more data is collected during interviews or employee selection processes, and the processing of this data will also be based on consent. 

Data provided via social media will be processed on the lawful basis of your consent. This can be withdrawn at any moment, although all data processing performed prior to the withdrawal of consent will not become unlawful as a result.  

The categories of data processed in each case are those that are requested in the form or contract used to provide us with your data.  

The lawful basis for the processing of the images captured by the security cameras is the public interest, in accordance with Article 6.1.e) of the General Data Protection Regulation (GDPR), which justifies that it is necessary for the data to be collected in order for you to access the hotel.  

To whom will your data be disclosed? 

Your data may be disclosed to the entities listed below: 

  • The relevant public administrations, including courts of law, in the cases and for the purposes set forth in the applicable law. As part of these disclosures, images captured by the security cameras may also be sent.
  • The financial institutions through which payments and collections are managed. 
  • The other companies in Grupo Belagua, which you can see at  The purpose of this disclosure is to enable the centralised management of our activities and the performance of our internal administrative tasks, including the processing of our clients and employees’ personal data. 

Although this is not considered a data transfer, companies who act as providers for us may be granted access to your information in order to perform their service. These data processors may access your data following our instructions, and they will not be able to use them for any different purpose, agreeing to maintain strict confidentiality and signing a contract that compels them to comply with current data protection regulations at all times. 

What rights do you have when you provide us with your data?  

Everyone has the right to receive confirmation of whether or not we are processing any of their personal data. Data subjects have the right to access their personal data, and to request the correction of any inaccuracy or, if applicable, the elimination of data if they are no longer needed for the purposes for which they were collected, among other reasons.  

Subject to the requirements set forth in the General Data Protection Regulation, data subjects may request the portability of their data and to restrict their processing, in which case their data will be kept exclusively to file or defend against any claims.  

Under certain circumstances, and for reasons related to their specific situation, data subjects may object to the processing of their data. If you have given your consent for some specific purpose, you have the right to withdraw your consent at any time, which, however, will not affect the validity of any processing carried out based on this consent prior to its withdrawal. In such an event, we will cease processing your data or, as applicable, cease processing them for that specific purpose, unless there is an impending legitimate cause or a need to file or defend against potential claims. 

In addition, under data protection regulations, you have the right not to be subject to solely automated decisions, if applicable.  

Regarding the aforementioned rights: 

  • They can be exercised free of charge, except in the case of requests that are clearly unfounded or excessive (such as repeated requests), in which case you may be required to pay a proportion of the administrative costs incurred or the controller may refuse to take action. 
  • You may exercise your rights directly or via a legal representative or volunteer, who must provide proof accrediting that they can act on your behalf. 
  • We must answer your request within one month, although this may be extended by a further two months if there is a large volume of requests or if your request is particularly complex. 
  • We are obliged to inform you of the channels via which you can exercise your rights, which must be easily accessible, and we are not able to prevent you from exercising your rights simply because you have opted for a different channel. If the request is submitted digitally, we will also provide you with information digitally wherever possible, unless you request otherwise. 
  • If your request has not begun, for whatever reason, we will inform you within one month of the reasons for this and provide you with the option to file a complaint with a supervisory authority. 

In order to allow you to exercise the aforementioned rights, please find links to the forms for requesting each of them below (in Spanish): 


All the rights mentioned above may be exercised via any of the contact methods indicated at the start of this clause. 

All the rights mentioned above may be exercised via any of the Company’s contact methods indicated at the start of this clause. 

In the event of any violation of your rights, especially if they have not been exercised to your satisfaction, you may file a complaint with the Spanish Data Protection Agency (contact data available at or any other relevant supervisory authority. You may also contact any of these entities to obtain more information on the rights available to you. 

How do we protect your personal data? 

We are firmly committed to protecting the personal data that we process. We use physical, organisational and technological measures, controls and procedures that are reasonably reliable and effective in order to preserve the integrity and security of your data and guarantee your privacy.  

In addition, all employees that may access personal data have been properly trained and are fully aware of their obligations regarding the processing of your personal data. 

In the contracts that we enter into with our providers, we include clauses that require them to maintain secrecy with regards the personal data that they have access to as a consequence of the service they provide to us, as well as to implement the necessary technical and organisational security measures to guarantee the permanent confidentiality, integrity, availability and resilience of the systems and personal data processing services they provide. 

All of these security measures are regularly reviewed to ensure their suitability and effectiveness.

However, we are unable to guarantee complete security and currently there is no impenetrable security system available, meaning that, if any data processed by us and under our control is compromised as a result of a security breach, we will take all suitable measures to investigate the incident and notify the supervisory authority and, if applicable, the users that may have been affected so that we can take the correct measures.  

What responsibilities do you have as a data owner?  

By providing us with your personal data, you are guaranteeing that you are over 14 years of age and that the data provided are true, exact, complete and up-to-date.  

To this end, the data subject vouches for the veracity of the data and undertakes to keep them duly updated so that they reflect their real situation, being responsible for any false and inexact information that they may provide, as well as any damage, whether direct or indirect, that this may cause. 

Should you disclose data belonging to third parties, you will be responsible for previously informing the third party about the contents of Article 14 of the General Data Protection Regulation, as per the terms set forth therein.