Schedule 1 — Details of Processing

Go up

Annex I: Data Processing Overview

A. List of Parties

Data Exporter (Customer):

  • Name: The Customer identified in the Agreement or Terms & Conditions.
  • Address: As specified in the Agreement.
  • Contact person: Customer’s designated Data Protection Officer or representative.
  • Role: Controller (or Processor acting on behalf of a third-party Controller).
  • Signature & Date: Deemed executed upon acceptance of the Agreement and/or use of the Services.

Data Importer (Hotelinking):

  • Name: Hotelinking S.L.
  • Address: Parc Bit – Edificio Disset, 3rd floor, D9, Palma de Mallorca, Illes Balears, España.
  • Contact person: Data Protection Officer – dataprotection@hotelinking.com.
  • Role: Processor.
  • Signature & Date: Deemed executed upon mutual Agreement effective date.

B. Description of Processing / Transfer

Category Details
Nature and Purpose of Processing Processing Customer Personal Data to deliver the contracted Services:

1- GuestMaker – marketing and CRM data capture via captive portal.
2- Deskforce – digital check-in, ID verification, payments.
3- WiFiBot – IT network status monitoring (limited personal data).
Categories of Data Subjects 1- Hotel guests (WiFi users, guests completing check-in/out, email recipients).
2- Hotel staff and administrators (WiFiBot users).
Categories of Personal Data 1- Names, surnames, email addresses, IP/MAC addresses.
2- Nationality, language, reservation metadata.
3- Digital ID document images (auto-deleted), payment tokens (via third-party processor).
4- WiFi system user IDs or access credentials (staff only).
Special Categories of Data Not intentionally collected. The Customer agrees not to transmit health, biometric, or similarly sensitive data through Hotelinking Services unless explicitly authorized in writing.
Legal Basis Determined by the Customer. Typically includes guest consent, performance of a contract, and/or legitimate interest for operational data handling.
Frequency of Processing Continuous, for the duration of the Agreement.
Retention Period 1- GuestMaker and Deskforce data retained for duration of the contract + 30 days unless otherwise instructed.
2- Backups retained for 14 days post-deletion.
3- WiFiBot metadata stored only while active alerts/issues are unresolved.
Sub-Processors (if applicable) See Schedule 3 (Sub-processor List)
Transfers outside the EEA Only as permitted by applicable law and safeguarded by SCCs or equivalent mechanisms (see Section 12).
Supervisory Authority The supervisory authority of the Customer’s establishment in the EEA; or if not established in the EEA, the AEPD (Agencia Española de Protección de Datos) in Spain.

Go up