helios-logo
helios-logo

PRIVACY POLICY

LAST MODIFICATION: 27/11/2025

The Privacy Policy forms part of the General Terms and Conditions that govern the Website www.helioshotels.com together with the Cookie Policy and the Legal Notice.

HELIOS HOTELS, reserves the right to modify or adapt this Privacy Policy at any time. Therefore, we recommend that you review it each time you access the Website. If you have registered on the website and access your account or profile, you will be notified of any substantial changes regarding the processing of your personal data.

Who is the data controller?

The data collected or voluntarily provided to us through the Website, whether through browsing, or any data you may provide in contact forms, via email or by telephone, will be collected and processed by the HELIOS HOTELS group (and all the companies that comprise it), whose details are indicated below:

HELIOS LLORET DE MAR, Avda. Just Marlés Vilarrodona, 29, 17310-Lloret de Mar (Girona).
COBU SA, CIF: A17016197
Avda/Just Marlés Vilarrodona, 29, 17310-Lloret de Mar (Girona).
Registered in the Mercantile Registry of Girona, Volume 116, Folio 119, Sheet GI-2140

HELIOS MALLORCA HOTEL AND APARTMENTS, C/ Carabela 7, 07610, Can Pastilla (Palma de Mallorca), Illes Balears.
HOTEL HELIOS CAN PASTILLA SA, CIF: A01012764
Av. Just Marles Vilarrodona, 29, 17310-Lloret de Mar (Girona).
Registered in the Mercantile Registry of Girona, Volume 80, Folio 96, Sheet GI-1432

HELIOS COSTA TROPICAL, Paseo San Cristóbal, 12, 18690, Almuñécar (Granada).
HOTEL COSTA TROPICAL SA, CIF: A18077875
Paseo Flores, Hotel Helios, SN-18690, Almuñécar (Granada).
Registered in the Mercantile Registry of Granada, Volume 409, Folio 162, Sheet GR-1586

HELIOS BENIDORM, Av. Filipinas, 12, 03503, Benidorm (Alicante).
HOTELES VASCO CATALANES SA, CIF: A01007137
Av. Just Marles Vilarrodona, 29, 17310-Lloret de Mar (Girona).
Registered in the Commercial Registry of Girona, Volume 84, Folio 134, Sheet GI-1516

Contact information for HELIOS HOTELS regarding personal data protection

Tfno: 971 26 42 50

Mail: [email protected]

If, for any reason, you wish to contact us regarding any matter related to the processing of your personal data or privacy (with our Data Protection Officer), you can do so through any of the means indicated above.

What data do we collect through the website?

By simply browsing the Website, HELIOS HOTELS will collect information regarding:

  • IP address
  • Browser version
  • Operating system
  • Duration of the visit or browsing on the website.

This information is stored using Google Analytics, so we refer you to Google’s Privacy Policy, as they collect and process this information. http://www.google.com/intl/en/policies/privacy/

Similarly, if the Website provides access to Google Maps , it may access your location, if you allow it, to provide you with more specific information about the distance and/or routes to our offices. In this regard, please refer to the Google Maps Privacy Policy to learn about the use and processing of such data http://www.google.com/intl/en/policies/privacy/

The information we handle will not be linked to any specific user and will be stored in our databases for the purpose of conducting statistical analyses, improving the website, our products and/or services, and helping us to refine our business strategy. This data will not be shared with third parties.

User registration on the website/ Form submission

To access certain features, such as contact, the user must complete a form. The registration form requests a series of personal data. This data is necessary and mandatory for registration. Failure to provide this information will result in the cancellation of the registration.

In this case, browsing data will be associated with the user’s registration data, identifying the specific user browsing the website. This allows us to personalize the products and/or services offered to best suit the user, in our opinion.

HELIOS HOTELS ‘, databases, along with their transaction history, and stored there until the user’s account is deleted. Once an account is deleted, this information will be removed from our databases. Transaction data will be retained for 10 years without being accessed or altered, in order to comply with applicable legal requirements. Data not related to transactions will be retained unless consent is withdrawn, in which case it will be deleted immediately (always respecting applicable legal retention periods).

The legal basis for processing your personal data is the performance of a contract between the parties.
Regarding the sending of communications and promotions electronically and the response to requests for information, the legal basis for processing is the user’s consent.

The purposes of the treatment will be the following:

  • a) Manage your access to the Website.
  • Keep you informed about the processing and status of your applications.
  • Manage all the utilities and/or services that the platform offers to the user.

Therefore, we inform you that you may receive communications via email and/or on your phone, in order to inform you of possible incidents, errors, problems and/or the status of your requests.

For the sending of commercial communications, the user’s express consent will be requested at the time of registration. In this regard, the user may revoke this consent by contacting HELIOS HOTELS using the means indicated above. In any case, each commercial communication will include the option to unsubscribe from receiving further communications, either via a link and/or email address.

Newsletter subscription (Helios Rewards)

The website offers the option to register for HELIOS REWARDS to enjoy exclusive benefits. To do so, you will need to provide us with some personal information and an email address to which the information will be sent.

This information will be stored in a database, where it will remain registered until the interested party requests its removal or, if applicable, HELIOS HOTELS ceases sending it.

The legal basis for processing this personal data is the express consent given by all those interested parties who subscribe to this service by checking the box designated for this purpose.

Email data will only be processed and stored for the purpose of managing the sending of the Newsletter to users who request it.

To receive the newsletter, users will be asked for their explicit consent during registration by checking the designated box. Users may revoke this consent at any time by contacting HELIOS HOTELS, using the methods described above. In any case, each newsletter will include an option to unsubscribe, either via a link or email address.

If you belong to any of the following groups, please consult the dropdown information:

For what purposes will we process your personal data?

  • To answer your questions, requests, or petitions.
  • Manage the requested service, answer your request, or process your petition.
  • Information via electronic means, regarding your request.
  • Commercial or event information by electronic means, provided there is express authorization.

What is the legal basis for processing your data?

The acceptance and consent of the interested party: In those cases where to make a request it is necessary to complete a form and click on the “submit” button, doing so will necessarily imply that you have been informed and have expressly given your consent to the content of the clause attached to said form or acceptance of the privacy policy.
All our forms include a checkbox with the following text to submit the information: “□ I have read and agree to the Privacy Policy.”

For what purposes will we process your personal data?

  • Budget preparation and monitoring through communication between both parties.
  • Information via electronic means, regarding your request.
  • Commercial or event information by electronic means, provided there is express authorization.
  • Manage the administrative, communications and logistics services performed by the Manager.
  • Carry out the corresponding transactions.
  • Billing and filing of appropriate taxes.
  • Control and recovery management.

What is the legal basis for processing your data?

The legal basis is your consent and the execution of a contract.

Recipients and suppliers

In general, personal data will not be communicated to third parties, except where legally required (for example, to the Tax Agency, financial entities or Security Forces when required by applicable regulations).

However, for the proper provision of the services offered on this website and within the framework of the contractual relationship with clients, certain providers acting as Data Processors may have access to the data, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR). These include, but are not limited to:

  • Google Analytics (web analytics service). This may involve international transfers to the United States under the aforementioned safeguards.
  • WhatsApp Business (messaging channel for communication with customers and users). Use of this service implies the application of Meta Platforms , Inc. ‘s privacy policies and may involve international data transfers.

In all cases, these providers act following our instructions, do not process the data for their own purposes and are contractually bound by a processing agreement in accordance with Article 28 GDPR and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

For what purposes will we process your personal data?

  • Manage your booking, including pre-booking, confirmation, modification or cancellation.
  • To provide accommodation services and associated services (check -in, stay, complementary services, guest services, etc.).
  • Necessary communications during your stay, including those related to your booking, special requests or incidents.
  • Compliance with the legal obligations of traveler registration, in accordance with the applicable regulations on public safety.
  • Administrative, accounting and tax management, including invoicing and tax filing.
  • To carry out the collections and transactions corresponding to the contracted services.
  • Customer satisfaction surveys and service quality monitoring.
  • Sending commercial or promotional information , provided there is express authorization from you.
  • Internal control, auditing, fraud prevention and debt collection procedures, where applicable.

What is the legal basis for processing your data?

The legal bases that legitimize the processing are:

  • The execution of a contract, to manage the reservation, the stay and the associated services.
  • Compliance with legal obligations, especially those arising from traveler registration, tax and accounting regulations.
  • Your consent, when necessary for sending commercial communications or for certain optional treatments.

Recipients and suppliers

Generally, your personal data will not be shared with third parties, except:

  • Legal obligation, for example:
    • State Security Forces and Corps (traveler registration), Tax Agency, financial entities for the management of collections and payments, courts and tribunals, when appropriate.

For what purposes will we process your personal data?

  • Information via electronic means, regarding your request.
  • Commercial or event information by electronic means, provided there is express authorization.
  • Manage the administrative, communications and logistics services performed by the Manager.
  • Billing.
  • Carry out the corresponding transactions.
  • Billing and filing of appropriate taxes.
  • Control and recovery management.

What is the legal basis for processing your data?

The legal basis is the acceptance of a contractual relationship, or failing that, your consent when contacting us or offering us your products by any means.
Filing the appropriate taxes.

What is the legal basis for processing your data?

The legal basis is contractual, the acceptance of a contract either for the purchase and sale of shares or similar, or participation in the formation of the company.

For what purposes will we process your personal data?

  • Manage your registration and participation in the Helios Rewards program, including the creation and maintenance of your user account.
  • Apply the benefits, special conditions, discounts and preferential rates associated with the loyalty program.
  • Manage the accumulation and redemption of points or benefits , according to the program conditions.
  • To send you informational communications related to your membership in the program (updates, changes in conditions, point reminders, etc.).
  • Send personalized commercial communications, promotions and exclusive offers for program members, provided you have given express consent.
  • Analyze habits and preferences, in an aggregated way and always within the law, to improve the quality of the program and better personalize the benefits offered.
  • Prevent fraud and ensure program security, as well as conduct internal audits when necessary.

What is the legal basis for processing your data?

The legal bases that legitimize the processing are:

  • Your consent, given when you register with Helios Rewards and accept its terms and conditions.
  • The execution of the contractual relationship, necessary to manage your participation in the program, apply benefits and maintain your loyalty account.
  • The hotel’s legitimate interest in ensuring the security of the program and preventing fraud, always within the limits of Article 6.1.f) of the GDPR.

For what purposes will we process your personal data?

  • To answer your questions, requests, or petitions.
  • Manage the requested service, answer your request, or process your petition.
  • Connecting with you and building a community of followers.

What is the legal basis for processing your data?

Acceptance of a contractual relationship within the relevant social network environment, and in accordance with its Privacy policies:

  • Instagram: https://es-la.facebook.com/help/instagram/155833707900388;
  • Facebook: http://www.facebook.com/policy.php?ref=pf
  • Whatsapp: https://www.whatsapp.com/legal/#privacy-policy

How long will we keep personal data?

We can only access or delete your data in a limited way because it’s tied to your specific profile. We will process your data for as long as you allow us to by following us, being friends, or clicking “like,” “follow,” or similar buttons.
Any corrections to your data or restrictions on information or publications must be made through your profile or user settings on the social network itself.

For what purposes will we process your personal data?

  • Video surveillance of our facilities.
  • Control of our employees.
  • Sometimes they can be handed over to the courts and tribunals for the exercise of legitimate actions.

What is the legal basis for processing your data?

The legal basis for the processing is the legitimate interest of the controller, in accordance with Article 6.1.f of the GDPR and Article 22 of the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD).

For what purposes will we process your personal data?

  • Organization of selection processes for hiring employees.
  • To schedule job interviews and evaluate your application.
  • If you have given us your consent, we may share it with partner or affiliated entities, with the sole purpose of helping you find employment.

What is the legal basis for processing your data?

The legal basis is your unequivocal consent, given by submitting your CV and receiving and signing information regarding the treatments we will carry out.

How long will we keep personal data?

Your resume will be stored for one year, after which, if we have not contacted you, it will be deleted.

For what purposes will we process your personal data?

  • Manage the employment relationship, including the creation and maintenance of your employee file.
  • Carry out all the necessary administrative, tax, accounting and Social Security procedures to comply with our obligations as an employer, in accordance with labor, occupational risk prevention, tax and accounting regulations.
  • Manage payroll and other compensation payments through the corresponding financial institution.
  • Manage time tracking, using timekeeping systems such as cards, personal codes, employee platforms or portals, or any other system enabled by the company.
  • Manage group insurance, social benefits or pension plans in which the workforce may be included.
  • Manage staff training, both subsidized and non-subsidized training, as well as mandatory actions in the area of occupational risk prevention.
  • Manage incidents, permits, absences, sanctions and any action derived from the employment relationship.
  • Ensure compliance with internal regulations , internal audit controls and fraud prevention measures, to the extent permitted by law.

What is the legal basis for processing your data?

The legal bases that allow the processing are:

  • The execution of the employment contract and the application of pre-contractual measures (art. 6.1.b) GDPR).
  • Compliance with legal obligations applicable to the employer in matters of labor, Social Security, prevention of occupational risks, taxation and accounting (art. 6.1.c) GDPR).
  • The worker’s consent is only required for those treatments that are not covered by the employment relationship or a legal obligation (for example, certain voluntary benefits or optional training actions).
  • The legitimate interest of the employer , in cases such as internal controls, audits or fraud prevention, always within the limits of art. 6.1.f) GDPR.

Do we include personal data of third parties

No, as a general rule we only process data provided to us by the data subjects. If you provide us with data from third parties, you must first inform them and obtain their consent; otherwise, you release us from any liability for failure to comply with this requirement.

And what about data on minors?

We do not process data of children under 14 years of age, therefore, please refrain from providing it if you are not that age.

Will we be communicating electronically?

They will only be used to process your request, if it is one of the contact methods you have provided to us.
If we send you commercial communications, they will have been previously and expressly authorized by you.

What security measures do we apply?

The Data Controller declares that it has adopted the necessary technical and organizational measures to guarantee a level of security appropriate to the risk, in compliance with the provisions of Article 32 of the GDPR and the LOPDGDD.

In particular, the following measures, among others, are applied:

  • Encryption of communications and data in transit using secure protocols (TLS/SSL).
  • Access control based on personal and non-transferable credentials, with the principle of least privilege.
  • Segregation of data by client and project, preventing unauthorized cross-access.
  • Registration and monitoring of access and operations, with periodic reviews to detect unauthorized access or incidents.
  • Encrypted backups, with recovery procedures and periodic verification.
  • Confidentiality policies signed by the people with access to the information.
  • Regular updating and patching of the systems and services used.
  • Periodic security reviews and audits, including internal verification tests and, where appropriate, data protection impact assessments (DPIAs) when the type of processing so requires.

These measures are reviewed periodically and adapted to the state of the art, the nature of the data processed and the risks detected.

To what extent will decision-making be automated?

HELIOS HOTELS does not use fully automated decision-making processes to establish, develop, or terminate a contractual relationship with the user. Should we use such processes in a particular case, we will inform you and communicate your rights in this regard, as required by law.

Will profiling take place?

In order to offer you products and/or services tailored to your interests and improve your user experience, we may create a “business profile” based on the information you provide. However, no automated decisions will be made based on this profile.

To whom will your data be communicated?

Your data will not be shared with third parties, except where legally required. Specifically, it will be shared with the Spanish Tax Agency and banks and financial institutions for the collection of payment for the service provided or product purchased, as well as with the data processors necessary for the execution of the agreement.

In the event of a purchase or payment, if you choose any application, website, platform, bank card, or any other online service, your data will be transferred to that platform or processed within its environment, always with maximum security.

If you have given us your consent to the processing of your name, images and other information related to the activity of HELIOS HOTELS, it will be disclosed on the different social networks and website.

International transfers.

Generally, the Data Controller strives to ensure that personal data is stored and processed within the European Economic Area (EEA). However, for the proper provision of the services described in this policy, it may be necessary to use technology providers located outside the EEA.

In such cases, the appropriate safeguards provided for in Chapter V of the GDPR will always be applied, ensuring a level of protection equivalent to that of the European Union. The mechanisms applied include:

  • Adequacy decisions of the European Commission, such as the EU-US Data Privacy Framework, when the provider adheres to that system.
  • Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by transfer impact assessments and, where appropriate, additional safeguards.

In particular, it is reported that certain services used (e.g., Zcal, AI model providers such as OpenAI, or Google Analytics) may involve transfers to the United States. These transfers are carried out under the aforementioned safeguards.

Likewise, in the event of using cloud storage systems or shared folders (e.g., Dropbox, Google Drive, Microsoft OneDrive, Amazon Web Services, Apple iCloud, HubSpot or other similar providers), the above mechanisms will be applied to ensure an adequate level of protection in accordance with the GDPR.

What rights do you have?

To find out whether we are processing your data or not.
To access your personal data.
To request the correction of your data if it is inaccurate.
To request the deletion of your data if it is no longer necessary for the purposes for which it was collected or if you withdraw the consent you have given us.
You may request the limitation of the processing of your data in some cases, in which case we will only keep them in accordance with current regulations.
You have the right to data portability, meaning your data will be provided to you in a structured, commonly used, and machine-readable format. If you prefer, we can send it to the new data controller you designate. This right is only valid in certain circumstances.
To file a complaint with the Spanish Data Protection Agency if you believe we have not treated you correctly.
To revoke consent for any treatment for which you have consented, at any time.
If you change any information, please let us know so we can keep it up to date.

Do you want a form for exercising your rights?

We have forms for exercising your rights; request them by email, or if you prefer, you can use those prepared by the Spanish Data Protection Agency or third parties.
These forms must be signed electronically or accompanied by a photocopy of the ID card.
If you are represented by someone, you must attach a copy of their ID, or have them sign it with their electronic signature.
Forms can be submitted in person, sent by letter, or emailed to the address of the Responsible Party at the beginning of this text.
You have the right to file a complaint with the Spanish Data Protection Agency if you believe that your request for your rights has not been properly addressed.

The maximum time to resolve is one month, starting from the effective receipt of your request by us.

You have the right to withdraw your consent at any time for any of the treatments for which you have given it.

Do we use cookies?

If we use any cookies other than those strictly necessary, you can consult our cookie policy via the link at the bottom of our website.

How long will we keep your personal data?

Your personal data will be kept as long as you remain associated with us.

Once you unsubscribe, the personal data processed for each purpose will be kept for the legally established periods, including the period in which a judge or court may require them taking into account the statute of limitations for legal actions.

The data processed will be kept until the aforementioned legal deadlines expire, if there is a legal obligation to maintain it, or if there is no such legal deadline, until the interested party requests its deletion or revokes the consent given.

We will keep all information and communications relating to your purchase or the provision of our service, for as long as the product or service warranties last, in order to address any potential claims.

For each type of data processing, we provide a specific period, which you can consult in the following table:

Data relating toDocumentConservation
Customers and suppliersBy way of example and without limitation, some of the most significant documents are listed below. Invoices (issued by the company and drawn on the company). Contracts between merchants (sales, commission, transport, provision of services, etc.). Contracts with individuals. Real estate contracts (leases of business premises, sales, exchanges, etc.). Business correspondence. Bank contracts and documentation (current accounts, deposits, leasing, renting, etc.). Expense reports.Obligation to keep documentation for a minimum of 6 years. It is advisable to keep it depending on the statute of limitations. Article 30 of the Commercial Code establishes that businesses must keep books, correspondence, documentation, and supporting documents related to their business for six years from the date of the last entry made in the books. However, this rule only establishes a minimum period of time during which, in the interest of the general public, businesses must keep the documents generated during the course of their business.
Documents and records of tax significance

General Tax Law arts. 66 to 704 previous exercises (years)

VAT returns and other indirect tax returns should be kept for 10 years (harmonization with the EU).

Entities subject to the Law on the Prevention of Money Laundering, documentation proving compliance with AML obligationsLaw 10/2010 art. 2510 years
Human ResourcesPayroll, Social Security Contribution Settlement Receipt (formerly TC1), Nominal List of Workers (formerly TC2), etc.General Social Security Law
Royal Decree-Law 5/2000
Labor violations: 3 years
Social Security violations: 5 years
General employment documentation: 4 years (6 years recommended)
ResumesUntil the end of the selection process, and for up to 2 years longer unless the interested party revokes consent or requests deletion.
Worker trainingArticle 5.2, Order TAS/2307/2007
4 years
Workday RecordsArt. 10 RDL 8/2019 and art. 34 ET modified by Law 4/2023
4 years
Documents regarding severance pay.
Contracts
Data on temporary workers.		RD 425/2005 section 3 Additional Provision 1
4 years
Article 30 of the Commercial Code establishes a minimum period of 6 years. Organic Law 7/2012 recommends keeping it for 10 years.
Employee file.Up to 5 years after leaving employment (Royal Legislative Decree 5/2000, of August 4, which approves the consolidated text of the Law on Infringements and Sanctions in the Social Order).
Documentation or computer records proving compliance with occupational risk prevention regulationsRoyal Decree-Law 5/2000 art. 4
5 years
MarketingDatabases or website visitors.For the duration of the treatment.
Access control and video surveillanceVisitor registrationInstruction 1/1996 AEPD
Art. 22 LOPDGDD
30 days

Video surveillanceImages/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture.

The recordings will be destroyed within a maximum period of one month from their capture, unless they are related to serious or very serious criminal or administrative offenses in matters of public safety, with an ongoing police investigation or with an open judicial or administrative proceeding

Instruction 1/2006 AEPDArt. 22 LOPDGDD
30 days
AccountingAccounting books and documents. Annual accountsPartner agreements and board of directors, company statutes, minutes, board of directors regulations and delegated committees.
Financial statements, audit reports
Records and documents related to grants		Commercial Code art. 30:6 years
Corporate Documentation

Articles of incorporation of the company together with the articles of association, deeds of adoption of corporate resolutions, of granting/renewal of powers of attorney, deed of sale of shares, deed of sale of assets, of shares, of dissolution/liquidation, etc.)Minutes books of meetings of the general meeting and the board of directors (commercial companies), register of normative shares, register of partners, register of contracts with the sole partner, other books.

Other types of corporate documentation (private contracts for the purchase and sale of shares, participating loans, pledges of shares, etc.)

It is recommended to keep these documents for the entire life of the company, from its incorporation until at least six years after its dissolution and liquidation. If the deeds incorporate rights or obligations for the company, it is recommended to adhere to the aforementioned limitation periods.Obligation to keep documentation for a minimum of 6 years, starting from the date of the last entry made in the books. These documents must be kept for the entire life of the company, from its incorporation until at least 6 years after its dissolution and liquidation.

It is recommended to keep them for the entire life of the company, from its incorporation until at least 6 years after its dissolution and liquidation.

Fiscal/Tax

Managing the administration of the entity, rights and obligations related to the payment of taxes.Administration of dividend payments and tax withholdings.

All documents that justify the tax actions of the taxpayer (proof of income and expenses), including both the accounting and the supporting documentation thereof (contracts, invoices, receipts, delivery notes…) All types of tax returns.

Obligation to retain documentation: Minimum 4 years. Articles 66, 67, and 68 of the General Tax Law. The general statute of limitations for tax obligations is 4 years. With regard to tax returns, the 4-year statute of limitations begins to run from the day on which the voluntary filing period ends. If there has been any subsequent action by the Tax Administration (inspection, partial verification) or by the taxpayer (amended return, appeal) that has interrupted the statute of limitations, a new 4-year period begins from that action. However, it is advisable to keep tax documentation. Organic Law 7/2012 recommends keeping it for 10 years. Order EHA/962/2007 allows for the destruction of invoices received on paper if a certified digitization process has been carried out beforehand, obtaining electronically signed digital copies.
Safety and Health

Medical Records.Employee Medical Records

Health data of Spa clients ( wellness treatments ).

Article 17.1 of Law 41/2002 of November 14, on patient autonomy and rights and obligations regarding information and clinical documentation
5 years
InsuranceInsurance policies

6 years (general rule)2 years (damages)

5 years (personal)

10 years (life)

LegalIntellectual and Industrial Property Documents.
Contracts and agreements.		5 years
Permits, licenses, certificates6 years from the expiry date of the permit, license or certificate.10 years (statute of limitations)
Confidentiality and non-compete agreementsAlways the duration of the obligation or confidentiality
Data protection regulations.Once the retention period has expired, the data must be blocked (art. 32 LOPDGDD) and kept only at the disposal of competent authorities during the limitation periods of responsibilities, after which it will be permanently deleted.Records and documents proving compliance with data protection regulations (audits, reports, processing agreements, etc. )While the data processing lasts and afterwards during
3 yars
Documentation proving that requests for the exercise of rights by interested parties are being addressedDuring
3 years after the application
Logs / Access records to information systems2 years
If the processing is based on the data subject’s consent, proof of consentWhile the data processing lasts and afterwards during
3 years
Traffic data relating to internet connections, emails and calls sent or received from landline telephonesUser identifier, IP address (source/destination), telephone number, IMSI and IMEI (source/destination), date and time of communication (start/end), identification of the type of service or communication used (voice, data, SMS or MMS)Article 5 of Law 25/2007, on the preservation of data relating to electronic communications and public communications networks.
1 year
Biometric data (fingerprints, facial recognition), if applicable, will be collected in accordance with the guidelines published by the Spanish Data Protection Agency (AEPD). Currently in Spain, there is no legal basis for its use for access control or employment purposes.Biometric data is recorded in the tool/software enabled for this purpose by the entity, in the event of having carried out a positive Impact Assessment, within the current legal framework.

In compliance with the principle of storage limitation, personal data may be processed no longer than necessary for the purposes of processing. Therefore, taking into account the provisions of Article 34.9 of the Workers’ Statute, the company will retain the records for four years, and they will remain available to employees, their legal representatives, and the Labor and Social Security Inspectorate. The user will be responsible for notifying and initiating the final termination procedure.Building access control: 30 days, files to control access (Inst. 1/1996 AEPD)

INACTIVE FOOTPRINTS: 6 MONTHS OF INACTIVITY. RECORDS: EMPLOYEES, 4 YEARS; NON-EMPLOYEES: 30 DAYS

Academic data, academic record, student identification data, attendance data, sanctions, psycho-pedagogical reports, continuous assessment data and final results, application for scholarships and grants.Academic record, personal data file of the educational center, academic history, reports and disciplinary records, evaluation minutes and grade reports, application and resolution files for scholarships

Academic record and history: permanently.Disciplinary reports and records: 5 years.

Evaluation records and report cards: permanently for records and 5 years for report cards.

Application and resolution files for scholarships: 6 years from the resolution.

GuestsCheck – in of travelers/guests .3 years (Organic Law 4/2015 on the protection of citizen security, Order INT/1922/2003 and in Royal Decree 933/2021, of October 26 (documentary registration obligations and information of natural or legal persons who carry out accommodation activities).
helios-logo