Privacy policy

1. Who are the data controllers? (Triple co-responsibility)

In accordance with the provisions of Article 26 of the GDPR, the personal data collected through the PID Platform are processed on a co-responsibility basis by the following entities, which jointly determine the essential purposes and means of the processing:

Co-responsibility agreement

MITUR, SEGITTUR, and the member Destinations have formalised the corresponding co-responsibility agreements, which transparently determine the functions and responsibilities of each of the parties in relation to compliance with the obligations derived from the GDPR, especially in matters of information, exercise of rights, security, and legitimation of the processing.

The essential content of these agreements is available to data subjects in accordance with the provisions of Article 26 of the GDPR.

2. Who can use the Platform?

The Smart Destination Platform (PID) is aimed exclusively at people over 18 years of age.

No functionalities are designed specifically for minors, nor is personal data of minors deliberately collected. In the event that data of minors is detected in error, it will be deleted immediately.

3. What data are processed?

Depending on the modules and services activated at each Destination, the following categories of personal data may be processed:

• a) Identification and contact data, such as name, surname, email address, telephone number, or user identifiers.
• b) Data on use and interaction with the Platform, such as accesses, browsing, searches, contents consulted, favourites, ratings, and comments.
• c) Profile and preference data, such as language, age range, nationality, or other personalisation parameters, generally processed in an aggregated or pseudonymised form.
• d) Data derived from integrated services, such as the information necessary to manage bookings for public services or equivalent functionalities when these modules are enabled.
• e) Technical data, including IP addresses, logs, session identifiers, and device data used to ensure the security and proper functioning of the Platform.
• f) Aggregated or anonymised data will be processed for training and improvement of the tool.

4. For what purposes do we process your data?

The personal data are processed jointly by the joint controllers for the following purposes:

• To enable the registration and management of users of the Platform.
• To facilitate the provision of tourism and digital services offered through the PID by the member Destinations.
• To manage the user's interaction with the Platform and with the available services and content.
• To carry out analysis, exploitation of tourism data and indicators, including usage, behaviour, and demand studies, for the purposes of planning, evaluation, and improvement of tourism services and public policies.
• To send communications, notices, or notifications, when the user has given his/her consent or when it is necessary for the provision of the service.
• Development, training, and enhancement of algorithmic models and digital assistance systems linked to the PID platform with anonymised or aggregated data.
• To ensure the security, integrity, and correct use of the Platform, including the prevention of misuse or fraudulent use.

5. What is the legal basis for the processing?

The applicable legal bases, depending on the specific purpose, are:

• Mission carried out in the public interest (art. 6.1.e GDPR), in the framework of the competences of the MITUR, SEGITTUR, and the Destinations in terms of tourism policies and digitalisation of the sector.
• Execution of a relationship requested by the user (art. 6.1.b GDPR), when accessing personalised services or specific functionalities.
• Consent of the user (art. 6.1.a GDPR), for example, for sending communications or newsletters.
• Compliance with legal obligations (art. 6.1.c GDPR).
• Legitimate interest (art. 6.1.f GDPR), especially in processing activities linked to the security of the Platform, duly weighed against the rights of the user.

6. Who can access your data?

The following may have access to your personal data:

• The joint controllers within the scope of their respective competences.
• Technology providers acting as processors or sub-processors, under contract in accordance with Article 28 GDPR.
• Public administrations or competent authorities where there is a legal obligation.

No international transfers of data outside the European Economic Area are envisaged, unless the appropriate safeguards provided for in the GDPR are adopted.

7. How long do we keep your data?

Personal data will be kept for the time required to:

• fulfil the purposes for which they were collected,
• maintain the user's relationship with the Platform,
• and comply with applicable legal obligations.

Subsequently, the data will be securely deleted or anonymised.

8. Rights of users

You may exercise your rights of access, rectification, deletion, opposition, limitation, portability, as well as withdraw the consent granted, by contacting any of the joint controllers:

• Ministry of Industry and Tourism, through its official channels or e-Office: https://www.mincotur.gob.es/es-ES/Contacto/Paginas/Contacto.aspx
• SEGITTUR, by email to DPD@segittur.es
• The Destination, through the contact details provided on the Platform.

The joint controllers will coordinate to ensure a single, coherent, and timely response.

You can also file a complaint with the Spanish Data Protection Agency (www.aepd.es).

9. Nature of the data

Appropriate technical and organisational measures are in place to ensure the confidentiality, integrity, and availability of personal data and to prevent unauthorised access, accidental loss, or improper treatment.

10. Changes to the Privacy Policy

This Privacy Policy can be updated to adapt to regulatory, jurisprudential, or functional changes of the Platform. The current version will always be available on the PID website or APP, indicating the date of the last update.