Can't find your booking reference?
The booking reference can be found in the confirmation email, which should be in your inbox.

We have received your request correctly.

You will receive an email with a summary of your bookings.

Can't find it? Leave us your email and we'll send you a summary of your bookings.

Data protection and privacy policy

As part of your application to become a provider for CIVITATIS, you will be required to provide the necessary data and information regarding your entity or personnel in the corresponding registration form. In light of this, we provide you with this Privacy Policy to inform you in detail about how we process your personal data, protect your privacy, and safeguard the information you provide.

Below, we present in a question-and-answer format the conditions under which our entity processes your personal data:

1. Who's responsible for the processing of your data?
  • Identity: Civitatis Tours, S.L. NIF: B-86899440
  • Mailing address: C/ Coloreros, 28013 – Madrid.
  • Email address: dpo@civitatis.com.
2. Who's the Data Protection Officer (DPO) of the entity and how can they assist you?

The DPO is a legally established role whose main functions are to inform and advise our entity on the obligations related to the protection of personal data and to supervise compliance with these obligations.

Additionally, the DPO acts as a point of contact for any matters related to the processing of personal data. Therefore, if you have any questions, doubts, or suggestions regarding how we use your personal data, you can reach out to them at: dpo@civitatis.com. 3. What's the purpose of processing your personal data?

We process the personal data you provide to analyze your application to become a supplier. The provision of data for this purpose by suppliers is mandatory; otherwise, CIVITATIS will not be able to evaluate the application.

If, after analyzing the information provided, CIVITATIS agrees with the services and characteristics of the provider, it will proceed to manage their registration, for which the General Terms and Conditions for Suppliers of CIVITATIS must be accepted.

The data will be treated confidentially, and their security will be ensured by adopting the appropriate security measures required by current legislation.

4. How long will we process your data? providers_privacy_policy_4_content 5. What is the legal basis for processing your data?

The legal basis for processing your data is the adoption of pre-contractual measures, in accordance with Article 6.1(b) of the General Data Protection Regulation (GDPR).

6. To whom will your data be communicated?

The data will not be communicated to any third party, except, where applicable, to the competent Public Administrations, including judges and courts, in cases provided for by law and for the purposes defined therein.

Although this is not a data transfer, it's possible that third-party companies acting as our providers may access your information to provide the service. These processors access your data following our instructions and may not use it for any other purpose, maintaining the strictest confidentiality and based on a contract in which they commit to comply with the requirements of current legislation on the protection of personal data.

7. Are there any international data transfers?

CIVITATIS contracts its virtual infrastructure for storing its database through a cloud computing model via Google Drive, with the information stored in the U.S., under the Data Privacy Framework agreement - Information available at:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active 8. What are your rights when you provide us with your data?

Any person has the right to obtain confirmation as to whether we are processing personal data concerning them or not. Individuals have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data are no longer necessary for the purposes for which they were collected.

Under the conditions provided for in the General Data Protection Regulation, individuals may request the limitation of the processing of their data or their portability, in which case we will only retain them for the exercise or defense of claims.

In certain circumstances, and for reasons related to their particular situation, individuals may object to the processing of their data. If you have given consent for a specific purpose, you have the right to withdraw it at any time, without affecting the lawfulness of the processing based on consent before its withdrawal. In these cases, we’ll stop processing the data or, if applicable, stop doing so for that specific purpose, except for compelling legitimate reasons or the exercise or defense of potential claims.

Furthermore, data protection regulations allow you to object to being subject to decisions based solely on automated processing of your data when applicable.

The aforementioned rights are characterized as follows:

  • Their exercise is free of charge, unless it concerns manifestly unfounded or excessive requests (e.g., repetitive in nature), in which case a fee proportional to the administrative costs incurred may be charged, or the request may be refused.
  • You may exercise the rights directly or through your legal or voluntary representative.
  • We must respond to your request within one month, although, considering the complexity and number of requests, the period may be extended by an additional two months.
  • We have the obligation to inform you about the means to exercise these rights, which must be accessible, and we cannot deny you the exercise of the right solely because you choose another method. If the request is submitted electronically, the information will be provided through these means when possible, unless you request it otherwise.
  • If, for any reason, the request is not processed, we will inform you, no later than one month, of the reasons for this and the possibility of filing a complaint with a Supervisory Authority.

To facilitate the exercise of the aforementioned rights, we provide below links to the request form for each of them:

All the aforementioned rights can be exercised through the contact means listed at the beginning of this clause.

In the event of any violation of your rights, especially if you have not obtained satisfaction in exercising them, you can file a complaint with the Spanish Data Protection Agency (contact details available at www.aepd.es) or another competent supervisory authority. You can also obtain more information about the rights that assist you by contacting these organizations.

9. How do we protect your personal data?

We are firmly committed to protecting the personal data we process. We implement reasonably reliable and effective physical, organizational, and technological measures, controls, and procedures aimed at preserving the integrity and security of your data while ensuring your privacy.

Additionally, all personnel with access to personal data have been trained and are aware of their obligations regarding the processing of such data.

Contracts with our providers include clauses requiring them to maintain confidentiality regarding any personal data they access as part of their service. They must also implement the necessary technical and organizational security measures to ensure the ongoing confidentiality, integrity, availability, and resilience of personal data processing systems and services.

These security measures are periodically reviewed to ensure their adequacy and effectiveness.

However, absolute security cannot be guaranteed, and no security system is entirely impenetrable. In the event that any processed information under our control is compromised due to a security breach, we will take appropriate measures to investigate the incident, notify the relevant Supervisory Authority, and, if necessary, inform affected users so they can take appropriate action.

10. What's your responsibility as the data owner?

The Provider is responsible for the accuracy of the data provided and must keep it properly updated to reflect their actual situation. The Provider will be liable for any false or inaccurate data they may provide, as well as for any direct or indirect damages that may arise as a result.

If the Provider provides data concerning third parties, they assume the responsibility of informing them in advance of all provisions outlined in Article 14 of the General Data Protection Regulation (GDPR) under the conditions established in said regulation.