Privacy Policy

This Privacy Policy applies to the HR data processing of the company ESTE CASTILLO OPERATIONS, SLU. Please read it carefully. In it you will find important information about the processing of your personal data, the rights recognized by the current legislation on the subject and the obligations that correspond to you.
This policy is published on and can be consulted in the HR department, where you can request a copy.
We reserve the right to update our privacy policy at any time due to business decisions, as well as to comply with possible legislative or jurisprudential changes. If you have any questions or need any clarification regarding our Privacy Policy or your rights, you can contact us through the channels indicated below.
You declare that the data you provide us, now or in the future, are correct and truthful and you agree to inform us of any changes to them. In the event of providing personal data of third parties, you undertake to obtain the prior consent of those concerned and to inform them of the contents of this policy.

1. Who is responsible for the processing of your data?
The person in charge of the treatment of your data is ESTE CASTILLO OPERATIONS, SLU, (the COMPANY, hereinafter) with address at C/ Av. Doctor Arce, 14, 28002, Madrid (Spain).
For any questions about data protection you can contact the Privacy Officer at .

2. What will we process your data for and on what legal basis?

2.1 HR Management
The COMPANY will process your data for the management, administration, organization, planning and training of its human resources.
What data are processed for this purpose and how are they obtained? The categories of data that the COMPANY processes for this purpose are the following:
– Data of an identifying and contact nature, such as DNI/NIE, name and surname, residence permit (if applicable), address, telephone, e-mail, signature, image/voice, SS/Mutuality No.; The cell phone number you have provided will be used for the reciprocal sending of operational communications via WhatsApp or the messaging application agreed with the Company.
– Personal characteristics data, such as marital status, date of birth, nationality or languages;
– Academic and professional data;
– Employment details data;
– Bank and payroll data,
– Data on transactions of goods and services;
– Data generated by the employment relationship itself, including the employment contract or the contract regulating your secondment or your status as an intern or trainee and its eventual addenda and employment records, for example, the time and attendance register.
– Special categories of data: we process health data necessary for the fulfillment of our obligations in the field of labor law, occupational risk prevention, social security or integration of people with disabilities, for example, data on registrations and cancellations, existence of disability and percentage of disability; where appropriate, we may also process data relating to your union membership for the payment of your union dues, if you have requested us to do so. In this case, the processing of your union membership data will be based on the consent you have given, which you may revoke at any time by requesting it to the HR department.

The processing of this data is necessary for the execution of the employment contract or the one that regulates your provision or your status as an intern or trainee, as appropriate, and compliance with the legal obligations of the COMPANY in labor matters, prevention of occupational hazards, social security or social integration of people with disabilities.
Bank data, payroll and transactions of goods and services generated by the employment relationship will be processed for accounting and administrative management purposes and compliance with the legal obligations of the COMPANY in accounting and tax matters.
All these data are obtained directly from you or generated by the contractual relationship itself.

2.2 Time control
We will treat the data incorporated in the working day register for the control of your working hours in compliance with the provisions of Article 34.9 of the Workers’ Statute.
Depending on the department of which you are a member, if applicable, the COMPANY will process the mathematical pattern calculated from the reading of your fingerprint for verification purposes against the Company’s time recording system. The use of a biometric verification system is based on our legitimate interest in authenticating the people who register their working day in a fast and efficient way.
How has this interest been weighed against your rights and freedoms? For this weighting, the following has been determined:
– Art. 20.3 of the Workers’ Statute establishes the employer’s power to adopt the surveillance and control measures it deems most appropriate to verify the worker’s compliance with his obligations and duties.
– The processing is compatible with the reasonable expectations of the data subjects, as it is a common practice in companies.
– The impact on the privacy of data subjects is limited, as the fingerprint pattern is used for verification purposes only and not for biometric identification. Likewise, the biometric enrollment system does not store the image of the fingerprint, nor can it be obtained from the stored mathematical pattern.

2.3 Security and labor control through video surveillance systems
We will process the data obtained from the video surveillance cameras installed, for purposes of video surveillance and security of the facilities, as well as for the exercise of the functions of control of the workers in the fulfillment of the obligations and labor duties and in the non-commission of disciplinary punishable behaviors.
This treatment is based on the relationship formalized through the employment contract and the legal powers of control granted to the employer (art. 20.3 of the Workers’ Statute).
The presence of video surveillance cameras is properly announced through the different informative signs existing in the facilities of the COMPANY and they will only capture images of the indispensable spaces for labor control and, in no case, they will be located in areas of changing rooms, bathrooms and spaces of rest or recreation of the workers. The cameras shall not capture sound.
How has the proportionality between the purpose pursued and the way in which the images are processed been weighted? The following has been determined for this weighting:
 Art. 20.3 of the Workers’ Statute establishes the employer’s power to adopt the surveillance and control measures he deems most appropriate to verify the employee’s compliance with his obligations and duties.
 The processing is compatible with the reasonable expectations of the interested parties, taking into account the type of business activity;
 The impact on the privacy of the interested parties is limited as the images captured are deleted within a maximum period of one month, except when they have to be kept to prove the commission of acts against the integrity of persons, goods or facilities; Security measures are implemented to prevent unauthorized access to the images, as the system for viewing the images will be located in a restricted access place and the images will only be accessed by duly authorized personnel.

3. To whom may we disclose your information?
We may disclose data about our human resources in the following circumstances:
– When it is necessary for the performance of the contract. For example, in the case of training, the personal data of the employees concerned may be disclosed to the relevant training companies.
– Because of the relationship between the Company and Hyatt, Corp. as franchisees and franchisor, we will disclose your name and position so that you can be assigned a GID to allow you access to Hyatt’s operational systems. This disclosure is necessary for the performance of your employment relationship with the Company and may involve an international transfer of data as Hyatt, Corp. has locations outside the European Economic Area (EEA).
– To comply with our legal obligations. For example, your personal data may be communicated to public administrations or entities, such as the labor authority, health authorities, Social Security or the Tax Agency, as well as, where appropriate, to the company’s health and safety committee, prevention delegates, Works Council or Staff Representatives, on a non-limiting basis.
– The personal data necessary to make payments to our HR will be communicated to the financial institution in charge of processing the corresponding transfers, only for that purpose. The direct debit of your payroll is based on the existence of a legitimate interest in facilitating the management of payments. In weighing this interest against your rights and freedoms, it has been determined that the processing had a limited impact on the privacy of data subjects, corresponded to reasonable expectations of data subjects as it is a generalized practice and did not pose significant threats.

4. How long will we keep your data?
In general, your data will be kept for the duration of your relationship with us and in any case for the periods provided for in the applicable legal provisions and for the time necessary to meet any liabilities arising from the processing. We will cancel your data when they are no longer necessary or relevant for the purposes for which they were collected.
The data relating to an employee’s file will be kept for at least the periods required by labor regulations. The records of employees on sick leave will be kept for 6 years from the date of sick leave.
The data of the time controls will be kept for as long as the statute of limitations period for misconduct as indicated in the applicable Collective Bargaining Agreement or in the labor legislation in force, and in any case for a minimum period of four years.

5. What are your rights?
You have the right to obtain confirmation as to whether or not we are processing your personal data and, if so, to access it. You can also ask for your data to be corrected when they are inaccurate or to be completed when they are incomplete, as well as to request their deletion when, among other reasons, the data are no longer necessary for the purposes for which they were collected.
In certain circumstances, you may request that we restrict the processing of your data. In this case, we will only process the data concerned for the formulation, exercise or defense of claims or for the protection of the rights of others.
Under certain conditions and for reasons relating to your particular situation, you may also object to the processing of your data. In this case, we will stop processing the data except for compelling legitimate reasons that override your interests or rights and freedoms, or for the formulation, exercise or defense of claims.
Also, under certain conditions, you may request the portability of your data to be transferred to another data controller.
You may revoke the consent you have given for certain purposes, without affecting the lawfulness of the processing based on the consent prior to its withdrawal.
You also have the right to object to automated individual decisions that produce legal effects on you or significantly affect you in a similar way, where this right is provided for in Article 22 of Regulation (EU) 2016/679.
You also have the right to file a complaint with the Spanish Data Protection Agency or any other competent data protection authority. You can consult the list and contact details of the European data protection agencies on the European Commission’s website at
To exercise your rights, you should send us a request by post or e-mail to the addresses indicated in the section Who is the controller of your data?
You can obtain more information about your rights and how to exercise them on the website of the Spanish Data Protection Agency (

6. What are your obligations?
You declare that the data you provide us, now or in the future, are correct and truthful and you undertake to inform us of any changes to them.
For the development of the functions inherent to your job, you may have access to personal data processed by the COMPANY, as well as other information generated by its activity. Such files are subject to compliance with the provisions of current regulations on the protection of personal data. You agree to keep full confidentiality of personal data processed by the COMPANY, even after the relationship between the parties is terminated.
You also undertake to comply with and enforce the security measures applied to the processing systems, as well as to respect the rules of use of digital media that are made available to you.
The internal procedures of the entity, their definition and implementation, as well as the working methods, schemes, templates and, in general, everything that is part of the “know how” of the company, is the property of the entity. In this sense, you agree not to reproduce, copy, distribute, publish or disclose to third parties, and not to use on your own, either in part or in whole, any of the aforementioned information. In addition, the employee expressly waives any right to all documentation produced by him/her as a result of the work performed for the entity, in favor of the latter.

You also undertake to comply with and enforce the security measures applied to the processing systems, as well as to respect the rules of use of the computer systems that are made available to you. In general, it is forbidden to use the organization’s computer and communication systems for personal matters or for any other purpose not directly related to the performance of your job, and you must not use these means to store, process or transmit content on which you have any expectation of privacy. In order to ensure the proper use of the technical and computer means that the company makes available to its employees, the following shall be observed:
– Should you have, now or in the future, a username and password to access system(s) of the organization, you are hereby informed that you must comply with the following obligations:
– As long as the system permits, you must change your password the first time you log on to the system.
– Never communicate your username and password to another person.
– Never write down your password, others could read it and use it.
– You must log off when you leave the computer workstation you are using.
– You are responsible for what others do with your identification.
– The e-mail account of an employee, as well as his or her system user account, may be accessed by superiors or colleagues in the event of his or her sudden absence or for operational and task control reasons, based on operational criteria and with the prior authorization of the Security Manager, who will inform the user and record it as an incident.
– The interception and/or unauthorized use of other users’ electronic mail or e-mail is expressly forbidden.
– The user has access to the company’s e-mail for the duration of his or her relationship with the company. At the time of termination of the relationship between the parties, access to your mailbox will be interrupted. The technical services may access the mailbox to forward professional messages to the users determined by the system security manager.
– Internet Access
– Internet addresses likely to endanger the entity’s computer resources, such as P2P websites, etc., must not be accessed.
– Under no circumstances should Internet addresses with pornographic content that is offensive or offensive to human dignity be accessed.
– The content of the laws of intellectual or industrial property must be complied with, so users must carefully check, before using the information from the network, if it is protected by the rules of the aforementioned laws.
– The company reserves the right to prevent, by means of proxies or other mechanisms, access to those web page addresses that offer content prohibited by these regulations or whose visit would harm the performance or security of the system.

The data protection policies, rules and procedures defined by the organization are mandatory. You undertake in particular to consult and comply with the rules and procedures that affect your job and that are made available to you through the appropriate mechanisms.

Select the date for your booking