Data Collection Consent / Clause for camp attendees

DATA COLLECTION CONSENT CLAUSE FOR CAMP ATTENDEES

Article 11. Transparency and information to the data subject.

1. When personal data is obtained from the data subject, the data controller may comply with the duty of information established in Article 13 of Regulation (EU) 2016/679 by providing the data subject with the basic information referred to in the following section and indicating an electronic address or other means that allows easy and immediate access to the remaining information.
2. The basic information referred to in the previous section shall contain, at least: a) The identity of the data controller and their representative, where applicable. b) The purpose of the processing. c) The possibility of exercising the rights established in Articles 15 to 22 of Regulation (EU) 2016/679.

If the data obtained from the data subject is to be processed for profiling purposes, the basic information shall also include this circumstance. In this case, the data subject must be informed of their right to object to the adoption of automated individual decisions that produce legal effects on them or similarly significantly affect them, where this right applies in accordance with the provisions of Article 22 of Regulation (EU) 2016/679.

The controller of your personal data is CASTILLO DE LAYOS S.L.

Main purposes: (i) Management of the user registry on our App and website [GG1] (ii) Responding to inquiries submitted, (iii) Development, fulfillment, and execution of the pre-contract and, where applicable, contract for the provision by CASTILLO DE LAYOS of the camp services requested. (iv) Should you provide us with your CV, including you in a selection process and, if you accept, including you in our candidate file, (v) Should you grant your consent, using the data in order to inform users about advantages, discounts, and promotions of associated third parties through electronic means.

You have the right to access, rectify, limit the processing of, delete your data, and request its portability.

This Privacy and Data Protection Policy is intended to provide the user with all the information they need to understand the scope and purpose of the data processing, so that the acceptance — absolutely necessary in order to access and use the website and App — is based on perfectly informed consent as set out in the data protection regulations applicable at any given time.

---

1. Who is the controller of your data?

• Name: Castillo de Layos, S.L. (hereinafter "CASTILLO DE LAYOS")
• Registered address: C/ Garza 11, postal code 28023 – Madrid.
• Telephone: 91 357 2564
• Email: INFO@LAYOCAMP.COM

CASTILLO DE LAYOS wishes to provide, in a transparent manner, information about the data processing it carries out, the legal basis for it, as well as the rights available to the data subject regarding the processing of their personal data. Accordingly:

• The data subject has at their permanent disposal all the information in this Privacy and Cookies Policy so that it may be consulted whenever deemed appropriate, and, in addition,
• The data subject will be informed about each processing of their personal data as they interact with CASTILLO DE LAYOS.

2. What personal data do we process and for what purposes?

Depending on whether the data subject reserves a course or camp stay, contracts it, authorizes the sending of commercial communications, or wishes to work for CASTILLO DE LAYOS, or simply contacts us or requests some kind of information, CASTILLO DE LAYOS will need to process certain data, which generally, depending on the case, will be the following:

• Identification data of the user and possible camp attendee such as, for example, name, surname, contact details, ID card or passport details if necessary, etc.

In any case, we remind you that the personal data CASTILLO DE LAYOS processes is the personal data collected from the data subjects during the contracting of the course or camp. During the maintenance of the contractual relationship, CASTILLO DE LAYOS will normally need to process data of third-party minors that the client (hereinafter, "campers"), parent exercising parental authority, or guardian, may provide. In this regard, CASTILLO DE LAYOS will under no circumstances use the data the client has provided about the camper outside of the services exclusively contracted, and only when such data is necessary for the contracting and/or management of the same.

The very safety and protection of the camper requires parents exercising parental authority or guardians to provide any information related to their health or special needs so that CASTILLO DE LAYOS may diligently manage the course or camp accordingly. The omission of any information in this regard releases CASTILLO DE LAYOS from any responsibility it would have assumed had it known such data.

• Economic and transactional information (for example, payment data or card data). On this point, CASTILLO DE LAYOS informs that personal data of credit cards will be stored on the point-of-sale terminals that manage online payment, not on its platform.
• Connection and browsing data, since like many websites and online services, CASTILLO DE LAYOS uses cookies and other technologies to keep a record of your interaction with our services. Cookies help to manage a range of functions and content, as well as to store searches and re-present your information when reserving a new trip, for example. For more information about the types of cookies and similar technologies we use, why, and how you can control such technologies should you interact with us, see further information in the Cookies Policy.
• In the event you have expressly authorized the processing of your image or that of the underage camper of whom you are the parent exercising parental authority or guardian, the image may be disseminated publicly and privately on pages managed by CASTILLO DE LAYOS, on its intranet, or on its profiles on the various Social Networks, with educational and/or commercial purposes, in which the data subject is engaged in course or camp activities.

When CASTILLO DE LAYOS requests certain personal data from the data subject, in order to grant access to a feature or service of the website, it will mark some fields as mandatory, since this is data necessary for CASTILLO DE LAYOS to be able to provide such service. Failure to provide the required data may mean that the requested registration, the reservation of the selected trip, or the completion of the contracting cannot be finalized.

Depending on how the data subject interacts with the website, CASTILLO DE LAYOS will process personal data for the following purposes:

• To manage user registration on the website and/or App: In this case, CASTILLO DE LAYOS will need to process the data subject's personal data in order to identify them as a user of the same and grant them access to its different features and services available to them as a registered user. The data subject may cancel their registered user account by contacting CASTILLO DE LAYOS through any of the channels indicated above.
• For the development, fulfillment, and execution of the contract for the course or camp contracted with CASTILLO DE LAYOS through the website: This purpose includes the processing of your data for, mainly:
  • Contacting the user regarding updates or informative communications related to the contracted service.
  • Managing the camp reservation and, should it proceed, the subsequent payment for it.
  • Should the data subject have only contacted CASTILLO DE LAYOS, CASTILLO DE LAYOS will process their data to attend to the requests or queries for information they make regarding the contracted camp. CASTILLO DE LAYOS will only process the personal data strictly necessary to manage or resolve the request or query.
• For commercial purposes: This purpose includes the processing of your data for, mainly:
  • The user, once they become a client of CASTILLO DE LAYOS, will receive news about camps and similar services that match and are analogous to those they have already contracted. However, the client is informed that they may object at any time by contacting CASTILLO DE LAYOS through the channels already indicated.
  • When the user has unequivocally consented, CASTILLO DE LAYOS may send them commercial communications and news that, as a registered user or client, may be of interest. The user may also object at any time.
• In the event the data subject has submitted their data to become part of the CASTILLO DE LAYOS team, the purpose of the processing is the selection of candidates for the job positions offered by CASTILLO DE LAYOS. Should you provide us with references from third parties for verification of the information supplied, you must have informed and previously obtained the consent of these persons to be contacted by CASTILLO DE LAYOS.

3. What is the legal basis for processing your data?

The legal bases for processing your data are the following:

• The unequivocal consent of the data subject themselves, based on Article 6.1.a) of the GDPR:
  • Obtained through the "contact" web form or through the website user registration, and requested in order to provide responses and advice in relation to information requests;
  • Obtained through website user registration and requested in order to make reservations of services offered on the website;
  • Obtained through the web checkbox provided, for the sending of commercial communications;
  • Obtained when the data subject provides their CV, so that CASTILLO DE LAYOS may keep it in its Database.
  • Obtained in case of express authorization of the processing of the image of the student undertaking the course or camp.
• Management of pre-contractual measures and, where applicable, contractual ones, based on Article 6.1.b) of the GDPR.
  • In order to manage the registration of the data subject, the processing of their personal data is necessary, as well as for the execution of the terms governing the use of the website.
  • Processing necessary to manage the reserved and, where applicable, contracted camp. This section also includes health data and special needs that have had to be provided so that CASTILLO DE LAYOS may manage the course or camp adapting it to the camper.
  • Regarding the CVs received, the processing is carried out within the framework of an offer made by CASTILLO DE LAYOS and acceptance by the interested job applicant.
• Legitimate interest based on Article 6.1.f) of the GDPR:
  • For the sending of commercial communications to the user who is a client, provided they relate to products similar to those contracted by them, and without prejudice to the right to object to such sending at any time;
  • To attend to the requests or queries submitted through the various existing means of contact. CASTILLO DE LAYOS understands that the processing of this data is also beneficial for the data subject, since it allows for adequate attention and resolution of the queries submitted.
  • To carry out the necessary checks to detect and prevent possible fraud when the client makes a payment. This processing is positive for all parties involved when payment for a purchase takes place; above all, the client is protected, since CASTILLO DE LAYOS can put in place measures to protect them against fraud attempts made by third parties.
• Compliance with legal obligations, based on Article 6.1.c) of the GDPR.
  • In cases where the data subject exercises the rights indicated below, or in claims related to the services offered by CASTILLO DE LAYOS, what legitimizes CASTILLO DE LAYOS to process the data subject's personal data is the fulfillment of legal obligations on its part.

4. How has your data been obtained?

It has been provided by the data subject themselves through registration as a user on the website, through their request for information, or through their reservation request. Normally this data is provided through the website, but the user may have made contact by email or telephone.

CASTILLO DE LAYOS wishes to remind you again that the personal data CASTILLO DE LAYOS processes is the personal data collected from the data subjects during the contracting of course or camp services. During the maintenance of the contractual relationship, CASTILLO DE LAYOS will normally process data of third-party minors that the client — parent exercising parental authority or guardian — may provide, as is normally the case for the minors who undertake the contracted courses or camps. In this regard, the client undertakes to inform all these persons of the provisions set out herein regarding data protection. For its part, CASTILLO DE LAYOS will under no circumstances use the data the client has provided about these third parties outside of the services exclusively contracted, and only when such data is necessary for the contracting and/or management of the same.

5. How long do we keep your data?

CASTILLO DE LAYOS processes the data for the time strictly necessary to fulfill the corresponding purpose. Afterwards, we will keep it duly blocked and protected for the time during which liabilities arising from the processing may arise, in compliance with the regulations in force at any given time. Once the possible actions in each case have lapsed, the personal data will be deleted.

• Regarding the data obtained through registration as a user on the website, CASTILLO DE LAYOS will process the data for the time the user remains registered, that is, until they unsubscribe.
• Regarding the data obtained through the "contact" tab of the website, it will be kept for a maximum period of 12 months from when it was obtained, provided the data subject does not object to its processing.
• The personal data provided by data subjects at the time of making a reservation of the services offered by CASTILLO DE LAYOS will be kept until the course and/or camp is confirmed and during the term of the contract, without prejudice to the fact that, if the data subject is registered as a user, it will be kept while that status is maintained.
• If, after the reservation, the trip has not been confirmed and the money is returned to the data subject, they may unsubscribe by contacting through any of the channels indicated above.

In the event the data subject has submitted their data to become part of CASTILLO DE LAYOS, the data will be used during the selection process. Subsequently, it will be kept for a period of 3 years, should the data subject have authorized this. Afterwards, it will be deleted.

6. To which recipients is your data communicated?

The data obtained through the CASTILLO DE LAYOS website will only be communicated to providers and service suppliers of CASTILLO DE LAYOS for the organization of the courses and/or camps. These third parties may be:

• Financial institutions with which CASTILLO DE LAYOS has signed contracts for online point-of-sale terminals or other payment gateways.
• Insurance entities.
• Technology service providers.
• Where applicable, schools and institutions where the courses are held, in which case the data will necessarily be transferred for the stay that has been contracted. In these cases, these schools or institutions will be Joint Controllers of the processing. In each case, the data subject will be informed of this circumstance.
• Service providers and collaborators such as wholesalers, transport providers, or local destination management companies in the country of origin.

For the efficiency of the service, some of the providers mentioned are located in territories outside the European Economic Area that do not provide a level of data protection equivalent to that of the European Union, such as the United States. In such cases, we inform you that we transfer your data with adequate guarantees and always safeguarding the security of your data:

• With other providers, CASTILLO DE LAYOS has signed Standard Contractual Clauses approved by the Commission, the content of which you can consult at the following link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contractstransfer-personal-data-third-countries_en

International data transfers to providers established in the U.S. (Meta Platforms Ireland Ltd., Google Ireland Ltd.) are covered by the Standard Contractual Clauses (SCCs) approved by the European Commission and, in the case of certified providers, by the EU-U.S. Data Privacy Framework (DPF), in force since July 2023.

7. What are your rights when you provide us with your data?

1. Right of access: Any person has the right to obtain information about whether at CASTILLO DE LAYOS we are processing personal data concerning them, or not.

2. Right of rectification and erasure: Every data subject has the right to request the rectification of inaccurate data or, where applicable, request its erasure when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

3. Right to limitation of processing: In certain circumstances, data subjects may request the limitation of the processing of their data, in which case we will only keep it for the exercise or defense of claims.

4. Right to object: In certain circumstances and for reasons related to their particular situation, the data subject may object to the processing of their data. CASTILLO DE LAYOS will cease processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims. With regard to processing based on the obtaining of your consent, you may revoke it at any time, by writing to the following email address:

5. Right to portability: Where applicable, you may request the portability of your data.

6. Right not to be subject to automated decisions.

In any case, you may file a complaint with the Spanish Data Protection Agency, especially when you have not obtained satisfaction in the exercise of your rights. The Agency's address is C/ Jorge Juan 6, 28001, and its website is www.agpd.es.

---

A few translation notes:

• "Patria potestad" → I rendered as "parental authority" (the standard legal equivalent in EU/comparative law contexts). Some translators use "parental rights" or "parental responsibility"; pick whichever fits your jurisdictional audience.
• "Cámper" → kept as "camper" since the document defines it that way in Spanish too.
• The Privacy Shield reference: worth flagging that Privacy Shield was invalidated by the Schrems II ruling in 2020 and replaced by the EU-U.S. Data Privacy Framework (which the document does mention later). The Spanish original keeps the outdated reference, so the translation does too — but you may want to update the source text.

 

Advertising exclusion of existing customers (Meta Custom Audiences)

As a family business running camps since 1985, we don't want to bother you with ads for something you have already booked. So when you register for one of our camps, we may upload your email address hashed (SHA-256) to Meta Platforms Ireland Ltd. to create a Custom Audience that we use only as an EXCLUSION: that is, to stop showing you ads for the place you have already purchased. We do not use this audience to show you more advertising.

Data controller: Castillo de Layos, S.L., Calle Garza 11, 28023 Madrid (Spain). Contact: info@layoscamp.com.

Data processed: only your email address, hashed with SHA-256 before being sent. We do not upload any data about the registered minor (name, age, health) to Meta: the only data processed is that of the adult who acts as the contracting party.

Purpose: to suppress or reduce advertising for camps you have already purchased, so we don't show you irrelevant ads.

Legal basis: legitimate interest (Art. 6.1.f GDPR). We have carried out the balancing test required by the GDPR and concluded that excluding you from advertising for a product you already own benefits you and does not adversely affect your rights. You may object at any time (see below).

Joint controllership (Art. 26 GDPR): with regard to creating and managing the audience, Castillo de Layos, S.L. and Meta Platforms Ireland Ltd. act as joint controllers, under the terms of Meta's Controller Addendum (available at facebook.com/legal/controller_addendum).

International transfer (EU → US): part of Meta's processing takes place in the United States. The transfer relies on (i) the EU-US Data Privacy Framework —Meta Platforms, Inc. is listed as a certified entity at dataprivacyframework.gov— and (ii) the Standard Contractual Clauses approved by European Commission Decision (EU) 2021/914.

Retention: your hashed email stays in the audience only while the relevant advertising campaign is active. We delete the Meta audience as soon as that campaign closes, and at the latest within 30 days of closure. After that period the data is no longer processed for this purpose.

Your rights: you can exercise your rights of access, rectification, erasure, restriction, portability and objection by writing to info@layoscamp.com. In particular, you may object to this processing at any time via that same email, and we will stop including your email in the audience. You may also lodge a complaint with the Spanish Data Protection Agency (aepd.es) or, if you reside in another EU/EEA country, your local supervisory authority.