top of page

PRIVACY POLICY

1. Introduction

1.1. Purpose of the data processing information

The purpose of this Data Protection Notice (hereinafter referred to as the “Notice”) is to present in a transparent and detailed manner how we process personal data during the activities of Adan Tour Tenerife (hereinafter referred to as the “Data Controller”), and to provide information on the rights of data subjects and how to exercise them.

 

1.2. Legal compliance (GDPR, Act CXII of 2011)

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR): sets out uniform EU rules on the protection of personal data.

  • Act CXII of 2011 (Info Act): the law that forms the basis of Hungarian data protection regulation, which deals with the right to informational self-determination and freedom of information.

This Notice seeks to comply with the requirements of the above legislation.

 

2. Data controller data

2.1. Name and contact details of the data controller

  • Name: Neagu-Bodnár Adrienn Adan Tours Tenerife

  • Registered office: 38626 Valle de San Lorenzo, Avenida Valle San Lorenzo 18. Arona, Santa Cruz de Tenerife

  • Company registration number: RGE/205088/2025

  • Tax number: Y7899359T

  • Representative: Adrienn Neagu-Bodnár

  • Email: info@adantours.com

  • Phone number: +34614669155

 

2.2. Availability of the data processing information

This Notice is available in electronic form atwww.adantours.com can be viewed on the page.

3. Definitions

 

3.1. GDPR basic concepts

  • Personal data: any information relating to an identified or identifiable natural person (“data subject”).

  • Data controller: the natural or legal person who determines the purposes and means of the processing of personal data.

  • Data processor: the natural or legal person who processes personal data on behalf of the Data Controller.

  • Contribution: the voluntary and explicit expression of the data subject's will, by which he or she gives his or her consent to the processing of personal data concerning him or her.

  • Affected: any identified or identifiable natural person to whom personal data relates.

 

3.2. Definition of a data breach

A data protection incident is any event that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed.

 

4. Data processing guidelines

 

4.1. Legal bases and principles

  • Legality, due process and transparency: We only process data for specified and legitimate purposes.

  • Purposefulness: Only for a predetermined purpose, to the extent necessary to achieve the purpose.

  • Data saving: We only collect and process personal data that is essential to achieve the goal.

  • Accuracy: We ensure that the personal data we process is accurate and, where necessary, kept up to date.

  • Limited storage capacity: Personal data is only stored for the time necessary to achieve the purpose.

  • Integrity and confidentiality: We use appropriate technical and organizational measures to protect personal data.

 

4.2. Data accuracy and security

  • Both the Data Controller and the data subject are responsible for regularly updating the data; the latter is obliged to notify if there has been a change in their personal data.

  • The Data Controller makes every effort to ensure that the recorded data is accurate and protects it from unauthorized access with appropriate security measures.

5. Data processing purposes and legal bases

 

5.1. Website registration

  • Purpose: Creating a user account and providing related services.

  • Legal basis:

    • Consent (GDPR Article 6 (1) point a)) in the event that registration is voluntary and requested by the data subject.

    • Performance of a contract (GDPR Article 6 (1) point b)), if registration is a prerequisite for the provision of the service.

  • Scope of data processed: Name, email address, password (encrypted), registration date, IP address.

 

5.2. Order management

  • Purpose: Processing orders, contract fulfillment, invoicing and delivery.

  • Legal basis: Performance of a contract (GDPR Article 6 (1) (b)).

  • Scope of data processed: Name, shipping and billing address, contact details (phone number, email), order details.

 

5.3. Invoicing

  • Purpose: Compliance with current accounting legislation (e.g. Act C of 2000).

  • Legal basis: Compliance with a legal obligation (GDPR Article 6 (1) point c)).

  • Scope of data processed: Name/company name, address, tax number (in case of a legal entity), other data necessary for invoicing.

 

5.4. Sending newsletters

  • Purpose: Marketing communication, information about new products and promotions.

  • Legal basis: Consent (GDPR Article 6 (1) point (a)).

  • Scope of data processed: Name, email address.

  • Comment: You can unsubscribe from the newsletter at any time by clicking on the link at the bottom of the newsletter or by contacting the Data Controller directly.

 

5.5. Use of cookies

  • Purpose: Ensuring the proper functioning of the website, improving the user experience, analyzing traffic data, marketing purposes.

  • Legal basis:

    • Consent (GDPR Article 6 (1) point a)) – for all cookies that are not essential for the functioning of the website.

    • Legitimate interest or performance of a contract (GDPR Article 6 (1) f) or b)) – in the case of technical cookies that are essential for operation.

  • More details: See the section “Use of Cookies” of this Notice (section 11).

 

5.6. Data management on social media sites

  • Purpose: Keeping in touch, sharing information (Facebook, Instagram, etc.).

  • Legal basis: Voluntary decision, consent (GDPR Article 6 (1) a)).

  • Comment: The social platforms' own data management practices should be viewed in the data management information of the given platform.

6. Scope of processed data

6.1. Types of personal data

  • Identification data: name, username, password (encrypted).

  • Contact information: email address, phone number, address.

  • Technical data: IP address, browser type, cookies, login time.

  • Billing information: billing name, address, tax number (for companies).

 

6.2. Data storage method and duration

  • In electronic form on protected servers, equipped with a password and other protection solutions.

  • On paper (if any) at the headquarters or site, in a locked location.

  • Storage period: until the legal obligations and the purpose of data processing are fulfilled, or until consent is withdrawn. After that, the data will be deleted or anonymized.

 

7. Rights of data subjects

7.1. Right to information

The data subject has the right to request information about the purpose, legal basis, source, duration and who has access to the personal data concerning him/her.

 

7.2. Right to rectification

If the data subject believes that the personal data processed are inaccurate or incomplete, he or she may request their correction or completion.

 

7.3. Right to erasure (“right to be forgotten”)

The data subject may request the deletion of their personal data if the data is no longer needed for its original purpose, or if the data subject withdraws their consent and there is no other legal basis for the data processing.

 

7.4. Right to data portability

The data subject has the right to receive the data provided by him or her in a widely used, machine-readable format, or to request that they be transmitted to another data controller.

 

7.5. Right to object

  • The data subject may object to the processing of his or her personal data at any time, if the legal basis for the processing is the legitimate interest of the Data Controller.

  • The data subject has the separate right to object to the processing of personal data for direct marketing purposes.

8. Data security

 

8.1. Protection of electronic data

  • Multi-level authorization system.

  • Regular backups.

  • Virus protection and firewall use.

 

8.2. Technical and organizational measures

  • Use of a closed office network and secure Wi-Fi.

  • Storing paper-based documents in a locked cabinet.

  • Regular data protection training for data processors.

 

9. Handling data protection incidents

 

9.1. Reporting an incident to the authorities (72-hour rule)

In the event of a data protection incident, the Data Controller shall notify the National Authority for Data Protection and Freedom of Information (NAIH) without undue delay and, if possible, no later than within 72 hours, unless it is unlikely to result in a risk to the rights and freedoms of data subjects.

 

9.2. Informing stakeholders in case of high risk

If the incident is likely to result in a high risk to the rights and freedoms of data subjects, the Data Controller shall inform the data subjects without delay, explaining the nature of the incident and the measures taken.

 

10. Data processors and third parties

 

10.1. Hosting provider

  • Name: Wix.com Ltd

  • Headquarters: Yunitsman 5 Tel Aviv Israel Tax ID: N9135367B

  • Availability: +1 415-639-9034

  • Data processing activity: operation of the web server, technical maintenance. Processes personal data only on the instructions of the Data Controller.

 

10.2. Accountant and other partners

The Data Controller may use an accountant, courier service, marketing agency and other partners to process personal data.

 

Accountant: Ferae Consulting SL Edificio Kanal, Local B, C/ Hermano Pedro de Bethencourt 13 Los Cristianos 38650

Activity: accounting, payroll, and taxation-related tasks.

The Data Controller always enters into written contracts with these partners (data processors) in accordance with the requirements of the GDPR. The contracts stipulate that the partners may process the data only on the instructions of the Data Controller, for the specified purpose and for the necessary period.

11. Data Protection Officer

 

11.1. Conditions and tasks of appointment

Pursuant to Article 37 of the GDPR, the Data Controller is not obliged to employ a data protection officer.

12. Rights of data subjects

12.1. Filing a complaint with the National Data Protection and Freedom of Information Authority (NAIH)

If the data subject believes that the processing of his or her personal data violates the applicable laws, he or she may file a complaint with the National Data Protection and Freedom of Information Authority:

12.2. Possibility of judicial remedy

In the event of a violation of the rights of the data subject, he or she may apply to court. The lawsuit may also be initiated at the court of his or her place of residence or residence, at the choice of the data subject.

13. Legislation on which data processing is based

13.1. GDPR (EU Regulation 2016/679)

Regulation (EU) 2016/679 of the European Parliament and of the Council, which aims to protect natural persons with regard to the processing of personal data and to ensure the free flow of such data within the EU.

13.2. Act CXII of 2011 on the right to informational self-determination

The Hungarian Data Protection Act, which regulates the domestic principles and limits of the processing of personal data.

13.3. Other relevant Hungarian legislation

  • Act C of 2000 on Accounting.

  • Act V of 2013 on the Civil Code (Civil Code).

  • Act XLVIII of 2008 on the basic conditions of economic advertising activities.

 

14. Final provisions

14.1. Scope of the data processing information and possibilities for its modification

  • This Notice is effective from April 1, 2025.

  • The Data Controller is entitled to unilaterally amend the Notice, in particular to take into account changes in legislation, the introduction of new data processing activities or the recommendations of the supervisory authority.

  • The amendments will be published on the website, and after they come into effect, the data subjects accept the new rules by continuing to use the services.

 

Date: Valle de San Lorenzo, 04/01/2025

 

Adrienn Neagu Bodnár Adan Tours Tenerife
 

bottom of page