In the event that the Traveller provides third-party data, he/she declares that it has the third party’s consent and undertakes to provide the interested party -the data holder- with the information contained in this Privacy Policy, duly exonerating the Company from any liability in this regard. However, the Company may carry out the necessary verifications to verify this fact, adopting the corresponding due diligence measures, in accordance with the data protection regulations.

3.1 Additional information about the lawful basis to process personal data

The table above shows the applicable lawful basis to process personal data by purpose. In this section, you can find additional details of the lawfulness of the processing.

• Consent (article 6.1(a) of the GDPR): The Traveller may provide their consent through the data collection forms, by clicking acceptance buttons or ticking boxes, replying to e-mails or making any other affirmative clear action. The Traveller may withdraw their consent at any time, as set out in Section 6.

• Consent (article 9.2 (a)) of the GDPR): Despite we do not request this type of information, the Traveller may provide by contacting the Company through any means (e.g. website, WhatsApp, email, third party's platforms, etc.) information related to its health condition it may consider necessary in order to have the most enjoyable stay at Company's or its Affiliates premises. 

• Legitimate interest (of the Company or any third parties) (Article 6.1(f) of the GDPR): The Company pursues the following legitimate interests which override the fundamental rights and freedoms of the Traveller, given that the processing is within the Traveller's reasonable expectations based on their relationship with the Company:

  • Daily management of a multinational group of companies and internal administration, which means sharing information with companies within the group, and

  • Creation of a secure information system infrastructures for preventing unlawful or malicious activities that may compromise the personal data stored in the information systems.

In any event, the Traveller may request further information on the legitimate interest or exercise their right to object to the processing of their personal data based on legitimate interest by addressing their request to hotel@maishanungwi.com.

• Legal obligation (Article 6.1(c) of the GDPR): The Company needs to process the personal data to comply with legal obligations. Failure to provide the personal data requested could result in the impossibility for the Company to comply with such legal obligations.

• Execution of a contract (article 6.1(b) of the GDPR): Failure to provide the personal data requested by the Company could result in the impossibility of executing or maintaining such contract.

3.2 Recipients of personal data

The following is a list of the different categories of recipients to whom the Company may provide the personal data identified by purpose in the table in Section 3, and additional information about them, where applicable:

• Affiliates of the Company: Maisha Marefu SL, Limited. Is the company managing Maisha Nungwi hotel and Maisha Nungwi beach bar located in Nungwi, Zanzibar (Tanzania).

• Providers of products and services: for example, payment, insurance and IT service providers.

The Company's website may include social network plugins, which can be recognised by the social network's logo or name, so that users can access Company's profile on these platforms. By clicking these buttons, users' personal data (including, IP address and browsing data) will be transferred to the providers of said social networks. The Company will not be liable for any further processing that the providers of the social networks may carry out with this personal data. The purpose and scope of the collection of data and its subsequent processing and use by the providers of these social networks, as well as the related rights and the possibilities of configuring privacy settings can be consulted in the data protection information of each of these companies.

• Potential investors or purchasers.

• Business Partners: for example those offering activities and experiences, such as snorkelling, boat trip, among others.

• Competent authorities: we disclose personal data to law enforcement to the extent that it is required by law or is strictly necessary for the prevention, detection or prosecution of criminal acts and fraud, or if we are otherwise legally obligated to do so. We may need to further disclose personal data to competent authorities to comply with a legal obligation (for instance, under short term rental laws), to protect and defend our rights or properties, or the rights and properties of our business partners.

The Company will endeavour that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed in countries that do not offer said level of protection, the Company and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards (e.g. the standard contractual clauses included in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, if GDPR is applicable). Specific information on the appropriate safeguards applicable to each international data transfer can be obtained from the Company at hotel@maishanungwi.com.

The Company does not share personal data with any other third party unless required by the applicable law or authorised by the data subject.

3. Retention period

The Company will retain the personal data for the time strictly necessary for the fulfilment of the purposes for which it has been collected or, if applicable, until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.

4. Sources of personal data

In addition to the personal data that the Traveller provides directly to the Company, the Company may obtain their personal data from other sources.

Personal data obtained directly from the individual:

The Company may obtain personal data provided directly from the Traveller when contacting the Company directly for the different purposes described in Section 2 (for example (i)  making a reservation in the hotel through the different means provided (e.g. website, whatsap, email, social media, etc.), (ii) contacting the Company for different purposes (e.g. requesting information, providing personal information), or (ii) booking an activity, etc.).

Personal data obtained from different sources:

The Company may be provided with personal data from other third parties for the same purposes as described in Section 2, such as (i) Online Travel Agencies (OTAs), (ii) Travel Agencies, or (iii) the Travellers.

5. Data protection rights

The following data protection rights are applicable under the GDPR. The Company undertakes to respect other data protection rights that may be applicable in accordance with the data protection legislation of each country.