Legal notice

The owner of this website is the Golf in Costa Brava Association (hereinafter Golf in Costa Brava), with registered office and for notification purposes at Carretera Palafrugell a Torroella de Montgrí Km. 345, 17257 Torroella de Montgrí, Girona (Spain).

For any queries or contacts, users can contact the following email address

Who is the controller of personal data?

The Controller of personal data is in each case the group company with which the customer or supplier has a relationship. Each company is accountable to its customers and suppliers for compliance with data protection regulations and guarantees their rights.

Who is the Data Protection Officer?

The Data Protection Officer (DPD) supervises compliance with the data protection policy of Golf in Costa Brava, ensuring that personal data are properly processed and that the rights of individuals are protected. The officer's functions include dealing with any queries, suggestions, complaints or claims from data subjects. You can contact the Data Protection Officer by writing to Golf in Costa Brava at the following e-mail address

For what purpose do we process the data?

We process personal data for the following purposes:


To deal with enquiries from people who contact us via contact forms on our websites. We use them only for this purpose.

Telephone service

To deal with people who contact us by telephone. In order to offer a better quality of service, conversations may be recorded, provided the person we are communicating with is informed in advance.


Receipt of CVs sent to us by those interested in working with us and management of the personal data generated by participation in personnel selection processes, in order to analyse the suitability of the candidates’ profiles for vacant or newly created positions. Our approach is to keep the data of people who are not hired for a maximum period of one year, in case a new vacancy arises in the short term. In this case, however, we will delete the data immediately if the data subject requests us to do so.

Customer services

Registration of new customers and of the additional data that may be generated as a result of the business relationship with customers. In the contracting process, the essential information is requested, including bank details (current account or credit card number), which will be communicated to the banks that manage the payment (they can only use them for this purpose). The relationship of provision of tourism services entails other processing, such as incorporating the data into accounting, invoicing or information to the tax authorities. Customers of our accommodation establishments can enter the customer area, where they can access information about Golf in Costa Brava and, among other functions, find out the status of enquiries made through this channel. Access to the customer area provides us with information about the user’s activity in this service.

Information about our services

While there is a relationship with its clients, Golf in Costa Brava uses their contact details to communicate information related to this relationship, information that may circumstantially include references to our services, whether of a general nature or referring more specifically to the characteristics and needs of the client.

Other information on services

With the explicit authorisation of the customers, after the contractual relationship has ended, the contact data is retained to send advertising related to our services, general information or information specific to the characteristics of the customer. This information is sent to anyone who, despite not having been a customer, asks us for it or accepts it by filling in our forms.

Publicity of the services of Golf in Costa Brava members

Always with the prior and explicit authorisation of the persons indicated in the previous section, the contact details are used to send advertising, both of a general nature and adapted to the characteristics of the person, of the services of the companies in our group. Furthermore, with the data subject’s explicit consent, the contact details may be communicated to these companies so that they can directly send advertising for their services.

Management of our suppliers’ data

We record and process the data of suppliers from whom we obtain services or goods. This can be data of persons acting as self-employed persons and also data of representatives of legal persons. We obtain the data that are essential to maintain the business relationship, we use them only for this purpose and we use them in accordance with this type of relationship.

Users of our website

The navigation system and the software that enable the operation of our websites collect data that is normally generated in the use of Internet protocols. This category of data includes, among other things, the IP address or domain name of the computer used by the person connecting to the website. This information is not associated with specific users and is used for the sole purpose of obtaining statistical information on the use of the website. Our website uses cookies that allow the identification of specific individuals, users of the site. You can read more information about the use of cookies from this link.

Other data collection channels

We also collect data through face-to-face relationships and other channels such as receiving emails, through our social media profiles and during the registration process for wifi services. In all cases the data are used only for the explicit purposes justifying the collection and processing.

What is the legal basis for processing the data?

The data processing that we carry out has different legal bases, depending on the nature of the processing.

In fulfilment of a pre-contractual relationship. This is the case of the data of potential customers or suppliers with whom we have relations prior to the formalisation of a contractual relationship, such as the preparation or study of budgets. This is also the case of the processing of data of persons who have sent us their CVs or who participate in selection processes.

In fulfilment of a contractual relationship. Case of relations with our customers and suppliers and all the actions and uses that these relations entail.

In compliance with legal obligations. The communication of data to the tax authorities is established by rules governing commercial relations. It may be the case that data must be communicated to judicial bodies or law enforcement agencies also in compliance with legal regulations that oblige them to cooperate with these public bodies.

On the basis of consent. When we send information about our services, we process the contact details of the recipients with their explicit permission or consent. The browsing data that we may obtain through cookies are obtained with the consent of the person visiting our website, consent that can be revoked at any time by uninstalling these cookies. It is also with the prior consent of each individual that we communicate their data to other companies in our group.

Legitimate interest. The images we obtain with video surveillance cameras are processed in the legitimate interest of our company to preserve its property and facilities. Our legitimate interest also justifies the processing of data we obtain from contact forms.

To whom is the data communicated?

As a general rule, we only disclose data to public administrations or public authorities and only in compliance with legal obligations. The identification data of persons staying in our establishments are communicated to the General Directorate of the Police (in compliance with Order IRP / 418/2010, of 5 August, on the obligation to register and communicate to the General Directorate of the Police the persons staying in hotel and catering establishments).

When issuing invoices to customers, the data can be communicated to banks. In addition, where consent has been given, the data may be disclosed to other companies in our group for the purposes set out above. No data are transferred outside the European Union (international transfer).

Separately, for certain tasks we obtain the services of companies or individuals who provide us with their experience and expertise. In some cases these external companies may have to access personal data for which we are responsible. This is not a transfer of data as such, but a commissioning of processing. Services are only contracted from companies that guarantee compliance with data protection regulations. Their confidentiality obligations are formalised at the time of contracting and their performance is monitored. This may be the case for data hosting services, computer support services or legal, accounting or tax consultancy services.

How long do we keep the data?

We comply with the legal obligation to limit the data retention period as much as possible. For this reason, they are kept only as long as necessary and justified by the purpose for which they were obtained. In certain cases, such as data contained in accounting documentation and invoicing, tax regulations require them to be retained until the statute of limitations expires. In the case of data that are processed on the basis of the consent of the data subject, they are retained until the data subject revokes this consent. The images obtained by the video surveillance cameras are kept for a maximum of one month, although in the case of incidents that justify it, they will be kept for the time necessary to facilitate the actions of the security forces or judicial bodies.

What rights do individuals have in relation to the data we process?

As provided for in the General Data Protection Regulation, individuals from whom we process data have the following rights:

To know whether their data are processed. Any individual has, in the first place, the right to know whether we process his or her data, irrespective of whether there has been a previous relationship.

To be informed at collection. When personal data are obtained from the data subject himself/herself, at the time of providing them, he/she must have clear information on the purposes for which they will be used, who will be responsible for the processing and the other aspects derived from this processing.

To access the data. A very broad right which includes the right to know precisely what personal data are processed, the purpose for which they are processed, the communications to other persons that will be made (if any) or the right to obtain a copy or to know the intended period of retention.

To ask for its rectification. This is the right to have inaccurate data processed by us rectified.

To call for its deletion. In certain circumstances, there is a right to request the erasure of data when, among other reasons, they are no longer necessary for the purposes for which they were collected and which justified the processing.

To request the limitation of processing. The right to request the restriction of data processing is also recognised in certain circumstances. In this case, they will no longer be processed and will only be kept for the exercise or defence of claims, in accordance with the General Data Protection Regulation.

To portability. In the cases provided for in the regulations, the right is recognised to obtain one’s personal data in a structured, commonly used, machine-readable format, and to transmit them to another data controller if the data subject so chooses.

To object to processing. An individual may invoke grounds relating to his or her particular situation, which will lead to the data no longer being processed to the extent that it is likely to cause prejudice, except for legitimate reasons or for the exercise or defence of claims.

Not to receive commercial information. We will promptly comply with requests to stop sending marketing information to those who have previously given us permission to do so.

How can rights be exercised or defended?

The rights listed above may be exercised by sending a written request by e-mail to, indicating in all cases “Protection of personal data”.

If a satisfactory response has not been obtained in the exercise of rights, it is possible to file a complaint with the Spanish Data Protection Agency, by means of the forms or other channels accessible from its web page