b) Financial and Asset Data.
The financial and asset data collected from our guests and customers such as: credit card number, bank account, monthly income, and additional revenue streams, will be used to analyze their financial profile and grant them access to promotions and programs based on their economic characteristics. Additionally, Mexico’s Federal Law to Prevent Money Laundering (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita LFPIORPI), may require the collection of additional financial data and information related to clients’ assets. For these purposes and in compliance with Mexican Privacy Law, we will request their express written consent at the time of data collection, notifying them about the legal scope of their consent.
III. Data transfer.
The personal data collected by “Ocean Blue” can be transferred to companies that help us provide some of the goods and services requested by our customers. These transfers are necessary to comply with the provision of contracted services. Therefore, it will not be necessary to obtain their express consent for these transfers in accordance with Article 37, Section VII of the LFPDPPP, as well as the provision contained in Article 49 of the GDPR.
Except in the cases listed above, and unless the conditions set forth by Articles 37 of the LFPDPPP and 49 of the GDPR are updated, the data provided by our visitors, partners, guests, vacation club members and referred visitors will not be transferred under any circumstances.
IV. Trademarks.
“Ocean Blue” will be able to provide its services through the following trademarks:
● Yucatán Holidays
● Regreso al Paraíso
● Cancun Escapes
● Return to Paradise
● Cancun Cards
● Sand Destination
● Enjoy your Travel
Use of images.
To document and communicate information about the activities and events held throughout the year such as: award ceremonies and rewards, as well as news, “Ocean Blue” can use, print, reproduce and publish the images of our guests, vacation club members, beneficiaries, and people referred to in print or electronic media, newsletters, publications, photographic memories, in all their forms and expressions, performances, editions, phonograms, video and broadcasts for the purposes outlined herein. These images will not be commercially exploited by “Ocean Blue”.
The information that we collect from our guests, vacation club members, and customers may be used for advertising, marketing and/or market research, according to the relationship existing between them and “Ocean Blue.” When “Ocean Blue” intends to use the images for these purposes, the company will request your express written authorization before their use.
V. Restrictions on the use or disclosure of personal data
In accordance with Article 16, Section III of the LFPDPPP and Article 18 of the GDPR, those who wish to limit the use and disclosure of their personal data, or who no longer wish to receive communications regarding the non-essential purposes detailed in this privacy notice, may send an email to protecciondatos@mxrru.com to request no further contact for these purposes.
VI. Withdrawal of consent and rights of Access, Rectification, Cancellation and Opposition.
As stated in the LFPDPPP as of January 6, 2012, as well as in Articles 15, 16, 17, 18 of the GDPR, the holders of personal data collected by “Ocean Blue” may request: access, correction, cancellation (should this be legally appropriate) and opposition to the use of their personal data, as well as to withdraw their consent. To exercise these rights, they must follow this procedure:
1) They must send an application by email to our Privacy Office at protecciondatos@mxrru.com stating the right they want to exercise: access, correction, cancellation and/or opposition, which must indicate their full name, the legal or commercial relationship with ”Ocean Blue”, the type of right they wish to exercise, accurately identifying the data for which they request access, correction, cancellation or opposition, or those for which they decide to withdraw their consent, attaching any of the official identification documents (valid passport or current immigration document), in order to prove their identity.
2) In the case of personal data whose owners are underage or people who cannot legally give consent themselves, this request must be made by the person who legally represents their rights, either through the accreditation of parental rights; or through his/her legally appointed guardian or tutor.
3) Data owners must send their application for the exercise of the aforementioned rights and may attach all the documents that are relevant to their request. For correction applications, it will be necessary to precisely specify the changes requested, including the documentation that supports their claim.
4) Applications for the exercise of these rights must be submitted during working hours and on business days in accordance with the Mexican Federal Law of Administrative Procedure.
5) The request must be sent to the email address mentioned above in point No. 1, and an acknowledgment of receipt will be sent with the corresponding date of receipt. Should the application not fulfill the legal requirements, we will contact the holder within five (5) business days to ask to amend the application for up to ten (10) business days. Otherwise, the application will be considered as not submitted.
6) If the request has been sent on Friday or on a non-business day, it may be received on the following business day.
7) The request will be answered via email within a period of twenty (20) business days from the date of receipt. This period may be extended for twenty (20) additional business days when there are adequate reasons, and this situation will be notified to the holder under the terms of the provisions of Article 97 of the LFPDPPP Regulations.
8) If the request is made in accordance with the LFPDPPP and other current regulations, access will be granted, the data will be corrected or canceled, the right of opposition will be effective, or the consent will be revoked within fifteen (15) business days following the date on which the request was answered. This period may be extended for fifteen (15) additional days for adequate reasons, and this situation will be notified to the holder under the terms of the provisions of Article 97 of the LFPDPPP Regulations.
9) In all cases where the request is appropriate, in accordance with the terms of Articles 32, 33, 34 and 35 of the LFPDPPP, the data will be sent free of charge through the holder’s email address for said purpose. In case the information should be required to be sent through another form of delivery, payment must be made for the cost of shipping and/or the cost of reproduction of copies or other formats that may be incurred.
VII. Online data management.
This section describes the use of the personal data in the following websites:
www.cancun-escapes.com
www.yucatan-holidays.com
www.cancuncards.com
www.sanddestinations.com
www.enjoyour.travel
Online Privacy Policy
Our policy regarding the information related to the use of our websites is described below. You should review this Privacy Policy regularly because it may change at any time at our discretion. When you access the websites listed above, “Ocean Blue” registers your IP address (which is usually temporary and is assigned by your internet service provider when you log in), as well as the type of operating system and browser you use. In addition, we can trace the pages of the site you are visiting.
The information we collect is used to improve our website’s user experience, and the whole process takes place without any knowledge of your name or any other information that will allow us to identify you. While visiting any of the websites listed in this section, unless users decide to identify themselves to us, their navigation is anonymous.
“Ocean Blue” does not require that customers provide personal data to use any of the websites listed in this section unless it is necessary. Some applications may require that customers disclose any personal information. Moreover, our contact forms may require customers’ email addresses to register and answer comments, requests, questions, or suggestions, and to contact them if necessary. On these forms, we will not require name, financial or asset data, and/or sensitive data. Any disclosure of this information is the responsibility of the users. Regardless of the above, if they voluntarily provide any of this information, “Ocean Blue” assures it will be used with strict confidentiality.
Cookies
A cookie is information that an internet portal sends to a user’s computer and is stored on its hard drive. The next time users visit our website, we may use the information stored in the cookie to facilitate the use of our websites. A cookie does not allow us to know a user’s personal identity unless they explicitly choose to provide it. Most cookies expire after a period or can be deleted at any time. Also, users can configure their browser to notify them when they receive a cookie so they can either accept or reject it.
Social Media
The data and information posted by the users of our social media is published on their own account and is subject to the terms and conditions established by the social media provider. “Ocean Blue” will use this information to answer the requests and questions asked by the users and to contact them in case they request it.
The contact data of the users who request information about travel packages, tours and other services will be shared with our Customer Service Center to give them personalized attention by email or by phone. The information provided by those users who decide to participate in our contests will be used to contact them in case they win, and their image may be published.
Data Portability
In Accordance with Article 20 of the GDPR, data owners have the right to transfer their personal information to another supplier or controller without hindrance from the controller to which the personal data has been provided if the legal processing of their data has been carried out by automated means. “Ocean Blue” ensures the strictest confidentiality and security to carry out the data transfer.
VIII. Complaints regarding the use of your personal data.
Data owners who believe that their data protection rights have been violated by any conduct, act, or omission regarding the attention of their requests or in the use of their personal data, can submit a complaint with the National Institute for Access to Information and Data Protection (INAI). For more information, visit www.inai.org.mx.
IX. More Information – Privacy Office.
For questions regarding the content, interpretation, or scope of this Privacy Notice, data owners may contact us through our Privacy Officer at: protecciondatos@mxrru.com.
X. Updates.
This Privacy Notice is effective from January 1st of 2012 and may be modified on a discretionary basis by the Data Controller. If you have any questions about the scope and content of the privacy notice you can contact our privacy office.
Last Updated: April 1st, 2021