Menu opener
Country and language
Country
Other countries
Language
English
Currency
EUR
Currency
EUR
  1. B&B HOTELS
  2. Protection of personal data
  3. Protection of personal data - Spain
BackYour staySelect your dates to see availabilitiesChange datesSelect rooms and travelersClose
Select your dates to see availabilities
Please fill in the destination field
There are no suggestions
Allow geolocation in your browser settings, or type the destination
Please select period of 20 days max
Start date cannot be set in the past.

Please select period of 20 days maxStart date cannot be set in the past.

From
To
Clear dates
Rooms
-+
+ Add another roomValidate
Discount code
Valid Breakfast voucher to be added at checkout
Add a discount code
  • Destination
  • FromTo
    FromTo
  • 1 room, 1 adult
  • 1 room, 1 guest

Protection of personal data - Spain

PDF

General Personal Data Protection Policy  (B&B HOTELS www.hotel-bb.com mobile  and web application)  

Last update: 10.03.2026  

Preamble  

In the course of its activity, B&B HOTELS collects and processes the personal data of  its contacts, customers, potential customers, suppliers and partners. The main  purpose of this document is to inform its recipients of the conditions under which their  data will be processed.  

This policy is addressed to users (hereinafter, "Users") of the website  https://www.hotel-bb.com/en/es (hereinafter, "Website") and of the application for  mobile devices of B&B HOTELS (hereinafter, the "Application") through which the B&B  HOTELS ONLINE BOOKING PLATFORM (hereinafter, the "Platform") operates.  

Our purpose is to inform, pursuant to Regulation (EU) of the European Parliament and  of the Council of 27 April 2016 on the protection of natural persons with regard to the  processing of personal data and on the free movement of such data (hereinafter  referred to as the "Regulation" or "GDPR"), to all Users about how their personal  information collected through our Website and Application will be processed. in  relation to room bookings in those countries where B&B HOTELS has hotel  establishments, as well as B&B HOTELS B&me Club and B&me loyalty programs.  

Ensuring proper protection of personal data is a priority for B&B HOTELS, which is why  we are committed to doing so in strict compliance with applicable regulations and  laws. 

1. Definitions  

Application: B&B HOTELS mobile application available for IOS and Android devices.  

Platform: central online reservation system enabled by the B&B HOTELS Group on its  Website and Application.  

Data controller: the company B&B Hospitality España, S.L.U., in its capacity as Data  Controller, is responsible for managing the data processing operations carried out  through the Website or Application in Spain.  

Services: set of services offered by B&B HOTELS through its Platform. All the available  services are detailed in the Terms and Conditions of Use (TCU) document, which can  be accessed through the following link Term & conditions 

Website: B&B HOTELS website, available through the following link https://www.hotel bb.com/en/es 

User: any person who accesses or browses the Website or the Application, regardless  of whether they are a customer, operator or any Internet user who has or does not  have a personal user account, will be considered as such.  

2. Data controller  

The company responsible for the processing of personal data collected through the  Website and the Application in Spain is B&B Hospitality España, S.L., with registered  office at Calle Luís Pasteur s/n. CP 28703 San Sebastián de los Reyes (Madrid) and  contact email esp-privacy@hotelbb.com (hereinafter, “B&B HOTELS”). The user can  contact the Data Protection Officer through dpdhotelbb@lexing.es

B&B HOTELS operates through a central online reservation system shared by the  hotels listed at the following link Hotels in Spain – B&B HOTELS  

As part of the booking process carried out via the Website or the Application, B&B  HOTELS is the controller of personal data managed in the hotels in which the bookings 

are made. Through the following link you can consult the list of hotels Hotels in Spain  – B&B HOTELS  

2.1. Joint Controllers.  

Other companies within the B&B HOTELS Group intervene as joint controllers for the  processing of personal data for the following purposes:  

1. Management of the Platform and processing of bookings made through it;  2. Direct marketing management;  

3. Management of the centralised booking system;  

4. Management of the free B&Me loyalty program and the B&Me Club program;  5. Management of the whistleblowing channel;  

6. Management of website cookies.  

The companies on the list accessible here act as joint controllers for:  

(i) Management of the Platform and the processing of bookings made through it;  (ii) Direct marketing management;  

(iii) Management of the centralised booking system.  

The companies on the list accessible here act as joint controllers for the management  of the free B&me loyalty program and the B&me Club program.  

B&B HOTELS has signed joint responsibility agreements with the data controllers,  which establish their respective obligations. The general lines of which are available  upon request by email to the B&B HOTELS at the following address: esp privacy@hotelbb.com or to its Data Protection Officer address:  dpdhotelbb@lexing.es.  

3. Transparent and legitimate collection of personal  data 

In order to comply with the values of fairness and transparency, B&B HOTELS ensures  that it informs the data subjects about the processing operations it carries out,  informing them of this at the time of collecting their personal data.  

All data is obtained lawfully. No data will be collected without the knowledge or  consent of the person concerned.  

4. Fair and proportionate use of personal data

  When B&B HOTELS processes your personal data, it does so for specific purposes:  each data processing operation therefore pursues a legitimate, specific and explicit  aim.  

For each of the operations carried out, B&B HOTELS undertakes to collect and use  only the data that is relevant, relevant and strictly necessary in relation to the purposes  for which they are processed.  

B&B HOTELS guarantees that the data will be kept up to date and will apply procedures  that allow the deletion or rectification of data that are incorrect.  

5. Data processed  

B&B HOTELS collects and processes the following categories of personal data for the  purposes indicated in the following section:  

● Identification data: name, surname, address, telephone, email, date of birth, age  and customer code.  

● Professional data: company in which you carry out your professional practice  and management of the same.  

● Browsing Data: logs and connection data, computer hardware identification  data, language preferences, geo-location data, data relating to the use of the  Platform and Services, including data provided to our computers when you  make requests (language preference, etc.), and data collected through cookies  or other trackers.  

● Data in relation to the reservation: arrival and departure dates, details of the  other people who will occupy the reserved room (name and age, preferences  such as whether they want a smoking room, floor, etc.),. In the case of 

requesting the invoice in the name of a company with a different address than  its personal address, its name, address, applicable VAT, etc. must be indicated.  ● Transactional data: transaction number, details of the means of payment,  details of the purchase, subscription or service subscribed, details of the  payment of invoices, payment terms, discounts granted, receipts, balances and  unpaid invoices. The bank card number, expiry date and encryption code are  processed exclusively by our service provider Adyen, which only provides an identification number (token) to guarantee and pay for bookings. 

 ● Data on the history of bookings made at B&B HOTELS.  

6. Purposes, legal bases and data retention periods 

 Each processing operation carried out by B&B HOTELS responds to an express,  legitimate and specific purpose, which is based on the performance of a contract,  compliance with a legal or regulatory obligation, the User's consent or even a  legitimate interest. However, the data will only be kept for the time strictly necessary  for the purposes for which they are to be used.  

The purposes for which Users' personal data may be processed, their legal basis and  the period of their retention are detailed below: 

 

PurposeLegal BasisRetention Period
Handling reservations and supervising the commercial relationship with customers in all related aspects, including the management of complaints, if any. Execution of the contract between the clients and B&B HOTELS.Data kept for the time necessary for the execution of the contract. Payment card data kept for 13 months (or 15 for deferred debit cards).
Evaluation of customer service quality levels / Preparation of internal reports and audits.Compliance with a legal obligation (Law 10/2025, of December 26, regulating customer services). Minimum of 5 years where data constitutes part of the evaluation system documentation required by the Customer Services Law.
Creating and managing user accounts on the website; Improved services offered by B&B HOTELS.User Consent.Time necessary for the execution of the contract.
Surveys of satisfaction and feedback management received on the services provided.B&B HOTELS' legitimate interests.The time required to conduct satisfaction surveys or to manage customer reviews.
Compilation of commercial statistics.B&B HOTELS' legitimate interests.Time necessary to achieve the purposes or until the User exercises his or her right to object.
Registration of the accounting and Tax Obligations.Compliance with legal obligations.Legally established period for each of the obligations (e.g. accounting data are retained for 10 years).
Commercial studies: Sending of Newsletter, customer acquisition campaigns, and invitations to Events. User's consent (electronic) or Legitimate interests (post/non-automated operations).Until the owner revokes their consent or for a period of 3 years from the last communication.
Administration and management of subscriptions to the B&B HOTELS Club loyalty program.Execution of the contract concluded with B&B HOTELS.Duration of the subscription to the program.
Management of requests from the Users to exercise their rights in relationship with their personal data.Compliance with the obligation imposed by Article 15 et seq. of the GDPR.During the time necessary for the processing of the application.
Proper operation and improvement of the Platform, including quantifying the audience. Legitimate interest (security/functioning) or User's consent for cookies.Tracker life limited to 6 months; data retained for a maximum of 25 months.
Management of the B&Me loyalty program (granting benefits and loyalty points).Execution of the contract entered into with B&B HOTELS.For the duration of the membership to the program.
Management of requests for assistance and contact via the website form.User consent.Until consent is revoked or 3 years from the last communication.

7. Data recipients  

Within the limits of their respective competences and for the purposes referred to in  section 6 of this Policy, the following persons may have access to your personal data:  

Authorized personnel belonging to the reservations, marketing, sales, administration,  logistics and IT departments, who are responsible for improving our Services,  relationships with customers, potential customers and quality controls.  

Authorised staff of subcontractors and service providers of B&B HOTELS, including,  in particular, providers of cloud hosting and storage, payment services, software for  checking identity documents and verifying identity online using facial recognition, mail  services, IT support services and, finally, market research.  

Authorised personnel of the companies jointly responsible for the processing of the  same.  

The competent authorities, upon request, and in particular public bodies, courts, as  well as mediators, accountants, auditors, lawyers, judicial officers, police officers, debt  collection agencies. They will have access exclusively to comply with legal  obligations, as well as to search for the perpetrators of infringements committed on  the Internet. 

Third parties who may implant cookies, with their consent, on the Users' devices. For  more information, you can consult our Cookies Policy.  

8. Transfer of data outside the European Union  B&B HOTELS belongs to the B&B HOTELS Group, which offers its services in numerous  countries.  

In this regard, and for the purposes set out in section 6 of this Policy, personal data  may be transferred to people belonging to the Group or not who are located outside  the European Union.  

In the absence of an adequacy decision, B&B HOTELS will only transfer data outside  the European Union if the appropriate safeguards are met, i.e. the standard contractual  clauses defined by the European Commission and in strict compliance with current  regulations.  

You can access all safeguards and documents relating to the transfer of personal data  outside the European Union by contacting our Data Protection Officer through the  following email address esp-privacy@hotelbb.com or by post addressed to "Data  Protection Officer B&B HOTELS" C. Luis Pasteur, s/n, 28703 San Sebastián de los  Reyes, Madrid.  

9. Security of personal data  

B&B HOTELS pays particular attention to the security of the processing of personal  data. Consequently, it has implemented the necessary protection measures for this  purpose, both technical and organisational, considering the degree of sensitivity of the  data collected, in order to guarantee the integrity and confidentiality of the same and  protect them against malicious interference, loss, alteration or disclosure to  unauthorised third parties. 

However, the security and confidentiality of data depends on the good practices of  each person. Data subjects are therefore encouraged to keep abreast of the situation.  

10. Subcontracted companies  

When B&B HOTELS works with service providers, it will only transfer personal data  when it has obtained commitment and guarantees from them to comply with the  confidentiality and security requirements required for this purpose.  

In compliance with their legal obligations, the contracts signed between B&B HOTELS  and the subcontracted companies include, in a precise manner, the terms and  conditions under which the personal data will be processed in accordance with the  applicable legislation for this purpose.  

11. Cookies  

The use of cookies is included, in particular, in the Cookies Policy.  12. Social Media  

Our Twitter, Facebook, Instagram, TikTok and Youtube accounts can be accessed by  clicking on the corresponding icon of each of them through our Website or  Application.  

Social media helps to improve the usability of the Website and our App, as well as  helping to promote it when shared.  

By clicking on the aforementioned icons, B&B HOTELS may have access to the  personal information that the User has indicated as public and accessible from their  Twitter, Facebook, Instagram, TikTok and YouTube profiles. However, B&B HOTELS  does not create or use any separate databases of Twitter, Facebook, Instagram,  TikTok and YouTube, or data relating to your private life. 

To limit third parties' access to your personal information on Facebook, Twitter,  Instagram, TikTok or YouTube, it is advisable to change the settings of your user  profiles and/or the nature of your posts to limit your audience.  

13. Exercise of data protection rights  

B&B HOTELS is particularly committed to respecting the rights of Users in the context  of data processing, and its intention is to ensure fair and transparent processing of  the same, taking into account the specific circumstances and the context in which  they are processed.  

13.1 Right of access  

In this regard, the User will have the right to obtain confirmation as to whether or not  their personal data is being processed. If so, you have the right to access the data  being processed and the following information:  

The purposes of the processing.  

The category of personal data concerned.  

The addressees or categories of recipients to whom they are communicated, in  particular where they are located in third countries or are international organisations.  

Where possible, the expected period of data retention. Otherwise, the holder will be  informed of the criteria followed to determine the aforementioned period.  

The existence of the right to request the Controller to rectify or delete personal data,  to limit the processing or to oppose it.  

● The right to lodge a complaint with the competent authorities.  

● Information on the origin of the data obtained when these have not been obtained  directly from the owner. 

The existence of automated decisions, including profiling and useful information on  the logic applied for this purpose, as well as the significance and expected  consequences of this processing for data subjects.  

13.2 Right to rectification  

The User shall have the right to request B&B HOTELS to rectify inaccurate, ambiguous  or obsolete personal data concerning him/her. In addition, the data subject shall have  the right to have his/her personal data completed when he/she considers that these  are insufficient.  

13.3 Right to erasure  

The User will have the right to request B&B HOTELS to delete the personal data of  which they are the owner, when the requirements of current legislation are met.  

It should be borne in mind that the right to erase data is not a general right and can  only be invoked if any of the grounds provided for in the applicable regulations are  met.  

13.4 Right to restriction of processing  

The User shall have the right to obtain from the Data Controller the limitation of the  processing of the data when the conditions provided for in the applicable regulations  for this purpose are met.  

13.5 Right to object  

The User have the right to object at any time, for reasons relating to their particular  situation, to the processing of personal data of which they are the owner when the  legal basis for such processing is the legitimate interest pursued by the Data  Controller.  

If the User exercises their right to object, B&B HOTELS will stop processing their  personal data, unless legitimate reasons can be demonstrated to continue with such 

processing. These grounds must override the interests, rights and freedoms of the  User or be justified by the recognition, exercise or defense of a right.  

13.6 Right to data portability  

The data subject shall have the right to the portability of their data. However, this is  not a general right and can only be invoked when the processing has been carried out  by automated means, being excluded in those cases in which the data have been  processed manually or on paper.  

In addition, this right is limited to cases where the processing of the data is based on  the user's consent, the execution of pre-contractual measures or a contract.  

This right does not apply when the data is derived or inferred, i.e. when it is personal  data created by B&B HOTELS.  

13.7 Right to revoke consent  

When the processing of data by B&B HOTELS is based on the User's consent, the User  has the right to revoke their authorisation at any time. In this way, B&B HOTELS will no  longer process your personal data without affecting previous operations for which you  have given your consent.  

13.8 Right to make a complaint  

The User shall have the right to lodge a complaint with the competent authorities,  without prejudice to the exercise of other legal or administrative actions that he/she  deems necessary, through the following address: https://www.aepd.es/  

The User may submit the complaint using the following standard form: Standardised  form  

13.9 Right to Advance Directives 

The User may define his/her wishes, in the event of death, in relation to the storage,  deletion and communication of personal data. He will also have the right to appoint a  person of his trust to carry out his will, being empowered to request the Controller to  execute such provisions.  

The User may communicate their wishes regarding the destination of the personal  data processed by B&B HOTELS in the manner described, which may be modified or  revoked at any time.  

13.10 How to exercise your rights?  

All the rights described in the previous sections may be exercised as follows:  

− Via the web form by selecting the reason for replying ‘Personal data’. If you have a  digital account on the B&B HOTELS website https://www.hotel-bb.com/en/es, you  can access ‘My personal and connection settings’ and delete your personal data from  your account there. To do this via the B&B HOTELS App, you can go to ‘My profile  information’ and click on the option ‘Delete Account’.  

− Through the email address esp-privacy@hotelbb.com.  

− By ordinary mail sent to C/ Luis Pasteur, s/n, 28703 San Sebastián de los Reyes,  Madrid.  

In order to attend to your request, it will be necessary to prove your identity by any  means. 

 

  1. B&B HOTELS
  2. Protection of personal data
  3. Protection of personal data - Spain