Name and Contact Details of the Data Controller:
· Name: Comillas Town Council
· Tax ID (CIF/NIF): P3902400E
· Phone: +34 942 72 00 33
· Address: Plaza Joaquín del Piélago, No. 1, 39520 Comillas (Cantabria), Spain
· Website URLs: www.aytocomillas.es | www.comillas.es
· Data Protection Officer (DPO): dpd@comillas.es
The Comillas Town Council (hereinafter, “the Controller”) assumes the highest responsibility for establishing, implementing, and maintaining this Data Protection Policy. We are committed to continuous improvement in compliance with Regulation (EU) 2016/679 (GDPR) and applicable Spanish personal data protection laws and sector-specific regulations.
Principles of Our Data Protection Policy
Under the proactive accountability principle, the Controller is responsible for compliance and must demonstrate it to supervisory authorities. The following principles guide all processing activities:
1. Data Protection by Design: Implementation of organizational and technical safeguards—such as pseudonymization—during system design and processing.
2. Data Protection by Default: Only data strictly necessary for each specific processing purpose are processed by default.
3. Lifecycle Protection: Security measures are applied throughout the data’s lifecycle.
4. Lawfulness, Fairness & Transparency: Personal data are processed legally, fairly, and transparently.
5. Purpose Limitation: Data are collected for explicit, legitimate purposes and are not further processed in a manner inconsistent with those purposes.
6. Data Minimization: Only the data strictly necessary for the stated purpose are collected.
7. Accuracy: Data are accurate and kept up to date; inaccurate data are rectified or deleted without delay.
8. Storage Limitation: Data are kept no longer than necessary for the purposes for which they were collected.
9. Integrity and Confidentiality: Appropriate security measures safeguard data against unauthorized or unlawful processing, including loss or damage.
10. Information & Training: Staff involved in data processing receive regular training on obligations.
11. Impact Assessments: Data protection impact assessments are conducted prior to processing activities involving potential risks.
12. Risk-Based Processing: High-risk processing operations are identified through risk analysis and mitigated with appropriate safeguards.
Scope of Application
This policy applies to:
· Visitors to the Controller’s websites: www.aytocomillas.es and www.comillas.es (including any language versions).
· Individuals who voluntarily contact the Controller via email or complete online forms.
· People requesting information about our products or services.
· Individuals entering a contractual relationship by procuring services.
· Users of any online service involving data communication or access.
· Persons who have given explicit consent to data processing for purposes covered by this policy.
Note: Use of our products or services requires explicit acceptance of this policy. Users confirm they are of legal age under Spanish law. If minors’ data are provided, prior parental or legal guardian consent is required.
Users are obliged to supply accurate personal data corresponding to their identity and are solely responsible for its accuracy.
Supplementary Nature
This Privacy Policy is secondary to any specific data protection terms provided in registration forms, contracts, or service terms. It complements those provisions on matters they do not specifically address.
Information and Consent
By accepting this Privacy Policy, the user provides free, informed, specific, and unequivocal consent to the processing of their personal data by the Controller.
Purpose of Data Processing
The Controller processes personal data for the following purposes:
· Managing enquiries and maintaining professional or commercial relationships.
· Delivering contracted services and managing those relationships.
· Processing user requests, incidents, claims, or consultations.
· With consent, informing users about news, events, and updates.
· Managing cookies as outlined in our Cookie Policy (see URLs below).
· If acting as a data processor, processing on behalf of clients under GDPR Article 28 terms.
In compliance with Spanish Law 25/2007, data concerning electronic communications may be retained and provided to authorities when legally required.
Data Retention
Personal data related to contractual relationships are retained for as long as the contract is active and, beyond that, as required by applicable laws and until liabilities expire. Data are processed until contract termination or objection by the user.
Types of Data Collected
The Controller may collect:
· Identification and contact data
· Geolocation data
· IP addresses and browsing data
· Information from mobile devices or other legitimate sources
· Any other data necessary for service provision, provided directly or obtained during the course of service-related activities
If users supply third-party data, they must have obtained consent and shared this Privacy Policy. The Controller may verify compliance through due diligence checks.
Data Recipients
Personal data may be shared with:
· Controller’s employees processing data within their roles
· Service providers involved in service delivery
· Courts, administrative authorities, or law enforcement in compliance with legal obligations
Data Subject Rights
Under GDPR, users may at any time exercise the following rights:
· Withdraw consent
· Confirm processing of personal data
· Access their data
· Rectify inaccurate data
· Request deletion of data no longer needed
· Restrict processing in certain circumstances
· Request data portability
· Lodge a complaint with the Spanish Data Protection Agency via https://www.aepd.es
Requests may be sent by email to ayuntamiento@comillas.es or by post to: Ayuntamiento de Comillas, Plaza Joaquín del Piélago, 1, 39520 Comillas, Cantabria, Spain. In case of manifestly unfounded or excessive requests, the Controller may charge administrative fees or deny requests under GDPR Article 12.5.
International Data Transfers
If services require international data transfers, such transfers will be disclosed in the applicable Specific Conditions, which users must explicitly accept.
Data Processor Role
Under GDPR Article 28, if the Controller processes client data in their role as a data processor:
· Data is processed only per client instructions
· Data are deleted after service completion
· Confidentiality obligations are maintained during and after processing
· Appropriate security measures are ensured
· Access via client premises or remotely must comply with client security policies
· The Controller keeps a record of processing activities as required by GDPR
Subcontracting
The Controller is permitted to subcontract storage, backup, or security services per GDPR Article 28.4. Clients may request information about sub-processors and subcontracting arrangements.
Permitted Actions
Clients authorize the Controller to perform essential functions, including:
· Processing data on portable devices by authorized users only
· Processing data outside client or Controller premises by authorized staff
· Entry and removal of personal data outside client premises
· Executing data recovery procedures when necessary
Limitation of Liability
The Controller is not liable for non-compliance with GDPR obligations by users/customers in activities beyond its control. Liability for breaches remains with the responsible party under contract and law.
Security Measures
The Controller processes user data confidentially and securely. Security measures are technical and organizational, consistent with the state of technology and risks, to prevent alteration, loss, damage, or unauthorized access.
Policy Updates
This Privacy Policy will be reviewed and updated as needed to remain compliant with evolving data protection laws. Staff is informed and trained accordingly, and the policy applies to all municipal employees responsible for data handling.