This Personal Data Protection Notice (Privacy Policy) was last updated on July 14, 2026.
Welcome to Palace Hotel & SPA! We are delighted that you have taken the time to visit our website and thank you for your interest in our services. Protecting your privacy and the security of your personal data are a priority for us.
This Personal Data Protection Notice (the “Notice”) explains transparently which personal data we collect, for what purposes we process it, on what legal basis, with whom we share it, and what your rights are. We act in accordance with Law No. 124/2024 “On the Protection of Personal Data” (fully harmonized with the EU General Data Protection Regulation — GDPR 2016/679) and with the decisions and guidelines of the Commissioner for the Right to Information and Protection of Personal Data.
The controller of personal data, within the meaning of Law No. 124/2024, is:
| Entity | Palace Hotel & SPA |
|---|---|
| Business ID (NUIS) | L82314009N |
| Address | Rruga Pavarësia 54, Durrës, Albania |
| Phone | +355 52 909 090 |
| Mobile | +355 68 405 5549 |
| info@palacehotel.al | |
| Legal representative | Luan Bregasi (Administrator) |
For any question or request regarding the processing of your personal data or the exercise of your rights, you may contact our Data Protection Officer:
| Officer (DPO) | MHconsulting — Meald Habazaj |
|---|---|
| Business ID | M61614047I |
| Certifications | GDPR, CISA, CRISC, ISO 27001 Lead Auditor |
| DPO e-mail | support@mhconsulting.al |
| DPO phone | +355 69 522 4573 |
You may contact the DPO directly regarding any privacy concern, without having to justify your request.
We process personal data in accordance with the following principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
Depending on the circumstances, we base our processing on one or more of the following legal grounds:
Data is retained only for as long as necessary for the purpose for which it was collected or as required by legal obligations (e.g. accounting and tax obligations). Once the purpose is fulfilled, data is securely deleted or anonymised.
When you visit our website, our servers automatically record technical data necessary to display the site and ensure its stability and security, such as: IP address, date and time of access, browser type and version, operating system, and referring page.
Legal basis: our legitimate interest in the technical functioning and security of the site. This data is not used to personally identify you and is deleted within a limited period.
Our website is developed and maintained by Evolve Web Agency (evolve.al) and hosted with a server service provider. These entities act as processors on our behalf, under a data processing agreement (DPA), and are bound by confidentiality and security obligations. The hosting provider processes the technical data necessary for the operation of the site.
Our website uses cookies and similar technologies to ensure the site functions properly, to remember your preferences, and — only with your consent — for statistics and marketing purposes.
You may give, refuse, or withdraw your consent at any time via the cookie banner and the “Cookie preferences” link, available on every page of the site.
For the full, detailed list of individual cookies we use — including their name, provider, purpose, and duration — please see our separate Cookie Policy.
Our website does not currently offer subscription to an automated newsletter. However, we may send you promotional communications (offers, packages, service announcements) by e-mail, only if you have given your consent for this purpose or, where permitted by law, in relation to services similar to those you have used as a guest.
Legal basis: your consent or our legitimate interest in direct marketing. You may withdraw your consent or object to receiving communications at any time, free of charge, via the “unsubscribe” link in the e-mail or by writing to us at info@palacehotel.al.
When you make a reservation — directly via the booking engine on our website, by phone, e-mail, or via third-party platforms (OTAs) such as Booking.com — we process: your first and last name, contact details, stay dates, room preferences, payment data and any special requests.
Legal basis: performance of the accommodation contract. Recipients: OTA platforms act as independent/joint controllers under their own terms; we receive from them only the data necessary to fulfil the reservation.
At check-in, in accordance with legal obligations for guest registration, we verify your identity via an identity document (ID card or passport) and record the data required by applicable law.
During your stay we process data related to the services used (restaurant, minibar, additional services) for billing and stay management.
Legal basis: compliance with a legal obligation and performance of the contract.
For the provision of certain SPA treatments, we may ask you for information classified as a special category of personal data (health data), for example: existing medical conditions, allergies, pregnancy or physical limitations, in order to ensure the safety and suitability of the treatment.
Legal basis: your explicit and specific consent. This data is processed only by authorised SPA staff, stored separately and under enhanced security measures, and is not used for any other purpose. You may decline to provide this information, but this may affect our ability to offer the treatment under safe conditions.
Payments are made via POS terminals or secure online gateways. Card data is processed by the payment service provider in accordance with security standards (PCI-DSS). We retain only the data necessary for billing and accounting/tax obligations, not full card details.
Legal basis: performance of the contract and compliance with legal obligations.
When you use our WiFi network, technical connection data (device MAC address, connection time, data volume) may be recorded for administration, network security and compliance with legal obligations. This data is retained for a limited period and is not used for profiling.
The hotel’s common areas are covered by a video surveillance system for the security of persons and property. Cameras are not placed in private areas (rooms, toilets, areas where privacy is expected). Covered areas are marked with visible pictograms.
Legal basis: our legitimate interest in security. Footage is retained for a limited period (as set by internal policy and the Commissioner’s guidelines) and is accessed only by authorised staff, or made available to the competent authorities as provided by law.
When you contact us via the contact form, e-mail or phone, or submit an enquiry for events, weddings or conferences, we process the data you provide (name, contact, enquiry details) to respond to you and prepare the offer.
Legal basis: pre-contractual measures and our legitimate interest in responding to enquiries.
Palace Hotel & SPA is present on Facebook, Instagram and LinkedIn. Our website displays selected images that, when clicked, take you to our Instagram profile. Only if you choose to click and visit these profiles will your data be processed by the respective platforms under their own privacy policies, over which we have no control.
To help you find our location, our website uses the Google Maps service (provided by Google). When the map loads, your IP address may be transferred to Google, including outside Albania. This element is activated only after your consent via the cookie banner and is subject to the safeguards described in Section 15.
The promotional video on our website is hosted on our own servers. Viewing it does not transfer data to third-party platforms such as YouTube.
Our website is built on WordPress, using WooCommerce (bookings/webshop functionality), Elementor (page building), and WPML (multi-language support). For statistics and marketing, our website may use Google Analytics, Google Fonts and Facebook (Meta) tools; these are activated only after your consent via the cookie banner, which you may withdraw at any time. Full technical detail on each tool is available in our Cookie Policy.
We are also present on review platforms such as TripAdvisor and Booking.com, where guests may leave public comments.
Personal data is transferred outside the Republic of Albania only where an adequate level of protection is guaranteed, in accordance with Chapter IV of Law No. 124/2024 — for example through standard contractual clauses approved by the Commissioner, or where the recipient country provides adequate protection. You may request information on the safeguards applied by contacting the DPO.
In accordance with Articles 13–20 of Law No. 124/2024, you have the following rights:
To exercise these rights, contact us at info@palacehotel.al or the DPO. You also have the right to lodge a complaint with the Commissioner for the Right to Information and Protection of Personal Data (www.idp.al).
We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration or disclosure — including access control, secure storage, staff training and incident management procedures. In the event of a data breach posing a risk to your rights, we act in accordance with the notification obligations under the law.
SSL/TLS encryption. Our website uses SSL/TLS encryption to protect data transmission. An encrypted connection is indicated by the “https://” prefix and the padlock symbol in your browser. When this encryption is active, the data you send us cannot be read by third parties.
Data protection rules and practices are subject to change. We may update this Notice from time to time and will transparently inform you of material changes. We encourage you to review the latest version periodically.
Palace Hotel & SPA
Rruga Pavarësia 54, Durrës, Shqipëri
Albania
Website: https://palacehotel.al
Email: info@palacehotel.al
Phone number: +355 52 909 090
Effective date: July 14, 2026. Version 1.1 — Palace Hotel & SPA.
