Please be informed that,
pursuant to art. 13 of the GDPR no. 2016/679 (hereafter, “GDPR”), any personal data collected from you shall be processed based on the principles of correctness, lawfulness, transparency and protecting your confidentiality and your rights;
a) Our organisation, as a legal entity, holds the dual role of data controller and data processor;
b) The data controller and data processor (see contact details on the last page), following an in-house assessment of the case in question, has not designated a data protection officer as there was no obligation to do so, pursuant to art. 37, paragraph 1 of the GDPR no. 2016/679.
Your data shall be processed
c.1) pursuant to art. 6 paragraph b) and c) , for the purposes of performing a contract or implementing pre-contractual measures and fulfilling the legal obligations to which the data controller is subject; e.g. the data processing necessary to manage requests, quotes and bookings, fulfil all contractual, accounting and tax obligations, manage payments also via credit cards, POS devices and advanced online services offered by the respective credit institutions or agencies and to manage disputes; furthermore, for all legal obligations; e.g. regulations, EU and local legislation or orders from authorities, registering and sending data to authorities and managing any disputes; in addition, to pursue the legitimate interest of the data controller or of third parties under the conditions provided for by the GDPR;
c.2) pursuant to art. 7, with your freely-given consent, for other service and marketing purposes; e.g. the data processing necessary to send promotional offers regarding our services and other events, updating prices, other quotes as well as sending birthday and Christmas wishes; to provide additional services such as sending data relating to your stay to third parties for the sole purpose of allowing goods, messages and telephone calls addressed to you to be received;
in order to process specific categories of personal data to offer a better standard of hospitality; e.g. food intolerances, allergies or other specific data;
in order to process advanced online services; e.g. registering with our management programme so we may use your e-mail address to send the final balance, receipt or invoice, to manage loyalty scheme points and other similar services;
c.3) pursuant to art. 7, with your freely-given consent, for other purposes; e.g. the data processing necessary to LOG-ON to our public WIFI/LAN network in order to surf the internet;
as well as the processing of the data that are necessary to use our company website and that must be transmitted in order to use internet communication protocols. This data is not collected to be associated with specific individuals, but could, for its very nature, allow the users to be identified if processed and associated with data held by third parties; e.g. this category of data includes the IP addresses or the domain names of the devices used by those visiting the website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to issue the request to the server, the size of the file received in response, the numerical code indicating the status of the reply given by the server and other parameters relating to the operating system and the user’s computing environment;
this data is used for the sole purpose of gathering anonymous statistical information on the use of the WIFI/LAN network and the company website; e.g. to check that our IT infrastructure is working correctly and to improve the service; likewise, data could be used by the competent authorities, e.g. to establish responsibility in the case of potential computer crimes or damages to our WIFI/LAN network, our IT system and our company website.
d) pursuant to art. 6, paragraph 1, letter f), considering the reasonable expectations of the parties, for the purposes of the legitimate interests pursued by the data controller or by a third party;g. data to prevent fraud (monitoring attendance, registering entries, biometric data, images from CCTV, etc.) and for direct marketing purposes.
Recipients and categories of recipients of your data are as follows:
e) natural or legal persons, public authorities, collaborators such as employees, professionals, service providers, bodies and associations.
Your personal data may be transferred to another country or to an international organisation
f) in view of the above, in addition to being processed in paper format in our organisation’s archives or on third-party premises, data are mainly processed and stored in electronic format on our mass storage devices inside our facilities or within the EU through hosting, server and cloud services. It is nonetheless understood that the data controller, if necessary, shall have the right to move its hosting servers, servers and cloud services to countries outside of the EU; likewise, the data controller hereby guarantees that data shall only be transferred to countries outside of the EU in compliance with applicable legal provisions, subject to standard contract clauses being drawn up as provided for by the European Commission.
Your data shall be processed in a correct and transparent way, with the data being collected, registered, organised, stored, consulted, processed, modified, selected, extracted, compared, used, interlinked, blocked, disclosed, cancelled and destroyed, as necessary. Your personal data shall be subject to both paper and electronic and/or automated processing.
Data may be processed, only for the purposes referred to by the previous points c/i, c/ii, c/iii and d, also by employees and collaborators of the data controller or by other institutions based in Italy or in other European countries, by third-party companies or other bodies; e.g. by means of example but not limited to: credit institutions, professional firms, insurance companies to provide insurance services, IT service companies and telephone operators or other organisations providing services/products on behalf of the Data controller, in their role as external persons in charge of processing. In accordance with art. 14 of the GDPR, if personal data have not been obtained from the data subject, then the data controller must provide the specific information required within one month; in your case, on the other hand, reference should be made to this information notice.
The period for which your personal data will be stored is defined
a) as being the time necessary for the aforementioned purposes and, in any case,for no longer than 10 years from the end of the relationship for the purposes referred to by the previous point c/i, and for no longer than 2 years from when data was collected for the purposes referred to by the previous points c/ii, c/iii and d.
As a data subject, you may exercise the following rights by sending a registered letter or e-mail to the data controller:
b) right of access,referred to by art. 15 of the GDPR, to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and
information; for any further copies of data requested, the data controller reserves the right to charge you a reasonable fee based on administrative costs;
right to rectification, referred to by art. 16 of the GDPR, to obtain without undue delay the rectification of inaccurate personal data concerning you;
right to erasure, referred to by art. 17 of the GDPR, to obtain the erasure of personal data concerning you without undue delay;
right to restriction of processing, referred to by art. 18 of the GDPR, to obtain restriction of processing;
right to data portability, referred to by art. 20 of the GDPR, to receive the personal data concerning you, which you have provided to a controller, in a structured format and have the right to transmit those data to another controller without hindrance;
right to object, referred to by art. 21 of the GDPR, to object at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
c) right to withdraw consent,for the cases provided for by the GDPR, at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) right to lodge a complaint with a supervisory authority,in ITALY the “Garante della Privacy” (Data Protection Authority), PIAZZA DI MONTE CITORIO no. 121 00186 ROMA, e-mail: firstname.lastname@example.org
e) How data is provided and the consequences of refusing to reply
Providing data for the purposes referred to by the previous point c/i is mandatory, likewise, you must agree to providing data considering the purposes of the legitimate interests being pursued as referred to by the previous point d; failure to provide said data shall mean that our organisation cannot guarantee it will be able to provide services and satisfy your expectations. Without the need for specific consent, said data may be processed by the Authorities, by insurance companies to provide insurance services, by professional firms also for the management of disputes, as well as by any bodies which must receive said data by law in order to fulfil the stated purposes. These organisations shall process the data in their role as independent data controllers. Your data shall not be disseminated. Providing data for the purposes referred to by the previous points c/ii and c/iii is, on the other hand, voluntary. You may therefore decide not to provide any data or subsequently refuse for any data provided to be processed: in this case, you will not be able to receive newsletters, or marketing and advertising material relating to our services, and you won’t be able to use the internet connections of our public WIFI/LAN network nor a series of advanced services available on our company website. You shall nevertheless continue to have the right to the services referred to by the previous point c/i
f) It is your right not to be subject to a decision based solely on automated processing referred to by the previous points c/ii and c/iii, including profiling which produces legal effects concerning you or similarly significantly affects you. Data subjects may therefore decide to only receive communications using traditional means, or only automated communications or neither of these two types of communications.