INFORMATION NOTICE FOR THE PROCESSING OF PERSONAL DATA

HOTEL VILLA ROSA S.R.L., as the Data Controller, informs you pursuant to Articles 13 and 14 of EU Regulation No. 679/2016 (GDPR) that your personal data will be processed according to the methods and for the purposes described below.

Definitions

  • Personal Data is “any information relating to an identified or identifiable natural person, referred to as the Data Subject.” An “identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person” (Article 4 GDPR).
  • Special Categories of Personal Data (also known as sensitive data) are data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data concerning health, or a natural person’s sex life or sexual orientation.
  • Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Data Controller determines the purposes and means of the processing of personal data.
  • Data Processor is the entity that processes personal data on behalf of the Data Controller.

Purposes of Processing, Legal Basis, and Data Source

Please note that additional information regarding data processing is provided at the time of, and before, the entry of information in the specific service made available on this website (e.g., chatbot service).

The Data Controller processes personal data as communicated in the exercise of its business activities as described in the Italian Business Register (R.I.). Therefore, the data is communicated for the conclusion of contracts (written or oral) or for the execution of agreed terms. Data provided by the client, including potential clients, which may be a company, may concern the legal representatives (or other operators) of the same client company.

The updating, verification, and use of personal data may also occur through public registers designated for this purpose, for example, for members of a company with access to public registers in which the client company is registered (e.g., Business Register - Official Archive of the Chamber of Commerce, INI-PEC).

Personal data is processed for the following reasons:

  • To carry out the agreed activity (the legal basis is pre-contractual or contractual; the contract may be written or oral, for example, processing data for the execution of the requested hotel or restaurant activity, so-called contractual and pre-contractual purposes);
  • To pursue the legitimate interests of the Data Controller: within the limits of what can be reasonably expected, the Data Controller has the right to effectively conduct its business, such as sending communications, responding to received requests, exercising a right, or defending itself in court. It is possible that personal data is legitimately and freely communicated to the Data Controller without being requested. In such cases, the data is received within the general scope of the Data Controller’s business activity and processed on the legal basis of legitimate interest.
  • With reference to data provided freely by the Data Subject, without being requested, such data may be lawfully processed based on the Data Subject’s consent, where explicitly expressed.
    In the absence of explicit consent, the processing takes place only if it can be based on a properly balanced legitimate interest, in accordance with what the Data Subject may reasonably expect.
    The Data Controller specifies that the entity providing the data must be entitled to do so, and that data processed in violation of the law must not be sent to the Data Controller. Minors must not provide any information to the Data Controller. By law, minors under 14 years old cannot consent to the processing of their personal data in connection with the direct offer of information society services.
  • To comply with a legal obligation;
  • Only with the specific and separate consent of the Data Subject to receive advertising communications from the Data Controller for other products and services (so-called indirect marketing purposes).

Types of Data Processed

For the purposes outlined in this notice, the Data Controller processes common personal data (so-called ordinary data) which include, for example, identification and contact data (name, surname, tax code, address, phone number, email, and other contact details). When booking specific services, it is possible to receive information on particular needs related, for example, to allergies or medical conditions. This health-related information is used solely to provide an adequate service; in this case, the request related to the service is covered by explicit consent.

Any information requests may involve the collection and subsequent further processing of your personal data (such as name, surname, email, etc.). In particular, the collection of personal data may occur through the completion of the contact form provided on the website or through communication, for example, by sending an email.

When contact forms are used, the provision of data is necessary for the Data Controller to fulfill the related requests. Failure to provide personal data marked as mandatory, or providing it partially or incorrectly, will make it impossible to perform the requested service. If one or more mandatory items of personal data are omitted, an error message will appear.

Categories of Recipients

Without prejudice to communications made in compliance with legal and contractual obligations, all collected and processed data may be communicated exclusively for the above-specified purposes to external companies or professional firms that provide assistance in fulfilling legal obligations and exercising rights arising from the conducted business activity (e.g., accountants, lawyers, labor/security consultants), credit institutions, public administrations for performing institutional functions within the limits established by law or regulations (e.g., Revenue Agency, Police Headquarters, Ministry of the Interior, Territorial Entities). Recipients of the data also include IT companies or IT operators that provide IT services or IT assistance (e.g., cloud storage services, hosting-related services, data traffic managers), entities responsible for communication (e.g., Social Media Managers).

For the pursuit of the above-described purposes, personal data is known to individuals authorized by the Data Controller to process personal data. These individuals assist or operate for the Data Controller to enable the efficient conduct of its activities (e.g., administrators, collaborators, employees, or assimilated personnel). Individuals belonging to the above categories may, in some cases, act as Data Controllers. Further clarifications can be obtained by contacting the Data Controller.

Retention Period of Your Personal Data

Personal data will be processed by the Data Controller for the time necessary to establish and manage the existing relationship. Data subject to legal retention obligations or potentially necessary for the protection of rights arising from the relationship will be retained in accordance with the relevant regulations. The retention period is generally 10 years. Data will be used by the Data Controller for sending advertising information (indirect marketing) for the duration of the company or until consent is revoked.

Processing Methods

The processing of personal data will be carried out using tools suitable to ensure their security and confidentiality in accordance with the provisions of Article 32 GDPR.

Communication of Intent to Transfer Data Outside the EU

The transfer of personal data outside the EU is governed by specific contracts designed to require the recipient to respect the adequate safeguards provided by current privacy legislation, or is made to entities that benefit from an adequacy decision (Articles 44 et seq. GDPR); a copy of the adequate safeguards can be requested by contacting the Data Controller and obtained where a transfer has taken place.

Nature of Provision and Consequences

Failure to provide the data requested for contractual and pre-contractual purposes makes it impossible for the Data Controller to fulfill the requested services and its legal obligations.

The Data Controller cannot use personal data for the aforementioned indirect marketing purpose in the absence of the Data Subject’s specific consent.

No consequences are anticipated for the failure to provide data for the aforementioned legitimate interest purposes.

Cookie Policy

Cookies are small text files that are stored on the computer’s hard drive through a web page and the browser to store small amounts of information about the page for a limited period. There are different types of cookies.

The IT systems and software procedures used to operate this Website acquire, during their normal operation, certain Personal Data whose transmission is implicit in the use of Internet communication protocols. This is information not collected to be associated with identified Data Subjects, but which by its very nature could, through processing and association with data held by third parties, allow the identification of users. This category of data includes IP addresses or domain names of the computers used by users connecting to the Website, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.), and other parameters related to the user’s operating system and IT environment.

The cookies used on this website fall into the following categories:

1. Technical (Essential) Cookies

Technical cookies (referred to in the banner as essential) do not require the visitor’s consent and are automatically installed following access to the site.

These cookies are necessary for navigation and to provide a service requested by the user. They are not used for any other purposes.

Without these cookies, some operations could not be performed or would be more complex or less secure.

We use technical cookies that allow the site to function correctly and keep it secure.

2. Analytical (Analytics/Functional) Cookies

Analytical cookies (referred to in the banner as functional) collect information, for example, about the number of visitors to the website and the path visitors take to reach the site.

Analytical cookies are considered technical cookies when:

2.a) They are used for site optimization purposes directly by the site owner, who collects statistical information in aggregated form about the number of users and how they visit the site;

2.b) The processing of such statistical analyses is entrusted to third parties, user data is previously minimized, and it cannot be combined with other processing or transmitted to additional third parties, as such transmission would increase the risk of user identification.

This website uses Google Analytics (third-party analytical cookies), a web analytics service provided by Google Inc. ("Google"). Google Analytics uses “cookies,” which are text files placed on your computer to help the website analyze how users use the site. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States.

Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for operators of the site, and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.

You can refuse the use of cookies by selecting the appropriate settings on your browser or by visiting the Google page dedicated to currently available functions or by disabling them (x) in the cookie management on this website. In this way, some functionalities related to this website will be disabled.

For more information: Wikipedia - Google Analytics and Google Analytics Support.

3. Profiling (Marketing) Cookies

Profiling cookies (referred to in the banner as marketing) record user preferences and actions. Based on this information, a user profile is created. This is used to combine advertising messages with the user's interests, thus enabling more targeted advertising for specific target groups. In many cases, the site operator uses third-party cookies to transmit personalized advertising.

Third-Party Cookies: Technical, Analytical, and Profiling

Through this website, third-party cookies may also be installed where necessary for the provision of specific functions.

For more information on third-party cookies, you can visit Your Online Choices.

Additional Information on Google

Data transfers conducted by Google outside the European Union are based on standard contractual clauses (SCC) pursuant to Article 46(2)(c) GDPR or otherwise through transfers compliant with current laws (Articles 44 et seq. GDPR). Specifically: “Google relies on standard contractual clauses (SCC) for the transfer of personal data related to online advertising and measurement outside Europe. For services for which Google acts as the data controller, the Google Ads data processing terms include, as necessary for appropriate data transfers, the relevant SCC issued by the European Commission (to help legitimize data transfers under GDPR) and the UK SCC (to help legitimize data transfers under GDPR as incorporated into UK law). In any case, Google has committed to always act with a 'legal basis for data transfers in compliance with current data protection laws.'”

Consent for Cookies

Visitors to the site have the right to withdraw their consent at any time. Non-essential cookies or those not essential for the website's operation do not require consent. Functional cookies, which are considered essential, can still be disabled at any time by the user in the dedicated area on this website (Privacy Settings section).

This website uses a technology called CMP (Consent Management Platform) to manage this right. When accessing the site, a banner appears informing the user about the use of cookies, offering various consent options (accept all cookies, specific categories of cookies, or each cookie individually), and providing detailed information about the different types. The CMP stores the user's choices and applies them to subsequent visits to the site.

How to Prevent the Installation of Cookies Directly via Browser

Browsers allow customization procedures, such as:

  1. Click the menu and then select Settings.
  2. Select the Privacy panel.
  3. In the History section, choose Use custom settings.
  4. In the options that appear, remove the checkmark from “Accept Cookies.”
  5. Click OK.

For more detailed information, for example:

The retention period for cookies will not exceed 14 months, unless longer retention is required by law for specific needs, such as determining responsibility for cybercrimes against the site or third parties.

Data Subject Rights

As a Data Subject, you are entitled to all rights provided by personal data protection laws. With particular reference to Articles 15 to 21 GDPR, the following rights are highlighted:

  • Right of Access (Article 15 GDPR): The right to obtain confirmation as to whether personal data concerning you is being processed, and, if so, access to the personal data and a copy of it.
  • Right to Rectification (Article 16 GDPR): The right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data.
  • Right to Erasure (Right to be Forgotten) (Article 17 GDPR): The right to obtain, without undue delay, the erasure of personal data concerning you in accordance with the terms stipulated by EU Regulation No. 679/2016.
  • Right to Restriction of Processing (Article 18 GDPR): The right to obtain the restriction of processing when:

    a) You contest the accuracy of your personal data;

    b) The processing is unlawful and you oppose the erasure of your personal data and request instead that its use is restricted;

    c) Although the Data Controller no longer needs the personal data for processing, it is necessary for you for the establishment, exercise, or defense of a legal claim;

    d) You have objected to the processing, as outlined above, pending verification of whether the legitimate grounds of the Data Controller override your legitimate grounds as a Data Subject.

  • Right to Data Portability (Article 20 GDPR): The right to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another Data Controller without hindrance, where the processing is based on consent and carried out by automated means. Additionally, the right to obtain that your personal data be transmitted directly from the Data Controller to another Data Controller, where technically feasible.
  • Right to Object (Article 21 GDPR): The right to object, at any time, to the processing of personal data concerning you based on the condition of lawfulness of the legitimate interest, including profiling, unless there are legitimate grounds for the Data Controller to continue the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.
  • Right to Withdraw Consent: You have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint with the Supervisory Authority: You have the right to lodge a complaint with the Data Protection Authority (Garante per la protezione dei dati personali). For more information, you can visit the Data Protection Authority’s website: www.gpdp.it.

Primary Method of Exercising Rights

You may exercise your rights at any time through the contact channels provided. For greater certainty of receipt, it is recommended to send a registered letter with return receipt to HOTEL VILLA ROSA S.R.L., Lungolago Cesare Battisti No. 89, CAP 25015, Desenzano Del Garda (BS) or via certified email (PEC) to hotelvillarosasrl@legalmail.it.

Data Controller and Additional Contact Information

The Data Controller is HOTEL VILLA ROSA S.R.L., registered in the Brescia Business Register, VAT No., Tax Code, and Registration No.: 03741690238, share capital: €15,000.00, with its registered office at Lungolago Cesare Battisti No. 89, Desenzano Del Garda (BS), phone +39 030 9141974, email amministrazione@villarosahotel.eu, PEC hotelvillarosasrl@legalmail.it.

Data Protection Officer (DPO) Contact Information

The Data Controller has appointed Avv. Valentina Remonato as the Data Protection Officer, who can be contacted at the following addresses: email studiolegale@valentinaremonato.it, phone +39 338 8785457.

Villa Rosa Hotel
Lungolago C. Battisti, 89
25015 Desenzano del Garda (BS) // Italy
VAT no.: IT03741690238
T +39 030 9141974 // info@villarosahotel.eu