INFORMATION ON THE PROCESSING OF PERSONAL DATA
HOTEL VILLA ROSA S.R.L. (hereafter Controller) informs, pursuant to Article 13 of EU Regulation 2016/679 (hereinafter GDPR), that personal data will be processed according to the methods and for the purposes indicated below.
1. Definitions
• Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
• Controller determines the purposes and means of the processing of personal data.
• Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (article 4 GDPR).
• The sensitive data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (special data, art. 9 GDPR).
2. Object of the processing
The Data Controller processes personal data communicated to it for the performance of its business as described in the Business Register (Registro delle imprese) and primarily focused on the provision of hotel and catering services.
3. Purpose of the processing and legal basis
- Personal data are processed for the following purposes:
• Perform contracts or pre-contractual measures (processing of data necessary for the execution of the hotel activity requested or specifically agreed in written or oral form, such as room reservations and ancillary services). The lawfulness of the processing is based on article 6, point 1(b), GDPR.
With the booking, it is possible that information related, for example, to allergies or specific needs is provided. The data thus freely provided, concerning health, are used only to provide the requested service. In this case, there is explicit consent (article 9, point 2(a)).
• Fulfil legal obligations (for example, fulfilling tax obligations arising from the existing relationship with you). The lawfulness of the processing is based on article 6, point 1(c), GDPR.
- Only with your specific and distinct consent, personal data are processed so that you can receive from the Controller advertising communications about other products and services (so-called indirect marketing). The lawfulness of the processing is based on article 6, point 1(a), GDPR.
- The data are also processed to pursue the legitimate interest of the Controller (article 6, point 1(f), GDPR): within the limits of what can reasonably be expected, the Controller has the right to carry out its business effectively, for example by sending communications, responding to requests received, exercising a right or defending itself in court. It may happen that personal data are legitimately and freely communicated to the Controller without having been requested; in this case the data are received by the Controller within its general business activity and processed for legitimate interest. The data freely sent by the data subject are also processed lawfully on the basis of his or her consent.
The Controller specifies that the person who communicates data must be entitled to do so. It should be noted that data cannot be sent to the Controller if this would violate the law. Minors must not communicate information to the Controller. By law, minors under 14 years of age cannot even express their consent to the processing of their personal data in relation to the direct offer of information society services.
4. Modalities of data processing
Your personal data will be processed using paper, computer, and telematic tools, with logic strictly related to the aforementioned purposes and, in any case, adopting appropriate methods to ensure security and confidentiality in compliance with the provisions of art. 32, GDPR.
5. Storage life
Your personal data will be processed by the Controller for the time necessary to establish and manage the existing relationship. Data subject to legal retention obligations or potentially necessary for the protection of the rights deriving from the existing relationship will be retained in compliance with the applicable regulations, generally for 10 years. The data will be used by the Controller for sending advertising information (marketing activities) until consent is revoked.
6. Categories of recipients
Without prejudice to the communications made to comply with legal and contractual obligations, all data collected and processed may be communicated exclusively for the purposes indicated above to companies or external professional firms that provide assistance for exercising rights and fulfilling the legal obligations arising from the existing relationship (e.g. accountants, lawyers, employment consultants), entities responsible for managing payments and related functions (e.g. banks, online payment systems), public administrations for the performance of institutional functions within the limits established by law or regulations (e.g. Revenue Agency, Territorial Bodies – Police Headquarters – Ministry of the Interior). The recipients of the data may also be IT companies or IT service providers that offer IT services or IT support (e.g. cloud storage services, hosting services, data traffic management), as well as parties that carry out social media management activities. For the pursuit of the aforementioned purposes, your personal data become known to persons authorized by the Controller to process personal data; these subjects assist or work for the Controller to ensure efficient business operations (e.g. managers, collaborators, employees or similar personnel). The subjects belonging to the above categories operate, in some cases, as independent data controllers. The data are not subject to dissemination. More details can be obtained by contacting the Controller.
7. Communication of the intention to transfer data outside the EU
The possible transfer of personal data outside the EU is governed by specific contracts aimed at imposing on the recipient compliance with adequate guarantees provided for by current privacy regulations, or made in favor of parties that benefit from an adequacy decision (pursuant to articles 45 – 46 GDPR). In the event of a transfer, a copy of the adequate guarantees can be requested from the Controller.
8. Consequences of failure to provide the data
• For the purposes referred to in point 3, letter A of this notice, failure to provide data makes it impossible for the Controller to fulfill the requested obligations and legal requirements.
• If you do not give consent specifically and distinctly for the purposes referred to in point 3, letter B, the Controller cannot carry out indirect marketing activities. Consent is always revocable.
• No consequences are foreseen for failing to provide data for the purposes of legitimate interest referred to in point 3, letter C, or for freely provided information.
9. Right of the data subject
As a data subject, you have all the rights provided for by personal data protection legislation. With particular reference to articles 15 to 21 GDPR, the following rights are highlighted: right of access; right of rectification; right to erasure (right to be forgotten); right to restriction of processing; right to data portability; right to object at any time to the processing of personal data for direct marketing purposes based on the condition of legitimate interest, including profiling, except in situations not related to marketing, where the Controller has legitimate grounds for continuing the processing that prevail over the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of a legal claim. You also have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Furthermore, you have the right to lodge a complaint with the supervisory authority (Garante per la protezione dei dati personali). For more information, you can consult the Garante’s website at garanteprivacy.it.
10. First recommended method
The data subject may exercise his or her rights at any time by contacting the Controller. To be sure that the request is received, the Controller suggests using the following methods: a registered letter with return receipt to HOTEL VILLA ROSA S.R.L. Lungolago Cesare Battisti n. 89, cap 25015, Desenzano Del Garda (Bs) or a written notice sent by certified email (PEC) to hotelvillarosasrl@no-spam.legalmail.no-spam.it.
11. The controller and more contact information
The Controller is HOTEL VILLA ROSA S.R.L., Company Register of the Brescia Chamber of Commerce, Italian VAT number, tax code and registration number: 03741690238, registered capital of €15,000.00, with registered office at Lungolago Cesare Battisti n. 89, cap 25015, Desenzano Del Garda (Bs), tel. +39 030 9141974, e-mail amministrazione@no-spam.villarosahotel.no-spam.eu, PEC hotelvillarosasrl@no-spam.legalmail.no-spam.it.
12. Contact details of the data protection officer
The Controller has designated Adv. Valentina Remonato as its DPO, e-mail studiolegale@no-spam.valentinaremonato.no-spam.it, tel. +39 338 8785457.
Updated 19/07/2022