HOTEL VILLA ROSA S.R.L. (hereafter Controller) informs as required pursuant to articles 13 EU Regulation 2016/679 (hereinafter GDPR) that personal data will be processed with the modalities and for the purposes indicated below.

1. Definitions

  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
  • Controller determines the purposes and means of the processing of personal data.
  • Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (article 4 GDPR).
  • The sensitive data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited (special data, art. 9 GDPR)

2. Object of the processing
The Data Controller processes personal data communicated to him for the performance of its business as described in the Business Register (Registro delle imprese).

3. Purpose of the processing and legal basis

A. Personal data are processed for these following purposes:
• Perform contracts or pre-contractual measures (processing of data to carry out activities necessary for the execution of the hotel activity requested or specifically agreed in writing or orally form, such as room reservations and ancillary services. The lawfulness of processing according to art. 6 p. 1.b GDPR).
• With the booking it is possible that information related for example to allergies is provided, the data thus freely provided and concerning health are used only to provide the requested service, in this case there is explicit consent (Article 9, p. 2a).
• Fulfil legal obligations (for example fulfilment of tax obligations deriving from existing relationships with you). The lawfulness of processing pursuant to art. 6, point 1.c, GDPR.

B. Only with your specific and distinct consent to receive advertising communications from the Controller for other products and services (so-called indirect marketing purpose). Lawfulness of processing according to Article 6, p. 1.a GDPR.

C. The data are also processed to pursue the legitimate interest of the Controller (the lawfulness of the processing pursuant to art. 6 point 1.f, GDPR): within the limits of what can reasonably be expected, the Controller has the right to carry out effectively his business, such as sending communications, responding to requests received, exercising a right or defending in court. It is possible that personal data may be legitimately and freely communicated to the Controller without a previous request. In this case, the data is received by the Controller as part of its general business activity and processed for legitimate interest. The data freely sent by the data subject are processed lawfully also considering his consent.
The Data Controller specifies that the person who communicates the data must be able to communicate them, It should be noted that data cannot be sent to the Data Controller if it happens in violation of the law. Minors must not communicate information to the Data Controller. By law, minors under the age of 14 cannot even express consent to the processing of their personal data in relation to the direct offer of information society services.

4. Modalities of data processing
The processing of your personal data will take place using paper, computer and telematic tools, with logic strictly related to the indicated purposes and, in any case, with methods suitable for guaranteeing security and confidentiality in accordance with the provisions of art. 32, GDPR.

5. Storage life
Your personal data will be processed by the Controller for the time necessary for the establishment and management of the existing relationship. The data are prone to conservation obligations established by law or potentially necessary for the protection of the rights deriving from the relationship, and it will be kept in compliance with the reference law standards, usually 10 years. The data will be used by the Controller for sending advertising information (marketing activities) until consent is revoked.

6. Categories of recipients
Without prejudice to the communications in fulfilment of legal and contractual obligations, all data collected and processed may be communicated exclusively for the purposes specified above to companies or external professional firms that provide assistance for the exercise of rights and the fulfilment of the legal obligations deriving from the relationship with you in place (e.g. accountants, lawyers, labour consultants), credit institutions, public administrations for the performance of institutional functions within the limits established by law or regulations (e.g. Revenue Agency, Territorial Bodies - Police Headquarters - Ministry of the Interior). The recipients of the data may also be IT companies or IT operators that provide IT services or IT assistance (e.g. cloud storage services, hosting services and data traffic managers). For the pursuit of the purposes described above, your personal data are known by the subjects who operate as persons authorized by the Controller to process personal data, these subjects assist or work for the Controller in order to allow him to carry out the business efficiently (e.g. collaborators, employees or similar personnel). The subjects - belonging to the above categories - operate, in some cases, as controllers. The data is not disclosed. More details can be obtained by contacting the Controller.

7. Data transfer
Personal data transfer outside the EU is regulated by specific contracts, that impose upon the recipient the respect of the adequate guarantees in compliance with the current legislation on Privacy, or to subjects who enjoy a decision of adequacy (under art. 45 – 46 GDPR); in the case of transfer, a copy of the adequate guarantees can be obtained contacting the Controller.

8. Consequences of failure to provide the data
• For the purposes referred to in point 3 letter A of this information: not providing the data will make impossible for the Data Controller to fulfil the requirements and its legal obligations.
• In the absence of your consent – that is requested expressly and specifically for the purposes referred to in point 3 letter B – the Controller will not be able to carry out indirect marketing activities. The consent is always revocable.
• No consequences are expected for failure to provide data for the purposes of legitimate interest referred to in point 3 letter C.

9. Right of the data subject
As data subject, you have recognized all the rights provided for the protection of personal data law, the following rights are highlighted with particular reference to art. 15 to 21 GDPR: right of access; right of rectification; right to erasure (right to be forgotten); right to limitation of the processing; right to data portability; right to object and therefore objecting at any time to the processing of personal data for direct marketing purposes based on the condition of the lawfulness of the legitimate interest including profiling. Unless, in cases not related to marketing purposes, there are legitimate reasons for the Controller to continue the processing that prevail over the interests, rights and freedoms of the data subject, or for the assessment, exercise or defence of a right in court; right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You are also entitled to lodge a complaint with the supervisory authority (Garante per la protezione dei dati). For more information, you can consult the website of the italian supervisory authority for the protection of personal data:

10. First recommended method
The data subject may at any time to exercise his rights contacting the data controller, to be secure that the request will be received the Controller suggests using the follows methods: a registered letter with return receipt to HOTEL VILLA ROSA S.R.L. Lungolago Cesare Battisti n. 89, cap 25015, Desenzano Del Garda (Bs) or a written notice sent by certified email (PEC) to

11. The controller and more contact information
The Controller is HOTEL VILLA ROSA S.R.L., company register at the Brescia Chamber of Commerce, Italian VAT number, tax code and registration number: 03741690238, registered capital of €15,000.00 with registered office in Lungolago Cesare Battisti n. 89, cap 25015, Desenzano Del Garda (Bs) tel. +39 030 9141974, e-mail, pec

12. Contact details of the data protection officer
The Controller has designated adv. Valentina Remonato his DPO, e-mail, tel. +39 338 8785457. UPDATE 19/07/2022

Read more
Villa Rosa Hotel
Lungolago C. Battisti, 89
25015 Desenzano del Garda (BS) // Italy
VAT no.: IT03741690238
T +39 030 9141974 //