DATA PROTECTION POLICY pursuant to
EU Regulation 2016/679
We would like to assure you that the processing of your personal data, those of your family members and / or members of your group will be based on principles of fairness, legality and transparency, as well as the protection of your privacy and your rights, in compliance with the mentioned regulation.
Pursuant to article 13 of GDPR 2016/679, therefore, we would like to provide the following information:
The Data Controller is Stabilimento Termale Ermitage Hotel S.p.A., with registered office in 35037 Teolo (PD), via Monteortone n. 50, tel. 049 8668111, e-mail firstname.lastname@example.org
The Data Protection Officer (DPO) appointed by the Data Controller is attorney Ms Carmen Pegoraro. Her domicile for this purpose is at the registered office of the Data Controller and she can be contacted at the following e-mail address: email@example.com
Subject of the processing
The Data Controller collects the following identification data of individuals:
- Personal details (such as, without limitation, name and surname, e-mail address, phone number and home address, credit card data);
- Information on your stays, including arrival and departure dates, special requests and your Service preferences (type of room, services and schedules, and other);
- Health status data and data on your needs which you are requested to supply in order for us to provide a better level of service in our hotel and protect your vital interests and those of the people travelling with you.
Purposes and lawfulness of processing
The Data Controller shall process the personal data supplied by the Hotel Customers:
- A) without your explicit consent for the following purposes:
- A-1) obtain and confirm your booking for room ,board and accessory, non health related services, and to provide said services – as their processing is necessary in order to execute and implement the relevant contract;
- A-2) comply with all legal, regulatory or community obligations or order by other Authorities, including, without limitation, administrative, accounting and tax activities;
- A-3) send greetings messages with the new price lists, promotions and corrections to the price of services already enjoyed by You in previous occasions, by e-mail or regular mail. These direct marketing activities are based on the legitimate interest of the Data Controller and therefore do not require your explicit consent. It is our duty to inform you, however, that we will always do our best to balance your data protection rights and interests against our own;
- A.4) comply with the obligation laid down in the Italian “Public safety consolidating act” (article 109 of the R.D. n. 773 of 18.6.1931) which requires us to communicate the details of customers staying at our hotel to the Police Headquarters, for public security purposes, in accordance with the procedures established by the Ministry of the Interior (Decree January 7, 2013).The provision of such data is mandatory and does not require your consent, and in case of refusal to provide them we shall be unable to welcome you to our hotel; the data collected for this purpose will not be retained in our hotel systems, unless you expressly authorise it.
Please be advised that, with regard to the purposes of processing A-1), A-2) and A-3), the provision of data is discretionary, but that their failed, partial or incorrect provision will, as a result, make it impossible to confirm your booking or provide the requested services.
- B) with your explicit consent, which you can revoke at any time, to:
- B-1) send, by e-mail, surveys, newsletters, promotional messages and/or invitations to events the Data Controller participates in or organises;
- B-2) to provide hotel services such as external communication of data on your stay exclusively for the purpose of allowing the hotel to receive objects, messages and phone calls addressed to you during your stay. This processing shall be terminated upon your departure;
- B-3) to facilitate the registration and check-in procedures in the course of subsequent stays in our hotel.
With regard to items B-1), B-2) and B-3), it should be specified that provision of personal data is discretionary. You may therefore decide to refuse consent to the processing and storing of already provided data: in this case, you will not receive objects, messages and phone calls during your stay, you will not be able to enjoy fast check-in procedures in the event of your return to our hotel and you shall not receive invitations to events, newsletters and surveys or promotional messages by e-mail. In any case, you will continue to be entitled to the Services referred to in letter A).
Data processing modalities
The processing of your personal data is performed by means of the operations indicated in art. 4 no. 2) of the GDPR, namely: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Your personal data are processed on paper, electronically and/or digitally, following organisation and processing logics that are strictly related to the purposes for which they are being processed and in any case in such a way as to guarantee the security, integrity and confidentiality of the data.
Access and communication
Your data may be made accessible and/or communicated:
- to employees and collaborators of the Data Controller, in their capacity as people in charge and/or internal data processors and/or system administrators;
- to third party companies or other subjects, contractually bound to the Data Controller (such as, without limitation: cloud providers, suppliers, hardware and software support technicians, forwarding agents and carriers, credit institutions, professional firms, etc.) who perform outsourced activities on behalf of the Owner, also in their capacity as data processors pursuant to art. 28 of GDPR;
- to supervisory bodies, judicial authorities as well as to all other subjects to whom communication is mandatory by law for the performance of the above purposes.
Your data will not be disclosed.
Your personal data shall be managed and stored within the European Union on servers of the Data Controller and / or third companies chosen and duly appointed as data processors, located in Italy.
Personal data storage period
The Data Controller shall process the collected data:
- for the purposes of item A-1) and A-2): for the time necessary to achieve the purposes for which the data were collected and, in any case, for no longer than required by legal compliance;
- for the purposes of item A-3) and B-1): for no longer than 2 years after their collection;
- for the purposes of item A-4): data collected for this purpose shall not be stored on the premises;
- for the purposes of item B-2): the processing shall case upon the customer’s departure;
- for the purposes of item B-3): for no longer than 10 years after their collection.
Rights of the data subjects
The data subject can, at any time, exercise the following rights:
- request access to the personal data: art. 15
- request and obtain rectification of inaccurate personal data: art. 16
- request the erasure of the processed personal data, where applicable (right to be forgotten): art. 17
- request the restriction of processing of their personal data: art. 18
- obtain data portability, where applicable: art. 20
- object to the processing: art. 21
- not to be subject to automated decision-making processes: art. 22
- revoke consent, if applicable; such revocation shall not prejudice for the legitimacy of any processing done on the basis of the previous consent;
- lodge a complaint with the Data Protection Authority, piazza Venezia 121, 00186 Roma: art. 77.
Your rights may be exercised by sending a request by email to firstname.lastname@example.org
Policy updated as at 30th July 2019
THE DATA CONTROLLER
Stabilimento Termale Ermitage Hotel S.p.A.