Pursuant to current legislation on the protection of personal data – art. 13 of EU Regulation 2016/679, hereinafter GDPR – we wish to inform you that the processing of your personal data will be carried out correctly and transparently, for lawful purposes and protecting your privacy and your rights as provided for by art. 5 of the aforementioned regulation, guaranteeing the protection of natural persons pursuant to Art. 1 paragraph 2 of the aforementioned Regulation, respecting “the fundamental rights and freedoms of individuals”.
1. DATA CONTROLLER
The Data Controller is Italy Lodge S.r.l. with registered office in Piazza Verbano, 22 – 00199 Rome and operational headquarters in Loc. Rocca Ripesena, 62 – 05018 Orvieto (TR) VAT number / Tax Code 09281981002. Website www.altroccawineresort.com.
The Legal Representative is Sabrina Ceprini.
The list of internal and external Data Processors is constantly updated and conserved at the headquarters of the Data Controller.
2. TYPES OF DATA PROCESSED
The data being processed are personal and identifying: for accounting and tax purposes.
The acquired data are necessary for the resolution of the agreements between the parties, such as: name, surname, email address, telephone number, place and date of birth, domicile, gender, tax code and data relating to the personal identification document.
The data are also of an accounting and fiscal nature necessary for the resolution of agreements between the parties such as: company name, VAT number, tax code, bank data, etc..
Furthermore, images from the video surveillance system will be collected.
The Data Controller uses channels and web networks as social networks. Please note that the processing of users’ personal data responds to the policies in use on the platforms used (Twitter, Facebook, YouTube, etc.). The data shared by users through private messages sent directly to the channels of the Data Controller will be processed in compliance with the data protection laws in force.
The treatments are carried out in a mixed way: on paper and with the aid of IT means.
4. PURPOSE OF THE TREATMENT
The data processing is carried out for the following purposes:
- to acquire and confirm your booking of accommodation and ancillary services, and to provide the requested services;
- to fulfill the obligation set out in the “Consolidated Law on Public Security Laws” (article 109 of RD 18.6.1931 n. 773), which requires us to communicate to the Police Headquarters, for public safety purposes, the general information of the customers accommodated according to the established modalities by the Ministry of the Interior (Decree of 7 January 2013);
- to comply with current administrative, accounting and tax obligations;
- to speed up the registration procedures in case of subsequent stays at our facility;
- to carry out the function of receiving messages and telephone calls addressed to you, during your stay, if required or necessary;
- to send you our promotional messages and updates on the rates and offers made by marketing and promotions by the Owner;
- to protect the person, his or her property and company assets for the purpose of protecting people, property and company assets through a video surveillance system of some areas of the structure, identifiable by the presence of special signs. For this treatment, your consent is not required, as it pursues our legitimate interest in protecting people and property against possible aggressions, thefts, robberies, damages, acts of vandalism and for purposes of fire prevention and work safety. The recorded images are deleted after 24 hours, except on holidays or other cases of closure during the year, and in any case are held no later than one week. They are not subject to disclosure to third parties, unless a specific investigative request from the judicial police authority must be adhered to.
5. LEGAL BASIS
The provision of data for the purposes expressed in the previous points 1., 2., 3., 7., is necessary and is mandatory for all that is required by legal and contractual obligations and by the regulations in force in Italy; therefore any refusal to provide it, in whole or in part, may result in the inability to provide the requested services.
The treatment will cease on your departure, but some of your personal data may or must continue to be processed for the purposes and in the manner indicated.
The provision of data for the purposes expressed in letters 4., 5., 6., are optional and can be made at your discretion on the basis of clearly expressed consent, that is, through the explicit approval of this information and in relation to the purposes described. Your consent can be revoked at any time. Any refusal will result in the inability to provide the services described.
The data acquired for these purposes are kept by us for the time required by the respective regulations and therefore 10 years.
6. STORAGE PERIOD
Your data will be processed for as long as necessary to resolve the purposes referred to in point “4-Purpose of the Treatment”, after acquiring your written consent. The data will be kept for 10 years following the acquisition.
7. CATEGORIES OF RECIPIENTS
Without prejudice to the communications made in fulfillment of legal and contractual obligations, all the data collected and processed may be communicated exclusively for the purposes specified above to the following categories of interested parties:
- The accounting consultant who processes your data for accounting and tax compliance;
- Internal and External Managers;
- Supervisory and control authority;
within the management, those Authorized to perform the Processing who are identified in writing and to whom specific instructions have been provided may become aware of your data.
8. DATA TRANSFER
Your data are used by the Data Controller and are not transferred for use by third party countries. Personal data are stored on servers located in Italy. In any case, it is understood that the Owner, if necessary, will have the right to move the servers even outside the EU. In this case, the Data Controller ensures as of now that the transfer of non-EU data will take place in accordance with the applicable legal provisions, subject to stipulation of the standard contractual clauses provided by the European Commission.
9. RIGHTS OF THE INTERESTED PARTY
In relation to the treatments described in this Information, as an interested party you can, under the conditions provided by the GDPR, exercise the rights according to articles 15 to 21 and, in particular, the following rights:
right of access – article 15 GDPR: right to obtain confirmation that personal data processing is or is not being processed and, in this case, obtain access to your personal data, including a copy of the same.
right of rectification – article 17 GDPR: right to obtain, without undue delay, the deletion of personal data concerning you.
right to deletion (diritto all’oblio) – article 17 GDPR: diritto di ottenere, senza ingiustificato ritardo, la cancellazione dei dati personali che La riguardano.
right to limitation of treatment – article 18 GDPR: right to obtain the limitation of treatment, when:
- the interested party disputes the accuracy of personal data, for the period necessary for the owner to verify the accuracy of such data.
- the treatment is illegal and the interested party opposes the elimination of personal data and instead requests that their use be limited.
- personal data are necessary for the interested party to ascertain, exercise or defend a right in court.
- the interested party opposed the treatment pursuant to art. 21 GDPR, in the waiting period of the verification regarding the possible prevalence of legitimate reasons of the data controller with respect to those of the interested party.
Right to data portability – Article 20 GDPR: right to receive, in a structured format, commonly used and readable by an automatic device, the personal data concerning you provided to the Owner and the right to transmit them to another holder without impediments, if the treatment is based on consent and is carried out by automated means. Furthermore, the right to obtain that your personal data are transmitted directly by the Bank to another holder if this is technically feasible.
Right to object – Article 21 GDPR: right to object, at any time for reasons related to your particular situation, to the processing of personal data concerning you based on the condition of lawfulness of the legitimate interest or of the performance of a public interest task or the exercise of public powers, including profiling, unless there are legitimate reasons for the Data Controller to continue processing, which prevails over the interests, rights and freedoms of the interested party or for the assessment, exercise or defense in a court of law. Furthermore, the right to object at any time to the processing, if personal data are processed for direct marketing purposes, including profiling, insofar as it is connected to such direct marketing.
The aforementioned rights may be exercised against the Data Controller by citing the references described above.
Right of revocation: The interested party has the right to withdraw his consent at any time. The withdrawal of consent does not affect the lawfulness of the treatment based on consent before the revocation.
Right of complaint: The interested party has the right to lodge a complaint with the Guarantor Authority for the protection of personal data by writing to Piazza di Montecitorio n. 121 – 00186 Rome (RM)
10. METHODS TO EXERCISE RIGHTS
For further information, and to assert the rights recognized by the European Regulation, you may contact the Data Controller at the following addresses:
Postal Address: Italy Lodge S.r.l. – Piazza Verbano, 22 – 00199 Rome
PEC email: firstname.lastname@example.org
The Data Controller