DETAILED NOTICE PURSUANT TO ARTICLES 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)
The data controller releases the following notice pursuant to articles 12, 13 and, where applicable, 14 of the GDPR with regard to the processing of personal data provided by the Customer/data subject by filling in and signing the Contract for the purchase of the products/services offered for sale by the data controller, by spontaneously uploading personal data to this website (in particular by filling in forms) or simply by browsing the site.
1. Data controller and contact details
The data controller is HOTEL CASTELLO – SARA S.r.L., with its registered office in Modena (MO), Via Armando Pica 321, tax code 01806630362, VAT number 01806630362, tel. +39 059 361033, fax +39 059 366024, e-mail firstname.lastname@example.org, web www.hotelcastello-mo.it (hereinafter the Site).
2. Principles that apply to processing
Pursuant to the provisions of the GDPR, the data controller endeavours constantly to ensure that the personal data are:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures;
- processed, if based on consent given by a freely taken decision by the Customer/data subject, on the basis of a request for consent presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
The data controller shall adopt appropriate technical and organisational measures to ensure the protection of the personal data by design and to guarantee that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
The data controller shall collect and take utmost account of the instructions, observations and opinions of the Customer/data subject sent to the aforementioned addresses, in order to implement a dynamic privacy management system which ensures the effective protection of persons with regard to the processing of their data.
This notice may be amended, in accordance with the evolution of the reference regulations and of the technical and organisational measures that are adopted by the data controller at any given time; the Customer/data subject should, therefore, visit this section of the Site periodically to read the updates made to the Notice over time.
3. Modalities of processing of personal data
The personal data shall be processed manually and with electronic tools, using logics strictly for the purposes stated above and in such a way as to guarantee the security and confidentiality of the data.
4. Purposes of processing of personal data
(4a) Purposes which require the processing of data
The personal data provided by the Customer/data subject shall be processed mainly for the performance of the Contract and the management of credit and, more generally, for the management of the relationship arising from the Contract.
The provision of data in the Contract or subsequently, during the contractual relationship, for the purposes of the processing in question is mandatory; therefore, failure to provide such data or their partial or incorrect provision shall render the establishment and/or the performance of the Contract impossible. The Customer/data subject will not be able to use the products/services offered by the data controller, potentially exposing the Customer/data subject to liability for breach of contract.
The personal data provided by the Customer/data subject may also be subject to processing if this is necessary for the fulfilment of a legal obligation of the data controller, in order to safeguard the vital interests of the Customer/data subject or of another natural person, for the performance of a task of public interest or linked to the exercise of public powers with which the data controller is tasked, or to satisfy a legitimate interest of the data controller or of third parties, on the condition that the rights and fundamental freedoms of the Customer/data subject do not prevail; also in those cases, the provision of data is mandatory and, therefore, failure to provide such data or their partial or incorrect disclosure may expose the Customer/data subject to liabilities and sanctions as foreseen by the Law.
(4b) Additional purposes of the processing of data following the specific and explicit consent of the Customer/data subject.
Other than the aforementioned purposes of processing, the personal data provided/acquired may be processed, with the consent of the Customer/data subject to be granted by selecting the box “I consent” on the Contract or the Site (or using other social or web applications of the data controller), also for market research and for commercial and promotional communications over the telephone (also using the mobile number provided) and by automated contact systems (e-mail, SMS, MMS, fax, etc.) regarding products/services offered by the data controller or by companies of the Group to which the data controller may belong.
Consent for the purposes of processing under this point (4b) is optional; therefore, following refusal to grant such consent, the data will be processed exclusively for the purposes under the previous point (4a), except for the cases mentioned below with reference to the legitimate interests of the data controller or of third parties.
5. Categories of personal data processed
The data controller shall process mainly identification/contact data (name, surname, addresses, type and number of identity documents, telephone numbers, e-mail addresses, tax/invoicing data, among others) and, if commercial transactions are envisaged, financial data (related to banking, especially details of current accounts, credit card numbers, and other data related to the aforementioned commercial transactions).
The processing carried out by the data controller, both for the execution of the Contract and based on the express consent of the Customer/data subject, shall not concern, in general, particular categories of personal data that are recognised as sensitive (that reveal racial or ethnic origin, political opinions, religious convictions, the state of health or sexual orientation, etc.), or genetic and biometric data or so-called judicial data (related to criminal convictions and offences).
However, it cannot be ruled out that the data controller, in order to fulfil the obligations arising from the Contract, may be obliged to store and/or process sensitive, genetic, biometric or judicial data of the Customer/data subject or of third parties, which the Customer/data subject holds in his/her capacity as data controller; in the case in question, the processing by the data controller shall be mandatory, under the conditions and within the limits of the appointment of the data controller as data processor by the Customer/data subject.
In his capacity as data controller with reference to the Site and, potentially, as data processor appointed (under the aforementioned terms) by the Customer/data subject, the data controller shall also process so-called browsing data. Computerised systems and software procedures dedicated to the operation of websites acquire, throughout their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected in order to be associated to identified subjects but which, by its very nature, may allow the identification of the data subject. This category of information includes geolocalisation data, IP addresses, the type of browser, the operating system, the domain name and the website addresses from which the site was accessed or exited, information on pages visited by the users inside the site, the time of access, the duration of presence on an individual page, the analysis of internal browsing and other parameters related to the user’s operating system and IT environment. This is, therefore, information that, by its nature, allows, through elaboration and association with data held by third parties, the identification of users.
Further, the Site may use both session cookies (that are not stored on the data subject’s computer and disappear once the browser has been closed) and persistent cookies, for the transmission of personal information, or, in any case, systems to track the data subjects.
6. Source of personal data
The personal data processed by the data controller are collected directly by the data controller from the Customer/data subject at the time of and during his/her browsing of the Site or by using other social or web applications of the data controller) or, also via its own advertisements, on the occasion of or following the signature of the Contract, during its performance or from public sources.
As mentioned above, the data controller, as data processor charged therewith and in order to fulfil the obligations arising from the Contract, may store and/or process data, especially browsing data and potentially also sensitive, genetic, biometric and judicial data which the Customer/data subjects holds in his/her capacity as data controller, acquired with the consent of said third parties, at the time of or during the browsing by said third parties of the Site (or by using other social or web applications of the data controller).
7. Legitimate interests
The legitimate interests of the data controller or of third parties may constitute a valid legal basis for the processing, on the condition that the interests or the rights or the fundamental freedoms of the data subject do not prevail. In general, such legitimate interests may arise from a pertinent and appropriate relationship between the data controller and the data subject, for example where the data subject is a customer of the data controller. The following, in particular, shall constitute a legitimate interest of the data controller for the processing of the personal data of the Customer/data subject: for the purposes of prevention of fraud, for purposes of direct marketing, to ensure the free circulation of such data inside the Group of undertakings to which the data controller may belong, or related to the traffic, in order to guarantee the security of networks and of the information, i.e. the ability of a network or a system to resist unforeseen events or illegal acts that may compromise the availability, authenticity, integrity and confidentiality of data.
8. Circulation of personal data
(8a) Disclosure of personal data – categories of recipients
Aside from the employees and various partners of the data controller (who have been authorised by the data controller to process data based on adequate written operational instructions, in order to guarantee the confidentiality and security of the data), certain processing operations may also be carried out by third parties, to whom/which the data controller entrusts certain activities or part thereof, useful for the purposes under point (4a), i.e. in fulfilment of both contractual and legal obligations, among which the following are worthy of mention, by way of a non-limiting example: commercial and/or technical partners; companies that provide banking and financial services; companies that provide document archiving services; debt recovery companies; auditing and financial statement certification companies; rating companies; persons who carry out activities of professional support and consultancy for the data controller; companies that provide customer care services; factoring companies, companies who securitise receivables or credit transfer companies; companies of the Group to which the data controller may belong; persons who provide commercial information; IT service companies. The persons belonging to the aforementioned categories shall process the persona data in question as independent data controllers, or as data processors, with reference to specific processing operations that are included in the contractual performance that said persons carry out in favour/on behalf of the data controller; the data controller shall provide the data processors with adequate written operational instructions, with particular reference to the adoption of the minimum security measures, so as to guarantee the security and confidentiality of the data.
Certain processing operations may be carried out by third parties, to whom/which the data controller entrusts certain activities or part thereof, useful also for the purposes under point (4b), among which the following are worthy of mention, by way of a non-limiting example: commercial and/or technical partners; companies that provide marketing services institutionally; advertising agencies; persons who carry out support and consultancy activities with regard to competitions and sweepstakes. The persons belonging to the aforementioned categories shall process the persona data as independent data controllers, or as data processors, with reference to specific processing operations that are included in the contractual performance that said persons carry out in favour/on behalf of the data controller; the data controller shall provide the data processors with adequate written operational instructions, with particular reference to the adoption of the minimum security measures, so as to guarantee the security and confidentiality of the data.
The periodically updated list of data processors with whom/which the data controller maintains relationships is available on written request addressed to the registered office of the data controller.
Personal data may also be communicated, on request, to the competent authorities, in fulfilment of obligations arising from binding provisions of the law.
(8b) Transfer of personal data to Third Countries
The personal data of the Customer/data subject may also be transferred abroad, both in European Union Countries and Countries outside the European Union and, in the latter case, either based on a decision of adequacy or in the context and with the adequate guarantees provided for by the GDPR (i.e., in particular, in the presence of model contractual clauses for the protection of data approved by the European Commission) or, other than the aforementioned circumstances, under one or more of the derogations provided for by the GDPR (in particular, following the explicit consent of the Customer/data subject or for the performance of the Contract concluded by the Customer/data subject, or for the implementation of a contract stipulated between the data controller and another natural or legal person in favour of the Customer/data subject, notably for the performance of activities required of the data controller for the performance of the Contract concluded with the Customer/data subject). In the event of transfer of data to Countries outside the European Union, the Customer/data subject may, on written request addressed to the registered office of the data controller, get to know the adequate guarantees or the derogations that justify the cross-border transfer.
It goes without saying that, in the event of transfer of the data to Countries outside the European Union, for all requests concerning the data and for the exercise of the rights granted to the Customer/data subject by the GDPR, the latter may always address the data controller.
9. Criteria for the determination of the time of retention of the personal data
For the purposes under point (4a) above, the time of retention of the personal data provided by the Customer/data subject and their eventual subsequent processing shall coincide with the statutory limitation period of the rights/obligations (legal, tax, etc.) arising from the Contract: i.e. usually 10 years, unless in the case of acts that interrupt the limitation period which could, in fact, prolong it.
For the purposes under point (4b) above, the time of retention of the personal data provided by the Customer/data subject and their eventual subsequent processing shall end with the withdrawal of the consent provided by the Customer/data subject or, in the absence of consent, one year after the end of all relationships between the data controller and the Customer/data subject.
10. Rights of the Customer/data subject
The data controller recognises – and facilitates the exercise by the Customer/data subject of – all the rights granted by the GDPR, especially the right to request access to the personal data that concern him/her and to obtain a copy thereof (article 15 of the GDPR), the right to rectification (article 16 of the GDPR), and to the erasure of the data (article 17 of the GDPR), the rights of restriction of the processing that concerns him/her (article 18 of the GDPR), the right to the portability of the data (article 20 of the GDPR, if the requirements are met) and the right to object to the processing that concerns him/her (articles 21 and 22 of the GDPR, for the cases mentioned above and, in particular, in case of processing for marketing purposes or that is carried out via an automated decision-making process, including profiling, which produces legal effects that concern him/her, if the requirements are met).
The data controller also recognises, in cases where the processing is based on consent, the right of the Customer/data subject to withdraw said consent at any time, without prejudice to the lawfulness of the processing based on the provided consent prior to the withdrawal. In order to do this, the Customer/data subject may at any time unregister from the Site (or other social or web applications of the data controller) either by using the link at the bottom of all commercial communications received, or by contacting the data controller at the aforementioned addresses.
The data controller shall also inform the Customer/data subject of the right to lodge a complaint with the Personal Data Protection Authority in its capacity as supervisory authority in Italy and to bring court proceedings both against a decision of the Data Protection Authority and against the data controller and/or a data processor.
11. Security of systems and of personal data
Bearing in mind the state of the art and the implementation cost, as well as the nature of the subject, the scope and the purposes of processing, as well as the risk, in terms of probability and severity, to the rights and freedoms of natural persons, the data controller shall adopt the technical and organisational measures that can guarantee a security level appropriate to the risk presented, especially by ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of the processing systems and services (also through the encryption of the personal data, where necessary) and the ability to promptly restore the availability of the data in case of physical or technical incident, and by adopting internal procedures aiming at regularly testing, verifying and assessing the efficacy of the technical and organisational measures adopted.
In assessing the adequate level of security, the data controller shall take into account the risks presented by the processing and which arise, in particular, from the unauthorised destruction, loss, modification, disclosure of or the accidental or illegal access to the personal data transmitted, stored or in any way processed.
The data controller shall endeavour to ensure that any one who acts under his authority and has access to personal data does not process them unless he/she has been authorised to by the data controller.
Having said this, the Customer/data subject understands and accepts that no security system guarantees certain and absolute security; therefore, the data controller shall not be liable for acts or deeds by third parties who may access the systems while not duly authorised, despite the adequate protections that have been adopted.
12. Automated decision-making processes, including profiling
The data controller may carry out automated processing, including profiling, in relation to the purposes under point (4b) above, to optimise the browsability of the Site (or the usability of other social or web applications of the data controller) and to improve the purchasing experience, without prejudice to what has been mentioned above with regard to the rights of objection and withdrawal of consent by the Customer/data subject.
The term “profiling” shall mean any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s personal preferences, interests, location, also in order to create profiles, or homogeneous groups of persons by characteristic, interest or behaviour.
The data controller shall not carry out any automated processing that produces legal effects which concern the Customer/data subject or which impinge significantly on his/her person, except where this is necessary for the conclusion or the performance of the Contract, is authorised by the law or is based on the explicit consent of the Customer/data subject, always recognising the latter’s right to obtain human intervention, to express his/her opinion and to appeal against the decision.