INFORMATION ON THE PROCESSING OF PERSONAL DATA

HOTEL VILLA ROSA S.R.L. as Controller, informs the data subjects as required pursuant to articles 13-14 EU Regulation 2016/679 (hereinafter GDPR) that personal data will be processed with the modalities and for the purposes indicated below.

Definitions

• Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (article 4 GDPR).

• Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

• Controller determines the purposes and means of the processing of personal data.

• Processor processes personal data on behalf of the controller;

Purposes of the processing, legal basis, data sources

The Controller processes the personal data communicated to him during the exercise of his activity as described in the Companies Register (R.I., CCIAA). Therefore, the data are communicated for the conclusion of contracts (written or oral), for the execution of what was agreed. Data are communicated by the customer also potential, which can be a company, these data may concern the legal representatives (or other operators) of the same our client. The updating, verification and use of personal data relating to members of a company may also be consequence of the access to the public registers where the company is registered (e.g. Companies Register at the Chamber of Commerce – CCIAA).

Personal data are processed for these following purposes:

• Perform the agreed activity (pre-contractual measures or contract that can be written or oral, for example data processing to fulfil pre-contractual needs, hotel or restaurant activities necessary for responding to requests, c.d. contractual and pre-contractual purpose).

• Pursue a legitimate interest: The Controller is entitled to effectively carry out his business, within the limits of the reasonably expected, such as sending communications, responding to requests received or establishment, exercise or defense of legal claims. It is possible that the personal data are legitimately and freely communicated to the Controller without prior request. In this case, the data is received by the Controller in the context of its general activities and treated for legitimate interest if the request is legitimate (c.d. purpose of legitimate interest). The data sent by the data subject are treated lawfully also for his consent.

• Fulfill a legal obligation (for example, compliance with tax obligations).

• Only with the specific and distinct consent of the data subject to receive advertising communications from the Controller for other products and services (so-called indirect marketing purpose).

Data collected from the website

Browsing this website may involve the collection and subsequent further processing of your personal data as specified in the Cookie policy made available on it. Any requests for information may involve the collection and subsequent further processing of your personal data (such as name, surname, e-mail, etc.). In particular, the collection of personal data can take place by filling in the contact form made available on the website or through other way, for example by sending your e-mail.

If the contact forms are used, the provision of data is necessary for the Controller to satisfy the related requests. Failure, partial or incorrect provision of personal data marked as mandatory does not make it possible to perform the requested service. In the event that it has been omitted to provide one or more mandatory personal data, an error message will appear.

Categories of personal data

For the purposes mentioned above, the Controller processes ordinary personal data (Controller not process sensitive data). Ordinary data are, for example, identification data and contact details (name, surname, fiscal code, address, telephone number, e-mail and other contact data). For the purposes mentioned above, the Controller processes ordinary personal data (Controller not process sensitive data). Ordinary data are, for example, identification data and contact details (name, surname, fiscal code, address, telephone number, e-mail and other contact data). With the booking for specific services is possible to receive information about specific needs related for example to allergy or medical condition, this information concerning health is used to give adequate service only, in this case, the request related to the service is covered by explicit consent.

Categories of recipients

Without prejudice to the communications made in compliance with legal and contractual obligations, all the data collected and processed may be communicated exclusively for the purposes specified above to external companies or professional offices that provide assistance for the exercise of rights and compliance of legal obligations related with the business activity of the Controller (e.g. accountants, lawyers, specialized consultants); credit institutions, public administrations for institutional functions in compliance with the limits established by law or regulations (e.g. Italian Revenue Agency, Police Headquarters, Ministry of the interior, Territorial Authorities).

Data recipients may also be IT companies or IT operators that provide IT services or IT assistance services (e.g. cloud storage services, hosting services and data traffic managers), subjects in charge of communication activities (e.g. Social Media Manager). For the purposes described above, personal data are known to those who work as authorized persons by the Controller, such subjects help the Controller to carry out his activities efficiently (e.g. collaborators, employees or subjects with similar functions and corporate bodies, including the board of auditors, exercising their functions.). The subjects belonging to the categories listed above operate, in some cases, as controllers. More details can be obtained by contacting the Controller.

Storage life

The personal data will be processed during the period necessary to establish and manage the existing business relationship. The data will be conserved for the time established by law or for the time potentially necessary for the protection of the rights deriving from the relationship, always in compliance with the reference standards. The storage period therefore generally corresponds to 10 years. The data will be used by the Controller for sending advertising information (marketing activities) until consent is revoked.

Modalities

Personal data will be processed using instruments that guarantee security and confidentiality in accordance with the provisions of the article 32 GDPR.

Data transfer

Personal data transfer outside the EU is regulated by specific contracts that impose upon recipient the respect of the adequate guarantees in compliance with the current legislation on Privacy, or to subjects who enjoy a decision of adequacy (article 44 et seq. GDPR); a copy of the adequate guarantees will be obtained, in the case of transfer, contacting the Controller.

Possible consequences of failure to provide the data

For the Controller will be impossible comply with the requests received and his legal obligations in case of failure to provide the data requested for contractual and pre-contractual purposes. The Controller cannot use personal data for the marketing purposes described above in the absence of the data subject’s explicit consent. No consequences are expected for failure to provide data necessary for the purposes of the legitimate interest described above.

Right of the data subject

The Controller recognizes to the data subject all his rights and faculties, with particular reference to art. 15 to 21 GDPR, the following rights are highlighted:

• Right of access by the data subject, article 15, GDPR: the right to obtain confirmation as to whether or not personal data are being processed, and, where that is the case, access to the personal data and obtain a copy.

• Right to rectification, article 16, GDPR: the right to obtain from the controller without undue delay the rectification of inaccurate personal data and the right to have incomplete personal data completed.

• Right to erasure (‘right to be forgotten’), article 17 GDPR: the right to obtain from the controller the erasure of personal data without undue delay and the controller have the obligation to erase personal data without undue delay where one of the regulation grounds applies.

• Right to restriction of processing, article 18 GDPR: the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing for legitimate interest and pending the verification whether the legitimate grounds of the controller override those of the data subject.

• Right to data portability, article 20 GDPR: the right to receive the personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means; the right to have the personal data transmitted directly from one controller to another, where technically feasible.

• Right to object, article 21 GDPR: the right to object at any time to processing of personal data which is based on legitimate interest, including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

• Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

• Right to lodge a complaint to the supervisory authority (Garante per la protezione dei dati personali with office in Piazza di Montecitorio n. 121, 00186, Roma). For further details please visit www.gpdp.it website.

Recommended method

The data subject may at any time to exercise his rights contacting the data controller, to be secure that the request will be received the Controller suggests to use the follows methods:

– a registered letter with return receipt to HOTEL VILLA ROSA S.R.L. Lungolago Cesare Battisti n. 89, cap 25015, Desenzano Del Garda (Bs)

– or a written notice sent by certified email (PEC) to hotelvillarosasrl@legalmail.it.

All contact information

The Data Controller is HOTEL VILLA ROSA S.R.L., company register at the Brescia Chamber of Commerce, Italian VAT number, tax code and registration number: 03741690238, registered capital of € 15,000.00 with registered office in Lungolago Cesare Battisti n. 89, cap 25015, Desenzano Del Garda (Bs tel. +39 030 9141974, e-mail amministrazione@villarosahotel.eu, pec hotelvillarosasrl@legalmail.it.

Contact details of the data protection officer

The Controller has designated adv. Valentina Remonato his DPO, e-mail studiolegale@valentinaremonato.it, tel. +39 338 8785457.