INFORMATION NOTE ON TREATMENT AND ON THE PROTECTION OF PERSONAL DATA
In the exercise of one's own business activity Hotel Borgo Antico reserve maximum attention to protection and to the protection of personal data of all those who work with it or interact (hereinafter referred to as " Interested " and / or " User "), adopting for this purpose every suitable, adequate and necessary procedure and system of safety.
Believing firmly in the principles of transparency and correctness, this information is therefore provided in order to provide all interested parties with a complete description about the methods and purposes of the processing of personal data that comes carried out in the provision of services and / or in the marketing of own assets (hereafter for the sake of brevity and together with each other " Services "), and this also in accordance with the provisions of Regulation (EU) no. 2016/679 in subject of protection of individuals with regard to data processing personal data, as well as the free circulation of such data (hereinafter referred to for the sake of brevity " GDPR ").
II. Owner and Manager of data processing personal
Holder of the processing of
personal data is Hotel Borgo Antico, based in VIA DI LUCIGNANO, recorded
at the Chamber of Commerce of SI to the number
Data processing only personal data provided to the Data Controller for the use of the Service Booking Engine (hereinafter referred to as " Web Booking ") will take place on behalf of of the same Controller of the Treatment (in the role therefore of responsible of the treatment pursuant to art. 28 of the GDPR) from the company Passepartout S.p.A., a company governed by San Marino law which predominantly operates in production and distribution of software and related services, based in the Republic of San Marino in Dogana (Cap 47891) in Via Consiglio dei Sessanta n. 99, registered with the Register of Companies under no. 6210 on 6 August 2010, with Economic Operator Code n. SM03473, share capital euro 2,800,000 i.v., contacted, for the purpose of this information, at the e-mail address or at the phone number 800 414243 (hereinafter also referred to as " Passepartout " and / or " Responsible of the Treatment ").
Passepartout S.p.A. has designed (i) as a representative in the European Union, pursuant to art. 27 of the GDPR, the company Paci Rappresentante Privacy Srl registered at the Chamber of Commerce of Romagna, share capital euro 10,000.00, based in Rimini, in P.tta Gregorio da Rimini n. 1, contactable, for the purposes of this statement, at the e-mail address or telephone number 0541 902128 (hereinafter referred to as " Sales Representative "); as well as (ii) a data protection officer (referred to in Chapter IV, Section 4 of the GDPR) that can be contacted at the e-mail address or at the phone number 800 414243.
III. Personal data
For personal data yes mean all information concerning an identified natural person or identifiable by reference to elements such as the name, the extremes of the identity document, the physical, physiological, genetic identity, economic, cultural or social status of that person, as well as through the extremes identifiers on its location.
Personal data as above described above are mainly dealt with when the interested party makes use of the Services and / or Web Booking.
The supply of all other personal data is optional but may be necessary to be able to use the Services and / or the Web Booking, like the data to make proposals, buy or sell that are necessary to complete an operation contractual.
Personal data are given directly from the Interested and / or acquired automatically through i devices when the Services and / or Web Booking are used, when they come provided the data in a web form on our sites, when it is created and / or updated an account or when the interested party contacts us in each other manner or provide your personal data expressly and with your consent, all as detailed below.
IV. Type and category of data treated
Personal data as above described, and for the provision of the Web Booking, the Data Controller (e for it the Data Processor) only collects the following types.
Personal data collected concern:
a) identifying information as a name, surname, date and place of birth, place of residence, social security number, lot number VAT and address, iss code, telephone number, e-mail address (also by post certified electronics), username, password, gender, or other data that we are kept or authorized to collect and process, in accordance with the law current, in order to authenticate or identify the User or to verify the information provided and collected;
b) IP address and navigation data and any other data concerns the interaction of the User with the Services and / or the Web Booking, for example when viewing or searching for content, you create or access the own account and / or a reserved area. Data is also collected relating to the devices and / or computers used by the User to access the Services and / or Web Booking, including the type of browser, unique code of the device, language, operating system, reference Web page, le pages visited, location and information about cookies, data on your computer and connection (for example, statistics on page views, traffic in and out of the sites, URL of origin).
c) data relating to offers, purchases or sales relating to Services and / or Web Booking provided during a pre-contractual negotiation and the its subsequent completion and any other data supplied with reference to such operations;
d) billing data (and any shipment) of the Services and / or of the Web Booking;
e) financial data taking into account that some Services and / or the Web Booking support payments and transactions with third parties. To this end it could it is necessary to provide certain data for identification and verification the identity of the interested party and the means of payment used, such as example the name, surname, credit / debit card number, date of expiry of the card. Such data where collected by the Responsible of the Treatment will only be saved in encrypted form. In some cases to allow the User to speed up new and similar in the future payment transactions, Passepartout could only store the last ones four digits of the card number;
f) geo location data, in particular through use of mobile devices;
g) cookies and similar technologies. In the provision of the Services and / or of the Web Booking, cookies, unique identifiers and others are used similar technologies to acquire data on pages and links visited and other similar actions, within the advertising or e-mail contents, the all in terms, according to the modalities and conditions foreseen in the appropriate policy available at the following link: https://www.passepartout.net/utility/cookie;
h) Treatment of special categories of personal data (cd "sensitive data")
They are not collected in any way and therefore are not treated, categories details of personal data such as data revealing the origin racial or ethnic, political opinions, religious beliefs or philosophical, or union membership, as well as processing genetic data, data biometrics designed to uniquely identify a natural person, data relating to the health or sex life or sexual orientation of person.
V. Purpose and modality of the data processing
Data processing personal data collected only and exclusively for the following purposes:
a) execute contracts related to the Services and / or the Web Booking.
Through the information and data communicated, we are able to execute the activities and contractual services provided for in the Services contracts and / or from the Web Booking requested by the Interested Party (also in the name and / or on behalf of third parties) or to carry out referable pre-contractual measures and / or negotiations the same Services and / or Web Booking, including administrative activities and accounting, management of tax obligations, payments and invoicing.
The information collected will also be used to contact the User in relation to his / her account or in any case regarding his / her contractual position, solve problems in the account and / or reserved area, resolve a dispute, carry out debt collection activities.
Personal data may also be processed to verify and resolve any anomalies in the functioning of the Services and / or Web Booking; to perform data analysis and testing, to conduct research and investigations and to develop new features services in order to provide the user with an ever better experience.
b) Offer security and protection to both personal data received and security systems adopted.
The collected data are also used to verify the identity and authenticate Users, allow to make and / or receive payments, protect against possible frauds and / or abuse, respond to a request or a complaint, perform checks, to prevent, detect mitigating and / or ascertaining security breaches and / or activities that are even potentially prohibited, illegal and / or illegal.
c) Communicate with the interested party.
The data could be used to contact the User for the purposes contained in this information and in the cases provided by law. The contact and communication could be via e-mail (also with certified e-mail), telephone, SMS, paper mail, push notifications on mobile devices.
We may use your information to send service communications and / or respond to your requests, to offer discounts and special promotions, to get to know your opinions via surveys or questionnaires.
d) Perform marketing activities.
With the express and specific consent of the User to be expressed according to the modalities specifically indicated from time to time, we may use the User's information to promote new products or services to which it might be interested, carry out marketing activities through telephone calls, and -mail (also with certified e-mail) or SMS, via paper mail, notifications push on mobile devices, as well as through third parties specifically charged.
In any case, the User may revoke the express consent on marketing activities by following the appropriate instructions included in the same tools used (eg newsletter, e-mail etc.) or by sending an email email@example.com.
The processing of personal data collected will be lawful and correct in accordance with the rules of the GDPR, using manual or automated systems that allow you to store, manage and transmit (both in paper and electronic format) the same data only for the purposes indicated in this information.
Only duly authorized personnel can access the personal data collected.
VI. legal basis of data processing
The legal bases by which we process the personal data of the interested party may be different, namely:
a) contracts established or to be established (with the interested parties) to use the Services; as well as
b) the consent of the interested party. This consent it may be revoked according to the terms and according to the methods indicated in the following section X , lett. a);
c) our legitimate interests [with respect to which it is possible propose opposition pursuant to the following paragraph X , lett. a) ], 752/5000 for example, by understanding the interest: to prevent fraud; to carry out direct marketing activities, improvement, customization and development of the Services; to carry out the marketing of new services or products that could be of interest to the User; to carry out the promotion of security and data protection; to carry out the processing of data within a group of companies or entities connected for internal administrative purposes, without prejudice to the general principles and regulatory requirements for the transfer of personal data within an entrepreneurial group also towards an enterprise located in a Third Country (for this reason a country is not belonging to the European Union).
The processing of personal data relating to traffic is also a legitimate interest, to the extent strictly necessary and proportionate to ensure network and information security, meaning the ability of a network or information system to resist, to a given security level, unforeseen events or illicit or malicious acts that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted and the security of the related services offered or made accessible through such networks.
d) Data collected from third parties or through other sources;
We may collect additional personal data or integrate those already in our possession with other data and information collected by third parties (for example our suppliers or business partners), also using data and information in the public domain, information collected through appropriate databases or further information contact details, credit verification data and information relating to the solvency provided by the offices in charge, in compliance with current legislation.
We may also collect data through the social media used by the User. In fact, where the User links his / her account to the respective social media site, these social media may authorize us to automatically access certain data in their possession. With this possibility, the interested party provides us with express access to sites with the various contents provided for therein.
VII. Data Processor
As already anticipated in the previous ParagraphII, the processing of the personal data provided to the Data Controller for use of the Web Booking will be made by Passepartout, a company that owns the software program concerning the Web Booking and licensed for use to the Data Controller.
This processing of data will take place in accordance with the terms and conditions of the contract between the Data Controller and the Data Processor and in any case in full compliance with the provisions of this information sheet (hereinafter referred to as " Holder Agreement - Responsible for processing ").
Passepartout will process and store personal data collected on the servers at its disposal (also in the Republic of San Marino). In this regard, it should be noted that in the regulation of the Holder-Processor Agreement (recependole integrally) the guarantees required by the GDPR (ex art.46) were taken into account for the transfer of personal data to countries outside the European Union.
VIII. How to share information with third parties
The personal data provided may be shared with third parties only in the following cases:
a) Consent of the interested party:
The interested party may authorize us to share (or disclose) his / her data with (and to) other third parties, for example where you use our community (such as forums or other social media) or where he has expressed his intention to be contacted and / o contacted for any need or clarification regarding the Services.
b) Treatment by external entities:
Personal data may be provided to affiliated entities and / or affiliated to our company, to service providers and / or business partners who treat them according to instructions from us (ie partners providing customer support services, information technology, payment management and / or sales, marketing, data analysis, and research and investigation).
Personal data may also be shared with:
. Our suppliers who perform: payment processing, advertising customization, prevention, detection, verification of potentially illegal acts, breaches of the Services; invoice collection; consultancy, training and organization of events;
. third-party suppliers of shipping services (eg, DHL, UPS, GLS, Poste Italiane etc.) with whom we share delivery addresses, contact information and shipment codes;
. suppliers of websites, applications, services and tools with which we collaborate for the provision of the Services and / or Web Booking.
c) Justice, legal and / or protection requirements.
We may retain or disclose personal data where necessary to meet the needs of justice, for example because requested by an administrative authority, a supervisory and / or supervisory authority or in the context of a judicial proceeding or, in any case, in compliance with provisions law, or in any case for the exercise of legal rights or for defense against complaints and / or legal actions or to prevent, detect or investigate illegal activities, frauds, abuses, violations of subjective legal positions or where there are even potential threats to the security of the Web Booking or to the physical security of any person.
IX. Data retention period
The retention period of personal data is determined (or determinable) depending on the purpose or the legal basis under which the processing should take place.
The personal data to execute the contract that has as object, inter alia, the Web Booking, will be retained for the time necessary to properly and fully perform the services provided in the contract itself (including those closely connected and connected to its termination) and in any case for a period of time not exceeding n. 10 (ten) years from the termination of the Web Booking.
Personal data processed for marketing and commercial purposes will be retained until such time as the interested party has not expressed the intention to withdraw consent for this purpose.
It remains the case in which the interested party has expressly expressed, even for different reasons, the consent for a longer period (in which case the retention period will correspond to that allowed) or if one has to satisfy one's legitimate interests as identified above ( in which case the retention period will correspond to that in which such interest is satisfied).
It also remains the case where the greater (or lesser) retention of data must be carried out to meet the needs of justice, for example to comply with a request from the administrative authority, supervisory and / or supervisory authority or for the exercise and / o for the protection (by judicial and / or extrajudicial) of their rights or to exercise their defense against complaints and / or legal actions.
Once the retention period is over, your personal data will be removed safely.
X. The rights of the interested party
All the interested parties to whom the personal data processed refer, in accordance with the terms and methods established by the GDPR, may exercise the rights described below.
a) Right of access, rectification and deletion of data, limitation and opposition to the use of data and right of withdrawal of consent.
Except as provided for above in terms of conservation, the interested party may at any time obtain access to their personal data, as well as obtaining the update, modification, limitation of processing or request cancellation.
If you choose to delete the data, please note that although most of the information stored will be deleted within 60 (sixty) days, it may take up to 180 (one hundred and eighty) days to delete all data entered into our systems due to dimensions or complexity of the systems and procedures used.
Where the processing of data is based on the consent issued by the Data Subject, this consent may be revoked at any time. Therefore, we can always oppose the sending of newsletters and the processing of data for all or only some of the marketing or commercial purposes.
The data subject may also object to the processing of data even if made with respect to our legitimate interests.
If you are asked to withdraw your consent, to limit the use of the data or to delete the previously provided personal data, we may no longer be able to provide the Services.
In any case, requests for cancellation of data are subject to current legal requirements and to the conservation of documents required by law or regulation.
b) Right to portability
The Data Subject has the right to receive personal data concerning him / her provided to a data controller in a structured, commonly used and readable form by automatic device and has the right to transmit such data to another data controller.
c) Right to propose a complaint
The interested party will always have the right to lodge a complaint with the competent Supervisory Authority, where he finds problems concerning the use of his personal data.
d) Automated decision-making process
Automated technologies are used for decision making or profiling. In any case, automated decisions will not be taken on the interested party that could have significant consequences for him, except in circumstances in which such decision is necessary to execute a contract or because the User has expressly given his consent.
The exercise of the rights described above may be requested by the Interested party via communication to the e-mail address:firstname.lastname@example.org.
XI. Security measures
It ensures the implementation and maintenance of appropriate technical and organizational measures to ensure a level of safety appropriate to every possible risk, also constantly carrying out a series of technical, administrative and physical checks to keep the personal data of the interested party confidential and secure
XII. Completeness and modifications
This privacy statement is issued to complete and complete replacement of any other regulation that may exist before today in terms of protection of the personal data of the User treated for the same purposes contained herein.