Information Article 13 of EU Regulation no. 2016/679
1. Data Controller and Data Protection Officer
The Data Controller is Hotel Delizia sas (Tax Code / VAT 10712610152) with registered office in Via Archimede, 86/88 – 20129 Milan (MI), operational headquarters in Via Archimede, 86/88 – 20129 Milan (MI).
The Data Protection Officer can be contacted at the Company at the following email address: email@example.com.
2. Purpose and legal basis of the processing
The Hotel Delizia sas Company processes the personal data of individuals, legal entities, individual companies and / or freelancers (“Interested”), groups and / or associations, entities, for the following purposes, in accordance with the corporate purpose:
- the need to perform a contract of which the interested party is a party or to perform pre-contractual activities with the same. This need represents the legal basis that legitimizes the consequent processing. The provision of data necessary for these purposes represents, as appropriate, a contractual obligation or a requirement necessary for the conclusion of the contract; in the absence of them, the Company would be unable to establish or execute the relationship;
- the need to comply with legal obligations (e.g. obligations under the anti-money laundering legislation, provisions issued by the Supervisory Authority, the Judiciary, etc.). This need represents the legal basis that legitimizes the consequent processing. The provision of data necessary for these purposes represents a legal obligation; in the absence of them, the Company would be unable to establish relationships and may have the obligation to make reports;
- promotion and sale of Hotel Delizia sas products, including market research (so-called direct marketing). The legal basis that legitimizes the consequent processing is the consent of the interested party, who is free to give or not and who can, however, withdraw at any time. The provision of the data necessary for these purposes is not mandatory and the refusal to provide them does not determine any negative consequence, except for the impossibility of receiving commercial communications;
- promotion and sale of “dedicated” products of the Hotel Delizia sas company specifically identified through the processing and analysis, including through the use of automated techniques or systems (eg big data), information relating to preferences, habits, choices of consumption, aimed at dividing interested parties into homogeneous groups for specific behaviors or characteristics (customer profiling) also implemented through the enrichment of data with information acquired from third parties (enrichment). The legal basis that legitimizes the consequent processing is the consent of the interested party who is free to give or not and who can, however, withdraw at any time. The provision of the data necessary for these purposes is not mandatory and the refusal to provide them does not determine any negative consequence, except for the impossibility of receiving dedicated commercial communications;
- sending newsletters and information material, periodic communications relating to the Company’s products and / or events. This need represents the legal basis that legitimizes the consequent processing.
3. Categories of data processed
The Company processes personal data collected directly from the interested party, or from third parties, which include, by way of example, personal data (e.g. name, surname, address, date and place of birth, tax code, VAT number, headquarters), information on the financial situation (e.g. balance sheet, insolvency status, credit information pertaining to credit requests / reports), image data (e.g. photo ID card, chamber of commerce certificate, durc) and others data attributable to the categories indicated above.
The Company does not request and does not process on its own initiative particular data of the interested party who contacts it (e.g. data that reveal racial or ethnic origin, political opinions, and religious or philosophical beliefs, belonging trade union, genetic data, biometric data – intended to uniquely identify a natural person, data relating to the health or sexual life or sexual orientation of the person). If the Company comes into possession for purposes completely unrelated to those referred to in point no. 2 of these data, we inform you from now on that these data will be deleted as they do not comply with the aforementioned purposes.
4. Processing methods
Natural and legal persons appointed as Data Processors and natural persons authorized to process the data necessary for carrying out the tasks assigned always in accordance with the purposes referred to in point no. May become aware of the data of the interested party. 2 of this.
Personal data will be processed both manually and in paper form, and with IT and telematic tools and inserted in the relevant databases / archives, to which the employees expressly designated by the Data Controller as Data Processors and Persons in charge will be able to access, and therefore become aware of them of personal data, which may carry out filing, classification, consultation, use, processing, comparison and any other appropriate operation, including automated operations, in compliance with the legal provisions necessary to guarantee, among other things, the confidentiality and security of the data as well as the accuracy, updating and relevance of the data in accordance with the stated purposes.
5. Rights of the interested parties
The current data protection legislation attributes specific rights to the interested party, who, for the exercise of the same, can contact the Data Controller directly and at any time.
The rights exercisable by the interested party, described below, are:
- Right of access;
- Right to rectification;
- Right to cancel;
- Right of limitation;
- Right to portability;
- Right to object.
Interested parties and legal persons, bodies and associations can at any time modify the optional consents whenever they wish, by communicating this will to the Company.
5.1. Right of access
The right of access provides the possibility for the interested party to know which personal data referring to him are processed by the Company and to receive a free copy.
The information provided indicates the purposes of the processing, the categories of data processed, the expected retention period or, if not possible, the criteria used to define this period, as well as the guarantees applied in case of transfer of data to third countries and rights exercisable by the interested party.
5.2. Right to rectification
The right of rectification allows the interested party to obtain the updating or correction of inaccurate or incomplete data concerning him.
It can be exercised at any time and the interested party, to exercise it, must send a written communication (by e-mail or by registered mail with return receipt) indicating the object and type of correction requested. The Company will notify the interested party of the requested change.
5.3. Right of cancellation (so-called “oblivion”)
The right of cancellation, or to be forgotten, allows the interested party to obtain the cancellation of their personal data in the following particular cases:
- personal data are no longer necessary for the purposes for which they were collected and processed;
- the interested party revokes the consent on which the treatment is based, if there is no other legal basis that could otherwise legitimize it;
- the interested party opposes the processing and there is no further legitimate reason to proceed with the processing carried out by the owner for;
- the pursuit of a legitimate interest of one’s own or of third parties and there is no prevailing legitimate reason for the owner to proceed with the processing,
- direct marketing purposes, including related profiling;
- the personal data of the interested party have been unlawfully processed.
This right can be exercised even after the withdrawal of consent.
5.4. Right of limitation
The right of limitation can be exercised by the interested party in the event:
violation of the conditions of lawfulness of the processing, as an alternative to the deletion of data;
request for rectification of the data (pending correction) or opposition to their treatment (pending the decision of the owner).
Without prejudice to conservation, any other treatment of the data whose limitation is requested is prohibited.
5.5. Right to portability
The right to portability allows the interested party to use their data held by the Company for other purposes.
Each interested party may request to receive personal data relating to him or request their transfer to another holder, in a structured, commonly used and legible format.
In particular, the data that may be subject to portability are personal data (e.g. name, surname, address, date and place of birth, residence) and bank and payment data. This right does not apply to non-automated processing (e.g. archives or paper records).
5.6. Right to object
The right of opposition allows the interested party to oppose at any time, for reasons related exclusively to his situation, to the processing of personal data concerning him.
5.7. Exceptions to the exercise of rights
The data protection legislation recognizes specific exceptions to the rights granted to the interested party.
The Company must however continue to process the personal data of the interested party when one or more of the following conditions apply:
- execution of a legal obligation;
- resolution of pre-litigation and / or litigation;
- internal and / or external investigations / inspections;
- requests from the Italian and / or foreign public authorities;
- reasons of relevant public interest;
- execution of an existing contract;
- any other technical blocking conditions / status identified by the Company.
5.8. Exceptions to the exercise of rights
Each interested party, in order to exercise their rights, may contact the company at the e-mail address firstname.lastname@example.org. or submit your request in writing to Hotel Delizia sas, Via Archimede, 86/88 – 20129 Milan (MI). The deadline for replying is 30 days, extendable by 60 days in cases of particular complexity; in these cases, the Company provides at least interlocutory communication within 30 days.
The exercise of rights is free of charge for the interested party.
The Company has the right to request further information necessary for the identification purposes of the applicant.
6. Data retention period
The Company processes and retains the personal data of the interested party for the entire duration of the contractual relationship, for the execution of the related and consequent obligations, for compliance with the applicable legal and regulatory obligations, as well as for its own defensive purposes, up to expiry of the data retention period.
The retention period of personal data, therefore, can extend up to a maximum of 10 years from the acquisition of the data by the Company.
In any case, the Data Subject must communicate to the Company by e-mail or by registered letter with return receipt within the aforementioned deadline if he intends to obtain the return of the data concerning him or if his cancellation is requested.
After the expiry of the aforementioned deadline, if the interested party has not communicated to the Company any explicit request regarding the return of the data, the Company will delete the data by informing the interested party of the cancellation.
7. Transfer of data to third countries
Personal data may also be transferred to countries not belonging to the European Union or to the European Economic Area (so-called “Third Countries”) recognized by the European Commission having an adequate level of protection of personal data or, otherwise, only if it is contractually guaranteed by all Fineco suppliers located in the Third Country an adequate level of protection of personal data with respect to that of the European Union (e.g. by signing the standard contractual clauses provided by the European Commission) and that operation is always ensured of the rights of the interested parties.
8. Scope of communication and dissemination of data
For the pursuit of the purposes referred to in paragraph no. 2 of this information, the personal data provided will be processed by persons appointed by the Data Controller, or employees, collaborators and internal and external consultants of the Company appointed in writing as Data Processors or External Managers.
Personal data may be communicated and transferred:
- to subjects to whom the right to access personal data is recognized by provisions of the law and secondary legislation or by provisions issued by authorities legitimated by the law;
- to client companies or associates of Hotel Delizia sas.
Communication and / or transmission to client companies outside the European Union will only take place with the explicit consent of the interested party.
Personal data will not be disclosed.
9. Rights of the interested party
We inform you that the articles 15 and following of the GDPR give the interested parties the exercise of specific rights towards the Data Controller.
In particular, the interested party will be able to:
- obtain confirmation of the existence of personal data concerning him, even if not yet registered, and ask to know their origin without prejudice to the rights of third parties, as well as the purposes, the storage times, the methods of treatment and the logic applied in the case of treatments carried out with automated tools;
- withdraw any consent given in relation to the processing of their personal data, without prejudice to the lawfulness of the processing put in place up to that moment;
- receive in a structured format, commonly used and readable by an automatic device, the personal data processed and, unless it is not technically feasible, directly transmit their data to another Data Controller;
obtain the cancellation, transformation into anonymous form or blocking of data which need not be kept for the purposes for which the data were collected and processed;
- obtain the updating, correction and integration of the data processed;
- object, in whole or in part and for legitimate reasons, to the processing of personal data concerning him, even if pertinent to the purpose of the collection;
- lodge a complaint with the supervisory authorities.
The exercise of these rights must not affect and / or damage the rights and freedoms of others, including industrial and corporate secrecy and intellectual property.
In particular, the right of access is limited to the personal data you provide and does not extend to the professional processing that may be carried out by the Company which becomes the exclusive owner. However, in the event that you exercise the right to delete your data, these processing will be canceled and / or anonymized in order to make you in no way unidentifiable.
You can exercise these rights at any time you can contact the Company by e-mail email@example.com or by registered mail with return receipt to be addressed to: Hotel Delizia sas, Via Archimede, 86/88 – 20129 Milan (MI).
It is understood that, where requests are submitted by electronic means, the information will be provided free of charge and in a commonly used electronic format.
10. Complaint or report to the Guarantor for the protection of personal data
If the interested party believes he has suffered a violation of his rights, he can lodge a complaint or make a report to the Guarantor for the Protection of Personal Data or appeal to the Judicial Authority.
The contacts of the Guarantor for the Protection of Personal Data are available on the website www.garanteprivacy.it.