Under the terms of art. 13 Italian Legislative Decree No. 196/2003 (hereafter ‘Privacy Code’) and art. 13 EU Regulation No. 2016/679 (hereafter GDPR),
RAG.SOCIALE: LE PETIT HOTEL DI MILAN MONICA P.IVA: 04635420278
(hereafter ‘Data Controller’) wishes to provide you with the following information:
1. SUBJECT MATTER AND SCOPE OF APPLICATION.
Personal data that may be collected are the following:
2. PURPOSE OF PROCESSING.
The personal data collected (“Data”) may be processed for the following purposes:
a) giving execution to a specific user request or provide the requested service (“Service”);
b) allowing the Company to perform surveys on customers satisfaction (“Customer Satisfaction”) related to the quality of Company goods and services according to the Company legitimate interest;
c) subject to your express consent, sending commercial communications as well as sending advertising on Company products and services, or performing market researches (“Marketing”);
f) improving the user experience on the Company websites.
If the data controller intends to process your data for purposes different from those described in this paragraph, you will be informed in advance.
3. DATA CONTROLLER’S LEGITIMATE INTERESTS.
These comprise observance of the contractual obligations entered into by the parties. Under the terms of art. 6 GDPR processing is lawful when consented to by the party involved.
4. ACCESS TO DATA AND THEIR COMMUNICATION.
Access may be granted for the purposes described in clause 2:
A. to the data controller’s employees and associates in charge of and/or responsible for in-house data processing and/or system managers;
B. to third parties (banks, couriers, external professionals and consultants (e.g. tax consultants) for the sole purpose of protecting credit and managing individual business relationships) who perform outsourced operations on behalf of the data controller as independent external operators or processors nominated by the data controller.
Without your express consent (art. 24 a), b), d), Privacy Code and art. 6 b) and c) GDPR) the data controller may communicate your data for the purposes described in clause 2 A. to watchdog bodies, judicial authorities and all other subjects which by law require such communication in order to achieve the purposes in question. Such subjects will hold data as independent data controllers.
Your data will not be disseminated.
Data will be managed and stored on servers (located within the European Union) used by the data controller and/or third parties duly appointed as data processors. The data will not be transferred outside the European Union.
5. OPTIONAL / COMPULSORY DATA PROVISION.
Providing data for the purposes described in clause 2. A. is compulsory in as far as it is required by legal and contractual obligations. Refusal to provide data or failure to authorise their processing will preclude the data controller from entering into contractual relationships (the subject involved will not receive a service, contractual non-fulfilment and due liability, non-fulfilment of legal obligations and due legal sanctions, etc.). Providing data for the purposes described in clause 2. B. is optional and failure to provide them or to authorise their processing will preclude sending newsletters, commercial communications and/or advertising materials regarding the data controller’s products and services and surveying the degree of satisfaction regarding the quality of
6. DATA STORAGE TIMES.
Subject to the five or ten year terms for storing documents containing data regarding civil, accounting and tax matters, as foreseen by current legislation, any other data will be stored for five years after the business relationship ceases, unless you withdraw your consent or require us to erase your data.
7. DATA SUBJECT’S RIGHTS.
Subject to cases involving legal obligations, public interest or public authorities, you have the right at any time to revoke your consent, without compromising the lawfulness of processing based on consent before its withdrawal. Art. 7 of the Privacy Code and art. 15 of the GDPR grant you specific rights, which include that of obtaining confirmation as to whether or not personal data concerning you exist, communication of such data in intelligible form; the right to be informed of the source of the data, the purposes and methods of processing, the logic applied to the processing, identification concerning data controllers and the subjects to which the data may be communicated; the right to obtain updating, rectification or integration of the data, their erasure, anonymisation or blocking of unlawfully processed data; the right to object on legitimate grounds to the processing of data concerning you.
The GDPR grants you the following rights: data erasure (art. 17), restriction of processing (art. 18), data portability (art. 20) and in the case of automated processes (profiling), processing by the data controller’s human intervention (art. 22).
These rights can be exercised in any way and without charge.
8. RESPONSE TIME.
If you request information about your data the data controller shall respond promptly – unless this proves impossible or involves a manifestly disproportionate effort compared with the right to be protected – and in any case no later than 30 days from the request. The data controller will justify any inability to meet the request, or delay in doing so.
If you consider that any of your rights listed in clause 7 have been violated you may file a complaint with the Garante (using the procedures and instructions published on the Authority’s website www.garanteprivacy.it) or lodge an administrative or judicial appeal.
10. DATA CONTROLLER.
The data controller is RAG.SOCIALE: LE PETIT HOTEL DI MILAN MONICA P.IVA: 04635420278, which can be contacted for requests, enquiries or information, including exercising your rights as described in clause 7.