1. DATA HOLDER, CONTACT DETAILS AND PLACE OF TREATMENT
1.1 This information is provided by HOTEL GARDEN S.P.A. (P.IVA 00898530282 – PEC email@example.com – e-mail firstname.lastname@example.org), based in Corso delle Terme, 7, Montegrotto (35036 -PD). 1.2 Responsible for data protection is Avv. Francesco Cecchinato (C.F. CCCFNC89M07G224U – PEC email@example.com – e-mail firstname.lastname@example.org) with address for service in Padova (35129 – PD), Via San Crispino n. 82.
2. PERSONAL DATA AND PURPOSE OF THE TREATMENT
2.1 In accordance with the provisions of Reg. EU 2016/679, of D. Lgs. 196/2003 (as amended by D. Lgs. 101/2018), of the Provisions and indications of the Guarantor Authority and, in general, of the legislation on the confidentiality of personal data, this section of the website processes navigation data and use of the site (in addition to any other information deriving from cookies and similar tools). Furthermore, in particular with reference to the booking procedure and request for information, personal/identification data of the user are processed (name, surname, date of arrival and number of nights, etc.), the relative contact details (by way of example, the e-mail address and, in the booking procedure, the telephone number and address) and, with reference only to the booking procedure, the data relating to the payment systems. 2.2 The collection of common personal data (personal data, e-mail, telephone number, address etc.) can be finalized with the specific consent of the interested user through the appropriate functionality of the site, to commercial promotion activities with the sending of advertising material, direct sales, carrying out commercial research and commercial communication, with particular reference to the processing of the e-mail address or telephone number, also for the purpose of newsletters or text messages (short message service SMS) as well as, in the absence of opposition from the interested party, for traditional marketing purposes (such as telephone call with operator or sending paper mail to the address indicated by the interested party). 2.3 The collection of common personal data (such as name, surname, contact details, date of arrival and number of nights, data relating to payment systems, etc.) can be aimed at measures necessary for booking a stay at the hotel. The personal data collected will also be processed for purposes related to legal obligations and defence of the Data Holder or third parties in court or comparable. 2.4 The data entered in the appropriate information request form (personal data, contact details, arrival date and number of nights etc.) are functional to respond to requests sent by e-mail to the Data Holder, as well as for the exercise of any rights of the interested party also in terms of privacy. Once contacted spontaneously by the user, the Data Holder will be able to acquire and process the data entered for the aforementioned purpose.
3. METHOD AND LEGAL BASIS OF THE PROCESSING
3.1 The processing can be carried out with or without the aid of electronic or automated tools, always in accordance with the provisions of the legislation on the confidentiality of personal data, with particular reference to the provisions of art. 32 EU Reg. 2016/679 which requires the adoption of technical/organizational measures appropriate to the risk. The processing is carried out by the individual data processors specifically appointed/authorized and/or by the various specifically appointed data processors, in any case under the supervision and according to the indications of the Data Holder. 3.2 With reference to the marketing/commercial promotion purposes, the legal basis of the processing can be found in the specific consent of the interested party, issued through the specific functionality of the site (Article 6 of EU Reg. 2016/679 letter A). With reference to traditional marketing, the legal basis of the processing is found in the legitimate interest of the Data Holder (Article 6 of EU Reg. 2016/679 letter F also in consideration of Recital 47 of the Regulation). 3.3 With reference to the personal data collected/managed when booking stays at the hotel, the legal basis of the processing is the execution of pre-contractual/contractual measures at the request of the interested user (Article 6 of EU Reg. 2016/679 letter B). With regard to the execution of legal obligations, the legal basis of the processing concerns precisely the fulfilment of these obligations (Article 6 of EU Reg. 2016/679 letter C) while with regard to the defence of the rights of the Data Holder or of third parties in the judicial or comparable, the legal basis of the processing is found in the legitimate interest of the Data Holder, in the relevant public interest and in the corresponding right of defence (Article 6 of EU Reg. 2016/679 letter E and Article 9 of EU Reg. 2016 / 679 letters F and G). 3.4 The legal bases of the processing reside, with reference to the data transmitted to the Data Holder through the information request form, in the execution of a contract to which the interested party is a part (if any) or pre-contractual measures at the request of the interested party (art. 6 EU Reg. 2016/679 letter B). In the marginal case in which the contact of the interested party does not fall within the previous provisions, the processing will take place on the legal basis of the legitimate interest of the Data Holder (Article 6 of EU Reg. 2016/679 letter F).
4. PROVISION OF DATA
4.1 With reference to the personal data collected/managed for commercial promotion or traditional marketing purposes, the provision is not mandatory (neither contractually nor legally), but it is necessary for the performance of these purposes. Any refusal by the interested party to provide the related personal data, or the incorrect communication of such data, makes it impossible to carry out the aforementioned activities (if the data entry fields were marked with “*”) or the reduced operation of the same (if the data entry fields were not marked with “*”). For the interested party, it will always be possible to revoke the consent originally provided at any time (for commercial promotion, by way of example the newsletter), or to oppose the processing (for traditional marketing), with consequent immediate interruption of the processing of the data provided. 4.2 With reference to the personal data collected/managed when booking stays at the hotel and through the form for requesting information, the provision is not mandatory (neither contractually nor legally), but it is necessary/functional for the implementation of pre-contractual measures/contractual requests from the User concerned. Any refusal by the interested party to provide the related personal data, or the incorrect communication of such data, makes it impossible to carry out the aforementioned activities (if the data entry fields were marked with “*”) or the reduced operation of the same (if the data entry fields were not marked with “*”).
5. EXPIRY OF TREATMENT
5.1 In the case of mere pre-contractual measures or related services not related to an already concluded contract of which the interested user was a party or in whose execution he was also indirectly involved, if the cancellation/opposition is not legitimately requested, the data will be kept only for the period necessary for the provision of the requested service and, in any case, to an extent and for a period not exceeding that necessary to guarantee the Data Holder any defence of his rights. For the interested party, it will be possible to request the Data Holder, at any time, to immediately interrupt the processing of the data provided (except for any legitimate interest of the Data Holder in conservation for the defence of their rights). In the event that the processing takes place in execution of a contract of which the interested user was a party or participant, if the cancellation/opposition is not legitimately requested, the data will be kept for a period of 10 years from the moment of termination/conclusion, for any reason of the mutual contractual relationship. In the event that, after the termination / conclusion of the relationship, further processing of the data is necessary for similar purposes or related to them, the data will be kept until the achievement/termination of the purposes referred to in the new processing and for a further 10 years. 5.2 For marketing or traditional marketing purposes, in the event that the deletion of data/opposition to the processing / termination of the service is not required, the data will be kept, for the purposes set out above, for a period equal to the duration of the corresponding service.
6. COMMUNICATION AND DIFFUSION
Personal data may be disclosed for the aforementioned purposes to consultants and freelancers, also in associated and specifically appointed form (by way of example, business consultants, law firms, etc.), public/private entities for which communication is mandatory or necessary. in fulfilment of legal or functional obligations for the execution of the contract, if existing or even potential (such as, by way of example, the managers of company administrative software). The personal data collected are not subject to disclosure.
7. RIGHTS OF THE INTERESTED PARTY
EU Reg. 2016/679 grants the interested party specific rights, including the right to access their personal data and make them available in an intelligible form; the interested party also has the right to obtain the updating, rectification (if erroneous), integration (if incomplete) or deletion of data (in case of unlawful processing), data portability (right to receive or have transmitted data to another holder in a structured format, commonly used and readable by automatic device) revocation of consent (if legal basis for processing) transformation into anonymous form or blocking/limitation of data processed in violation of the law; the interested party has the right to oppose, for legitimate reasons, to the processing of data. With reference to the processing of the data provided, in the event that the interested party identifies violations of the Privacy Legislation, he will have the right to lodge a complaint with the Privacy Guarantor. The interested party may exercise his rights by making a request to the Data Holder or the Data Protection Officer (also by requesting them to receive the complete list of appointed Managers).