PERSONAL DATA PROCESSING POLICY
Pursuant to Art. 13 of EU Regulation 2016/679 of 27/04/2016
Pursuant to Article 13 of EU Regulation 2016/679 of 27/04/2016, hereinafter referred to as GDPR (General Data Protection Regulation) Riva del Sole Resort & SPA, with registered office in Castiglione della Pescaia loc. Riva del Sole, as the controller of the processing of personal data, informs you of the following:
Data controller and data processor
The data controller is Riva del Sole Resort & SPA, in the person of director pro-tempore
Purpose of data processing
The personal data provided by you will be processed exclusively for the following purposes:
a) Provision of hotel hospitality service and other services offered by Riva del Sole Resort & SPA or;
b) fulfilment of the obligations established by law, regulations, applicable legislation and other instructions given by authorities invested by law and by supervisory and control bodies.
The processing of personal data for the aforementioned purposes does not require your express consent [Article 6, points b) and e) of the GDPR];
c) carrying out marketing and promotional activities for the products and services of the data controller, commercial communications, both by automated means without operator intervention (e.g. SMS, fax, MMS, e-mail, etc.) or by traditional means (via telephone, mail);
d) preparation of studies and market research;
e) retention of personal data of the data subject in order to speed up the registration procedures in case of subsequent stays;
f) possibility of communicating, by authorized staff, to third parties who request it, the presence of the data subject in the accommodation facility and transfer to the person concerned the telephone calls or message coming from outside.
The processing of personal data for the aforementioned purposes requires your express consent [Article 7 of the GDPR]. This consent concerns both the automated and the traditional methods of communication described above. You will always have the right to easily and freely object, in whole or in part, to the processing of your data for said purposes, for example by excluding the automated methods of contact and expressing your desire to receive commercial and promotional communications exclusively through traditional forms of contact.
Compulsory or optional nature of data provision and the consequences of any refusal to provide personal data
The data required for the purposes referred to in the preceding points a) and b) must be provided for the fulfilment of legal obligations and/or for the conclusion and execution of the contractual relationship and provision of the requested services. Therefore your eventual refusal, even partial, to provide such data would make it impossible for the supplier to establish and manage the relationship itself and to provide the requested service.
The provision of personal data necessary for the purposes referred to in points c) and d) above is optional, therefore your refusal to provide such data would make it impossible to carry out the activities described therein.
Data processing methods
The processing of personal data is carried out by means of the operations indicated in Art. 4, No. 2) of the GDPR, for the aforementioned purposes, both on paper and computerised media, by means of electronic or automated tools, in compliance with the regulations in force, in particular on privacy and security and in accordance with the principles of correctness, lawfulness and transparency and protection of customer’s rights.
The processing is carried out directly by the controller’s organisation, by its processors and/or by persons in charge.
Communication and dissemination
Your personal data may be disclosed, within the limits strictly inherent to the aforementioned obligations, duties and purposes and in compliance with relevant current legislation, to the following categories of entities:
1) entities to which such communication must be carried out in order to fulfil or demand the fulfilment of specific obligations provided for by laws, regulations and/or EU legislation;
2) external physical and/or legal persons providing services instrumental for the activities of the data controller for the purposes referred to in paragraph 1 above (e.g. call centres, suppliers, consultants, companies, institutions, professional firms). These entities will act as data processors.
Personal data will not be disseminated.
Personal data retention period
Personal data will be retained for the entire duration expressed by the contract stipulated with the controller; at the end of that period, the data will be retained for completion of the terms provided by law for the conservation of administrative documents and will then be deleted.
Personal data is stored on servers located within the European Union. In any case, it is understood that, if necessary, the data controller will have the right to move the servers even outside the EU. In the latter case, the data controller guarantees that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, subject to stipulation of the standard contractual clauses provided for by the European Commission.
Rights of the data subject
In your capacity as data subject, you have the rights set forth in Art. 15 of the GDPR and specifically the rights of:
- obtaining confirmation of whether or not personal data that concerns you exist, even if they have not yet been recorded, and their communication in an intelligible format;
- obtaining information on:
- the origins of the personal data;
- the purposes and methods of processing;
- the logic applied in the case of processing carried out with the aid of electronic instruments;
- the identifying details of the controller and processors;
- the entities or categories of entity to which the personal data may be communicated, or who could learn about it as appointed representatives in the territory of the State, as processors or persons in charge;
- the updating, rectification or, when interested, integration of data;
- the deletion, anonymisation or blocking of data processed unlawfully, including data which need not be kept for the purposes for which the data were collected or subsequently processed;
- confirmation that those to whom the data are communicated or disclosed, also regarding their content, are notified of the actions referred to under points (a) and (b), unless fulfilment thereof proves impossible or involves using methods that are clearly disproportionate to the right being protected;
- object, in whole or in part:
- for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose for which it was collected;
- to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by e-mail and/or through traditional marketing methods by telephone and/or paper mail. It should be noted that the right to object of the data subject expressed in the previous point;
- for direct marketing purposes through automated methods, extends to traditional methods, and in any case the possibility remains open to the data subject of exercising the right to object, even only in part. Therefore, the data subject may decide to receive only communication using traditional methods or only automated communication or none of the two types of communication. Where applicable, you also have the rights referred to in Articles 16-21 of the GDPR (right to rectification, right to erasure, right to restrict processing, right to data portability, right to object), as well as the right to lodge a complaint with Italian Data Protection Authority
For exercise of the rights referred to in Art. 15 of the GDPR or for questions or information regarding the processing of your data and the security measures taken, you can in any case forward the request to our company at the following address:
Riva del Sole Resort & SPA
Loc. Riva del Sole, 58043 Castiglione della Pescaia GR