PERSONAL DATA PROCESSING POLICY
Pursuant to Art. 13 of EU Regulation 2016/679 of 27/04/2016
Pursuant to Article 13 of EU Regulation 2016/679 of 27/04/2016, hereinafter referred to as GDPR (General Data Protection Regulation) Riva del Sole Resort & SPA, with registered office in Castiglione della Pescaia loc. Riva del Sole, as the controller of the processing of personal data, informs you of the following:
Data controller and data processor
The data controller is Riva del Sole Resort & SPA, in the person of director pro-tempore
Purpose of data processing
The personal data provided by you will be processed exclusively for the following purposes:
a) Provision of hotel hospitality service and other services offered by Riva del Sole Resort & SPA or;
b) fulfilment of the obligations established by law, regulations, applicable legislation and other instructions given by authorities invested by law and by supervisory and control bodies.
The processing of personal data for the aforementioned purposes does not require your express consent [Article 6, points b) and e) of the GDPR];
c) carrying out marketing and promotional activities for the products and services of the data controller, commercial communications, both by automated means without operator intervention (e.g. SMS, fax, MMS, e-mail, etc.) or by traditional means (via telephone, mail);
d) preparation of studies and market research;
e) retention of personal data of the data subject in order to speed up the registration procedures in case of subsequent stays;
f) possibility of communicating, by authorized staff, to third parties who request it, the presence of the data subject in the accommodation facility and transfer to the person concerned the telephone calls or message coming from outside.
The processing of personal data for the aforementioned purposes requires your express consent [Article 7 of the GDPR]. This consent concerns both the automated and the traditional methods of communication described above. You will always have the right to easily and freely object, in whole or in part, to the processing of your data for said purposes, for example by excluding the automated methods of contact and expressing your desire to receive commercial and promotional communications exclusively through traditional forms of contact.
Compulsory or optional nature of data provision and the consequences of any refusal to provide personal data
The data required for the purposes referred to in the preceding points a) and b) must be provided for the fulfilment of legal obligations and/or for the conclusion and execution of the contractual relationship and provision of the requested services. Therefore your eventual refusal, even partial, to provide such data would make it impossible for the supplier to establish and manage the relationship itself and to provide the requested service.
The provision of personal data necessary for the purposes referred to in points c) and d) above is optional, therefore your refusal to provide such data would make it impossible to carry out the activities described therein.
Data processing methods
The processing of personal data is carried out by means of the operations indicated in Art. 4, No. 2) of the GDPR, for the aforementioned purposes, both on paper and computerised media, by means of electronic or automated tools, in compliance with the regulations in force, in particular on privacy and security and in accordance with the principles of correctness, lawfulness and transparency and protection of customer’s rights.
The processing is carried out directly by the controller’s organisation, by its processors and/or by persons in charge.
Communication and dissemination
Your personal data may be disclosed, within the limits strictly inherent to the aforementioned obligations, duties and purposes and in compliance with relevant current legislation, to the following categories of entities:
Personal data will not be disseminated.
Personal data retention period
Personal data will be retained for the entire duration expressed by the contract stipulated with the controller; at the end of that period, the data will be retained for completion of the terms provided by law for the conservation of administrative documents and will then be deleted.
Personal data is stored on servers located within the European Union. In any case, it is understood that, if necessary, the data controller will have the right to move the servers even outside the EU. In the latter case, the data controller guarantees that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, subject to stipulation of the standard contractual clauses provided for by the European Commission.
Rights of the data subject
In your capacity as data subject, you have the rights set forth in Art. 15 of the GDPR and specifically the rights of:
For exercise of the rights referred to in Art. 15 of the GDPR or for questions or information regarding the processing of your data and the security measures taken, you can in any case forward the request to our company at the following address:
Riva del Sole Resort & SPA
Loc. Riva del Sole, 58043 Castiglione della Pescaia GR
Telephone: +39 0564-928111