Hotel Helvetia Thermal SPA Srl., with registered office in Piazza Vittorio Veneto 11, fraz. Porretta Terme, Alto Reno Terme (BO), CF and P.IVA 03715191205 (later described as “Holder”), as owner of the data processing, informs You under Article 13 D.Lgs. 30.6.2003 n. 196 (later described as “Privacy Code”) and Article 13 of EU Regulation n. 2016/679 (later described as “GDPR”) that Your data will be processed with the following modes and purposes:
1) Subject of the data processing and purposes
The data processing covers all personal data, biographical and/or identifying, provided by You at the time the contract for the services offered by the Holder is concluded.
Moreover, further data may be automatically gathered and processed, such as technical data (for example IP address, browser type, location data) and/or cookies (please see the “Cookie” section).
Your data is used for:
a) Ensuring the access to the services You negotiated by contract and providing You with the concerning assistance (for example messaging service with the Hotel and/or the generic Customer Care services);
b) Communicating our commercial initiatives (for example promotional and marketing material about new services and events);
c) Conducting analysis activities and reports connected to the use of the negotiated services.
Refusing consent to the data processing for the sole “purposes of provision of the service” – reported under a) – will make it impossible to use the service itself.
Your data will never be used for purposes other than those above indicated.
2) Processing mode
The processing of Your personal data is implemented through the operations indicated under the Article 4 of the Privacy Code and Article 4 n.2) GDPR and precisely: data gathering, registration, organization, conservation, consultation, elaboration, modification, selection, extraction, comparison, use, interconnection, block, communication, cancellation and destruction. Your personal data are subject to paper and electronic and/or automated processing.
Data is gathered by the subjects indicated in point 4, in accordance with the relevant legislation and with particular attention to the security measures under the GDPR (Art. 32). It is processed through computer, manual and automated tools, with logics closely related to the purposes explained above in point 1, and in any case so as to ensure the safety and confidentiality of the data.
The data processing is carried out by the Holder and/or the controller and/or sub-processor.
3) Retention period
For the purposes in point a) the Holder will retain the personal data for the necessary period to fulfil the above objectives, while complying with current laws, and in any case not over the legislative deadline under Article 2946 c.c. (10 years).
For purposes of direct marketing and possible profiling – as in points b) and c) – personal data will be retained for a maximum period equal to the one provided for in the applicable rules, i.e. 24 and 12 months.
Invoices, accounting documents and data concerning the commercial activities will be retained, according to the law, for a maximum period of 10 months.
4) Entities data can be transmitted to
Your data are available for the purposes shown in Article 1:
a) To the employees and collaborators of the Holder, in their capacity as responsible persons and/or officers in charge and/or internal sub-processors of the data processing;
b) To companies playing a role strictly connected and useful to the efficient operation – including technical operation – of the services offered by the Holder, such as providers of direct marketing services and/or, more generally, companies offering technical units for the provision of some service functions;
c) Institutions and government authorities as required by law.
The personal data will be retained on servers located in the European Union, subject to the Holder’s faculty to transfer its location. The personal data can be transferred towards Countries belonging to the European Union and towards third party countries outside of the European Union, exclusively under the purposes stated in point 1.
In this case, we ensure that the transfer takes place in accordance with the existing legislation and that an adequate level of protection for the data processing is guaranteed, based on an adequacy decision, on standard clauses defined by the European Commission or on Binding Corporate Rules.
5) Rights of the data subject
As the data subject, You are entitled to exercise Your rights under Article 7 of the Privacy Code and Articles 15 et seq. of the GDPR, and specifically You can:
a) Obtain from the Holder, at any moment, information about the existence of his personal data, its origin, the purposes and processing mode, and when available, to obtain access to the personal data and to the information under Article 15 of the GDPR;
b) Ask for the update, rectification, integration or cancellation of the data, the limitation of the data processing where any of the conditions under Article 18 of the GDPR is fulfilled, and the anonymization or blocking of personal data processed in breach of the law, including data whose storage is not necessary for the purposes for which it was gathered and processed;
c) Object, in whole or in part, for legitimate reasons, to the data processing, even where it is relevant to the purpose of the gathering, and to the processing of personal data for the purposes of commercial information, sending advertising material, direct sales, market research or business communication.
Every user also has the right to withdraw consent at any moment, without prejudice to the lawfulness of the data processing based on the consent given before the withdrawal.
d) Receive the personal data, submitted knowingly and actively through use of the service, in a structured, commonly used and machine-readable format, and transmit it to another holder of the processing without obstacles.
e) Lodge a complaint to the Responsible Authorities for the protection of personal data in Italy.
6) Procedures for exercising the rights
You will be able at any moment to exercise Your rights by sending a registered letter a.r. to Hotel Mediolanum srl, i.e. a PEC (email from a certified email address) to the address email@example.com.
7) Holder, responsible and DPO
As the Holder does not fall within the cases listed under Article 37 of EU Regulation 2016/679, and also considering the indications of guideline WP243, the person in charge of data protection has not been designated.