The company Hotel Helvetia Thermal SPA Srl, with registered office in Piazza Vittorio Veneto 11 in the hamlet of Porretta Terme, Alto Reno Terme (BO), Fiscal Code and VAT number 03715191205 (hereinafter, "Owner"), as data controller, informs you pursuant to art. 13 Legislative Decree 6/30/2003 n. 196 (hereinafter, "Privacy Code") and art. 13 EU Regulation no. 2016/679 (hereinafter, "GDPR") that your data will be processed in the manner and for the following purposes:
1. Object of the Processing and Purpose.
This data processing process concerns all personal data, personal data and/or identification data, communicated by you when concluding the contract for the services offered by the Data Controller.
They may also be collected and processed automatically further data, such as technical data (e.g. IP address, browser type, data relating to your current position) and/or cookies (refer to the relevant "Cookies" section).
Your data is used to:
- guarantee you the access to the services contractually agreed upon by you and provide you with assistance in relation to them (e.g. messaging services with the hotel and/or Customer Care Services in general);
- communicate our commercial initiatives to you (e.g. promotional activities and/or or advertising on new services and events)
- conduct analysis and reporting related to the use of the agreed services;
Any refusal to give consent to the processing of data for the sole " purpose of providing the service” – reported under a) – will make it impossible to use the service itself.
In no case will your data be used for purposes unrelated to those indicated above.
2. Processing methods.
The processing of your personal data is carried out by means of the operations indicated in art. 4 Privacy Code and art. 4 no. 2) GDPR and precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data is subjected to both paper and electronic and/or automated processing.
The data is collected by the subjects indicated in point 4, according to the indications of the reference legislation, with particular regard to the security measures envisaged by the GDPR (art. 32) for their treatment using IT, manual and automated tools and with logic strictly related to the purposes indicated in point 1 and in any case in order to guarantee the security and confidentiality of the data.
The data processing is carried out by the Data Controller and/or by the Data Processor and/or by the Sub-Data Processors.
3. Storage period.
For the purposes referred to in point a) the Data Controller will process personal data for the time strictly necessary to fulfill the aforementioned purposes, in compliance with current regulations, and in any case no later than the legal term established by art. 2946 of the civil code (10 years).
For direct marketing and possible profiling purposes - referred to in points b) and c) - personal data will be kept for a maximum period equal to that established by applicable legislation, i.e. 24 and 12 months respectively.
Invoices , accounting documents and data relating to commercial transactions will be kept, in accordance with the law, for a maximum period of 10 years.
4. Subjects to whom the data may be communicated
Your data may be made accessible for the purposes referred to in art. 1:
- to employees and collaborators of the Data Controller in their capacity as persons in charge and/or managers and/or internal sub-managers of the treatment;
- companies that perform functions strictly connected and instrumental to the operation - including technical ones - of the services offered by the Data Controller, such as, for example, direct marketing and customer care service providers, companies that provide archiving, administrative, payment and invoicing services, associated companies and/or in general companies that supply technical components for the provision of some features of the service
- administrative and judicial bodies and authorities by virtue of legal obligations.
Personal data will be stored on servers located in the European Union, without prejudice to the right of the Data Controller to transfer their location. Personal data may be transferred to European Union countries and to third countries with respect to the European Union exclusively for the purposes referred to in point 1.
In this case, we ensure that this transfer takes place in compliance with current legislation and that an adequate level of protection of personal data is guaranteed based on an adequacy decision, on standard clauses defined by the European Commission or on Binding Corporate Rules.
5. Rights of the interested party
In your capacity as interested party, you have the right to exercise the rights referred to in art. 7 Privacy Code and articles 15 et seq. GDPR and precisely can:
- obtain from the Data Controller, at any time, information about the existence of their personal data, the origin of the same, the purposes and methods of treatment and, if present, to obtain access to personal data and to the information referred to in article 15 of the GDPR;
- request the updating, rectification, integration, cancellation, limitation of data processing in the event that one of the conditions envisaged in article 18 of the GDPR occurs, the transformation in anonymous form or the blocking of personal data, processed in violation of the law, including those whose retention is not necessary in relation to the purposes for which the data were collected and/or subsequently processed
- oppose, in whole or in part, for legitimate reasons, to the processing of data, even if pertinent to the purpose of collecting and processing personal data for the purposes of commercial information or the sending of advertising or sales material direct or for carrying out market research or commercial communication. Each user also has the right to withdraw the consent at any time without prejudice to the lawfulness of the treatment based on the consent given before the revocation
- to receive their personal data, provided knowingly and actively or through the use of the service, in a structured format, of common use and readable by automatic device, and to transmit them to another data controller without impediments
- propose a complaint to the Guarantor Authority for the protection of personal data in Italy.
6. How to exercise your rights
You can exercise your rights at any time by sending a registered letter with return receipt. to Hotel Helvetia Thermal Spa or a pec to firstname.lastname@example.org, or an email to email@example.com.
7. Owner, manager and DPO
Not falling within the case specified by art. 37 of the reg. EU 2016/679, also taking into consideration the indications of the WP243 guideline, the Data Protection Officer has not been designated.