PERSONAL DATA PROCESSING POLICY
General Data Protection Regulation n. 2016/679/UE (”GDPR”) and Leg. Decree n. 101/2018
The General Data Protection Regulation n. 679/2016/UE ("GDPR") that applies to all Member States, acknowledges the protection of personal data that could be processed by third parties as an expression of respect for human dignity and fundamentals rights and freedoms of every person. Based on the provisions of the aforementioned Regulation we wish to inform you that the processing of your data will be carried out in full compliance with the principles of lawfulness, correctness, relevance, proportionality, transparency and protection of the confidentiality of your data and rights in accordance with the provisions of these provisions of law. It is also specified that for the establishment and / or execution of existing contractual relationships and for the fulfillment of specific legal obligations, we need to acquire your personal data, or we will need to acquire them subsequently, without the need for your further consent, implicit in the stipulation of the contract / agreement between the parties and / or assignment of the assignment in question. Therefore, based on the provisions of the European and internal regulations in force, we provide the following information.
For the purposes of this policy, the subjets concerned are informed that the Data Controller is G.A.M. s.p.a. (later identified as "The Controller"), in the person of its legal representative, with registered office in via Papiniano n. 45, 20123 Milan, as manager of the hotels "Altafiumara Resort & Spa", in C.da Santa Trada in Villa San Giovanni (RC), and "Regent Beach Hotel & Apartments", in Via Mercato 9 Lungomare Catona, in Reggio Calabria.
Joint Data Controller
The Joint Data Controller (later identified as "the Co-controller") is RI.AL. s.r.l., in the person of its legal representative with registered office in via Agnello n. 5, 20121 Milan, as a subsidiary of the Controller and as manager of the "Grand Hotel Excelsior" in Reggio Calabria on via Vittorio Veneto n.66.
When it is necessary to refer to both controllers later in this document, the term "the Co-Controllers" will be used.
Legal basis and purpose of the data processing
The different types of personal data provided by the subjects will be processed exclusively for the purposes for which they are collected.
The provision of data is mandatory in order to offer the user the services and to respond to specific requests, as well as to fulfill the obligation that requires us to register and communicate to the Police the details of the clients staying; to comply with current administrative, accounting and tax obligations, any refusal or wrong, inaccurate or partial provision of data would result in the impossibility of staying at our facility.
The provision of data for our marketing activity, for promotional purposes and for sending future communications about reserved offers and promotions is optional and the subject has the right to revoke his/her consent to this kind of data processing at any time.
The joint data controllers do not intend to process personal data for purposes other than those for which they were collected, nor they will provide the data to third parties without the consent of the subjects - except in those cases where the transfer is required by the fulfillment of a legal obligation - nor they will transfer data to a non-UE country or organization.
Pursuant to Article 6 of the GDPR, the lawfulness of the processing is based on the consent of the interested party as well as on the applicable principles referred to in Article 5 of GDPR.
Data collection and processing methods
The data are processed with the help of electronic devices and/or analogic instruments. If requested by the subject, his/her information may be referred orally, provided the identity of the interested party is proven by other means.
The processing will consist in the acquisition of the data voluntarily provided by the subject and in their registration through the management software in use at the facility.
The data will be kept for the time necessary for the fulfillment of the processing purposes and will be able to circulate, according to the needs, in the operating centers of the facilities managed by the Co-Controllers, for organizational and administrative-accounting purposes.
Type of data processed
The processing will involve the following kind of data:
- Personal data (name, surname, year of birth)
- Addresses of residence and / or domicile
- Phone numbers
- Email addresses
- Copy of the identity document
Duration of processing.
The processing will last for the time that is strictly necessary for the management of the procedures and, in any case, not exceeding 5 years. When due, the data will not be usable anymore.
Subjects authorized to access data
The Co-controllers authorize their employees to access the guests' data in order to offer them all the services of the hotels. If necessary or if required by law, the Co-controllers may transmit the guests' data to the following categories of subjects that are outside their own organization:
Mandatory communications by law; emergencies; requests for intervention on site.
Medical and / or paramedical staff
Request for medical intervention to protect guests' health.
Mandatory tax compliance by law.
Rights acknowledged to subjects
In relation to the data processing described in this policy, the Co-Controllers will acknowledge to subjects, whose data are involved, the following rights:
- I Access (art. 15): the right to obtain from the data Co-controllers the confirmation of the data processing and to obtain access to those data.
- II Rectification (art. 16): the right to obtain the rectification of inaccurate personal data without unjustified delay and / or the integration of incomplete personal data, even providing an additional declaration.
- III Cancellation / Right to be forgotten (art. 17): the right to obtain the cancellation of personal data without unjustified delay.
- IV Processing limitation (art. 18): the right to obtain the limitation of data processing when one of the following hypotheses occurs: a) the data subject disputes the accuracy of the personal data, until the Co-controllers will verify the accuracy of such data; b) the processing is unlawful and the subject opposes to the cancellation of his/her data but he/she requests to limit its usage; c) when the subject needs his/her data to ascertain, exercise or defend a right in court, although the Co-controllers no longer need those data for processing purposes; d) the subject has opposed the processing pursuant to GDPR Article 21, paragraph 1, pending verification regarding the possible prevalence of the legitimate reasons of the data controllers with respect to those of the subject. If the processing is limited, these personal data are processed, except for storage, only with the consent of the subject or to ascertain, exercise or defend a right in court or to protect the rights of a natural or legal person or for reasons of significant public interest of the Union or of a Member State.
- V Portability (art. 20): the right to receive all the personal data in a structured file format that is commonly used and readable by automatic devices; the subject also has the right to ask to the Co-controllers to transmit such data to another data controller without impediment if the processing is based on consent or on a contract and the processing is carried out through automated tasks.
- VI Opposition (art. 21): the right to object at any time, for reasons connected to its particular situation, to the processing of own personal data and to oppose to profiling on the basis of such provisions. The Co-controllers will not process those data unless it is proven the existence of legitimate cogent reasons that prevail over the interests, rights and freedoms of the subject or to defend/verify a right in court.
- VII Automated decision-making processes for natural persons, including profiling (art. 22): the right to be excluded from decisions based only on an automated processing, including profiling, which produces legal effects that may affect the personal sphere.
The right is not acknowledged when: a) the decision is necessary for the conclusion or the execution of a contract between the subject and a data controller; b) the decision is authorized by the law of the European Union or that of the Member State that applies to the data controllers, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the subject; c) the decision is based on the explicit consent of the interested party.
In the cases referred to in letters a) and c), the Co-controllers implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, to ensure the right to obtain human intervention by the data controller, to express own opinion and to challenge the decision.
The decisions referred to in paragraph 2 shall not be based on the particular categories of personal data referred to in Article 9 (1), unless Article 9 (2) (a) and (g) applies, and insufficient measures are in force to protect the rights, freedoms and legitimate interests of the data subject.
- VIII Revocation (art. 7), the right to revoke at any time any consent expressed to the Co-controllers. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to revocation. Before giving his consent, the subject is informed of this opportunity. Consent is withdrawn as easily as it is granted.
- IX Complaint, the right to file a complaint with the Italian Data Protection Authority (“Autorità Garante per la Protezione dei Dati Personali”), Piazza di Montecitorio n. 121, 00186 Rome (ITALY).
Last update: July 24, 2019