The following information (“the Information”) is provided, pursuant to art. 13 of EU Reg. 2016/679 (“GDPR“), in order to illustrate the purposes and methods of processing personal data referable to users who access the websites www.lariohotels.com, www.albergoterminus.it, www. hotelvillaflori.it, www.postadesignhotel.com and www.vistalagodicomo.com (“the Sites”), and carried out by LARIOHOTELS SOCIETA ‘BENEFIT S.P.A
This Information exclusively concerns the processing of personal data referable to users of the Sites (“Data Subjects”), and does not concern the processing of personal data carried out when visiting pages and websites accessible through links that may be present in the Sites.
The Sites are NOT intended for navigation or use by persons under the age of 18.
In addition to this Notice, the Data Controller may provide more specific information with reference to certain treatments that are carried out through some modules contained in the Sites.
THE DATA CONTROLLER
THE DATA CONTROLLER is LARIOHOTELS SOCIETA ‘BENEFIT S.P.A (Tax Code and VAT number 00787190131), with registered office in Via Cernobbio, n. 12 – 22100 Como (CO) (“the Owner”); the contact details for the Data Controller (“Contact Details”) are as follows: e-mail: firstname.lastname@example.org
TYPE OF DATA PROCESSED AND PURPOSE OF THE TREATMENT
When the user visits the Sites, the following may be processed:
The processing of such information (such as the Internet Protocol address, the domain names of the computers and devices used by users, the browser used, the Uniform Resource Identifier and other data which, providing information on the device and connection used to visit the Sites, can indirectly allow the identification of the interested party), is essential to allow the correct functioning of the Sites and is therefore necessary to allow users to use the services offered.
Failure to provide it by the interested party prevents you from browsing the Sites and using the services offered.
The technical parameters of the Sites have been configured in such a way as to minimize the collection and use of user identification data.
These personal data are processed for the purpose of providing the services offered to the interested party through the Sites:
These processing operations only concern the e-mail address, as well as the additional information communicated in the text of the message addressed to the Data Controller.
The provision of this data is optional, but necessary for the Data Controller to respond to requests sent and to offer the requested service.
(ii) to manage online bookings and personnel recruitment and selection processes, as well as to send information and promotional communications relating to the services offered by the Data Controller.
These processing operations are described in detail in the appropriate information documents that can be easily found in the various sections of the Sites, which the User must necessarily consult before being able to make a reservation, submit their application or subscribe to the newsletter service.
C) data such as the Internet Protocol (IP) address and the technical specifications of the browser used for navigation, are collected and communicated, through the use of specific social plug-ins, to Facebook for the purpose of increasing the commercial visibility of the image of the Data Controller.
Limited to the operations indicated above, the data controller is also Facebook Ireland Ltd., with registered office in 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Republic of Ireland (EU). This implies, among other things, that the responsibility for any further processing operations carried out after the transmission of such data falls exclusively on the company just mentioned, to which the interested party can contact to exercise their rights regarding them.
This processing is carried out in pursuit of the Data Controller’s legitimate interest in promoting its services and commercial image on the aforementioned social network.
Personal data will be processed purely with automated tools (e.g. management software) and residually with non-automated means (e.g. paper archives) chosen in order to ensure the security of the data, by people who operate under the authority. directed by the Data Controller and who have been duly authorized and instructed in this regard.
The personal data provided to receive newsletter communications will be communicated to Growens S.P.A, with registered office in Via Pola 9, 20124 Milano, Italy. It is appointed Data Processing Supervisor because it supplies the Mailup service used to send the communications. Your data is stored on their servers in Italy.
PERIOD OF STORAGE OF PERSONAL DATA
The personal data processed for the purposes referred to in point A) will be kept for the time necessary to allow browsing of the Sites and in any case no later than 7 days from collection, without prejudice to the possible need for further conservation for the purpose of ascertaining crimes from part of the public authorities or for the purpose of ascertaining, exercising or defending in court a right or a legitimate interest of the Data Controller.
The personal data processed for the purposes referred to in point B) (i) are kept for the time strictly necessary to achieve the purposes for which they were collected, while the retention period of the data processed for the purposes referred to in point B) (ii) varies according to the specific treatment and is indicated in each of the specific information available on the Sites.
CATEGORIES OF RECIPIENTS OF PERSONAL DATA AND TRANSFERS TO THIRD COUNTRIES
The personal data of the interested parties may be disclosed:
– to information technology (IT) service providers, such as eg. providers of hosting, storage and cloud computing services, IT mailing, maintenance of software applications and hardware equipment used for the automated processing of personal data;
– to the collaborators and employees of the Data Controller in charge of dealing with the Sites and providing feedback to the requests made;
– to public authorities, such as police forces and judicial offices, if this is required by a law or a legitimate measure.
Where the conditions established by the GDPR are met, the Data Controller will stipulate with those recipients, among those indicated above, who receive the communication of personal data so that they can process them on its behalf (“Data processors”) specific contracts, aimed at ensuring that the operations carried out take place in full compliance with the instructions given by the Data Controller and that adequate technical and organizational measures are implemented to safeguard the security of the personal data processed. If the interested party gives consent to the processing for the purpose of receiving information and promotional communications, the communication of personal data to the categories of recipients indicated above may result in their transfer to countries not belonging to the European Economic Area (“third countries”), and in particular to the United States of America, where the mailing service provider MailChimp is based. The Data Controller will only transfer your personal data to third countries deemed adequate by the European Commission as regards the level of protection offered, or after making sure that the transfer is assisted by adequate guarantees (also by signing the so-called standard contractual clauses with the recipient) , to have a copy of which you can contact the Data Controller at any time at the Contact Details.
More information on the categories of recipients of personal data processed for the purposes referred to in point B) (ii) are available in the specific information documents.
THE RIGHTS OF THE INTERESTED PARTIES
The interested party can exercise, at any time and free of charge, the rights indicated in Articles 15 and ss. of the GDPR by contacting the Data Controller at the contact details by e-mail or registered letter. In particular, the user, as an interested party and within the limits set by the GDPR and by Legislative Decree no. 196/2003, can exercise:
· The right of access, that is, the right to obtain confirmation of the existence or otherwise of a treatment concerning one’s personal data, as well as the right to receive any information relating to the same treatment and a copy of the personal data processed;
· The right to rectification, i.e. the right to obtain the rectification or integration of their personal data subject to
processing, if they are inaccurate or incomplete with respect to the purposes of the processing;
· The right to cancellation (so-called “right to be forgotten”), ie the right to obtain the cancellation of the personal data being processed, in the cases provided for by art. 17 of the GDPR;
The right to limit the processing, i.e. the right to obtain the limitation of data processing
personal, upon the occurrence of the conditions provided for by art. 18 of the GDPR;
The right to portability, i.e. the right to receive personal data concerning the interested party and which he has provided in a structured format, commonly used and readable by an automatic device, and to obtain the direct transmission of the same in favor of a different data controller, where technically feasible;
The right to object, that is the right to object, at any time for reasons connected to his particular situation, to the processing of data concerning the interested party based on the condition of lawfulness of the legitimate interest or the execution of a task of public interest o the exercise of public powers, unless there are legitimate reasons for the Data Controller to continue the processing that prevail over the interests, rights and freedoms of the interested party or for the ascertainment, exercise or defense of a right in the office judicial;
The right to lodge a complaint with a Supervisory Authority, such as the Guarantor for the Protection of Personal Data, with offices in Piazza Venezia 11 – 00187, Rome (RM), Italy (IT), E-mail: guarantor @ gpdp. it, PEC: email@example.com.
These rights can be exercised free of charge by sending a written communication to the Data Controller at the Contact Details. However, in the event of manifestly unfounded or excessive requests, also due to their repetitiveness, the Data Controller may charge a reasonable fee contribution based on the administrative costs incurred to manage the request, or deny its satisfaction.
Over time, the Data Controller may make changes to this Information, also in order to ensure its updating or improve its clarity; in this case, the Data Controller will promptly inform the users of the Sites, using the most effective and appropriate tools for this purpose.