Ex art. 13 General Data Protection Regulation EU 2016/679
A. Who are we and why are we giving you this document?
Hotel Shandranj S.r.l. considers very important the protection of its customers and potential customers personal data by ensuring that such personal data are processed, whether automatically or manually, in full compliance with the rights and safeguards provided by the General Data Protection Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation”) and in all such other laws and regulations as may apply to the protection of personal data.
For the purposes of this Notice “personal data” is defined as in Article 4 (1) of the Regulation, “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (hereinafter “Personal Data”).
The Regulation requires that before Personal Data may be subjected to “processing” - meaning, as defined in Article 4 (2) of the Regulation, “any operation or set of operations performed on personal data or sets of personal data whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (hereinafter the “Processing”) – the person to whom those Personal Data belong must be informed of the purposes for which those data are requested and how they are going to be used.
The purpose of this Notice is accordingly to provide you, straightforwardly and intuitively, with all the information you may need before contributing your Personal Data and those of the Minor for whom you have parental responsibility so that you can make that contribution with proper understanding and in a duly informed manner and can request and obtain clarifications and/or corrections at any time.
This Notice (hereinafter the “Notice”) has accordingly been drawn up on the basis of the Principle of Transparency and of everything required by Article 13 of the Regulation; it is arranged in separate parts (“Sections”) each of which deals with one particular topic that it may be more quickly read and more readily understood.
If necessary, this Notice shall enclose a form for the granting of the consent as provided by article 7 of the Regulation, structured in accordance with the further use we would do of your Personal Data
B. Who will process your Personal Data?
The company which will be processing your Personal Data for the purposes provided by Section C of this Notice (and which will accordingly be the Data Controller as defined in Article 4(7) of the Regulation, “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and the means of the processing of personal data”) is as follows:
Hotel Shandranj S.r.l., with its registered office in Tesero, Località Stava n. 36, tax code 01830900120, VAT code IVA 02289910214
(hereinafter the “Data Controller”)
C. For which main purpose will be processed your Personal Data?
The Data Controller needs to process your Personal Data as required in the registration form in order to (i) answer to your request concerning the services offered by “Hotel Shandranj” and in case complete the booking process of the services required; (ii) handle the booking and perform the services required, (iii) comply with the law obligation related to the services provided, (iv) allow the sending of newsletters. The Personal Data will be processed by Data Controller for the following purposes: to allow you to benefit of the services included in your booking, to receive newsletters, to send information queries and to benefit of all the services provided by the Data Controller. The Processing will be legally based on the contractual and pre-contractual relationship that will occur between you and Data Controller.
To allow the Data Controller Processing for the above mentioned scope it will be necessary to disclose the Personal Data marked by the symbol*. The lack of even one of the marked Personal Data shall not allow to proceed with the Processing of your Personal Data and consequently you shall not receive the services required. The lack of the non-marked Personal Data shall not have any consequences and you will benefit of the services required.
The Personal Data that will be collected for the purpose above shall be the one indicated in the form: first name, last name, home address, date and place of birth, e-mail address and telephone numbers.
The Data Controller, on the basis of his legitimate interest, wish to pursue other direct marketing purposes, therefore the Data Controller wish to make promotional and marketing activities towards you. These activities include the promotion of services performed by the Data Controller on the basis of his legitimate interest to pursue its company scope.
With reference to direct marketing activities as per point (i), according to article 6,1, point f) of the Regulation, the Data Controller shall make such activities on the basis of his legitimate interest, without your express consent and until your opposition to carrying out such Processing activities as better defined in the Preamble 47 of the Regulation in which “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. It will be possible to carry out such activities further to the evaluation carried out by the Data Controller on the prevalence of his own legitimate interest with respect to your interest, rights and fundamental freedom provided by the applicable legislation.
You may be contacted in a different ways for direct, indirect marketing and profiling, as per points (i), (ii) and (iii); such ways will concern automatic tool (e-mailing, sms, mms, fax, calls without operator) or traditional tool (calls with operator or mailing). Anyway, as better regulated in the following Section F, you can withdraw your consent, even in a partial way.
Only for the call activities, we wish to inform you that the Joint Controllers will process your Personal Data further a prior check at the Opposition Register as regulated by the Presidential Decree September 7th, 2010, no. 178 and hereinafter modifications.
D. To whom may your Personal Data be disclosed?
Your Personal Data may be disclosed to specific persons regarded as their “Recipients”; Article 4(9) of the Regulation defines such a “recipient” as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not”
That being so, in order that all the Processing activities needed for the purposes mentioned in this Notice can be carried out correctly, the Recipients who may come to process your Personal Data are as follows:
- third parties which perform part of the Processing and/or activities connected with or instrumental to the Processing on behalf of the Data Controller. Each of such persons has been designated a “Data Processor”, meaning “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller” (Article 4(8) of the Regulation);
- individuals employed by or contracted to the Data Controller and assigned one or more particular activities involved in Processing your Personal Data. These individuals (“Authorized Persons”) have been given specific instructions concerning the safety, security and proper use of Personal Data, and each is, in the definition of Article 4(10) of the Regulation, “a person who, under the direct authority of the Data Controller or Data Processor, is authorised to process the Personal Data”.
- When required by law or to prevent an offence being committed your Personal Data may be disclosed to public authorities or to the courts without such public authorities or courts being regarded as Recipients: under Article 4(9) of the Regulation, “public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients”.
E. For how long will your Personal Data be processed?
One of the principles that apply to the Processing of your Personal Data restricts the period of storage. This is governed by Article 5(1)(e) of the Regulation, which reads “Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the Data Subject.”
In the light of this principle your Personal Data will be processed by the Data Controller for no longer than is needed for the purposes set out in Section D of this Notice. Specifically, your Personal Data will be processed for the shortest time necessary, as indicated in paragraph 39 of the Preamble to the Regulation; that is, until the end of the contractual relationship between you and the Data Controller – though a further period of storage may be required by some statutory or regulatory provision, as provided for in paragraph 65 of the Preamble to the Regulation.
F. Which are your rights?
Article 21 of the Regulation entitles you to access your Personal Data, and to ask for them to be rectified or updated if they are wrong or incomplete and erased if they have been collected in breach of a law or regulation, and to object on specific legitimate grounds to their Processing.
In detail, all the rights you can exercise at any time by demanding action on the Data Controller’s part are set out below:
- Right of access: you will be entitled, under Article 15(1) of the Regulation, to obtain from the Data Controller confirmation as to whether or not your Personal Data are being processed, and, where that is the case, access to the Personal Data and the following information: (a) the purposes of the Processing; (b) the categories of Personal Data concerned; (c) the Recipients or categories of Recipient to whom the Personal Data have been or will be disclosed, in particular Recipients in third countries or international organizations; (d) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the Data Controller rectification or erasure of Personal Data or restriction of the Processing of your Personal Data, or to object to such Processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the Personal Data are not collected from the Data Subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1, 4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
All this information can be found in the Privacy section of the website www.shandranj.com
- Right of rectification: under Article 16 of the Regulation you have the right to obtain from the Data Controller without undue delay the rectification of inaccurate Personal Data concerning you. Taking into account the purposes of the Processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
- Right to erasure: under Article 17(1) of the Regulation you have the right to obtain from the Data Controller the erasure of your Personal Data without undue delay and the Data Controller shall have the obligation to erase your Personal Data Personal Data without undue delay where one of the following grounds applies: (a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) you have withdrawn the consent on which the Processing of your Personal Data is based, and there is no other legal ground for their Processing; (c) you have objected to the Processing pursuant to Article 21(1 or 2) of the Regulation and there are no longer any overriding legitimate grounds for the Processing of your Personal Data; (d) your Personal Data have been unlawfully processed; (e) your Personal Data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject.
- In certain cases, as provided for in Article 17(3) of the Regulation, the Data Controller is allowed not to erase your Personal Data if their Processing is necessary, for instance, for exercising the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest; for archiving, scientific or historical research purposes in the public interest; or for the establishment, exercise or defence of legal claims.
- Right to restriction of processing: you will be entitled, under Article 18 of the Regulation, to restriction of Processing where one of the following applies: a) you have contested the accuracy of your Personal Data (the restriction will be for a period enabling the Data Controller to verify the accuracy of the Personal Data); b) the Processing is unlawful but you oppose the erasure of your Personal Data and request that their use be restricted instead; c) although the Data Controller no longer needs them for the purposes of the Processing, your Personal Data are required for the establishment, exercise or defence of legal claims; d) you have objected to the Processing under Article 21(1) of the Regulation pending verification whether the legitimate grounds of the Data Controller override your own.
- If the Processing is restricted your Personal Data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important reasons of public interest. We shall in any case notify you before the restriction is lifted.
- Right to data portability: under Article 20(1) of the Regulation you will be entitled at any time to ask for and receive all your Personal Data processed by the Data Controller in a structured, commonly used and machine-readable format or to ask for it to be transmitted to another Data Controller without hindrance. In such cases you will need to provide us with full and accurate details of the new Data Controller to which you would like your Personal Data transferred, and to give us your authorization in writing.
- Right to object: under Article 21(2) of the Regulation and also as stated in paragraph 70 of the Preamble, you will be entitled to object at any time to the Processing of your Personal Data if they are processed for purposes of direct marketing; this includes profiling to the extent that it is related to such direct marketing.
- Right to lodge a complaint with the competent supervisory authority: without prejudice to your right to take action in any other court or administrative body, if you feel that the Data Controller has processed your Personal Data in breach of the Regulation and/or any applicable law or regulation you will be entitled to lodge a complaint with the competent Personal Data Protection Regulator.
To exercise any of the above rights you need only contact the Data Controller in one of the following ways:
- by writing to: Hotel Shandranj S.r.l., in Tesero (TN), Località Stava n. 36;
- by e-mailing to firstname.lastname@example.org;
- by calling +39 0462 814737
G. Where will your Personal Data be processed?
Your Personal Data will be processed by the Data Controller within the European Union.
We hereby give you notice that whenever technical and/or operational considerations make it necessary to have recourse to persons outside the European Union, those persons will be appointed Data Processors as defined in Article 28 of the Regulation and with the effects provided for in that Article; the transfer of your Personal Data to those persons, which will be limited to the performance of specific processing activities, will be governed in accordance with the provisions of Chapter V of the Regulation. All necessary precautions will accordingly be taken to guarantee the fullest protection of your Personal Data, since the transfer in question will be based on: (a) decisions of the European Commission as to the adequacy of the recipient non-EU country in question; (b) appropriate safeguards provided by the third-party recipient in accordance with Article 46 of the Regulation; (c) binding corporate rules. You can in every case get further details from the Data Controller whenever your Personal Data have been processed outside the European Union, by asking for an explicit account of the specific safeguards in place.
Version: May 2018