Information pursuant to Articles 13 and 14 of EU Regulation 679/2016

This page represents the “Privacy Policy” for this site and is intended to provide information on how the personal data of users who visit the site and make use of the services it provides will be processed, in addition to providing the information required by Articles 13 and 14 of EU Regulation 679/2016.

This information has been provided exclusively for this site and no other websites consulted by the user through the links present in the pages of this website.

EU regulation 679/2016, concerning the protection of personal data (hereinafter the “Regulation”), establishes standards relating to the protection of individuals with regard to the processing of their personal data, in addition to standards regarding to the free circulation of this data and protects the fundamental rights and liberties of individuals, with particular regard to the right to the protection of their personal data.

Article 4 no. 1 of the Regulation stipulates that “Personal Data” is to be understood as any information that may concern an identified or identifiable individual (hereinafter the “Data Subject”).

“Processing” is to be understood as the operation of complex of operations, performed with or without the assistance of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, registration, organisation, structuring, preservation, adaptation or amendment, extraction, consultation, use, transmission, dissemination or any other form of disclosure, comparison or interconnection, restriction, deletion or destruction (Article 4 no. 2 of the Regulation).

Pursuant to Articles 12 and following, it also stipulates that the Data Subject must be made aware of the appropriate information relating to the Processing activities to be performed by the Data Controller and of the rights of the Data subjects.

Data controller

Hotel alla Posta - Piazza 28 Aprile, 1 - 11027 - Saint Vincent (AO)
info@hotelpostavda.it

Purposes of processing and legal basis for processing

The user’s personal data will be processed in pursuit of purposes and on the legal basis indicated below:

1. for the conclusion and correct execution of the contract in which the Data Subject is one of the Parties, or the execution of precontractual measures adopted on their request, for requested information and/or services/products, including subscriptions to newsletters; the legal basis for the processing listed is represented by Article 6 paragraph 1 letter b) of EU Regulation 679/2016;
2. to respond to requests sent by the user by mail and/or forms present on the website; the legal basis for the listed processing is represented by Article 6 paragraph 1 letter b) of EU Regulation 679/2016;
3. to send, periodically, commercial communications concerning services, products and activities offered by the Data Controller using remote technologies (mail, telephone, SMS, WhatsApp); the legal basis is represented by consent as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
4. to send, periodically, commercial communications concerning services, products and activities offered by the partners and sponsors of the Data Controller via remote technologies (mail, telephone, SMS, WhatsApp); the legal basis is represented by consent as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
5. to carry out retargeting activities and/or the use of email to exploit social media profiles (Facebook, Instagram) for personalised marketing campaigns; the legal basis for which is represented by the consent as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
6. to send commercial and promotional information concerning the sale of our products/services, of the same type as those previously purchased by the Data Subject, unless processing is refused by them, enforceable at all times; the legal basis for this type of processing is represented by the legitimate interest of the Controller as stipulated by Article 6 paragraph 1 letter f);
7. to carry out market research in order to develop and improve the range of products services and activities offered by the Controller and their partners; the legal basis for this is represented by consent, as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
8. to make navigating the site functional and possible, as well as ensuring that it has an adequate degree of availability; the legal basis for this type of processing in represented by the legitimate interests of the Controller as provided for by Article 6 paragraph 1 letter f);
9. the analysis of statistical data on aggregated or anonymous data for the purpose of monitoring that the site, traffic usability and interest is functioning correctly; the legal basis for this type of processing is represented by the legitimate interest of the Controller, as stipulated by Article 6, paragraph 1 letter f);
10. to ascertain, exercise or defend a right in court; the legal basis for this type of processing is represented by the legitimate interests of the Controller, as provided for by Article 6 paragraph 1, letter f);
11. to fulfill obligations stipulated by the law, regulations or EU legislation or court order; the legal basis for this type of processing is represented by the legitimate interests of the Controller, as stipulated by Article 6, paragraph 1, letter c);

Type of Data

The Data necessary for the pursuit of the objectives described above will be collected and processed:

• identifying data
• contact information
• data relating to the contractual relationship
• data relating to the preferences and interests of the Data Subject

Navigation Data

Computer systems and software processes responsible for the functioning of this website will acquire certain personal data in the course of their normal use, for which transmission is implied when using internet communication protocols.

This concerns information that is not collected in order for it to be associated to identified Data Subjects, but which due to their same nature could, through processing and association with data held by third parties, enables users to be identified.

Falling into this category is data such as the IP addresses or domain names of the computers used by users visiting the site, addresses in the URI (Uniform Resource Identifier) notation of the requested resources, the time requested, the method used to make the request to the server, the size of the file received in response, the numeric code indicating the status of the response given by the server falls into this category (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment.

This data is used exclusively to pull anonymous statistical information concerning the use of the site and to monitor that it is functioning correctly and is immediately deleted after processing.

The data could be used to ascertain liability in the event of hypothetical cyber crimes against the site.

Refusal to Provide Data

Apart from what is specified for the navigation data, user/visitors are free to provide their own personal data. The provision of Data is required in some cases, as any refusal to provide it could lead to a failure to conclude, or the incorrect fulfillment of the contract of which the Data Subject is a party and/or a failure to comply with legal obligations that the Controller is subject to.

The provision of Data for processing requiring consent is optional, failure to provide it will not lead to users being unable to benefit from the products/services offered by the Controller. Even in the event where consent is provided, the Data Subject will in any case be entitled to subsequently object, fully or in part, to the processing of their personal data for the above purposes, simply by making a request to the Controller at the above contact details.

Sources of Data

Data will be provided by the Data Subject or collected from third parties.

Data Processing Methods

With reference to the provisions of Article 5 of the regulation, the Personal Data subject to processing will be:

1. processed in compliance with the law, correctly and transparently in relation to the Data Subject;
2. collected and recorded for the established purposes, explicitly and legitimately, and subsequently processed in terms that are compatible with this purpose;
3. suitable, pertinent and limited to what is necessary in relation to the purposes for which it has been processed;
4. accurate and, if necessary, updated;
5. processed in a manner that ensures an adequate level of security;
6. stored in a form that enables the identification of the Data Subject for a period of time no longer than required for the purpose for which it being processed.

Processing will be carried out using both manual and/or computerised and electronic methods using organisational and processing logic strictly related to the purpose itself and in any case in such a way that guarantees the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures stipulated by the provisions in effect.

Communication of Data

Personal Data may be communicated to parties authorised for processing, as well as to external managers appointed for processing by the Controller (the full list of external managers is available from the Controller), responsible for managing the purposes described above.

With their consent, the Data may also be communicated to the Controller’s third party sponsor companies and/or commercial partners who may use it for the purposes described in no. 3) of the Article concerning “Purposes of Processing” cited above.

In the context of pursuing the purposes stated above, the Data may be communicated to other parties acting as autonomous Controllers.

Dissemination of Data

Personal data will not be subject to dissemination.

Transfer of Data to Other Countries

For the purposes stated above,Personal Data will be processed within the European Economic Area (EEA). If it were to be transferred to a Third Party country, in the absence of an adequacy decision by the European Commission, the provisions stipulated by the applicable legislation concerning the transfer of Personal Data to Third Party Countries will be complied with, such as the European Commission’s Standard Contractual Clauses.

Storage of Data

In general, Personal Data will be stored for the time strictly necessary for the pursuit of the purposes for which it was collected and subjected to processing, including the storage period required by the applicable legislation and, in any case, for maximum of 10 years from the termination of the relationship with the Controller, and for a maximum of 2 years for the purposes in which consent was required, unless there is a need for the Controller to defend their rights in court.

Rights of the Data subject

In accordance with EU Regulation 2016/679, article 15 et seq. and the applicable national legislation, the Data Subject may, under the procedures and within the limits specified by the applicable legislation, exercise the following rights:

• Art. 15 Right of access by the data subject

  Description
  The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

  Grounds
  The right to obtain a copy of one's own personal data shall not adversely affect the rights and freedoms of others.

  How to exercise the right
  The data subject may exercise the right by sending a request by email to info@hotelpostavda.it

  In order to be able to provide a positive reply to the request, the necessary identification details of the data subject must be provided.

  Before providing a response, the controller may need to identify the data subject as the right may only be exercised by the data subject or their delegate.

• Art. 16 Right to rectification

  Description
  The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

  Grounds
  Processing of inaccurate and/or incomplete data

  How to exercise the right
  The data subject may exercise the right by sending a request by email to info@hotelpostavda.it

  In order to be able to provide a positive reply to the request, the necessary identification details of the data subject must be provided.

  Before providing a response, the controller may need to identify the data subject as the right may only be exercised by the data subject or their delegate.

• A Art. 17 Right to erasure (“right to be forgotten”)

  Description
  The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.

  Where the controller has made the personal data public and is obliged, pursuant to the above paragraph, to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

  Grounds
  The right may not be exercised if one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) (where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years).

  The right to erasure does not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

  How to exercise the right
  The data subject may exercise the right by sending a request by email to info@hotelpostavda.it

  In order to be able to provide a positive reply to the request, the necessary identification details of the data subject must be provided.

  Before providing a response, the controller may need to identify the data subject as the right may only be exercised by the data subject or their delegate.

• Art. 18 Right to restriction of processing

  Description
  The data subject shall have the right to obtain from the controller restriction of processing

  Where processing has been restricted under the previous paragraph, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

  A data subject who has obtained restriction of processing pursuant to the first paragraph shall be informed by the controller before the restriction of processing is lifted.

  Grounds
  The right may not be exercised if one of the following grounds applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

  How to exercise the right
  The data subject may exercise the right by sending a request by email to info@hotelpostavda.it

  In order to be able to provide a positive reply to the request, the necessary identification details of the data subject must be provided.

  Before providing a response, the controller may need to identify the data subject as the right may only be exercised by the data subject or their delegate.

• Art. 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing

  Description
  The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

  How to exercise the right
  The data subject may exercise the right by sending a request by email to info@hotelpostavda.it

  In order to be able to provide a positive reply to the request, the necessary identification details of the data subject must be provided.

  Before providing a response, the controller may need to identify the data subject as the right may only be exercised by the data subject or their delegate.

• Art. 20 Right to data portability

  Description
  The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

  In exercising his or her right to data portability pursuant to the above paragraph, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

  The exercise of the right referred to in the first paragraph shall be without prejudice to Art. 17 - Right to erasure (“right to be forgotten”).

  Grounds

  The right may not be exercised if one of the following grounds applies:

  • the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  • the processing is carried out by automated means

  That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  The exercising of the right shall not adversely affect the rights and freedoms of others.

  How to exercise the right
  The data subject may exercise the right by sending a request by email to info@hotelpostavda.it

  In order to be able to provide a positive reply to the request, the necessary identification details of the data subject must be provided.

  Before providing a response, the controller may need to identify the data subject as the right may only be exercised by the data subject or their delegate.

• Art. 21 Right to object

  Description
  The data subject shall have the right to object at any time.

  The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

  Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

  Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes

  Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

  Grounds

  The right may not be exercised if one of the following grounds applies:

  • on grounds relating to his or her particular situation,
  • at any time to processing of personal data concerning him or her which is based on point (e) of Article 6(1) (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or point (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.), including profiling based on those provisions.

  How to exercise the right
  The data subject may exercise the right by sending a request by email to info@hotelpostavda.it

  In order to be able to provide a positive reply to the request, the necessary identification details of the data subject must be provided.

  In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

  Before providing a response, the controller may need to identify the data subject as the right may only be exercised by the data subject or their delegate.

In general, to exercise rights, the data subject may contact the Controller by writing to the address shown above. Before providing a response, the controller may need to identify the data subject, by requesting a copy of an identity document. A written response will be provided without undue delay and in any case no later than one month from receipt of the request.

Template version: 4.1

Last update: 22/05/2023