Privacy

I.C.M. S.N.C. di Bruno, Cristiano e Fabrizio Maggi, with registered office in Località Romealla n. 25 – 05018 Orvieto (TR), fiscal code no. and VAT no. 00090910555, owner of the Emme Palace Hotel & Spa, as Data Controller (hereinafter, “Data Controller” or “Hotel”), hereby provides you, pursuant to and for the purposes of EU Regulation No. 2016/679 (hereinafter, “GDPR”), with information regarding the processing of personal data collected while browsing the website and booking page and during the activities of booking rooms and purchasing its products and services.

In addition, the Data Controller has appointed a Data Protection Officer, a specialised professional who will ensure that your personal data is protected. You can contact the Data Protection Officer for any needs related to data protection by writing to rpd@cnaumbria.it.

1. Personal data and source of the data

As part of the activities of booking rooms and purchasing hotel products and services, the Data Controller processes personal data and contact details (e.g., name, surname, e-mail address, mobile phone number, nationality, etc.) relating to future guests, payment and credit card details, as well as any other information indicated in the “Notes” field. All this information is provided directly by the person making the booking. With reference to the “Notes” field, the Data Controller invites you not to provide particular categories of data such as data relating to your state of health (information on any motor disabilities, allergies, intolerances, etc.), religious beliefs, sexual orientation, political and philosophical opinions.

When browsing the website and booking page, the Data Controller processes navigation data such as the IP addresses or domain names of the devices used and connected to, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment.

2. Purpose, legal basis of the processing and nature of the provision of data

As part of the activities of booking rooms and purchasing hotel products and services, your data will be processed for the following purposes:

a) Allowing you to browse the website and the booking page and to use the services provided through the website, such as managing the booking and the reservation of ancillary services and products, as well as responding to any requests.

The legal basis of the processing is the performance of contractual obligations pursuant to Article 6(1)(b) of the GDPR.

The provision of personal data is necessary; therefore, the omission of the personal data requested makes it impossible to conclude and execute the room booking and the purchase of services and ancillary products.

 b) Fulfilment of regulatory obligations to which the Data Controller is subject, including but not limited to tax obligations related to the execution of the contract, other administrative/accounting obligations and obligations related to the legislation on online payments.

The legal basis of the processing is the fulfilment of regulatory obligations pursuant to Article 6(1)(c) of the GDPR.

The provision of personal data is necessary; therefore, the omission of the personal data requested makes it impossible to conclude and execute the room booking and the purchase of services and ancillary products.

 c) Defence of the Data Controller's rights in judicial and extrajudicial proceedings.

The legal basis for the processing of the data is the pursuit of the legitimate interest consisting in the protection of the interests and rights of the Hotel pursuant to Article 6(1)(f) GDPR.

The provision of personal data is necessary; therefore, the omission of the personal data requested makes it impossible to conclude and execute the room booking and the purchase of services and ancillary products. However, you may request to object at any time, by sending a motivated request to the Data Controller, to the processing of personal data carried out on the basis of legitimate interest, pursuant to and for the purposes of Article 21 GDPR; your request, in this sense, will be subject to evaluation and response by the Data Controller.

 d) Data Controller’s direct marketing purposes, using traditional and automated contact methods, consisting, for example, in sending commercial communications and advertising material, carrying out market research and surveys on the quality of the service provided and customer satisfaction.

The legal basis for the processing of the data is the consent pursuant to Article 6(1)(a) GDPR and Article 130 of Legislative Decree no. 196/2003.

The provision of personal data for this purpose is optional; therefore, failure to provide the requested personal data does not make it impossible to conclude and execute the room reservation and the purchase of additional services and products, and your right to withdraw your consent or object to such processing at any time, easily and free of charge, in the ways indicated in the “Data subject’s rights” section of this information notice and/or with those indicated in the promotional communications that will be sent to you from time to time, remains unaffected.

 e) Soft-spam activity consisting of sending to the e-mail address commercial communications relating to products or services similar to those already purchased (this also includes sending communications prior to the stay and relating to ancillary services and products).

The legal basis for the processing of the data is the pursuit of the legitimate interest consisting of sending commercial communications relating to products or services similar to those already purchased pursuant to Article 6(1)(f) GDPR.

The provision of personal data is necessary; therefore, the omission of the personal data requested makes it impossible to conclude and execute the room booking and the purchase of services and ancillary products. However, you may request to object at any time, by sending a motivated request to the Data Controller or through the specific unsubscribe feature, to the processing of personal data carried out based on legitimate interest, pursuant to and for the purposes of Article 21 GDPR.

 f) Partitioning of the Controller's database for the purpose of carrying out business intelligence activities, as well as personalisation of promotional communications sent based on information relating to the Controller's facilities and products and services used (i.e. Classification).

The legal basis for the processing of the data is the pursuit of the legitimate interest consisting of carrying out business intelligence activities and improving promotional activities pursuant to Article 6(1)(f) GDPR.

The provision of personal data is necessary; therefore, the omission of the personal data requested makes it impossible to conclude and execute the room booking and the purchase of services and ancillary products. However, you may request to object at any time, by sending a motivated request to the Data Controller, to the processing of personal data carried out based on legitimate interest, pursuant to and for the purposes of Article 21 GDPR; your request, in this sense, will be subject to evaluation and response by the Data Controller.

3. Recipients of the data

The data may be communicated for the pursuit of the aforementioned purposes to other entities such as, for example, public authorities and law enforcement agencies, law firms, accountants, etc., who will process the data as independent data controllers for their own purposes. The following subjects may also have access to the data:

• the staff of the Data Controller, who are expressly authorised to process them, in accordance with the instructions given, pursuant to Articles 29 and 32(4) of the GDPR and 2-quaterdecies of Legislative Decree no. 196/2003;
• service providers in favour of the Data Controller, appointed as Data Processors, including but not limited to booking and administrative systems providers, IT providers, e-mail marketing platform providers, etc. The updated list of Data Processors may be requested to the Data Controller.

Personal data are not disseminated.

4. Data retention periods

Personal data processed for the purposes indicated in points (a), (b) and (c) of section 2 above are kept only for the time strictly necessary to carry out the activities/purposes described above and, in particular, for the time required by the tax law (10 years) or for the period of prescription of possible legal actions.

The personal data processed for the purposes of direct marketing and soft spam indicated in points (d) and (e) of section 2 above are kept until the revocation of consent or opposition to the processing or for 24 months from the moment of the last renewal of consent and of the will not to oppose the processing.

The personal data processed for the purpose of classification indicated in point (f) of section 2 above are processed in anonymous and aggregated way.

5. Extra-EEA Data transfer

The Data Controller may transfer you personal data to the United Kingdom and/or the United States of America on the basis of the relevant Adequacy Decisions adopted by the European Commission and, in the case of the United States of America, of the recipients’ adherence to the EU-US Data Privacy Framework programme.

6. Data subject’s rights

Data subjects may assert their rights and/or request information on the processing of their data by contacting the Data Controller. The GDPR grants the right to:

1. withdraw the consent given, with the understanding that withdrawal of consent shall not affect the lawfulness of the processing based on the consent prior to the withdrawal;
2. access or obtain a copy of the personal data as well as to know the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organisations; where possible, the period for which the personal data are to be stored or, if this is not possible, the criteria used to determine that period; the existence of the data subject’s right to request from the data controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to their processing; the right to lodge a complaint with a supervisory authority; where the data are not collected from the data subject, all available information on their source; the existence of an exclusively automated decision-making process, including profiling, and, at least in such cases, meaningful information on the logic used, as well as the importance and the envisaged consequences of such processing for the data subject;
3. rectification and integration of inaccurate or outdated data;
4. erasure, whenever the data are no longer necessary in relation to the purposes pursued, or if the data subject decides to withdraw consent or objects to the processing and there are no other legal grounds for keeping the data, or if the data are processed unlawfully, or have to be erased because of a legal obligation;
5. restriction of processing if the data subject contests the accuracy of the personal data, for the period necessary for the controller to verify the accuracy of the personal data; if the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead that their use be restricted; even though the controller no longer needs them for the purposes of the processing, if the personal data are necessary for the establishment, exercise or defence of legal claims; if the data subject has objected to the processing, pending verification as to whether or not the legitimate reasons of the controller prevail over those of the data subject.

In cases of exercise of the rights referred to in points c), d), and e), the data subject has the right to know the recipients to whom the personal data have been transmitted and the right that the Controller communicates to them the rectification, erasure or restriction of the processing, unless this proves impossible or involves a disproportionate effort.

1. data portability, i.e. to receive in a structured, commonly used and machine-readable format the personal data concerning him/her, including the direct transfer of the same by the Controller to other Controllers, where the processing is carried out by automated means and is based on consent or contract;
2. object to the processing where the processing is based on the legitimate interest of the Controller, as already specified in point 2 above;
3. lodge a complaint to the competent Supervisory Authority (for Italy, the Garante per la protezione dei dati personali, https://www.garanteprivacy.it).

7. Contact details

You may contact the Data Controller and exercise your right listed in the previous Paragraph by sending an email to privacy@emmepalace.com.