DATENSCHUTZERKLÄRUNG

Privacy

INFORMATION ON THE PROCESSING OF PERSONAL DATA

 

DATA CONTROLLER

The Data Controller is HNH Hospitality Spa, with registered offices at Via Saragat n°1, Mestre.

In order to exercise the rights recognised by the REGULATION (EU) 2016/679 (hereinafter “GDPR” or “Regulation”) or to ask for any clarification regarding the processing of personal data, you may contact the Data Controller at the following: telephone no.: (0415321630) or by email at: privacy@hnh.it.

SECURITY

The Data Controller has taken technical and organisational measures to ensure a level of security appropriate to the risk and compliance with the legislation on the processing of personal data.

 

INFORMATION ON THE TYPES OF DATA PROCESSED

 

(A) BROWSING DATA

When browsing the Site, a series of personal data is processed; these include the IP addresses or domain names of the computers used by data subjects, source and exit web pages, URI/URL addresses of the resources requested, date and time of the visit, information relating to the operating system and browser of the data subject, as well as further technical data relating to browsing.

Purpose and legal basis of processing (GDPR Art. 13 (1) (c)

The processing of such data – in automated and aggregate form – is carried out exclusively for purposes related to the management and administration of the Site, as well as for statistical purposes. The data could also be used to ascertain liability in the event of cybercrime to the detriment of the Site and/or of other unlawful acts.

The legal basis is the legitimate interest of the Controller (Art. 6 (1) (f) GDPR).

Scope of communication (GDPR Art. 13 (1) (e), (f)

Data are processed exclusively by duly authorised and trained personnel, as well as by the IT service providers involved in the management of the Site, identified as data processors.

Data are not disseminated and/or transferred outside the European Economic Area.

Data retention period (GDPR Art. 13 (2) (a)

Subject to necessity in the case of investigations following unlawful acts or malfunctions, data generally do not persist for more than 7 days.

Conferment (GDPR Art. 13 (2) (e)

Data are not provided by the data subject, but are automatically acquired by the technological systems of the Site.

 

  1. B) CONTACT REQUESTS

The sending of messages to the addresses on the Site and/or the use of contact forms entails the acquisition and processing by the Controller of the sender’s contact data, necessary to reply, as well as any personal data included in the text.

Purpose and legal basis of processing (GDPR Art. 13 (1) (c)

Contact data are requested and processed to provide a reply and/or contact the person concerned. The legal basis for the processing is the execution of pre-contractual measures taken at the request of the data subject (Art. 6 (1) (b) GDPR).

Scope of communication (GDPR Art. 13 (1) (e), (f)

Data are only processed by persons duly authorised and instructed to process same.

Data are not disseminated and/or transferred outside the European Economic Area.

Data retention period (GDPR Art. 13 (2) (a)

As a rule, data are kept for the time necessary to respond to the data subject. More generally, the data will be kept for a period identified according to criteria of strict necessity in view of the different purposes pursued and, in any case, in compliance with current legislation for the protection of personal data and in accordance with the logic of safeguarding the Data Controller’s rights (limitation periods as set out in the Civil Code).

Conferment (GDPR Art. 13 (2) (e)

Failure to provide data will result in the impossibility to receive replies to your requests.

 

  1. C) ROOM RESERVATIONS

The reservation of rooms (and any additional services) entails the processing of the data of the data subject for the management of contractual and pre-contractual obligations.

Purpose and legal basis of processing (GDPR Art. 13 (1) (c)

The purpose is the management of room bookings (and any additional services). The legal basis for processing is the performance of a contract to which the data subject is party or the performance of pre-contractual measures taken at the data subject’s request (Art. 6 (1) (a) GDPR).

Scope of communication (GDPR Art. 13 (1) (e), (f)

Data are processed exclusively by persons duly authorised and instructed to process same, and by external providers identified as Data Processors. The data required for the finalisation of payment may be communicated to intermediaries acting as autonomous data controllers. The Controller guarantees that, in the provision of the service, data will not be transferred outside the European Economic Area.

Data retention period (GDPR Art. 13 (2) (a)

Data will be kept for a period identified according to criteria of strict necessity in view of the different purposes pursued and, in any case, in compliance with current legislation for the protection of personal data and in accordance with the logic of safeguarding the Data Controller’s rights (limitation periods as set out in the Civil Code).

Conferment (GDPR Art. 13 (2) (e)

Failure to provide the mandatory data will result in the impossibility to finalise the room reservation.

 

D

Voluntary and optional subscription to the newsletter entails the processing of the data subject’s contact details for the purpose of sending periodic electronic communications concerning the Controller’s activities, services and offers.

Purpose and legal basis of processing (GDPR Art. 13 (1) (c)

The purpose is to complete the subscription to the newsletter in order to receive periodic electronic communications concerning the Controller’s activities, services and offers. The legal basis for the processing is the consent of the data subject (Art. 6 (1) (a) GDPR).

Scope of communication (GDPR Art. 13 (1) (e), (f)

Data are processed exclusively by persons duly authorised and instructed to process same, and by external providers identified as Data Processors.

The Data Controller guarantees that, in providing the service, data will not be transferred outside the European Economic Area (EEA). Should it become necessary to transfer data outside the EEA, including in connection with operations carried out by any sub-processors, this will be done in full compliance with the provisions laid down in Chapter V of the GDPR, guaranteeing an adequate level of protection for the data transferred.

Data retention period (GDPR Art. 13 (2) (a)

Data will be stored until the data subject requests its deletion.

Conferment (GDPR Art. 13 (2) (e)

Failure to provide compulsory data will result in the interested party being unable to subscribe to the newsletter.

 

DATA SUBJECT’S RIGHTS

Pursuant to Art. 15 et seq. GDPR, with regard to personal data concerning them, the Data Subject has the right to:

  • ask the Data Controller for access and to obtain a copy of the data, as well as to know the purpose, storage period and possible recipients of same;
  • obtain the rectification of inaccurate personal data and the integration of incomplete data, without undue delay;
  • obtain restrictions to processing, in the cases provided for in Art. 18 GDPR, only to storage or only to operations for which explicit consent is given, as well as to cases where it is necessary to safeguard rights in court, to protect public interests or the rights of third parties;
  • obtain deletion, without undue delay, if:
  • the data are no longer needed for the purposes indicated;
  • consent to treatment has been withdrawn;
  • the data have been unlawfully processed;
  • deletion is necessary to comply with a legal obligation and in other cases, as provided for in Article 17 GDPR;
  • oppose the processing of personal data concerning them, pursuant to Art. 21 GDPR, in particular for direct marketing purposes, with the resulting impossibility to process the data further for that purpose;
  • receive the data from the Data Controller, without hindrance and in a commonly used, machine-readable, structured format, in order to transmit them to another data controller (so-called right to portability);
  • revoke, at any time, the consent to data processing already given, without prejudice to the lawfulness of the processing carried out up to that point;

The aforementioned rights may be exercised by contacting the Data Controller at the addresses indicated.

 

RIGHT OF COMPLAINT

If a Data Subject considers that their personal data are being processed in breach of the GDPR, they have the right to lodge a complaint with the competent supervisory authority.