POLICY CONCERNING THE PROCESSING OF CUSTOMER PERSONAL DATA
ACCORDING TO REGULATION (EU) 2016/679 (“GDPR”)Controller
Business name: MINIHOTEL s.r.l.
Address: Via Tiziano 6, 20145 Milano
Telephone number: 02 7214791
e-mail address: email@example.com
Common Name of the Controller: MINIHOTEL s.r.l.
Types of Data, Purpose of the Processing
The collection and the processing will be performed on the following types of data:
For the following purposes:
a. Establishment and execution of the contractual relationship
b. To fulfill obligations required by law or regulations
c. If necessary, to ascertain, exercise or defence, the rights of data owner either in court or out-of-court
d. To comply with our “Public Safety Law” (Article 109 Royal Decree n. 773, 18/6/1931) which requires that we provide identification data of our guests to the police, for purposes of public safety, in the manner established by the Ministry of the Interior (Decree of 7 January 2013)
e. Marketing: eg. sms and e-mails, telephone calls with operators and traditional mail for promotional and commercial offers relating to services/products offered by the Company or reporting of company events, as well as the creation of market studies and statistical analysis f. Profiling: analysis of preferences, habits, behaviours or interests of the customer to send personalized commercial communications
Legal basis for the processing
The legal bases applicable for the treatment identified by the GDPR are:
Data retention or criteria used to determine this period
The data retention period is:
After the expiry of the storage terms, the data will be destroyed, erased, or made anonymous, compatibly with the state of the art.
Conferment of data
The conferment of data for the purposes set out in letters a), b), c) and d) above are mandatory. In case of non-conferment of this mandatory personal data will not be possible to proceed with the contractual relationship
Third recipients of personal data
The data may be transmitted to subjects other than the Data Controller (e.g. authorities and control and supervisory bodies, public or private subjects who have the right to request data).
The data may also be transmitted to subjects who process them on behalf of the Company as Data Processors on the basis of a legally binding agreement which ensure the protection of the personal data.
Categories of subject, e.g.:
a. IT providers (e.g. back-up data services, e-mail, WEB / cloud computing, hosting, network monitoring, e-mail sending, maintenance of the website, etc.)
b. consultants (e.g. payroll, attending doctor, workplace safety, professionals, etc.)
c. authorities and supervisory and control bodies, public or private entities that have the right to request data
d. other Entities of the Business Group.
The up-to-date list of those responsible for data processing in outsourcing is available at the Data Controller’s headquarter
Subjects authorised to process personal data
The data may be processed by workers in relation to their duties, expressly authorized and duly instructed to process the data.
Transfer of personal data to third countries (Extra-EU/EEA)
Personal data will not be transferred outside the European Union except on the request of the customer sending the invoice abroad. In this occasion all the legal, technical and organizational measures foreseen by the GPDR will be taken.
Data subject's rights - right to lodge a complaint with the competent supervisory authority
The interested parties have the following rights:
a. right of access:
b. correction of inaccurate data and integration taking into account the purposes of the processing,
c. cancellation in the following cases: a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) the interested party revokes the consent if there is no other legal basis for the treatment; c) the interested party opposes the processing in the absence of prevailing contrary rights or obligations; d) personal data have been processed unlawfully; e) there is a legal obligation to do so by the Data Controller e) personal data have been collected in relation to the offer of internet services
d. limitation on processing for disputing the accuracy of the data, for unlawful processing because excessive, for the assessment, exercise or defence of a right in court (even if the holder no longer needs the data), in case of opposition (pending verification of the existence of this right in practice)
e. opposition (in case of processing necessary for the performance of a task carried out in the public interest or for legitimate interest of the data owner, including profiling) for reasons related to the particular situation of the interested party, Without prejudice to other public interest rights or under other legal or regulatory requirements
f. opposition to the receipt of commercial communications with automated methods (e-mail, etc.) for treatment with direct marketing purposes, including profiling
g. data portability in interoperable and commonly used electronic format, also directly to another operator if technically possible, in case of treatment with automated tools
h. in the cases referred to in letters b), c) and d), the data controller shall inform each of the recipients to whom the personal data have been transmitted of any corrections or cancellations or limitations on the processing performed unless this proves impossible or involves a disproportionate effort.
To exercise proper rights, may contact: Operations Manager, firstname.lastname@example.org - Via Tiziano 6, 20145 Milano
Interested parties have the right to lodge a complaint with the competent Supervisory Authority in the Member State in which they reside habitually or work or of the State in which the alleged violation has occurred.