Pursuant to Regulation (EU) 679/2016 on the protection of personal data (hereinafter also referred to as “GDPR”), with this information Terme Apollo S.p.a. wishes to describe the methods used to process the personal data (hereinafter also referred to as “Data”) of users of the website accessible through the address www.termeapollo.it, the home page of the official website of Hotel Terme Apollo (hereinafter also referred to as the “Site”). This information is provided solely for the Site of the Data Controller and not for other websites that may be consulted by the user through links.
1. Data Controller
The Data Controller (hereinafter also referred to as the “Controller”) is Terme Apollo S.p.a., VAT No. 00682880281, with registered office in Via San Pio X, 4 - 35036 Montegrotto Terme (PD), Italy. The contact details of the Controller are: tel. +39 049 8911677; fax +39 049 8910287; email address: firstname.lastname@example.org.
2. Categories of personal data
During normal operation, the IT systems and software procedures used to run this Site collect personal data and transmission of such data is an inherent feature of Internet communication protocols.
This information is not collected to be associated to identified individuals but it could, by its very nature, allow users to be identified after being processed and matched with data held by third parties. This category of data includes IP addresses or the domain names of computers used by individual users who connect to the Site, the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used to address the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response provided by the server (successful outcome, error, etc.) and other parameters relating to the user’s operating system and IT environment. These data are used solely for the purpose of gathering anonymous statistical information about the way the Site is used and in order to check that it is functioning correctly. The data in question are deleted immediately after processing.
Data provided voluntarily by users
The optional, explicit and voluntary sending of emails to the addresses indicated on this site and/or the compilation of a data collection form for the purpose of making reservations or obtaining specific services and/or information, involves the subsequent acquisition of the sender’s email address by the Data Controller, which is needed to respond to and process the requests forwarded, as well as any other personal data entered by the user.
3. Purpose and legal basis of the processing
Without prejudice to the information given regarding navigation data and cookies, user Data are collected and processed for the purposes indicated below.
A) Execution of pre-contractual measures at the request of the data subject and subsequent performance of the contract. The Data provided by the user are processed for purposes strictly associated with the provision of the services offered by Terme Apollo S.p.a., to respond to requests for reservations at our hotel and to send estimates, as well as informative material.
The execution of pre-contractual measures at the request of the data subject and the subsequent execution of the contract (article 6, paragraph 1, letter b) of the GDPR) constitutes the legal basis for the processing of the Data. It is therefore not necessary to obtain your prior consent to the processing.
B) Regulatory compliance
User data are processed to meet obligations required by law and/or national or EU regulations that the Controller is obliged to observe when providing the services requested (e.g. in tax and accounting matters for invoicing, book-keeping and accounting records, management of the single IT archive etc. etc.).
The need to fulfil a legal obligation (article 6, paragraph 1, letter c) of the GDPR) constitutes the legal basis of the processing.
C) Direct marketing
Subject to the user’s specific consent, the Data may be processed for marketing purposes, such as sending advertising material, commercial and/or promotional information, direct sales, market research on the products and services offered by Terme Apollo S.p.a. (hereinafter defined collectively as “Marketing activities”).
Consent (article 6, paragraph 1, letter a) of the GDPR) constitutes the legal basis of the processing.
4. Nature of data provision and consequences of refusal
Without prejudice to the information given regarding navigation data and cookies, the provision of Data is necessary for the purposes indicated in letters A) and B). Failure to provide the data, therefore, will make it impossible to fulfil the user’s pre-contractual/contractual request and to execute the contract, as well as to proceed with the provision of any services requested.
Consent to the processing of data for the purposes indicated above in letter C) is optional. Failure to consent to processing for the purposes indicated in letter C) means it is impossible to inform users of promotional and commercial activities and offers and/or verify their degree of satisfaction. Failure to consent to processing for the purposes indicated in letter C) will not prevent the execution of pre-contractual measures and the subsequent conclusion and execution of the contract, nor the use of any services requested. Even after giving consent for marketing purposes, you can request, at any time, that the processing be interrupted by sending an email without formalities to the following address: email@example.com.
5. Processing methods
Personal data are processed with electronic, computerized, telematic and/or paper means, with logic strictly related to the purposes indicated above, in full compliance with current legislation, as well as the principles of lawfulness, transparency, necessity, proportionality and non-excess, and in such a way as to guarantee the privacy of users.
Specific security measures are put into place to prevent the loss of the Data, their unlawful and incorrect use and unauthorised access.
6. Retention period
Data will be kept in order to execute the contract and related regulatory obligations, in compliance with the principle of proportionality and non-excess and, in any case, for a period of time not exceeding that strictly necessary to achieve the aims for which they were collected. Your Data, therefore, will be kept for a maximum period of 36 months from the execution of the contract.
With regard to marketing activities, your Data will be stored by the Data Controller for a maximum period of 24 months from collection. You may request that processing may interrupted for marketing activities and in this case your Data can no longer be processed for these purposes>
7. Data recipients
The personal data communicated by users may also be processed by third parties on behalf of Terme Apollo S.p.a., duly appointed as Data Processors pursuant to and for the purposes of article 28 of the GDPR, belonging, by way of example, to the following categories:
a) service providers for the management of the IT system (web hosting);
b) persons who fulfil administrative and/or tax obligations;
c) persons who provide legal and/or tax consultancy services;
d) persons who the Data Controller uses for the purposes of the execution of the contract and the provision of services;
e) advertising and marketing companies for the promotion of the hotel and the services offered.
A complete and updated list of Data Processors is available upon request.
Furthermore, Data may be communicated to the judicial authority and/or to the police, or to persons to whom there is an obligation of communication pursuant to the law and/or national or community regulations>
8. Data dissemination
Personal data are not subject to disclosure.
9. Data transfer abroad
The Website may share some of the Data collected with services located outside the European Union area. In particular with Google, Facebook and Microsoft (LinkedIn) through social plug-ins and the Google Analytics service.
Transfer is authorised according to specific decisions of the European Union and the Data Protection Authority, in particular decision 1250/2016 (Privacy Shield) for which, for the purpose of transferring data collected and processed, no consent is requiong>
10. Data subject rights
We would like to inform you that the GDPR grants users, in their capacity as data subjects, the right to exercise specific rights.
In particular, at any time, data subjects may:
a) request and obtain access to their personal data, confirmation of the existence or otherwise of the same and their communication in an intelligible form;
b) obtain an indication of the origin of the personal data and verify their accuracy, request their integration and/or updating, or rectification, if they are inaccurate;
c) request and obtain the cancellation of personal data if they are no longer necessary for the purposes for which they were collected and processed, their transformation into anonymous form or the blocking of data processed in violation of the law;
d) request and obtain the limitation of the processing if the personal data are inaccurate, are no longer necessary for the purposes for which they were collected and processed or in the event of their unlawful processing;
e) oppose, on legitimate grounds, the processing of their data;
f) receive the data concerning them, given to the Data Controller and processed by automated means, and transmit them to another data controller, without hindrance by the Data controller, as well as, if technically feasible, obtain direct transmission of data from the Data Controller which they provided to another data controller.
All these rights can be exercised by writing to the email address of the Data Controller indicated above.
The Controller will process the user’s request and, without undue delay, provide the latter with information regarding the action taken regarding his/her request.
Any correction or deletion of data or processing limitations carried out upon the user’s request, unless this proves impossible or involves a disproportionate effort, will be communicated by the Data Controller to each of the subjects to whom the Data were transmitted.
Lastly, pursuant to article 13, paragraph 2, letter d) of the GDPR, data subjects may exercise their rights by submitting a complaint to the Data Protection Authority with headquarters in Piazza di Montecitorio, 12100186 – Rome, Italy.