Privacy Policy EN

Disclosure on the processing of personal data – GDPR 1.0

www.castelsantangeloluxuryrooms.com, as  “Controller”“Privacy Code”“GDPR” that your data will be processed on the site {host} with the following methods and purposes:

1. Subject of the data processing

The subject-matter of the processing is the personal, identifying and non-sensitive data (by way of example, but not limited to: name, surname, company name, address, telephone, e-mail – hereinafter referred to as  “personal data”“data”) that the Data Controller processes as it is communicated by you when registering for the {host} website, when taking part in opinion and approval surveys, filling in forms on the Website, subscribing to events organised by the Data Controller, online support or generic requests and requests to subscribe to mailing lists for the sending of newsletters.

2. Purpose of data processing

Your personal data will be processed in the following ways:

  1. A) Without your express consent (Article 24, letters (a), (b), and (c) of the Privacy Code and Article 6, letters (b) and (e) of the GDPR) for the following service purposes:
  • to manage and maintain the Website or ensure its proper functioning;
  • to allow the use of the Services that you may have requested;
  • to participate through the Site in initiatives organised by the Owner (such as events, etc.);
  • to process a request for a quote or general contact;
  • to fulfil obligations imposed by law, regulation, Community law or an order from the Authorities;
  • to fulfil the obligations connected with the management of the association and relations with its members;
  • to carry out activities related to the statutory purpose of the {azienda};
  • to prevent or detect fraudulent activities or any abuse that is detrimental to the Website;
  • to exercise the rights of the Controller, such as the right to exercise a right in court.
  1. B) Only with your specific and distinct consent (articles 23 and 130 of the Privacy Code and article 7 of the GDPR), for the following Other Purposes:
  • to send e-mails for opinion polls and opinion polls, newsletters and/or invitations to events or to subscribe to events of which you are part or which the Controller organises, promotional or commercial newsletters.

3. Processing methods

The processing of personal data is carried out by means of the operations indicated in art. 4 Privacy Code and art. 4 no. 2) GDPR and specifically: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data is processed both in hard copy and electronically and/or automatically through the use of a website hosted on the Cloud or server managed by the company ENGINE LAB srls in Italy or another country, European or otherwise. The Data Controller will process the personal data for the time necessary to fulfill the aforementioned purposes and in any case for no more than 10 years from the termination of the relationship for service purposes and no later than 2 years from the collection of data for the marketing purposes.

4. Security

The Data Controller has taken various security measures to protect your data against the risk of loss, misuse or alteration. In particular: adopted the measures referred to in articles 32-34 of the Privacy Code and art. 32 GDPR and secure data transmission protocols known as HTTPS;

5. Access to the data

Your data may be made accessible for the purposes referred to in art. 2.A) and 2.B):

  • to employees and collaborators of the Data Controller, in their role as appointed persons and/or internal data processors and/or system administrators;
  • to third party companies or other parties (for example: ENGINE LAB Srl, OVH Srl, Aruba Spa, NetSons Spa, Cycom China Ltd and other website providers, Google Llc, Hotjar Ltd, other cloud providers, e-payment service providers, suppliers, hardware and software assistance technicians, forwarding agents and carriers, credit institutions, professional offices, etc.) that perform outsourcing activities on behalf of the Data Controller, in their role as data processors.
  • Third party suppliers of newsletter sending systems and other customer satisfaction services (for example: The Rocket Science Group Llc, Engine Lab Srl, Mailup Spa, Qualitando Srl

6. Data communication

Your data will not be disclosed without your consent.

Without your express consent (ex art. 24 letters. a), b), and d) of the Privacy Code and art. 6 letters. b) and c) of the GDPR), the Data Controller can instead communicate your data for the purposes referred to in art. 2.A) to Supervisory Bodies, Judicial Authorities as well as to all other subjects to whom the communication is obligatory by law for the fulfilment of the aforesaid purposes.

The site may track navigation data for Keyword Advertising activities with re-marketing functions without the same data identifying the person concerned in any way.

7. Data transfer

The management and storage of personal data will take place in Europe, using servers located in Italy (or another country) belonging to the Data Controller and/or third party companies appointed and duly named as Data Processors.

8. Nature of data provision and consequences of refusal to respond

The provision of data for the purposes referred to in Article 2.A) is mandatory. Without them, we will not be able to guarantee you registration to the Site or the Services of art. 2.A).

The provision of data for the purposes referred to in Article 2.B) is, instead, optional. You can therefore decide not to provide any data or to subsequently deny the possibility of processing data already provided: in this case, you will not receive invitations to events, newsletters, opinion polls and promotions via e-mail. In any case you will continue to be entitled to the Services referred to in art. 2.A).

9. Rights of the concerned party

As a data subject, you have the rights pursuant to Art. 7 Privacy Code and art. 15 GDPR and more specifically:

  • i. To obtain confirmation of the existence or non-existence of your personal data, even if it has not yet been registered, and communication of the same in an intelligible form;
  • ii. To be informed: (a) of the source of the personal data; (b) of the purposes and methods of the processing; (c) of the logic applied to the processing, if carried out with the help of electronic means; (d) of the identification of the data controller, data processors, and the representative designated in accordance with Article 5, paragraph 2 of the Privacy Code and Article 3, paragraph 1 of the GDPR; (e) of the entities or categories of entities to which your personal information may be disclosed and which could gain knowledge of it in their roles as designated representatives within the country, as data processors, or as staff members involved in data processing;
  • iii. to obtain: a) the updating, rectification or, when relevant, integration of data; b) the cancellation, transformation into anonymous form or blocking of unlawfully-processed data, including those that do not need to be kept for the purposes for which the data were collected or subsequently processed; c) certification that the operations as per letters a) and b) were made known, including their contents, to those to whom the data were communicated or disclosed, except where this is impossible or involves a commitment of resources clearly disproportionate to the protected right;
  • iv. to oppose, in whole or in part: a) for legitimate reasons, the processing of personal data concerning you, even if pertinent to the purpose of collection; b) the processing of personal data concerning you for the purpose of sending advertising materials or direct selling or for carrying out market research or commercial communication, through the use of automated calling systems without the intervention of an operator by e-mail and/or by traditional marketing methods by telephone and/or mail. It should be noted that the right of opposition of the person concerned, as set out in point b) above, for purposes of direct marketing through automated means extends to traditional ones and that in any case the possibility remains for the person concerned to exercise the right of opposition even if only in part. Therefore, the data subject may choose to receive only communications by traditional means or only automated communications or neither.

Where applicable, you also have the rights referred to in articles 16-21 of the GDPR (Right to rectification, right to erasure, right to restrict processing, right to data portability, right to objection), as well as the right to lodge a complaint with a Supervisory Authority.

10. Methods for Exercising Rights

You can exercise your rights at any time by sending:

  • a registered letter to the Company – Via del Banco di Santo Spirito 48
  • an e-mail to www.castelsantangeloluxuryrooms.com

11. Minors

This Website and the Data Controller’s Services are NOT intended for children under the age of 18 and the Data Controller does NOT knowingly collect personal information about minors. In the event that information on minors is involuntarily recorded, the Data Controller shall promptly delete it, at the request of users.

12. Data Controller, data processor and those responsible for processing

The Data Controller is www.castelsantangeloluxuryrooms.com with registered office in Via del Banco di Santo Spirito 48 .

External data processors are, respectively, Google Llc, who can also process your data autonomously in their capacity as autonomous data controllers for the purposes of their own information.

The updated list of those responsible for and in charge of the data processing is kept at the Data Controller’s head office.

13. Changes to this Disclosure Statement

This Disclosure may be subject to change. We therefore recommend that you regularly check this Statement and refer to the latest version.