POLICY CONCERNING THE PROCESSING OF CUSTOMER PERSONAL DATA
ACCORDING TO REGULATION (EU) 2016/679 (“GDPR”)
VIA TIZIANO 6, 20145, MILANO
Phone: 02 72 14 791
DATA PROTECTION OFFICER (D.P.O.)
SQ PIU’ S.R.L.
VIA MUZIO ATTENDOLO 5, 20141, MILANO
Phone: 02 53 90 723
TYPES OF DATA, PURPOSE OF THE PROCESSING
The collection and the processing will be performed on the following types of data:
_ identification data: name, surname, tax code, etc.
_ contact details: telephone number, e-mail address, address, etc.
_ bank details: IBAN, credit card number, etc.
_ special categories of personal data (formerly “sensitive data”): personal data revealing racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or biometric data for the purpose of uniquely identifying a natural person or data concerning a natural person’s sex life or sexual orientation
For the following purposes:
a_ Establishment and execution of the contractual relationship
b_ To fulfill obligations required by law or regulations
c_ If necessary, to ascertain, exercise or defend the data controller’s rights, either in court or out of court (ADR).
d_ To comply with the “Public Safety Law” (Article 109 Royal Decree n. 773, 18/6/1931) which requires that we provide identification data of our guests to the police, for purposes of public safety, in the manner established by the Ministry of Public Security (Decree of 7 January 2013)
e_ Marketing: e.g. SMS and e-mails, telephone calls with operators and traditional mail for promotional and commercial offers relating to services/products offered by the Company or reporting of company events, as well as the creation of market studies and statistical analysis
f_ Profiling: analysis of preferences, habits, behaviours or interests of the customer to send personalized commercial communications
g_ To make the stay at our facilities more comfortable for the data subject.
LEGAL BASIS FOR THE PROCESSING
The legal bases applicable for the processing identified by the GDPR are:
- Performance of a contract to which the data subject is party
- Need to comply with a legal obligation to which the controller is subject
- Legitimate interest of the data controller in improving the organisation and management of the business
- The data subject’s consent, which is optional and revocable at any time
DATA RETENTION OR CRITERIA USED TO DETERMINE THIS PERIOD
The data retention period is:
- 10 years after the termination of the contract
- In the event of litigation, for the duration of the dispute and for the terms of appeal
- For marketing purposes: 24 months from their registration
- For profiling purposes: 12 months from their registration
After the expiry of the storage terms, the data will be destroyed, erased, or made anonymous, compatibly with the state of the art.
The provision of data for the purposes set out in letters a), b), c) and d) is mandatory. If the data subject does not provide personal data, it will not be possible to proceed with the contractual relationship.
THIRD-PARTY RECIPIENTS OF PERSONAL DATA
The data can be transmitted to subjects other than the Data Controller, even independent Data Controllers (e.g. authorities and control and supervisory bodies, public or private subjects who have the right to request data, like partners or providers).
The data may also be transmitted to subjects who process them on behalf of the Company as Data Processors on the basis of a legally binding agreement which ensures the protection of the personal data.
Categories of subject, e.g.:
a_ IT providers (e.g. back-up data services, e-mail, WEB / cloud computing, hosting, network monitoring, e-mail sending, maintenance of the website, etc.)
b_ consultants (e.g. payroll, attending doctor, workplace safety, professionals, etc.)
c_ authorities and supervisory and control bodies, public or private entities that have the right to request data
d_ other Entities of the Business Group.
AUTHORISED SUBJECTS TO PROCESS PERSONAL DATA
The data may be processed by workers in relation to their duties, expressly authorized and duly instructed to process the data.
PERSONAL DATA TRANSFER TO EXTRA-EU/EEA COUNTRIES
Personal data are processed on servers located within the European Union.
In any case, it is understood that the Data Controller, if necessary, will have the right to transfer such data abroad to countries outside Europe.
In this case, the Data Controller ensures that the extra-EU data will be transferred in compliance with the applicable legal provisions.
Specifically, the data will be transferred abroad to countries outside Europe, only if the data protection level of the Third Country has been deemed adequate by the European Commission pursuant to art. 45 of the GDPR or after the adoption of adequate guarantees pursuant to art. 46, 2, lett. c) and d) GDPR (binding company clauses, standard contractual clauses, code of conduct, certification mechanism).
In the absence of an adequacy decision, the transfer of data can be carried out in the presence of one of the exceptions provided for by art. 49 of the GDPR (e.g. consent, transfer necessary for contractual or pre-contractual purposes in relation to a contract stipulated with the interested party or in his favor, verification, exercise or defense of a right in court, etc.).
DATA SUBJECT'S RIGHTS - RIGHT TO LODGE A COMPLAINT WITH THE COMPETENT SUPERVISORY AUTHORITY
Data subjects have the following rights:
a_ right of access:
a) to know whether data are being processed, for which purposes and on which data; the recipients or categories of recipients to whom the personal data have been or will be communicated; where possible, the storage period of the personal data or, if that is not possible, the criteria used to determine this period; the data subject's rights; information about the origin of the data; whether automated decision-making is in progress, including profiling (at least in such cases, with significant information on the logic used and on the importance and consequences of this process); and what the adequate guarantees are if the data are transferred to a Third Country
b) to obtain a copy of the personal data being processed without affecting the rights and freedoms of others
b_ correction of inaccurate data and integration taking into account the purposes of the processing,
c_ cancellation in the following cases:
a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
b) the interested party revokes the consent if there is no other legal basis for the processing;
c) the interested party opposes the processing in the absence of prevailing contrary rights or obligations;
d) personal data have been processed unlawfully;
e) there is a legal obligation to do so by the Data Controller;
f) personal data have been collected in relation to the offer of internet services
d_ limitation on processing for disputing the accuracy of the data, for unlawful processing because excessive, for the assessment, exercise or defence of a right in court (even if the holder no longer needs the data), in case of opposition (pending verification of the existence of this right in practice)
e_ opposition (in case of processing necessary for the performance of a task carried out in the public interest or for legitimate interest of the data owner, including profiling) for reasons related to the particular situation of the interested party, without prejudice to other public interest rights or under other legal or regulatory requirements
f_ opposition to the receipt of commercial communications with automated methods (e-mail, etc.) for processing with direct marketing purposes, including profiling
g_ data portability in interoperable and commonly used electronic format, also directly to another operator if technically possible, in case of processing with automated tools
h_ in the cases referred to in letters b), c) and d), the data controller shall inform each of the recipients to whom the personal data have been transmitted of any corrections or cancellations or limitations on the processing performed unless this proves impossible or involves a disproportionate effort.
To exercise their rights, data subjects may contact the Data Controller or the DPO through the contacts listed above.
Data subjects have the right to lodge a complaint with the competent Supervisory Authority in the Member State in which they habitually reside or work, or of the State in which the alleged violation has occurred.
SOURCE OF PERSONAL DATA
Personal data not collected from the Data Subject come from other Data Controllers, companies of the Group, or others authorized by the Data Subject to provide their data to Minihotel.