Privacy & GDPR Regulation
According to Article 13 of (EU) Regulation n. 679/2016 (“GDPR”)
Warmthotel s.r.l., title holder of the hotel called “WarmtHotel” with its offices in Rome, Via Prezzolini no. 5, protects the privacy of personal data of its clients and guarantees to them the necessary protection for any event in which there is a risk of violation.
The present report is the result of Article 13 of GDPR “General Data Protection Regulation” 679/2016, regarding regulations in matters of processing personal data and describing the methods of management of the warmthotel.it website, property of Warmthotel s.r.l., regarding how the personal data of users and those who consult the website is processed. Such information pertains solely to the WarmtHotel website, and excludes any other websites that the user may consult via external links. By consulting said website, any relevant data of identified and/or identifiable persons may be processed.
1. Processing Title Holder
The processing Title Holder is Warmthotel s.r.l., in the person of its legal representative headquartered in Rome, Italy, Via Giuseppe Prezzolini no. 5.
2. Responsible Party for Data Protection
The Responsible Party for data protection (RPD-DPO) is Mr. Andrea Chin, who may be contacted at the following email address: email@example.com
3. Who we are and which data we process (Art. 13, 1st Clause Letter A, Art. 15, Letter B GDPR)
Warmthotel s.r.l. operates as a Processing Title Holder and gathers and/or receives the information that regards the Interested Party, such as:
Name, Surname, Address, Nationality, Province and City of Residence, Home Phone and/or Mobile Phone Number, Fax Number, Tax or Fiscal Code, Email Address(es)
Bank Details IBAN and Bank/Postal Account Details (with the exception of the credit card number) Internet Traffic Details
Log, IP Address and Origin
Blue Globe Hotel s.r.l. does not request the Interested Party to provide “specific” details according to those established in GDPR (Article 9), such as personal details that may reveal racial or ethnic origin, political opinions, religious or philosophical convictions, or union membership, as well as genetic data, biological data intended to uniquely identify a physical person, details relating to the health, sex life, or sexual orientation of an individual. Should the service requested of Warmthotel s.r.l. dictate the processing of such details, the Interested Party will be granted the relative consent found in this report
4. For which purposes do we need the Interested Party’s data (Article 13, 1st Clause GDPR) - Definition of Consent
Data is required by the Title Holder in order to proceed with the registration request and the contract for supplying a pre-selected service and/or purchased product, manage and conduct contact requests submitted by the Interested Party, provide assistance, and adhere to the legal and regulatory obligations by which the Title Holder is bound within the confines of said conducted activity.
In no case may Warmthotel s.r.l. sell personal data pertaining to the Interested or Third Parties, nor may said data be used for purposes different to those contained within the present document.
In particular, the Interested Party’s data will be processed for:
a) Registration and questions about contact and/or with informational material; the processing of the Interested Party’s personal data for preliminary and successive activity for necessary registration, management of requests for information and for contact and/or sending of informational material, for surveys pertaining to hotel service (completion is optional), as well as for the fulfillment of all other obligations.
The Legal Basis for said processing is the fulfilment of services pertinent to the request for registration, information and contact and/or the sending of informational material while respecting legal obligations.
b) the contractual relationship’s management
The processing of the Interested Party’s personal data is for preliminary and successive activity concerning the acquisition of a Service and/or of a Product, the processing of complaints and/or the highlighting for service of assistance and the supply of the same, the prevention of fraud as well as the fulfilment of all other obligations inherent in the contract. The Legal Basis for said processing is to fulfilment services pertinent to the contractual relationship and respecting legal obligations.
c) the promotional activity for Services/Products equivalent to those bought by the Interested Party (Considering 47 GDPR).
The processing Title Holder may use the contact details provided by the Interested Party for direct sale of the same Services/Products, and also the promotional sale of to similar Services/Products, unless the Interested Party explicitly opposes it via email at: firstname.lastname@example.org
d) the commercial promotional activity for Services/Products different from those purchased by the Interested Party.
The personal details of the Interested Party may be processed for promotional commercial purposes, for surveys and market research regarding the Services/Products that the Title Holder offers, only if the Interested Party has authorized said processing and has not previously withdrawn consent or emailed: email@example.com
Such processing may come about, automatedly, as follows:
- phone contact;
and may occur:
- in the event the Interested Party has not revoked their consent for data use; - in the event said activity occurs via contact with a telephone operator and the Interested Party does not appear on the opposition register of D.P.R. no. 178/2010. The Legal Basis for said processing is the initial consent granted by the Interested Party for such activity. Said consent may be freely revoked by the Interested Party at any time via email: firstname.lastname@example.org
e) Information Security
The Title Holder, in line with the dictates of Consideration 49 of GDPR, as well as their service providers (Third Parties and/or Beneficiaries), will treats the personal data of the Interested Party pertaining to the trade, in strictly necessary and proportional measures to guarantee the security of the networks and information, such as the capacity of a network or an informational system to resist, at a given level of security, unforeseen events or illegal or harmful acts that may compromise the availability, authenticity, integrity and the privacy of saved and transmitted personal details.
The Title Holder will immediately inform the Interested Parties should there be a risk of violation of their saved data and subsequent obligations, as per GDPR Article 33 regarding the notification of personal data violation.
The Legal Basis for said processing is respecting legal obligations and the legitimate interest of the Title Holder to conduct said processing regarding the purpose of safeguarding agency holdings, as well as the security of the offices and systems of Warmthotel s.r.l. f) Profiling
The personal data of the Interested Party may also be processed exclusively for profiling reasons (such as the analysis of transmitted data and of preselected Services/Products, sending promotional messages and/or commercial offers in line with the choices made by the same) if the Interested Party has provided explicit and informed consent. The Legal Basis for said processing is the initial consent from the Interested Party for the selfsame processing, which may be freely revoked by the Interested Party at anytime via email to: email@example.com
g) The Prevention of Fraud (Consideration 47 and Article 22 GDPR) The personal details of the Interested Party, excluding those particulars (Article 9 GDPR) or legal details (Article 10 GDPR), will be processed to allow checks in order to monitor and prevent fraudulent payments by software systems making automatic and preliminary controls of Service/Product transactions.
Surpassing these controls with negative results will entail the impossibility to complete said transaction; the Interested Party will be able at every opportunity to express their opinion, obtain an explanation, or even to contest this decision by explaining their reasons via email to: firstname.lastname@example.org
The personal data collected only for anti fraud reasons, in distinction to necessary data for the correct execution of the requested service, will immediately be cancelled as per the terms of control stages.
h) The protection of minors
The Services/Products offered by the Title Holder are classified as legal subjects, as per the basis of the national normatives of referral to conclude contractual obligations. The Title Holder, in order to prevent the illegitimate access to said Services, carries out preventative measures to safeguard his legitimate interests, such as control of the fiscal code and/or other verifications if required for specific Services/Products, as well as the interests and integrity of the details of identity documents provided to the competent authorities.
Communication to Third Parties and categories of recipients (Art. 13, 1st Clause GDPR) The communication of the private data of the Interested Party is made primarily to Third Parties and/or recipients whose activity is needed to fulfil activities pertinent to the established relationship, and to respond to determined legal obligations such as: Company employees;
Accountable administrative fulfilments connected to the contractual service; Third Party providers;
The supplying of services (assistance, maintenance, the supplying of additional services, network providers and electronic communication services) connected to the requested service;
Credit and Digital payment institutes, Bank/Postal institutes;
Management of earnings, payments, and/or refunds connected to the contractual service; External professionals and consulting agencies;
Fulfilment of legal obligations, exercising rights, safeguarding said contractual rights; Financial administration, public authorities, judicial authorities, surveillance and security agencies;
Fulfilment of legal obligations, protection of rights; lists and registers kept by public authorities or similar bodies as per specified regulation relating to the contractual service; Formally delegated subjects or those of recognized legal title; Legal representatives, administrators, guardians, etc.
The Title Holder obliges the Third Party providers and those accountable for processing this material to respect the selfsame security measures adopted regarding the Interested Party, narrowing the accountable parameter of action to processing solely that connected to said requested service.
The Title Holder does not transfer personal data to countries who are not GDPR compliant (i.e. countries outside the EU jurisdiction), except in specific adverse conditions of which we will inform you and, if necessary, your consent will be sought.
The Legal Basis for said processing is the fulfilment of the inherent services of the established relationship, the respect of legal obligations and legal interests of Warmthotel s.r.l. to carry out the processing necessary to such an objective.
What happens if the Interested Party does not provide their identification details which are necessary for the execution of said requested service? (Art. 13, 2nd Clause, Letter E GDPR) The collection and the treatment of personal data is necessary to follow up the requested services as well as to supplying said service. Should the Interested Party not provide the personal data expressly established as necessary within the order or registration module, the Title Holder will not be able to fulfil said requested Service and/or pertaining to the contract and the Services/Products connected therein, nor to the fulfilments that thereon depend.
What happens if the Interested Party does not provide consent to process their personal data for promotional commercial activity for Services/Products different than those purchased? In the case the Interested Party does not present their consent to process their private data for said purpose, said processing will not take place for the selfsame purpose, unless it may affect the supply of the present request or those for whom consent has already been granted if previously requested. Should the Interested Party grant their consent and then need to revoke it at a later date or fight the service for commercial promotional activity, their data will not be processed for that activity, which may incur detrimental effects or consequences for the Interested Party and for said requested services.
How we process the Interested Party’s data (Art. 32 GDPR) The Title Holder has the use of adequate security measures in order to preserve privacy, integrity, and the availability of the Interested Party’s personal data, and dictates to their party providers and to responsible parties, the selfsame security measures.
Where do we process the Interested Party’s data The Interested Party’s personal data is conserved in paper and via informatic and telematic archives located in GDPR-compliant countries (EU countries).
How long will the Interested Party’s data be saved? (Art. 13, 2nd Clause, Letter A GDPR) Unless the Interested Party’s wish for their removal has been otherwise expressly stated, said personal data will be saved while necessary in respect to the legal objectives for which they had been collected. They will be saved for the entire duration of the registration, no longer than a period of maximum 24 (twenty-four) months of their inactivity, at the end of which period they will no longer be associated with Services and/or purchases of Products via this same registration.
In the case the data provided to the Title Holder for the objective of commercial promotion of different services than those already purchased by the Interested party, for which consent had initially been given, these will be saved for 12 months, unless the consent granted be revoked at: email@example.com
Should said data have been provided to the Title Holder for profiling purposes, it will be saved for 12 months, unless the previously granted consent is revoked. It must also be added that, in the case a customer sends personal data to Blue Globe Hotel s.r.l. that had not been requested or that was not necessary for the fulfillment of the requested service or for supplying a service strictly connected to it, Warmthotel s.r.l. will not be considered the processor of said data, and will see to its cancellation in the shortest time possible. Regardless of the Interested Party’s determination for their removal, their personal data will in every case be saved according to the terms granted by the applicable normatives and/or by national regulations, for the sole purpose of guaranteeing specific compliances, and of a few services (for example but not limited to, Wi-Fi service). Personal data will be saved for the fulfilment of obligations (i.e. fiscal and accounting) that permit that even after the end of the contract (Art. 2220 cc), the Title Holder will save only the data necessary to its relative conclusion.
They are preserved as legal representation of the rights included in the contract and/or registration; in which case the Interested Party’s personal data, exclusively for this objective, will be processed in the time necessary for said completion.
What are the Interested Party’s rights (Art. 15 – 20 GDPR) The Interested Party has the right to the following treatment from the Title Holder: a) The assurance of processing personal data and in obtaining access to said personal data and the following information:
the purpose of this processing;
the categories of personal data in question;
the recipients or the categories of recipients to whom this personal data have been or will be communicated, specifically if the recipients are of a third country or international organizations;
if available, the time personal data is expected to be conserved, or if that is not possible, the criteria used to determine said period;
the Interested Party’s inherent right to ask the processing Title Holder to correct or cancel personal data, or limit said processing personal data concerning them or their treatment; the right to submit a complaint to a supervising Authority;
if the personal data was not collected from the Interested Party, all the information available on its origin;
the existence of an automated decision process, included in the profiling, and, at least in these cases, significant information on the reasoning used, as well as the importance and the foreseen consequences for the Interested Party of said processing;
adequate guarantees provided by a third country (extra EU) or an international organization to protect any data transferred;
b) the right to obtain a copy of personal data being processed, as long as said right does not damage the rights and the liberties of others; should the Interested Party request further copies, the Title Holder may charge a reasonable fee based on the administrative costs for such an activity;
c) the right to obtain a correction from the Title Holder of inexact pertinent personal data without unjust delay;
d) the right to obtain from the Title Holder a cancellation of pertinent personal data without unjust delay, if the reasons are present as specified in Article 17 of the GDPR, amongst which for example, if they are no longer needed for the objective of said processing, or if this is accepted as illegal, and that the legal conditions are always present; and if the processing is not justified by an ulterior legitimate motive;
e) the right to obtain from the Title Holder the extent of said processing, as per the legal case of Article 18 of the GDPR, for example wherein there is no exact context, for the necessary period the Title Holder may verify this with accuracy. The Interested Party must be informative, in a timely matter, even of when the period of suspension has been completed or the reason for limiting the processing has come about and the processing itself has been revoked;
f) the right to obtain communication from the Title Holder about recipients who have received requests of eventual corrections or cancellations or limitations of the undertaken processing, except for that which are impossible or entail a disproportionate effort;
g) the right to receive a structured format of the relevant personal data, of common and legible format on an automatic device, and the right to transmit said data to another Title Holder without obstacles from the Title Holder who has provided them, as per Article 20 of the GDPR, and the right to obtain the direct transmission of personal data from one Title Holder to another, if technically feasible.
For any further information and, indeed, to send your request you must write to the Responsible Party at the email address: firstname.lastname@example.org.
In order to guarantee the aforementioned rights exercised by the Interested Party and not by unauthorized Third Parties, the Responsible Party may request the aforementioned to provide ulterior information necessary to this aim.
How and when the Interested Party may oppose the processing of their personal data (Art. 21 GDPR)
For reasons relating to the particular situation of the Interested Party, the aforementioned may at any time oppose the processing of their personal data if based on legitimate concerns or if for future promotional commercial activity, by sending a request to the Responsible party via email to: email@example.com
The Interested Party has the right to cancel their personal data if there is no legitimate motive provided by the Title Holder in consideration to the originally stated request, and should the Interested Party not be opposed to the processing of data for promotional commercial activity.
With whom may the Interested Party file a complaint? (Art. 15 GDPR) Having exhausted all other actions with the administrative and judicial branches, the Interested Party may present a complaint to the controlling authority responsible for the Italian territory (Autorità Garante, or Warranting Authority, for the protection of personal data) who may undertake the task and exercise their powers to the member state where the GDPR violation has occurred.
All updates to the present Report will be communicated in a timely manner and by means of appropriate channels, and will also be communicated if the Title Holder implements the processing of the Interested Party’s data for reasons other than those detailed within the present Report, before proceeding to follow the Interested Party’s pertinent consent, if necessary.