Information Notice on the Processing of Personal Data
What does this information notice cover?
This information notice is provided pursuant to Article 13 of Regulation (EU) 2016/679 ("GDPR") and applies to personal data collected by Albergo San Felice S.r.l., with registered office in Capri (NA), Via Li Campi, No. 13 - in its capacity as data controller (hereinafter, the "Controller", "we" or "our", as the case may be) - relating to you (hereinafter, the "Client").
What categories of personal data do we collect?
We may collect the following categories of personal data:
(1) identification data such as first name, surname, date and place of birth, address(es), information on identity document and tax code;
(2) contact data such as e-mail address(es), telephone number(s), mail address(es);
(3) information relating to reservations made and/or accommodation agreements entered into;
(4) payment and billing information such as payment methods used, bank account number, IBAN code, e-mail address for billing purposes;
(5) any other information provided voluntarily by the Client.
The provision of personal data is necessary for the pursuit of the purposes listed below; if personal data is not provided, it will be impossible for us to pursue these purposes.
How do we collect the Client's personal data?
Most of the data we collect are provided to us by the Client at the time of booking and throughout the duration of the stay. We do not use any form of exclusively automated decision-making in connection with the processing of the Client's personal data.
For what purposes and on what legal basis do we process the Client's personal data?
The Client's personal data will be processed for the following purposes:
(1) to enter into and perform the accommodation agreement to which the Client is a party, and to carry out the activities necessary to fulfil the obligations arising from the agreement or to take pre-contractual steps at the Client's request;
(2) to fulfil legal obligations to which we are subject;
(3) to ascertain, exercise, or defend a right in judicial or administrative proceedings or in the context of arbitration or conciliation proceedings;
(4) to carry out activities preparatory to or in any case connected with the execution of extraordinary transactions such as transfers, acquisitions, mergers, and demergers.
The processing of the Client's personal data for the purpose under (1) does not require the Client's consent as it is necessary for the fulfilment of contractual or pre-contractual obligations inherent in the contractual relationship, pursuant to Article 6(1)(b) of the GDPR. The processing of the Client's personal data for the purpose under (2) does not require the Client's consent as it is necessary to fulfil legal or regulatory obligations to which we are subject, pursuant to Article 6(1)(c) of the GDPR. The processing of the Client's personal data for the purposes under (3) and (4), does not require the Client's consent as it is necessary for the pursuit of our legitimate interests underlying the same purposes, pursuant to Article 6(1)(f) of the GDPR.
How do we process the Client's personal data?
We adopt security measures to protect the Client's personal data against the risks of destruction, loss, or alteration (accidental or unlawful) of the Client's personal data as well as unauthorised disclosure or access to them.
How long do we keep the Client's personal data?
As a rule, most of the Client's personal data will be retained for the entire duration of the stay and for 10 years following its conclusion. Certain personal data may be retained for a shorter period if the specific purpose for which they were collected has been fulfilled or no longer applies.
To whom are the Client's personal data communicated?
The Client's personal data may be made accessible, brought to the attention of, or communicated to the following parties, who will act as persons authorised to the processing, processors, or autonomous controllers:
(1) our employees or collaborators in any capacity;
(2) public or private entities, natural or legal persons, who carry out processing activities on our behalf or to whom we are obliged to communicate the Client's personal data, by virtue of legal or contractual obligations (e.g. lawyers, accountants, banks, service providers, judicial and police authorities, etc.);
(3) potential purchasers, in case we intend to transfer the ownership or control of all or part of our company.
You may request from us at any time, by contacting us at the mail and e-mail addresses indicated below, a list containing the names and contact details of the persons belonging to the above-mentioned categories of recipients.
As a general rule, we will not transfer the Client's personal data outside the European Economic Area (EEA). In the event that some of the entities mentioned above are based outside the EEA, we will transfer the Client's personal data – in the absence of any adequacy decisions and since none of the exceptions set out in Article 49 of the GDPR apply – on the basis of the standard contractual clauses approved by the European Commission by Implementing Decision (EU) 914/2021.
The Client’s rights under data protection legislation
Pursuant to Articles 15 to 21 of the GDPR, the Client has the right to:
(1) be informed about the purposes and methods of the processing of its personal data;
(2) access its personal data;
(3) rectify incomplete, inaccurate, or outdated personal data;
(4) obtain the deletion of its personal data;
(5) obtain, in the cases provided for by law, the restriction of the processing of its personal data;
(6) object, in the cases provided for by law, in whole or in part, to the processing of its personal data;
(7) obtain, if technically feasible, the portability of its personal data.
The Client may exercise the above rights and request any information on the processing of personal data by contacting us at the following e-mail: info@hotelsanfelice.com.
Furthermore, the Client has the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it), ), in case it believes that its rights under the GDPR have been violated.