Policy pursuant to Art. 13 of EU Regulation 2016/679 for Operators/Agencies
Pursuant to Art. 13 of the EU Regulation 679/2016 (hereinafter referred to as GDPR - GeneralData Protection Regulation) and the legislation on the protection of personal data, the company Starhotels S.p.A. (hereinafter referred to as "Starhotels"), informs you of the processing of your personal data, which will be carried out in compliance with the principles of lawfulness, correctness, transparency, purpose, minimisation, accuracy and limitation of retention.
Pursuant to Art. 4(7) of GDPR 2016/679, the Data Controller is the Company Starhotels S.p.A., with administrative offices in Florence - 50144, Viale Belfiore No. 27. Tel. 055 36921 - fax 055 36924. email: firstname.lastname@example.org
Data Protection Officer
Pursuant to Art. 37 of GDPR 2016/679, STARHOTELS S.p.a. has appointed a company Data Protection Officer (DPO), who can be contacted at the following email address: email@example.com. Certified email (PEC): firstname.lastname@example.org
Where necessary for the performance of its institutional activities, Starhotels will identify and formally appoint Data Processors, i.e., in accordance with the provisions of Art. 4(8) of the GDPR, "natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller". Data subjects may, at any time, request the updated list of Data Processors from the Data Controller.
Purpose and legal basis of processing
Personal data will be processed by Starhotels for the following purposes:
- establishment, management and execution of the contractual relationship or for the execution of pre-contractual measures between the Operator/Agency and the Data Controller;
- fulfilment of regulatory obligations based on national or European Union law, including administrative and tax obligations;
- protection of an interest or a right in out-of-court and judicial proceedings.
The legal bases of the processing, for the individual purposes mentioned, are therefore to be found in Art. 6(1)(b), (c) and (f) of the Regulation.
Categories of data processed and nature of provision
For the pursuit of the described purposes, the following categories of personal data may be processed:
- so-called "common" data (e.g. name, surname, email, telephone).
The Data Controller's staff will not require and, for the purposes described, it is not necessary to process special categories of personal data as referred to in Art. 9(1) of the Regulation.
The provision of data is optional, but failure to provide it, either in whole or in part, may make it impossible for Starhotels to finalise the relationship and/or pursue the stated purposes.
Any personal data of third parties (e.g. customers of the Operator/Agency) will be acquired by Starhotels as an autonomous Data Controller with the fulfilment of all the obligations and duties provided for by current legislation.
Data processing methods
Personal data will be processed by computer, electronic and analogue means with the application of appropriate security measures to guarantee the protection and confidentiality of personal data.
Data retention times
Your personal data will be processed and retained for the time strictly necessary for the pursuit of the above-mentioned purposes. In particular, for administration, accounting, contracts, quotation management, invoicing and management of any litigation, the retention period will be 10 years.
Recipients and dissemination of personal data
The data collected will be processed exclusively for the above-mentioned purposes.
Furthermore, your data may be communicated, always in compliance with appropriate security measures, to public authorities and private parties for the fulfilment of specific legal obligations, including those of a fiscal, administrative and financial nature. Personal data will not be disseminated.
Place of data processing and areas of transfer
The data are processed at the headquarters of the Data Controller and at the Data Processors specified in the list held by the Data Controller.
Personal data will be processed within the Italian territory or in any event within the European Union and will not be subject to transfer to non-EU countries or International Organisations.
If, during the course of the relationship, a transfer should become necessary, the data controller guarantees compliance with the provisions of Chapter V of the GDPR.
Rights of the data subject
The Data Controller guarantees the exercise of the rights set out in articles 15 et seq. of the GDPR, in particular:
1. Right of access;
2. Right of rectification;
3. Right to erasure (so-called right to be forgotten);
4. Right of restriction of processing;
5. Right of portability;
6. Right of opposition.
In the event that the personal data relates to deceased persons, the aforementioned rights may be exercised, in accordance with the provisions of Art. 2-terdecies of Legislative Decree 101/2018, by those who have an interest of their own, or are acting to protect the data subject, in their capacity as their representative, or for family reasons worthy of protection.
Requests regarding the exercise of rights should be addressed to the Data Controller at: email@example.com.
Automated processing and profiling
The data controller does not carry out automated processing, including profiling.
Right to complain and protection of the data subject
Finally, we would like to remind you that if you feel that your privacy rights have been violated, you have the right to lodge a complaint with the Italian Data Protection Authority, with headquarters at Piazza Venezia 11, 00187 - Rome, Tel. (+39) 06 696771, email: firstname.lastname@example.org, Certified email (PEC): email@example.com.