Policy pursuant to Art. 13 of EU Regulation 2016/679 for check in
Protecting the privacy of our guests is of paramount importance to us and we safeguard it in accordance with our obligations under current legislation. Pursuant to Art. 13 of EU Regulation 2016/679 (hereinafter referred to as GDPR - General Data Protection Regulation), the company STARHOTELS S.p.a., as Data Controller, provides you with the following information on how your personal data are processed:
Pursuant to Art. 4(7) of GDPR 2016/679, the Data Controller is the company STARHOTELS S.p.a. with registered office at Via F. Turati, 29 - 20121 Milan.
THE DATA PROTECTION OFFICER (DPO)
Pursuant to Art. 37 of GDPR 2016/679, STARHOTELS S.p.a. has appointed a company Data Protection Officer (DPO), who can be contacted at the following email address: firstname.lastname@example.org. Certified email (PEC): email@example.com
PURPOSE, LEGAL BASIS OF PROCESSING AND NATURE OF PROVISION
Your personal data and those of any accompanying persons provided during the check-in procedure (we refer to the data in your identity document) will be processed:
a) to comply with the obligations set out in the Decree of 16 September 2021, which amended the Ministerial Decree of 7 January 2013 of the Ministry of the Interior requiring us to electronically register and communicate the personal details of staying guests to the public safety authority;
b) to fulfil current administrative, accounting and tax obligations, as well as laws and regulations;
c) to fulfil their obligations under the tourist tax regime;
d) for routine customer management and the provision of requested hotel services;
e) to send promotional and commercial emails and customer satisfaction questionnaires.
For the processing referred to in a), b) and c) above, consent is not required and the provision of data is obligatory. The legal basis is covered by Art. 6(1)(c) of the GDPR, i.e. the processing is necessary for compliance with a legal obligation to which the data controller is subject.
For the processing referred to in d), consent is not required and the provision of the data is necessary to provide the services requested. The legal basis is covered by Art. 6(1)(b) of the GDPR, i.e. the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request.
Concerning your personal data that fall under the definition of special categories of personal data as defined by Art. 9 of the GDPR that you voluntarily communicate to us as instrumental to the provision of services (e.g: requests for accessible rooms, food allergies,), we inform you that they will be processed by authorised personnel with the utmost confidentiality and will not be disclosed to unauthorised third parties.
The explicit consent of the data subject is required for the processing referred to under e ). The legal basis is provided by Art. 6(1)(a) of the GDPR, i.e. the data subject has consented to the processing of their personal data for the specific purpose. Falling within the legal bases of the processing is the exercise of soft spam contemplated by Art. 130(4) of Legislative Decree 196/2003 (revised by Legislative Decree 101/2018) when the data subject, not having provided an explicit refusal to receive emails of a commercial nature has provided their email address to book then stay in a hotel.
There is a video surveillance system at the hotel and the processing of personal data (images) has as its legal basis the pursuit of the legitimate interests of the holder pursuant to Art. 6(1)(f) of EU Regulation 2016/679 namely the purposes of Security of persons and protection of property.
RECIPIENTS OF PERSONAL DATA - COMMUNICATION AREAS
Your personal data will be processed by the hotel's internal staff in charge of data processing and trained in personal data security and the right to privacy, and may be disclosed to:
a) public bodies or offices in accordance with legal and/or contractual obligations;
b) the competent public security authorities for compulsory registration of customers, according to the Ministry of the Interior's Decree of 16 September 2021;
c) the parent company Starhotels Finanziaria S.r.l., which is responsible for processing the group's corporate activities (reservations, marketing, etc.);
d) the relevant municipality in the event of failure to pay the tourist tax;
e) third parties in general, including those outside the European Union, if they require hotel staff to communicate with the customer by telephone or text message with the customer's explicit consent;
f) debt collection companies and banking institutions for the management of collections and payments arising from the execution of the stay;
g) travel agencies and intermediary companies through which the booking was made;
h) third-party suppliers (rental companies, etc.) to fulfil the provision of the services you have requested;
i) any consultants and external companies specifically appointed to perform tax and fiscal consulting services on our behalf;
j) an IT company for management and technical support on the hotel's IT system;
k) third parties that provide services to measure customer satisfaction or send newsletters.
An updated list of external data processors can be requested from the DPO of Starhotels S.p.a.
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
Your personal data are not transferred to third countries or international organisations.
RETENTION OF PERSONAL DATA
The data will be processed for the duration of the contractual relationship established and also thereafter for the fulfilment of all legal obligations. Your personal details data (tax code, first name, last name, address, any company data for which you work) will be retained for tax and administrative purposes for a period of 10 years.
The data used for commercial purposes to register for the Data Controller's newsletter will be retained until the right of erasure is exercised by taking a simple step in the email received.
Personal data on video surveillance will be retained for a maximum period of 5 days.
The data controller does not carry out processing based on automated decision-making, nor does it carry out automated processing for profiling purposes, activities that produce legal effects and that may significantly affect your person.
RIGHTS OF THE DATA SUBJECT
The data subject has the right to request from the data controller access to personal data concerning them, rectification or erasure of those data, restriction of processing, portability of data, has the right to object to processing, has the right to object to profiling and to lodge a complaint with a supervisory authority.
The data subject has the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal.
For the complete and exhaustive list of rights that can be exercised by the data subject, please refer to Art. 15 et seq. of GDPR 2016/679.