This page outlines the security policies applied in relation to the processing of personal data collected and processed on the website https://www.starhotels.com by the companies of the Starhotels Group (hereinafter "Group").
DATA CONTROLLER AND DATA PROCESSORS
- Pursuant to Art. 4(7) of GDPR 2016/679, Data Controllers are the companies of the Starhotels Group, namely:
  - Starhotels Finanziaria S.r.l. with registered office at Via F. Turati, 29 - 20121 Milan.
  - Starhotels S.p.a. with administrative offices at Viale Belfiore No. 27 - 50144 Florence, Tel. 055 36921 - fax 055 36924. email: firstname.lastname@example.org
- Pursuant to Art. 28 of GDPR 2016/679, the companies of the Group have formally designated the external parties involved in the processing as Data Processors or Sub-Processors of personal data and, in particular:
  - the company TravelClick Inc. (https://www.travelclick.com), for the management of booking activities;
  - the company Relactions S.r.l. with registered office at Via Taranto No. 21 - 00182 Rome, also identified as System Administrator, for the management of the website;
  - the company Hoox Hoox Srl with registered office at via Morandi 21, Saronno (VA), for fast check-in activities;
  - the company SK Chase with registered office at 31 Palmerston Place - Edinburgh, for the purchase of gift vouchers from the website;
  - the company Altamira S.r.l. with registered office at via G. Marradi No. 1, 20123 Milan, for the management of the "Careers/Work with us" section.
The full list of Data Processors and Sub-Processors can be obtained from the Data Controllers or the Data Protection Officer at the contact details above.
THE DATA PROTECTION OFFICER (DPO)
- Pursuant to Art. 37 of GDPR 2016/679 and, in particular, in accordance with the provisions of the same article in paragraph 2, the Starhotels Group has appointed a Data Protection Officer (DPO), who can be contacted at the following email address: email@example.com. Certified email (PEC): firstname.lastname@example.org
PLACE OF DATA PROCESSING
The processing operations connected with the web services of this website take place at the premises of the data controller and of the data processors or sub-processors and are carried out only by technical personnel of the service appointed and expressly authorised for such processing.
TYPES OF DATA PROCESSED
The IT systems and software procedures used to operate this website acquire, in the course of their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the website and to check its correct functioning and is deleted immediately after processing. The data could be used to ascertain liability in the event of hypothetical computer crimes against the website: except for this scenario, at present, web contact data do not persist for more than thirty days.
Data provided voluntarily by the user
The optional, explicit and voluntary sending of emails to the addresses indicated on this site entails the subsequent acquisition of the sender's address, which is necessary to reply to requests, as well as any other personal data included in the message.
The voluntary filling in of data acquisition forms to request specific services or to subscribe to offers or to purchase services, entails the subsequent processing of the personal data provided in order to ensure the performance of a contract to which the data subject is a party or the execution of pre-contractual measures taken at their request.
In any event, unless expressly requested and necessary, personal data in the special categories as identified in Art. 9(1) of the GDPR, such as, for example, data relating to health, etc., must not be sent and communicated.
The services on this website are not intended for minors. We do not knowingly collect data, including Personal Data, relating to or referring to minors.
If we become aware that we have collected Personal Data about a minor, we will delete it immediately, unless we are legally obliged to retain it or such processing is required by a court order. Please contact us if you believe that the Group has mistakenly or unintentionally collected information about a minor.
Personal data are processed mainly by computer for the time necessary to achieve the purposes for which they were collected. Specific security measures are observed to prevent loss of data, illegal or incorrect use and unauthorised access as well as unwanted changes.
PURPOSE, LEGAL BASIS AND NATURE OF PROVISION
The Personal Data you provide through the Website will be processed by the Data Controllers, respectively, for the following purposes:
a) to request offers, purchase gift vouchers, make a reservation and make payment by credit card. The legal basis for the processing is Art. 6(1)(b) of GDPR 2016/679, i.e. the processing is necessary for the performance of pre-contractual measures to which the data subject is party. Consent not necessary;
b) to register for the free I AM STAR loyalty programme in accordance with the terms and conditions on the website. The legal basis is Art. 6(1)(a) of GDPR 2016/679, which requires the explicit consent of the data subject;
c) to register for the newsletter and to receive periodic promotional and commercial communications from Group companies by email. The legal basis is Art. 6(1)(a) of GDPR 2016/679, which requires the explicit consent of the data subject;
d) to assess possible job applications by acquiring CVs in the job opportunities section. The legal basis for the processing is Art. 6(1)(b) of GDPR 2016/679, i.e. the processing is necessary for the performance of pre-contractual measures to which the data subject is party. Consent not necessary;
e) purposes of research and statistical analysis on anonymous aggregate data, aimed at measuring the functioning of the Website, measuring traffic and assessing usability and interest in order to make it more functional and perform better. Consent not necessary, as there is no processing of personal data;
f) profiling purposes via third-party cookies. The legal basis is to be found in Art. 6(1)(a) in accordance with Directive 2009/136/EC of 25 November 2009 and the aforementioned Cookie Guidelines adopted by the Italian Data Protection Authority on 10 June 2021. Consent required as per Cookie Banner;
g) purposes relating to compliance with laws and regulations. The legal basis is set out in Art. 6(1)(c) of GDPR 2016/679, i.e. the processing is necessary for the performance of a legal obligation to which the Data Controller is subject. Consent not required;
h) purposes necessary to establish, exercise or defend a right in court or whenever the judicial authorities exercise their functions. The legal basis is identified in Article 6(1)(f) of GDPR 2016/679, i.e. the processing is necessary to protect a legitimate interest of the Data Controller represented by the action or defence in litigation proceedings. Consent not required.
The data in question will be processed with appropriate security measures applied and, in compliance with the principle of minimisation, the processing will cover only the personal data necessary for the management of operations that are indispensable to fulfil the obligations, including pre-contractual ones, that the Data Controllers undertake in their own sector of activity, in order to provide the specific goods or services requested by the data subject.
TRANSFER OF PERSONAL DATA
The data controller undertakes to limit the areas of circulation and processing of personal data (e.g. storage, archiving, and preservation of data on its servers) to countries that are part of the European Union, with an express prohibition on transferring them to countries outside the EU that do not guarantee an adequate level of protection, or in the absence of the means of protection provided for in Chapter V of EU Regulation 2016/679 (adequacy decision, Standard Contractual Clauses or explicit consent from the data subject).
AREAS OF PERSONAL DATA COMMUNICATION
Personal data acquired through this website may be disclosed to:
- public bodies or offices in accordance with legal and/or contractual obligations;
- banking institutions for the handling of receipts and payments resulting from e-commerce transactions;
- any specially appointed external consultants and companies providing tax and financial advice;
- couriers for the shipment of products;
- Group companies.
An updated list of the data processors appointed pursuant to Art. 28 of GDPR 2016/679 can be obtained from the Data Controller or the DPO.
RETENTION OF DATA
The data controller will process the personal data of data subjects for the time strictly necessary to achieve the purposes set out in this policy.
By way of example, the Data Controllers will process Personal Data for the newsletter service until the data subject decides to unsubscribe from the service by simply clicking on the email received (withdrawal of consent).
Notwithstanding the foregoing, the data controller shall process the Personal Data for as long as permitted by Italian law to protect its interests (Art. 2947(1)(3) Italian Civil Code).
Further information on the period of retention of Personal Data and the criteria used to determine this period may be requested by writing to email@example.com
The company does not carry out processing based on automated decision-making, including profiling, which produces legal effects or which may significantly affect the data subject.
RIGHTS OF DATA SUBJECTS
You may freely exercise your rights under articles 15 et seq. of the GDPR, namely:
- withdraw consent at any time. The User may withdraw their previously expressed consent to the processing of their Personal Data without prejudice to the lawfulness of the processing carried out until such withdrawal;
- object to the processing of their Data. The User may object to the processing of their Data when it is done on a legal basis other than consent;
- access their Data. The User has the right to obtain information on the Data processed by the Data Controller, on certain aspects of the processing and to receive a copy of the Data processed;
- check and request rectification. The User may check the correctness of their Data and request that it be updated or corrected;
- obtain restriction of the processing. When certain conditions are met, the User may request the restriction of the processing of their Data. In this case, the Data Controller will not process the Data for any purpose other than its retention;
- obtain the erasure or removal of their Personal Data. When certain conditions are met, the User may request the erasure of their Data by the Data Controller;
- receive their Data or have them transferred to another data controller. The User has the right to receive their Data in a structured, commonly used and machine-readable format and, where technically feasible, to have it transferred without hindrance to another data controller. This provision is applicable when the Data are processed by automated means and the processing is based on the User's consent, on a contract to which the User is a party or on contractual measures connected therewith;
- lodge a complaint. The User may lodge a complaint with the competent data protection supervisory authority or take legal action.
HOW TO EXERCISE THE RIGHTS
To exercise the above rights, the data subject may contact the Group Data Protection Officer by writing to the email address: firstname.lastname@example.org
UPDATING AND REVISION