BIANCA MARIA PALACE HOTEL MILANO
PERSONAL DATA PROTECTION NOTICE
This document details the methods and purposes of the personal data processing undertaken by Blu Seven S.r.l., in its capacity as data controller (hereinafter, also as the “Controller” or “BS”), in relation to the booking services supplied via the website www.biancamariapalace.com (“Website”) or via third party’s website, and any additional information required by law, including information on the data subject’s rights and the exercise of those rights.
The Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “Regulation”) sets rules concerning the protection of natural persons with regard to the processing of personal data, and on the free moment of such data and it protects the rights and fundamental freedoms of the natural persons, particularly with regard to the protection of personal data.
Art. 4, no. 1 of the Regulation defines “Personal Data” as any information relating to an identified or identifiable natural person (hereinafter, “Data Subject”).
On the other hand, “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (art. 4, no. 2, Regulation).
Additionally, pursuant to articles 12 et seq. of the Regulation, the Data Subject is to be provided the appropriate information concerning (i) the Processing activities carried out by the Controller and (ii) the rights of the Data Subject.
- PURPOSES OF THE PROCESSING AND LEGAL BASIS
The purposes of the Processing are the following:
Considering the processing of Personal Data, other than special categories of data, for the purposes listed under the abovementioned points (i), (ii), (iii) is needed for the purposes of performing the service and to fulfill legal obligations, the Data Subject’s consent is not required. The Processing of Personal Data for the purposes listed under point (iv) is deemed allowed pursuant to the resolution of the Italian Data Protection Authority dated 4 July 2013 no. 330.
- Punctual provision of booking services via the website or third parties’ Websites with which the controller entered agreements (“Services”),
- Reply to requests of information received via the Website,
- Fulfill obligations required by law, civil, tax and accounting regulations, as well as compliance with orders by Authorities authorized by law or by supervisory and control bodies,
- Delivery of promotional material, via email to the Data Subjects concerning similar services to those already purchased, provided the right of the Data Subject to request not to receive the abovementioned messages.
- Controller’s delivery via email or communications related to the Controller’s promotional and marketing initiatives, subject to the Data Subject’s express consent.
- METHODS OF PROCESSING AND STORAGE
Pursuant to art. 5 of the Regulation, the Personal Data subject to the Processing are:
Personal Data will be processed by the Controller with automated and non-automated means; the electronic storage of Personal Data occurs in secure servers located in controlled access areas and with restricted access.
- Processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
- Collected and recorded for specified, explicit and legitimate purposes and further processed in a manner compatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Processed in a manner that ensures appropriate security;
- Kept in a form that permits identification of the Data Subject for no longer than is necessary for the purposes for which the personal data are processed.
Specific security measures are observed to prevent data loss, unlawful or inaccurate uses and unauthorized accesses.
- NATURE OF THE DATA COLLECTION. CONSEQUENCES OF REFUSAL TO PROVIDE PERSONAL DATA.
- 3.1 Provision of Personal Data for the purposes listed under paragraph 1, points (i), (ii) e (iii) is mandatory to use the Controller’s services. Accordingly, refusal to provide Personal Data would determine the impossibility for the Data Subject to make use of the services.
- 3.2 Provision of Personal Data for the purposes listed under paragraph 1, point (iv) allows the Controller to send its communications concerning its promotional and marketing initiatives to the Data Subjects. The Data Subject refusal to receive these communications determines the impossibility for the Controller to submit them.
- 3.3 Provision of Personal Data for the purposes listed under paragraph 1, point (v) is optional and, therefore, there are no consequences should the user refuse to provide his/her own Personal Data.
- RETENTION OF PERSONAL DATA.
- 4.1 I Personal Data are retained for the time strictly necessary to fulfill the purposes for which they were collected and processed. With regards to the purposes set out under paragraph 1, points (i), (ii) e (iii), the Personal Data will be retained for the sole purpose of Processing to accurately provide the Services and fulfill the requests for information received via the Website. With regards to the purposes set out under paragraph 1, point (iv), the Personal Data will be process as long as the Data Subject will not exercise the right to object or revoked his/her own consent to the processing. In relation to paragraph 1, point (v), Personal Data will be processed for a period no longer than 24 months.
- 4.2 However, it is understood that once the purposes of the Processing have been satisfied or in case of exercise of the right to object or withdrawal of consent, the Controller will nevertheless be authorized to retain the Personal Data, in whole or in part, for certain purposes, like exercise or defend a right in a proceeding (e.g., in case of possible claims concerning the activities carried out by the Controller).
- DISCLOSURE OF PERSONAL DATA
Personal Data shall be accessible to those mandated to the Processing and to external collaborators.
- DISSEMINATION OF PERSONAL DATA.
The Personal Data are not subject to dissemination.
- TRANSFER OF PERSONAL DATA ABROAD.
The Personal Data shall not be transferred outside European Union member States.
- RIGHTS OF THE DATA SUBJECT.
The Data Subject may at any time access the Personal Data for the purpose of correcting or deleting the data and, in general, of exercising the rights expressly granted by the applicable laws on the protection of Personal Data. Those rights are: to confirmation of the existence of the Personal Data and to receive the data in an intelligible manner, to know the source of the data and the purposes and the methods of its Processing; to obtain the contact information of the Controller, of the data processors and of the individual or the categories of individuals the Persona Data may be disclosed to; to verify the accuracy of the Personal Data and to have them completed, updated or rectified; to ask for erasure, conversion into anonymous form or the blocking of access to Personal Data processed in violation of the law, and, in any case, to object, in whole or in part, for legitimate reasons to their Processing; to Personal Data portability, and the right to lodge a complaint with, or report or submit a claim to, the Italian Data Protection Authority, where appropriate. In addition, the applicable law gives a Data Subject the right to object to Personal Data processing for the purposes set forth in points (iii) and (iv) of paragraph 1 of this privacy notice, and to withdraw consent to such Personal Data Processing at any moment, without affecting, however, the lawfulness of the Processing carried out by the Controller based on consent before its withdrawal.
- DATA CONTROLLER.
The Controller is Blu Seven S.r.l., with place of business in 6 Piazza Cadorna, 20123, Milan, Italy.
- COMMUNICATIONS AND EXERCISES OF THE DATA SUBJECT’S RIGHTS.
To exercise the rights listed under paragraph 8, the Data Subject may contact at any moment the Controller, by sending an email to email@example.com