PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA (ARTICLE 13 GDPR)
This privacy notice has been prepared pursuant to Article 13 of Regulation (EU) No 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and updates the previous versions released until now.
Please note that:
- as a result of the services provided and during their performance, our company will need to collect and process your ordinary and sensitive personal data;
- for reasons of clarity, we provide the following definitions found in Regulation No 2016/679:
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; Personal data any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as an identification number; Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Thus, pursuant to Article 13 of the EU Regulation, Is Morus Relais s.p.a., with registered office in Santa Margherita di Pula in Strada Statale 195 km. 37.400, (hereinafter Controller), acting as the data controller,
Wishes to inform you
that your data will be processed with the following methods and for the following purposes:
- Data subject to processing: the Controller will collect your personal information including:
- your name and surname, e-mail address, phone number and home address;
- your credit card details (type and card number, name on the card, expiry date, cvc code);
- information concerning your stays, including arrival and departure dates, your special requests and your service preferences (concerning the room, services or other aspects);
- information you provided on your marketing preferences or with regard to promotional offers;
- any other information required by the applicable local legislation.
Please note that this privacy notice does not apply to the processing of personal data on behalf of third parties and subject to their instructions, such as airlines, car hire companies and other service providers, companies organising and offering travel packages, commercial partners or business customers.
- Purposes of the data processing: your personal data will be processed for the following purposes:
- to manage customer relations (management of bookings, issuance of invoices, quotes), and comply with contractual obligations;
- to comply with regulatory requirements, in particular accounting and tax obligations;
- to handle disputes;
Only if authorised in writing by you:
- to send you promotional offers on our services, to update you on rates and offers, and to send you greetings by means of ordinary post, fax or e-mail;
- to provide you with hotel services such as external communication of data on your stay solely to enable the receipt of objects, messages and phone calls addressed to you;
- to process any sensitive data you might provide voluntarily, in order to offer you a better level of hospitality in our hotel;
- to send you by e-mail our newsletter and season’s greetings.
As concerns the purposes listed at point 2(a), our services are provided by means of a contract: use of your data might be necessary to enable us to perform your contract with us. (For example, if you use our services to make an on-line reservation, we will use your data to fulfil our obligation to complete and manage your booking, under the contract between us).
As concerns the purposes under point 2(b) and (c), we will act on the basis of legitimate interest: we will use your information for our legitimate interests, for administrative and legal purposes, or for the detection of fraud. When we use your personal data for our legitimate interests, we always balance your rights and interests in the protection of your personal data with our rights and interests.
As concerns the purposes indicated in points d), e), f) and g) according to the applicable legislation, we will ask for your consent for the purposes indicated before processing your personal information; you may withdraw your consent at any time by contacting us at the addresses mentioned at the end of this privacy notice.
- Processing arrangements: Your personal data will be processed using the operations mentioned in Article 4(2) of the GDPR, precisely: collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, comparison, use, interconnection, blocking, communication, erasure and destruction of data.
Your data will be processed both in paper format and with electronic/IT/telematic tools, in full compliance with the applicable law, according to the principles of lawfulness and fairness and in a manner that protects their confidentiality.
- Data retention period: We will retain your personal data for the period necessary for us to provide you with the service, in compliance with the current laws, to handle any disputes with any third parties and, in any case, for the time necessary to perform our activities, including the detection of and protection against fraud or other illegal activities.
- Access to data: Your data may be made accessible for the purposes mentioned in Article 2:
- to the Controller’s employees and collaborators, acting as mandated parties and/or internal processors and any other mandated parties for maintenance operations under the strict control of the Controller;
- to third-party companies or other entities (by way of example, banking companies, professional firms, consultants, etc.) which perform outsourced activities on behalf of the Controller, acting as external processors.
- Communicating data: Your data will not be disclosed, sold or exchanged with third parties without your express consent. Your data will be disclosed solely to the entities having competence to perform contractual operations to discharge legal obligations. Therefore, the data might be disclosed to third parties belonging to the following categories:
- entities providing information system management services;
- consultancy firms or companies for the purposes of their assistance and advisory services;
- public authorities and entities, for compliance with legal obligations and/or with the requirements of public bodies;
- Group companies or private entities directly involved in provision of the service or entitled by law to access the data.
In any case, the above-mentioned entities will only be provided with the data strictly necessary and relevant for their legitimate data processing purposes.
- Transfer of data: Your personal data will be kept on servers located within the European Union. However, if necessary, the Controller may use servers located outside the EU. In this case, the Controller shall ensure that the transfer of the data outside the EU complies with the applicable legislation, and is performed under the standard contractual clauses established by the European Commission.
- Nature of the provision of data and consequences if you refuse to provide your data: for the purposes under point 2(a), (b) and (c), when booking a hotel stay, providing your data is mandatory and if you fail to provide them we might be unable to process your request.
For the purposes under point 2(d), (e), (f) and (g), providing your data is optional and if you do not provide them we will still provide you with the service requested (hotel stay).
- Your rights as data subject: In your capacity as data subject, you enjoy the rights laid down in Article 15 of the GDPR. More precisely, you have the right to:
- obtain confirmation as to whether or not personal data concerning you exist, even if not yet registered, and communication of such data in an intelligible form;
- obtain information on: a) the source of the personal data; b) the purposes and methods of the processing; c) the logic involved the processing, if performed by electronic means; d) the identification details of the controller, the data processors and the representative designated as per Article 3(1) of the GDPR; e) the entities or categories of entities to which the personal data may be communicated or which may become aware of the data in their capacity as designated representative(s) in the State’s territory, data processor(s) or mandated person(s);
- obtain: a) updating, rectification or, completion of the data; b) erasure, anonymization or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed; c) certification to the effect that the operations under points a) and b) have been notified, including their contents, to the entities to whom or which the data were disclosed or disseminated, unless this requirement cannot be fulfilled or requires a clearly disproportionate effort compared with the right to be protected;
- object, in whole or in part: a) on legitimate grounds, to the processing of your personal data, even though they are relevant to the purpose of the collection; b) to the processing of your personal data, where it is carried out for the purpose of sending advertising materials or of direct selling or to perform market research or marketing communications, by means of automated calling systems without operator, by e-mail and/or by means of traditional marketing via telephone and/or regular post. Please note that your right to object, in accordance with point b) above, to direct marketing by means of automated methods includes traditional marketing methods; in any case you may also decide to object in part. Therefore, you may decide to receive only communications via traditional means or only via automated means or not to receive either type.
Where applicable, you also have the rights laid down in Articles 16-21 of the GDPR (right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the Personal Data Protection Authority.
- Withdrawal of consent: In accordance with Article 6 of GDPR 679/2016, you may withdraw your consent at any time. This will not affect the lawfulness of the processing based on consent before its withdrawal.
Where we process your personal data on the basis of legitimate interests or public interest, you have the right to object at any time to the use of your personal information, in the manner provided for by the law.
- How you can exercise your rights: You may exercise your rights at any time by sending:
- a registered letter with acknowledgement of receipt to Is Morus Relais s.p.a., with office in Santa Margherita di Pula, Strada Statale 195 km 37.400;
- an e-mail to firstname.lastname@example.org.
- Controller, processor and mandated parties
The controller is Is Morus Relais s.p.a. with registered and administrative offices in Santa Margherita di Pula, Strada Statale 195 km 37.400, acting through its current legal representative.
The updated list of processors and mandated parties is held at the offices of the Controller.
Is Morus Relais s.p.a.