The purpose of this document is to inform the natural person (hereinafter the “Data Subject”) about the processing of their personal data (hereinafter “Personal Data”) collected by the data controller, Hotel D 120 S.r.l., with registered office at Via Torino 26, 20017, Rho (MI), Tax Code/VAT No. IT14569990964, REA MI 2792624, e-mail address info@hoteld120.com, (hereinafter the “Controller”) through the website amd120.com (hereinafter the “Application”).
Any changes and updates will be binding as soon as they are published on the Application. If the Data Subject does not accept the changes made to the Privacy Policy, they must stop using this Application and may request the Controller to delete their Personal Data.
Categories of Personal Data processed
The Controller processes the following types of Personal Data voluntarily provided by the Data Subject:
- Contact data: first name, last name, address, e-mail, telephone, images, authentication credentials, any further information sent by the Data Subject, etc.
- Tax and payment data: tax code, VAT number, credit card details, bank account details, etc.
- Employment-related data: data included in the curriculum vitae, data relating to the spouse or children, social security data, etc.
- Special (sensitive) data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data concerning health or sex life or sexual orientation, collected with the Data Subject’s prior consent. The Data Subject may withdraw consent at any time
- Judicial data: Personal Data relating to criminal convictions, offences or connected with security measures, collected with the Data Subject’s prior consent. The Data Subject may withdraw consent at any time.
The Controller processes the following types of Personal Data collected automatically:
- Technical data: Personal Data produced by the devices, applications, tools and protocols used, such as, for example, information about the device used, IP addresses, browser type, type of Internet provider (ISP). Such Personal Data may leave traces that, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons
- Browsing and usage data of the Application: such as, for example, pages visited, number of clicks, actions taken, session duration, etc.
- Data relating to the exact location of the Data Subject: for example, geolocation data that precisely identify the Data Subject’s position, which may be collected via the satellite network (e.g. GPS) and other means, collected with the Data Subject’s prior consent. The Data Subject may withdraw consent at any time.
Failure by the Data Subject to provide the Personal Data for which there is a legal or contractual obligation, or where such data constitute a necessary requirement for the conclusion of the contract with the Controller, will make it impossible for the Controller to establish or continue the relationship with the Data Subject.
A Data Subject who provides the Controller with Personal Data of third parties is directly and solely responsible for their origin, collection, processing, communication or dissemination.
Cookies and similar technologies
The Application uses cookies, web beacons, unique identifiers and other similar technologies to collect the Data Subject’s Personal Data regarding the pages and links visited and the other actions performed when the Data Subject uses the Application. They are stored and then transmitted on the Data Subject’s next visit.
Cookies are small text files that are placed on your computer by the websites you visit. Websites use cookies to help users navigate efficiently and perform certain functions. Cookies that are necessary for the website to function properly may be set without your permission. All other cookies must be approved before being set in the browser.
Legal basis and purposes of the processing
The processing of Personal Data is necessary:
- for the performance of the contract with the Data Subject and specifically:
- fulfilment of any obligation arising from the pre-contractual or contractual relationship with the Data Subject
- registration and authentication of the Data Subject: to allow the Data Subject to register on the Application, log in and be identified, including through external platforms
- support and contact with the Data Subject: to respond to the Data Subject’s requests
- payment management: to manage payments by credit card, bank transfer or other means
- to comply with a legal obligation and specifically:
- the fulfilment of any obligation provided for by applicable regulations, laws and rules, in particular regarding taxation and fiscal matters
- on the basis of the Controller’s legitimate interest, to:
- carry out email marketing of the Controller’s products and/or services, in order to directly sell the Controller’s products or services using the e-mail provided by the Data Subject in the context of the sale of a product or service similar to the one being sold
- manage, optimise and monitor the technical infrastructure: to identify and resolve any technical problems, to improve the performance of the Application, to manage and organise information in an IT system (e.g. servers, databases, etc.)
- security and fraud prevention: to ensure the security of the Controller’s assets, infrastructure and networks
- statistics with anonymous data: to carry out statistical analyses on aggregated and anonymous data in order to analyse the Data Subject’s behaviour, improve the products and/or services provided by the Controller and better meet the Data Subject’s expectations
- on the basis of the Data Subject’s consent, to:
- profile the Data Subject for marketing purposes: to provide the Data Subject with information about the Controller’s products and/or services through automated processing aimed at collecting personal information in order to predict or assess their preferences or behaviour
- carry out retargeting and remarketing: to reach, with a personalised advertisement, the Data Subject who has already visited or shown interest in the products and/or services offered by the Application, using their Personal Data. The Data Subject may opt out by visiting the Network Advertising Initiative page
- carry out marketing of the Controller’s products and/or services: to send commercial and/or promotional information or materials, to carry out direct selling of the Controller’s products and/or services or to conduct market research using automated and traditional methods
- carry out marketing of third-party products and/or services: to send commercial and/or promotional information or materials of third parties, to carry out direct selling or to conduct market research of their products and/or services using automated and traditional methods
- communicate Personal Data for third-party marketing purposes: to communicate the Personal Data to third parties operating in the hospitality sector so that they may use it to send commercial and/or promotional information or materials, to carry out direct selling of their products and/or services or to conduct market research using automated and traditional methods
- detect the Data Subject’s exact location: to detect the Data Subject’s presence, to monitor access, times and the Data Subject’s presence in a given place, etc.
On the basis of the Controller’s legitimate interest, the Application allows interactions with external platforms or social networks whose processing of Personal Data is governed by their respective privacy policies, to which please refer. The interactions and information acquired by this Application are in any case subject to the privacy settings that the Data Subject has chosen on such platforms or social networks. This information – in the absence of specific consent to processing for further purposes – is used solely to enable the use of the Application and to provide the information and services requested.
The Data Subject’s Personal Data may also be used by the Controller to defend itself in legal proceedings before the competent judicial authorities.
Processing methods and recipients of the Personal Data
Personal Data is processed using paper and electronic tools, with organisational methods and logic strictly related to the purposes indicated, and by adopting appropriate security measures.
Personal Data is processed exclusively by:
- persons authorised by the Controller to process the Personal Data who have undertaken to maintain confidentiality or who are under an appropriate legal obligation of confidentiality;
- parties acting independently as separate data controllers, or parties designated as data processors by the Controller in order to carry out all the processing activities necessary to pursue the purposes set out in this policy (for example, business partners, consultants, IT companies, service providers, hosting providers);
- parties or entities to whom the Personal Data must be communicated due to a legal obligation or by order of the authorities.
The parties listed above are required to use appropriate safeguards to protect the Personal Data and may access only the data necessary to perform the tasks assigned to them.
The Personal Data will not be disseminated indiscriminately in any way.
Location
The Personal Data will not be transferred outside the territory of the European Economic Area (EEA).
Retention period of the Personal Data
The Personal Data will be retained for the period of time necessary to fulfil the purposes for which it was collected, in particular:
- for purposes relating to the performance of the contract between the Controller and the Data Subject, it will be retained for the entire duration of the contractual relationship and, after its termination, for the ordinary limitation period of 10 years. In the event of litigation, for the entire duration of the proceedings, until the time limits for bringing appeals have expired
- for purposes relating to the Controller’s legitimate interest, it will be retained until that interest has been fulfilled
- for the fulfilment of a legal obligation, by order of an authority and for legal defence, it will be retained in compliance with the timeframes provided for by such obligations and regulations and, in any case, until the limitation period set out by the applicable rules has expired
- for purposes based on the Data Subject’s consent, it will be retained until consent is withdrawn. For marketing purposes, for a period not exceeding 24 months.
At the end of the retention period, all Personal Data will be deleted or stored in a form that does not allow the Data Subject to be identified.
Rights of the Data Subject
Data Subjects may exercise certain rights with regard to the Personal Data processed by the Controller. In particular, the Data Subject has the right to:
- be informed about the processing of their Personal Data
- withdraw consent at any time
- restrict the processing of their Personal Data
- object to the processing of their Personal Data
- access their Personal Data
- verify and request the rectification of their Personal Data
- obtain the restriction of the processing of their Personal Data
- obtain the erasure of their Personal Data
- transfer their Personal Data to another controller
- lodge a complaint with the supervisory authority for the protection of their Personal Data and/or take legal action.
To exercise their rights, Data Subjects may send a request to the following e-mail address info@hoteld120.com. Requests will be handled by the Controller immediately and dealt with as quickly as possible, in any case within 30 days.