(EU Regulation 2016/679, Legislative Decree 196/2003, as amended by Legislative Decree 101/2018, as well as other applicable legal provisions on the protection of personal data)

This privacy policy applies to any kind of information we collect. It is drafted in accordance with art. 13 and art. 14 of the EU Regulation nr 679/2016.
Our main priority is to offer you a pleasant stay of the highest standard; your complete satisfaction and trust are essential to us.
This is why, as part of our efforts to satisfy your needs, we have established a privacy policy that formalizes our commitment to you and describes how the Data Controller uses your personal data.

This document describes how your personal data is used and processed in a readable and transparent manner and provides our contact details.

The facility’s Data Controller can and will provide privacy notices for the guest in addition to this Privacy Policy, which defines the data collection and processing specifics. Together with this Privacy Policy, the notices form the basis for how the Data Controller processes the guest's personal data.

Please read our Privacy Policy carefully. By providing personal data and other information through our Services, you acknowledge that your personal data will be processed under the terms of this Privacy Policy. If you find any term of this Privacy Policy unacceptable, please do not use the Services or provide any personal data.

This Privacy Policy is written in Italian and may be translated into other languages. In case of inconsistencies, the terms specified in the Italian language version apply.

01) DATA CONTROLLER AND/OR JOINT DATA CONTROLLERS
02) DATA PROTECTION OFFICER (DPO)
03) CONSENT
04) STANDARD PRINCIPLES FOR THE PROTECTION OF PERSONAL DATA
05) TYPE OF PERSONAL DATA COLLECTED
06) SPECIAL DATA
07) TIMING OF PERSONAL DATA COLLECTION
08) PROCESSING PURPOSE
09) PROCESSING CARRIED OUT UNDER JOINT CONTROLLER: DIRECT MARKETING
10) SOFT-SPAM MARKETING
11) LEGITIMATE INTEREST OF THE DATA CONTROLLER
12) PROCESSING OF THE COLLECTED DATA
13) LEGAL BASIS OF PROCESSING
14) COMPULSORY OR OPTIONAL NATURE OF PROVIDING DATA AND THE CONSEQUENCES OF NOT PROVIDING IT
15) CONDITIONS OF THIRD PARTY ACCESS TO PERSONAL DATA
16) TRANSFERRING PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
17) DATA SECURITY
18) PLACE OF PROCESSING
19) DATA SHARING
20) THALASSO SPA & WELLNESS
21) WI-FI SERVICE
22) VIDEO SURVEILLANCE
23) MOBILE APP
24) DATA RETENTION
25) NAVIGATION DATA
26) RIGHTS OF THE DATA SUBJECT
27) PERSONAL DATA PROCESSING METHODS
28) COMPLAINTS
29) CONTACT US
30) UPDATES

01) DATA CONTROLLER AND/OR JOINT DATA CONTROLLERS
Depending on the specific purposes pursued and indicated in this policy, the companies listed below process your personal data independently or jointly in accordance with the European Regulation 2016/679 (hereinafter GDPR).

Joint Controller
Mediterranean Hospitality Srl in the person of its pro tempore L.R.
Loc. Torriani, snc | 89866 Ricadi (VV)
info@baiadelsole.com | info@villapaolatropea.it | +39 0963 663302

OWNER
Giubola 2000 Srl in the person of its pro tempore L.R.
Contrada Tono, snc | 89866 Fraz. San Nicolò | Ricadi (VV)
info@capovaticanoresort.it | +39 0963 665760

Mediterranean Hospitality Management & Consulting Srls
in the person of is its pro tempore L.R.
V.le G. Berto snc 89866 Ricadi (VV)
info@mediterranean-hospitality.com | + 39 0963 663302

02) DATA PROTECTION OFFICER (DPO)
To facilitate the relationship between you and each Data Controller, the Data Controllers have appointed the following individual Data Protection Officer (DPO) Mr. Nicola Viscomi c/o MH m&c srls | V.le G. Berto snc 89866 Ricadi (VV)
infoviscomi@gmail.com | +39 393 05 91 327
Pursuant to Article 38(4), data subjects may contact the Data Protection Officer for all matters relating to the processing of their personal data and exercising their rights.

03) CONSENT
"Personal data" refers to any information collected and recorded in a format that allows the personal identification of the data subject, either directly (e.g., name) or indirectly (e.g., telephone number) as an individual. Before providing this information, please read this document describing our Privacy Policy. This Privacy Policy is part of the general conditions applicable to all services the Data Controller offers. By accepting these conditions, you expressly agree to the provisions contained herein.

04) STANDARD PRINCIPLES FOR THE PROTECTION OF PERSONAL DATA
The following principles are applicable in the Data Controller’s business environment:
> Transparency: when collecting and processing your personal data, we will provide you with all the relevant information about the purposes and recipients of the data.
> Lawfulness: we only collect and process your personal data for the purposes described in this policy.
> Relevance and Accuracy: we only collect the personal data necessary for the relevant processing. We will take all reasonable steps to ensure that the personal data we have is accurate and up-to-date.
> Retention: we retain the customers' personal data for as long as necessary to carry out the relevant processing in accordance with legal requirements.
> Access, rectification, objection: you have the right to access your data, as well as edit, correct or delete it. In addition, you have the right to object to the use of your personal data, particularly not to receive commercial information (marketing).
> Confidentiality and security: we ensure that reasonable technical and organizational measures are taken to protect your personal data from accidental or unlawful modification or loss > International Sharing and Transfer: we reserve the right to share your personal data with third parties (e.g., business partners and/or service providers) for the purposes set out in this policy, and we will take appropriate measures to ensure security when sharing or transferring such data.

05) TYPE OF PERSONAL DATA COLLECTED
As our client, we will be required to ask you for information regarding you and/or your family members or companions on several occasions, such as:
> contact information (e.g., last name, first name, telephone number, e-mail address);
> personal information (e.g., date of birth, nationality);
> if applicable, information about your children (e.g., name, date of birth, age);
> arrival and departure dates
> credit card number or other payment account number, billing address, and other payment and billing data;
> the necessary data for fulfilling special requests (e.g., health conditions that call for a specific accommodation)
>The Data Controller may collect personal identifying data from other third-party sources:
> social media
> third-party organizations or affiliates
If you voluntarily provide us with identifying data regarding, for example, your health, such data will only be used as necessary to fulfill special requests (again, for example, health conditions that require specific accommodation in the facility or special requests regarding food products to avoid due to any medical conditions, allergies, or food-related disorders.)

By providing such data, you expressly consent to its collection, use, processing, and storage by the Data Controller in accordance with this policy.
Information collected relating to persons under 18 years of age is limited to first and last name, nationality, and date of birth. Such information may only be provided to us by an adult or person with parental responsibility. We would be grateful if you would ensure that your children don’t provide us with any personal information, particularly through the Internet, without your consent. If this is the case, you may contact us to provide the necessary details to delete their information.
We do not voluntarily collect information of a special nature concerning, for example, race, ethnicity, political opinions, religious and philosophical beliefs, trade union membership, or information relating to health status or sexual orientation. The Data Controller may need to collect such information to meet your needs or provide you with an appropriate service, such as specific dietary regimens. In such cases, your prior consent will be required to collect confidential information.

06) SPECIAL DATA
The term "special data" means information that discloses your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as dealing with genetic data, biometric data intended to uniquely identify a natural person, data relating to a person's health, sex life, or sexual orientation. We generally do not collect special information unless you voluntarily provide us with it or we are required to do so in accordance with applicable laws or regulations. With respect to your personal information you voluntarily provide that falls under the definition of special categories of personal information defined by Article 9 of the GDPR, we would like to inform you that it will be processed by authorized personnel with the utmost confidentiality in compliance with the provisions of the relevant legislation. We ask the kind clientele who need to communicate such information (pathologies, allergies, intolerances, etc.) to fill out the appropriate form prepared by the Data Controller. (An authorized person will destroy the form with a document shredder within three days of the guest’s checkout date.) The data subject has the right to revoke consent by directly contacting the reception staff or according to the ways indicated in the following point: RIGHTS OF THE DATA SUBJECT, at any time without affecting the legitimacy of the processing based on the consent given before revocation.

07) TIMING OF PERSONAL DATA COLLECTION
Personal data may be collected on various occasions, including:
(a) Administrative, hotel, and miscellaneous service activities:
> requesting quotes;
> booking/purchasing services;
> managing payment services;
> quotation and purchase of a package and/or tourist service;
> data processing activities for administrative and accounting purposes, customer service, etc.;
> during check-in/check-out and payment;
> consuming meals and drinks at the bar or restaurant during a stay;
> inquiries, complaints, and/or disputes.
(b) Profiling activities (commercial - marketing-profiling):
> Identification of preferences, tastes, habits, needs, and consumption choices, so as to improve the services we provide, meet specific needs, and target commercial interest proposals by processing personal data such as, but not limited to: personal data and residence/geographical area; family status; age; profession; data relating to registering on any of our corporate websites and the use of the same; goods or services purchased; consumption range; level of expenditure incurred; active services; frequency of use, etc. This allows the creation and definition of your profile, which is useful to process market analysis and statistics (aggregate or anonymous form); to improve the products and services offered and make them more responsive to your needs.
d) Receipt/Transmission of information from third parties:
> tour operators, travel agencies, reservation systems, and so on.
(e) Internet activities:
> connecting the Data Controller’s websites (IP address, cookies);
> information forms, contact requests, booking confirmations, entering comments, and so on;
> online data collection forms (online quote and/or booking request, the owner's social network pages, network access devices such as Facebook log-in data, and so on).
(f) Video Surveillance System:
> Video surveillance protects the Data Controller's business assets;
(g) WiFi Service:
> Use of the facility’s free service by registering your social credentials, email, and so on;
(h) Mobile App.
> Room reservation
> Checking in online (in this case, the client will have to attach a scanned copy of a valid ID, which we delete within 48 hours of receipt)
> Managing a room service order;
> Managing reservations at local restaurants;
> Requesting special requests such as wake-up service, late check-out, or couverture service;
> Processing of online check-out and opinion regarding the stay;
> Processing of requests submitted via the mobile app (e.g., chat).

08) PROCESSING PURPOSE
User data is collected to enable the Data Controller to provide the requested Service, fulfill legal obligations, respond to requests or enforcement actions, protect its rights and interests, detect any malicious or fraudulent activities, etc. Specifically, we carry out the collection of your personal data while:
8.1) Complying with our obligations to customers.
8.2) Granting your request to take advantage of the guarantee referred to in Article 50 of Legislative Decree No. 79/2011 (Tourism Code);
8.3) Fulfilling current administrative, accounting, and tax obligations.
8.4) Fulfilling legal obligations in general, including the obligation under the "Consolidated text of public security laws" (art. 109 R.D. 18.6.1931 n. 773). For public security purposes, the mentioned document requires us to communicate the particulars of the customers accommodated according to the procedures established by the Ministry of the Interior to the Police Headquarters (Decree January 7, 2013).
8.5) To fulfill the obligations under the residence fee (Article 4 of Legislative Decree No. 23 of March 14, 2011).
8.6) Managing requests for quotations and various information.
8.7) Managing the services requested.
8.8) Booking and organizing the stay.
8.9) Underwriting any insurance policy (mandatory and/or voluntary).
8.10) Managing room reservations and accommodation requests: e.g., creation and storage of legal documents.
8.11) Managing the clients' stay at our facilities. [e.g., monitoring the use of services (e.g., telephone, bar, pay TV, and so on), managing room access, internally managing the lists of clients who behaved inappropriately during their stay at the facility (aggressive and antisocial behavior, non-compliance with the facility's contractual terms, non-compliance with security regulations, theft, damage, and vandalism, or payment problems). Improving our services, in particular: processing your personal data for commercial activities (profiled marketing); adapting our products and services to better meet your needs; managing customer relations before, during, and after your stay: providing data for the customer database; sending newsletters, promotions, and tourist, hotel or service offers; Handling cancellation requests for promotions and tourist offers; Evaluating the right to object and other GDPR rights; Using a dedicated telephone service to research people staying at the Data Controller’s facilities; in the event of events that affect the facilities in question (natural disasters, terrorist attacks, and so on)].
8.12) Improving the Data Controller's services, specifically: conducting surveys and analyzing customer questionnaires and comments (including anonymous ones); handling claims/complaints.
8.13) Protecting and improving the Data Controller's website, particularly: improving navigation, taking security measures, and preventing fraud.
8.14) Complying with local legislation, e.g., on record keeping.
You can request more information via the contact info provided for the Data Controller(s) or Joint Controller(s).

09) PROCESSING CARRIED OUT UNDER JOINT CONTROLLER(S): DIRECT MARKETING
The Joint Controller(s), as identified within point 1 of this Policy, have entered into a Co-Partnership Agreement pursuant to Article 26 of the Regulations by which they intend to jointly process data collected in the course of their activities for Direct Marketing purposes.
The purpose will be carried out to direct the activity of sending promotional, advertising, or commercial communications regarding the Joint Controller’s products/services/initiatives.
Providing data is optional and subject to the following legal basis:
- Art. 6, § 1, lett. a - the data subject has consented to the processing of his/her personal data for one or more specific purposes.
Communications will be made electronically using automated means (such as sms, mms, fax, phonics, e-mail and web applications) and traditional means (such as telephone calls with an operator).
You have the right to revoke your consent by contacting the individual Data Controller or the Joint Controller via the methods indicated in Section 26 at any time. It doesn’t affect the lawfulness of the processing based on consent given prior to revoking. The refusal to use data for this purpose will have no consequences on existing business relationships.

10) SOFT-SPAM MARKETING
The email address provided for the purchase of a product and/or service sold directly by the Data Controller(s) or Joint Controller(s) may be used to allow the Data Controller(s) or Joint Controller(s) to sell you similar products or services (and thus to email you promotional communications regarding such products and/or services) directly without your consent, provided that you do not exercise your right to object according to the methods set forth in this Policy. The collection of your data by the Controller(s) or Joint Controller(s) is necessary for them to pursue their legitimate interest. Your data may be disclosed to personnel authorized by the Controller(s) or Joint Controller(s) and/or to the relevant service providers with whom a contract has been concluded and appointed as Data Controllers/Joint Controller, if necessary.
The legal basis of the processing as per Article 6 of Reg (EU) 679/2016 is:
- paragraph (f): the processing is necessary for the purposes of pursuing the legitimate interests of the Data Controller or a third party, provided that the interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail, particularly if the data subject is a child.

11) LEGITIMATE INTEREST OF THE DATA CONTROLLER
11.1 The Data Controller may process your data to expedite registration procedures in the event of any subsequent stays at the Data Controller's facilities.
11.2 The Data Controller may send you advertising proposals aligned with your interests and habits and your membership in specific types of families and/or groups. The processing will be carried out based mainly on partially automated decision-making processes. The logic used is to acquire data provided directly by the data subject (e.g., through forms, questionnaires, registration forms, etc.) or from information related to the experience of stay, purchases made, services used, tastes, and preferences in general. The information acquired will be used to identify your consumption behaviors and habits to improve the products and/or services we provide and send you advertising proposals in line with your interests, habits, and your membership in specific households and/or groups. This data may also be processed in aggregate form, and over time, it may be enriched, compared, cross-referenced, and/or integrated with additional data in the legal possession of the Joint Controllers to carry out electronic analysis and processing (e.g., classification of customers into homogeneous categories by service levels, consumption, needs, service satisfaction, etc.).
11.3 The Data Controller may send you commercial offers regarding products and/or services offered by the Data Controller that are similar to those you had previously purchased (so-called "soft spam").
11.4 The Data Controller may administer a service satisfaction questionnaire (customer care surveys) to you (via email, regular mail, etc.). The questionnaire contains questions for you to answer and/or express your own opinion and/or make suggestions for us to improve our hotel tourism services.
The Data Controller has prepared the Legitimate Interest Impact Assessment (LIA).
The legal basis legitimizing the stated purposes is found in the Data Controller's legitimate interest [Art. 6(1)(f) GDPR].
If you wish to be excluded from these processing operations, you may express your opposition at any time by reaching out to the Data Controller via the contact information found in point 1 of this Policy.

12) PROCESSING OF THE COLLECTED DATA
The Data Controller(s) or Joint Controller(s) adopts the appropriate security measures aimed at preventing unauthorized access, disclosure, modification, or destruction of Personal Data. The processing uses paper, IT and/or telematic tools, with organizational methods and logic strictly related to the purposes indicated.

13) LEGAL BASIS FOR PROCESSING
Personal data of the data subject is processed only if one of the following conditions exists:
> the user has given consent for one or more specific purposes;
> the processing is necessary for the performance of a contract with the user and/or the execution of pre-contractual measures;
> the processing is necessary to fulfill a legal obligation to which the Data Controller is subject;
> processing is necessary for the performance of a public interest task or the exercise of public authority vested in the Data Controller;
> the processing is necessary for pursuing the legitimate interest of the Data Controller or third parties.
However, it’s always possible to ask the Data Controller(s) or Joint Controller(s) to clarify the concrete legal basis of each processing and, in particular, to specify whether the processing is based on law, required by a contract, or necessary for concluding a contract.

14) COMPULSORY OR OPTIONAL NATURE OF PROVIDING DATA AND THE CONSEQUENCES OF NOT PROVIDING IT
Providing data is inherent to the execution of the contract, the request for quotation and/or information, and the fulfillment of legal, fiscal, accounting, and administrative obligations, etc. It’s mandatory, and failure to provide your data will result in the Joint Controller’s inability to perform the services requested.
Providing data for the performance of marketing activities is always free and optional. Any failure to provide it will have no consequence on your ability to access the features offered by the Site and/or the request for info/bookings/....
Any data subjects with doubts regarding which data is mandatory are encouraged to contact the Data Controller.

15) CONDITIONS OF THIRD PARTY ACCESS TO PERSONAL DATA
Your Personal Data may be disclosed to specific parties considered recipients of such Personal Data. In fact, Article 4 at point 9) of the Regulation defines a recipient of Personal Data as "the natural or legal person, public authority, service or other body that receives communication of Personal Data, whether or not it is a third party" (hereinafter the "Recipients").
With this in mind, to properly carry out all the Processing activities necessary to pursue the purposes set forth in this Notice, the following Recipients may be in a position to process your personal data:
- third parties who carry out part of the processing activities and/or activities related and instrumental to the same on behalf of the Data Controller or the Joint Controller. Such entities have been appointed as Data Controllers, whereby this expression is to be understood individually, according to Article 4 at 8) of the Regulations, as "the natural or legal person, public authority, service or other body that processes Personal Data on behalf of the Data Controller" (hereinafter the "Data Controller");
- individuals, employees and/or contractors of the Data Controller or the Joint Controller, who have been entrusted with specific and/or multiple Processing activities on your Personal Data. Such individuals have been given specific instructions regarding the security and proper use of Personal Data and are defined, pursuant to Article 4 at 10) of the Regulations, as "persons authorized to process Personal Data under the direct authority of the Data Controller or the Joint Controller" (hereinafter the "Authorized Persons");
- third parties who carry out Processing activities and/or activities related and instrumental to the same as autonomous Data Controllers, including, but not limited to, consulting companies, freelancers, insurance companies, third party companies, etc;
- when required by law or to prevent or suppress the commission of a crime, your Personal Data may be disclosed to public bodies or judicial authorities without them being defined as Recipients. In fact, according to Article 4 at point 9), of the Regulation, "public authorities that may receive communication of Personal Data in the context of a specific investigation in accordance with the law of the Union or Member States are not considered Recipients.
The complete and updated list of recipients can be obtained from the Data Controller/Joint Controller. Your Personal Data will not be disclosed.

16) TRANSFERRING PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
Your personal data is currently processed within the European Union territory by the Data Controller and is not subject to being disclosed. Any future transfer of data to non-EU countries will only be permitted to: 1) Non-EU countries "whose level of data protection has been deemed adequate by the European Commission under Article 45 of the GDPR". 2) Non-EU countries other than those referred to in the above point as "subject to the signing of the standard contractual clauses (Standard Contractual Clauses) adopted/approved by the European Commission under Art. 46, 2, lett. c) and d)." When it’s necessary to transfer data to third countries or international organizations, it’s the Data Controller’s responsibility on each occasion to take the required measures to ensure that such processing complies with the law and is subject to the relevant specific information to the data subject. A copy of the guarantees as mentioned above may be obtained by sending a specific request to the Data Controller in the manner provided in the Data Subject Rights paragraph.

17) DATA SECURITY
Appropriate technical and organizational measures are taken in accordance with applicable legal provisions to protect your personal data from unlawful or accidental destruction, accidental loss or modification, and unauthorized disclosure or access. To this end, we have taken technical (e.g., firewalls) and organizational measures (e.g., a system of user access by ID/password, physical protection solutions, and so on). When you provide your credit card information to make a hotel reservation, the transaction’s security is ensured by SSL (Secure Socket Layer) encryption technology. The security of e-mail communications cannot̀ be guaranteed, so in one's e-mail correspondence to the Data Controller, the data subject should not include any payment or special nature data.

18) PLACE OF PROCESSING
The processing related to the Data Controller’s services takes place in his offices and is carried out by internal Data Processors who collaborate with third parties designated External Data Processors. No data is disclosed. Personal data provided by users who access the web services present in the site’s interactive areas (e.g., requests for quotes, reservations, newsletter subscription) will only be used for the purposes previously indicated.

19) DATA SHARING
https://www.blastnessbooking.com/reser…… Browsing our website and using the "book your stay" service also shares your information with Blastness Booking and its affiliates, if any. This information may include personal information such as your name, contact details, payment details, the names of guests traveling with you, and preferences you specified when booking. For more information, we encourage you to visit their site.
Regarding other service providers, we use service companies to manage your data on our behalf. This management serves the purposes described in this policy, for example, managing your reservation, payments, sending marketing materials, etc. These service providers are bound by confidentiality agreements and don’t have permission to use your personal data for other purposes.

20) THALASSO SPA & WELLNESS
Any guest who accesses our premises and requests our services is declaring under his/her own personal responsibility that he/she is in good health, does not suffer from any kind of psychophysical conditions to use the thalassotherapy pools, steam bath and sauna, to undergo beauty treatments, physiotherapy in general, and to be aware that staying in such environments, given the particular microclimate, may be contraindicated in some pathological situations. In this regard, the guest is aware that he/she always declares under his/her personal responsibility that he/she is not suffering from any kind of cardiovascular pathology, that he/she is not suffering from more or less severe hypotensive or hypertensive crisis, that he/she is not suffering from chronic hypotension, that he/she is not suffering from any respiratory pathologies;
to not have any ongoing febrile illnesses; to not be undergoing chemotherapy treatment or has not undergone such treatment for more than 2 months; that they don’t have any healing skin wounds; and that they have read the internal regulations and this privacy policy, and they accept them.
In any case, we recommend our guests report any doubts related to using our services to the attendants. It’s obligatory for the Guest to report the state of pregnancy, and it’s the Guest’s responsibility to report it. In any case, we ask all the guests not to exceed the time limit indicated for each room, even in the absence of contraindications and in a state of good health. We are not responsible for any physical injuries reported by the guests throughout the Center and Gymnasium, including falls due to slippery floors. Access to the Center and Gymnasium by persons under the age of 16 is prohibited.

By accessing our premises and requesting/using our services, the guest declares that the data related to his/her personal information, expressly requested by the authorized person for the purpose of assessing the actual compatibility with our wellness services, is valid. Therefore, the guest relieves the attendant and our facility of all liability relating to any problems attributable to a voluntary or involuntary omission of information regarding any pathological, allergic, inflammatory or other conditions that may compromise their health. Lastly, the guest declares that he/she is aware that he/she is requesting wellness services and not medical/physiotherapeutic treatment of any kind, that he/she is aware of the general conditions of sale received, and that he/she accepts in full what this form states. The guest having received the due information on his/her personal data processing in accordance with current regulations consents to the processing of data and/or personal information of a particular nature. Any refusal may result in the inability to fulfill, in whole or in part, the performance of the services requested. The data subject has the right to revoke consent at any time without affecting the legitimacy of the processing based on the consent given before revocation.

21) WI-FI SERVICE
The Data Controller has provided in accordance w. art. 28 of GDPR 2016/679 to designate the following Data Controller for the Wi-Fi services: AETHERNA SRL With legal and operational headquarters: Polo Scientifico Tecnologico Como NExT | COMO | Via Cavour 2 Lomazzo | 22074 | info@aetherna.com | pec@pec.aetherna.com | T: 02.8936781 | customercare@aetherna.com | supporto@aetherna.com
Access to the WI-FI service is free of charge and allowed only to users who are 18 years of age or older. For more information, please refer to the specific information provided on the service.

22) VIDEO SURVEILLANCE
The personal data collected and processed by our video surveillance system constitutes images of people and things within the cameras’ range. The images are processed exclusively for the Data Controller’s pursuit of institutional purposes, particularly for the purpose of protecting the company's assets by preventing and prosecuting the commission of any unlawful acts.
The video surveillance activity is based on the pursuit of the legitimate interest (Article 6(1)(f) of the GDPR) to carry out the processing for the purposes highlighted above.
Only the Data Controller with the presence of the workers' safety representatives have access to your data. This data may be disclosed to public entities that have the legitimacy to request the data, such as judicial and/or public security authorities. The data acquired will not be transferred abroad, either within or outside the European Union.
The video surveillance system is equipped with cameras located at strategic points within the Data Controller's jurisdiction. It allows real-time ("live") viewing of the images and the related recording of images. The video surveillance system operates 24 hours a day, 7 days a week. The viewing and management of images taken through the video surveillance system are reserved for the Data Controller. The data is stored using appropriate security measures to prevent access by unauthorized personnel and to ensure the confidentiality and integrity of the data.

The data subject (i.e., the person who believes he or she has been filmed) may exercise all the rights provided for in Article 15 et seq. of the European Regulation against the Data Controller. In particular, he/she can ask the Data Controller for access to the images, object to the processing, and request the restriction of the processing and/or deletion where applicable. The right to update or supplement, as well as the right to rectification under Article 16 of the GDPR, is not specifically exercisable given the intrinsic nature of the processed data (images collected in real time concerning an objective fact). The right to data portability referred to in Article 20 of the GDPR cannot be exercised because the images acquired by the video surveillance system cannot be transferred to other parties – except in the cases mentioned in this privacy policy. You may request to view the images in which you believe you were filmed by showing the pertinent identification documents or attaching them to your request. The response to an access request will not include any data that refers to third parties unless the breakdown of the data processed or omitted elements render the personal data relating to the data subject incomprehensible. Once the retention periods specified above have expired, complying with any access requests will be impossible. To exercise the data subject’s rights, request the appropriate form from the Data Controller.
To exercise the rights just described, data subjects may contact the Data Controller and the Data Protection Officer, who will answer your request as soon as possible. In this regard, the regulation stipulates that a response should be provided within one month of the initial request. Still, this deadline can be extended to up to three months in case of particular complexity.
The data provision is mandatory and strictly instrumental in accessing the Data Controller’s premises. It won’t be possible to access the Data Controller’s premises if it cannot be provided.

23) MOBILE APP
To assist our guests in booking and/or planning their visit and to ensure a pleasant stay, we encourage them to use our MOBILE APP, downloadable from online app stores, including the Apple App Store or Google Play Store.
Depending on how you use our mobile app, your personal data may be processed for the following purposes: (a) to allow you to book a room at the hotel of your choice; (b) to process your online check-in; (c) to manage your room service order; (d) to request reservations at a local restaurant at your request; (e) to request special services such as wake-up service, late check-out, or turndown service; (f) to process your online check-out and your opinion about your stay; and (g) to process any requests submitted through the mobile app, including chat.
Notifications appear disabled by default, and to enable (or later disable) them, the user will need to do so directly in the app by going to the appropriate "app settings" section.
If you do not wish to receive any more push notifications via one of our mobile apps, you can override push notification permission in your device's operating system settings.
For more information, please refer to the GDPR policy specific to the mobile app.

24) DATA RETENTION
We retain your personal data only for the period necessary to fulfill the purposes set forth in this Privacy Policy or in accordance with the provisions of applicable law. We retain your personal data only for as long as necessary for the purposes for which it is collected, respecting the principle of minimization set forth in Article 5(1)(c) of the GDPR, namely:
1. tax and administrative purposes: duration 10 years
2. public safety law obligation purposes (digital receipt sending): duration 5 years
3. special data communications (accommodation facility): Your data is retained until the data subject revokes consent or, in the absence of such revocation, for a maximum of 3 days from check-out.
4. special data communications (Thalasso): Your data is retained until the data subject revokes consent or, in the absence of such revocation, for a maximum of 12 months.
5. legitimate interest purposes: until the data subject exercises his/her right to object, or, in the absence of such exercise, for a maximum of 5 years.
6. marketing purposes: until the data subject revokes consent, or, in the absence of such revocation, for a maximum of 5 years
7. corporate asset protection purposes (video surveillance): 48 hours after the footage has been recorded unless there is the need for further retention according to the applicable legislation. For more information regarding the data retention period and the criteria to determine this period, contact the responsible parties mentioned in point 1 of this notice.

25) NAVIGATION DATA
During their standard operation, the computer systems and software procedures used to operate this website may acquire some personal data whose transmission is implicit in the use of Internet communication protocols. This would be information that is not collected to be associated with identified data subjects but could, by its very nature, allow users to be identified through processing and association with data held by third parties. This category of data, for example, includes IP addresses or domain names of the computers used by anyone who connects to the site, addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. This data is used solely to obtain anonymous statistical information on site use and to check its correct operation, and it’s deleted immediately after processing. In the event of hypothetical computer crimes, the data could be used to ascertain responsibility to the site's detriment. Except for this possible scenario, the data on web contacts presently does not persist for longer than the time allowed by law.

26) RIGHTS OF THE DATA SUBJECT
Finally, we would like to inform you that Articles 15-22 of the GDPR allow data subjects to exercise specific rights. The data subject may obtain the following from the Data Controller and/or the Joint Controller: access, rectification, erasure, processing restriction, revocation of consent as well as the portability of data concerning him/her. The data subject also has the right to object to the processing. Should the right to object be exercised, the Data Controller and/or the co-processing companies reserve the right not to act on the request and to continue processing Comp compelling, legitimate grounds for proceeding with the processing override the data subject's interests, rights, and freedoms.
To exercise the rights identified above, contact the Data Controller and/or the Joint Controller in the manner indicated in point 1 of this Notice.
Please note that you may also contact the Data Protection Officer, as set forth in point 2 of this Notice at any time.
The data subject’s exercising of rights is not subject to formal constraints and is free of charge. The rights may be exercised vis-à-vis a single Data Controller/Processor or vis-à-vis all the Joint Controllers.

27) PERSONAL DATA PROCESSING METHODS
The processing of your personal data follows the GDPR provisions using paper, computer, and telematic tools with logic strictly related to the purposes indicated. In any case, the processing occurs in such a way as to ensure their security and confidentiality, adhering to the provisions of Article 32 GDPR.

28) COMPLAINTS
According to Regulation (EU) 2016/679, you have the right to make a formal complaint to the Guarantor Authority (Article 77) in the manner indicated on the Authority's website at:
> https://www.garanteprivacy.it/home/modulistica-e-servizi-online 
and to bring a judicial appeal (art. 79).

29) CONTACT US
If you have any questions about our Policy or how we handle your personal data, you can contact one or all of the Data Controllers/Joint Controllers.

30) UPDATES
We reserve the right to amend this Policy from time to time. Accordingly, we encourage you to consult it regularly. Any changes to this Policy become effective upon publication. Use of the Site after the last publication of such changes implies your acceptance of the new version.
(Privacy Policy updated to: 31.03.2023)