PERSONAL DATA PROCESSING POLICY
Please note that your personal data will be processed with fairness and transparency, for lawful purposes and protecting your privacy and your rights. We would also like to inform you of the following:
The Data Controller is Blu Hotels Spa, with headquarters in Via Enrico Fermi, 7/b - 25087 Salò Loc. Cunettone (BS) - ITALY.
1. Subject of Processing
The Data Controller will process your personal data and, if necessary and only in specific situations, some sensitive data (in particular, any health conditions related to the provision of the service, such as food intolerances or the presence of motor disabilities) provided by you in connection with the provision of catering and/or hotel services.
2. Purpose and legal basis of processing
Any personal and sensitive data provided shall be processed for the following purposes:
- to fulfil the obligations arising from the contract, including your specific needs/requirements;
- to fulfil legal obligations as well as current accounting and tax obligations;
- to exercise the rights of the Data Controller, such as the right of defence in legal proceedings;
B) Only your personal data, with your prior and explicit consent (Art. 7 GDPR), for the following Marketing Purposes:
- to send you by e-mail, post and/or SMS and/or telephone, communication and/or information and promotional material on the initiatives and offers promoted by the Data Controller.
C) Only your personal data and data relating to any stays, with your prior and explicit consent, will be used for purposes of analysis and processing of your habits and preferences (profiling), so that we can send you personalised promotional information, as well as any offers from the Data Controller.
You are free to change your consent at any time (grant or withdraw), in whole or in part, by sending an email with the subject line “WITHDRAW MARKETING CONSENT” to: firstname.lastname@example.org.
3. Methods of data processing and duration of data storage
The processing of your personal data is carried out by means of the operations indicated in Art. 4 No. 2) GDPR and more precisely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data is processed both in paper and electronic format and/or automatically.
The Data Controller will process personal data for the time necessary to fulfil the above purposes and, in any case, for no more than 10 years from the termination of the relationship for the Service Purposes and for no more than five years from the collection of data for Marketing Purposes. The Data Controller will process sensitive data for the time necessary to fulfil the above purposes and, in any case, no later than 30 days from the end of your stay, except in special situations that determine the need to keep such data for a longer period of time (by way of example, if you are entitled to tax exemption due to disability).
4. Access to data
Your data may be made accessible for the purposes referred to in Articles 2.A), 2.B) and 2.C):
- employees and collaborators of the Data Controller, in their capacity as data processors and/or persons in charge of processing and/or system administrators. All the appointed subjects will exclusively carry out processing operations, on behalf of the Data Controller and/or of the person in charge, within the limits, in the forms and according to the methods expressly indicated in the related deeds of appointment.
- to third-party companies or other subjects (by way of example, professional studios, consultants, insurance companies, service companies, etc.) that perform outsourcing activities on behalf of the Data Controller, in their capacity as external data processors.
5. Nature of data provision and consequences of refusal to reply
The provision of data for the purposes referred to in Art. 2.A) is mandatory. If you do not provide your data to us, we will not be able to provide the services indicated in Art. 2.A). The provision of data for the purposes referred to in Art. 2.A), instead, is optional. You may therefore decide not to provide any data or to subsequently oppose to the processing of the data you have already provided: in this case, you will not be able to receive newsletters, commercial communications and advertising material relating to the Services offered by the Data Controller. In any case, you will continue to be entitled to the Services referred to in Art. 2.A).
6. Communication of data
With no need for your explicit consent (as per former Art. 6 par. b) and c) GDPR), the Data Controller can disclose your data for the purposes indicated in Art. 2.A) to supervisory and judicial Authorities, as well as to parties to whom such communication must be made by law for the fulfilment of such purposes. These parties will process the data in their capacity as autonomous data controllers. Moreover, the list of outsourced data controllers, which the undersigned uses, can be consulted at any time at the company’s registered office.
Your data will not be disclosed and will not be transferred to countries outside the EU or to international organisations.
7. Rights of the data subject and how to exercise them
As a data subject, you have the rights under Art. 15 GDPR, and precisely the rights to: request and obtain from the data controller - without “justified delay” - confirmation as to whether or not your personal data is being processed and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed; d) the envisaged period for which the personal data will be stored; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the data subject also has the right to obtain the updating, supplementing of data, cancellation, transformation into anonymous form or blocking of data processed in violation of the law; the data subject may, for legitimate reasons, oppose to the processing of data.
Where applicable, you also have the rights under Articles 16-21 GDPR (Right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object to processing), as well as the right to lodge a complaint with a supervisory authority.