Privacy Policy

Pursuant to Art. 13 EU Regulation 2016/679

Dear Data Subject,
with this document (the "Policy"), we wish to renew our commitment to ensuring that the processing of personal data collected through the website www.hotellocarno.com (the "Site"), carried out both automatically and manually, is carried out in full compliance with the protections and rights recognized by the Regulation (EU) 2016/679 ("GDPR" or the "Regulation") and other applicable rules on the protection of personal data.

The term personal data refers to the definition contained in Article 4(1) of the Regulation, i.e. "any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more features of his or her physical, physiological, genetic, mental, economic, cultural or social identity" (the "Personal Data").

The purpose of this Privacy Policy - drafted on the basis of the principle of transparency and including all the elements required by Article 13 of the Regulation - is to provide you, in a simple and intuitive manner, with all the useful and necessary information so that you can provide your Personal Data in a conscious and informed manner and, at any time, exercise your rights under the GDPR.

THE DATA CONTROLLER
The company that will process your Personal Data for the purposes set forth in this Policy and that, therefore, will act as data controller, i.e. "the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data" is Hotel Locarno S.p.A., with registered office at Via della Penna n. 22, 00186 - Rome, VAT and Tax Code: 12161331009 (the "Data Controller").

DATA PROTECTION OFFICER
In order to facilitate relations with Data Subjects, the Data Controller has appointed a Data Protection Officer (the "DPO"), identifying SAPG Legal Tech S.r.l. with registered office in Via Durini n. 15, 20122 - Milan (MI).
As provided for by art. 38 of the GDPR, you may freely contact the DPO for all matters relating to the processing of your Personal Data and/or should you wish to exercise your rights as provided for in this Policy, by sending a written communication to the email address: [email protected].

PURPOSE AND LEGAL BASIS OF PROCESSING
While browsing the Site, some of your Personal Data may be acquired in the following ways.

• Navigation Data

The computer systems and software procedures used to operate the Site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This category of data includes: IP addresses or the domain names of the computers used by users who connect to the site, the date and time of the request, the URI (Uniform Resource Identifier) addresses of the resources requested, the size of the file obtained in response from the server, the numerical code indicating the status of the response given by the server (ok, error, etc.) and other parameters relating to the user's operating system and computer environment.

These technical/informatics data are collected and used only in an aggregate and non-identifying way, in order to obtain anonymous statistical information on the use of the site and to check its correct functioning, and are immediately deleted afterwards.

Such data, moreover, could be used to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the Site.

The processing will be legally based on the legitimate interest of the Data Controller in the better functioning of its systems, in optimising and improving the browsing experience, in avoiding fraudulent activities and in improving the security of the Site (art. 6, paragraph 1, letter f) of the Regulations).

For further information on Cookies and their use on the Site, please refer to the specific policy available at www.hotellocarno.com/en/corporate-nav/privacy-policy.

• Data provided voluntarily by the visitor

This is all the Personal Data freely, optionally, explicitly and voluntarily provided by the visitor to the Site who:

a. submits requests to receive information on the Hotel's services, such as, for example, prices, room availability, table availability, organisation of events tried or makes online reservations;

b. book a stay at the Hotel through the "Book now" section by entering their Personal Data and contact details, as well as information to finalise payments.

This processing will be lawful under Article 6, paragraph 1, letter b) of the Regulation (execution of a contract or pre-contractual measures taken at the request of the Data Subjects) as well as for the fulfilment of any legal obligations.

In order to allow the Data Controller to carry out the processing activities for such purposes, it will be necessary to provide the Personal Data requested in the appropriate forms. If you fail to fill in even one of the fields marked as mandatory, it may not be possible to process your Personal Data and, consequently, to provide you with the information and services requested.

In addition to the above, your Personal Data may be processed by the Controller for the following additional purposes.

• Direct Marketing - This term refers to the carrying out of promotional activities (using both automated and traditional methods) for services of interest to you provided by the Data Controller. With regard to this direct marketing purpose, it should be noted that, by virtue of art. 6 paragraph 1 letter. f) of the Regulation and art. 130 paragraph 4 of the Privacy Code (so-called soft spam exception), the Data Controller may carry out this activity based on its legitimate interest, regardless of your explicit consent, as explained in Recital 47 of the Regulation in which it is "considered a legitimate interest of the Data Controller to process personal data for direct marketing purposes". This will be possible as a result of the assessments made by the Controller regarding the possible and possible prevalence of your interests, rights and fundamental freedoms requiring the protection of Personal Data over its own legitimate interest in sending direct marketing communications. Moreover, you may lawfully object at any time (even partially) to receiving promotional communications, without this affecting in any way the processing for other purposes.

SUBJECTS TO WHOM YOUR PERSONAL DATA MAY BE COMMUNICATED
Your Personal Data may be managed, on behalf of the Data Controller, exclusively by staff expressly authorised to process it (pursuant to article 29 GDPR) and by third parties expressly appointed as data processors (pursuant to article 28 GDPR), in order to correctly carry out all processing activities necessary to pursue the purposes set out in this Policy.

For explanatory purposes only, we list some categories of subjects to whom your Personal Data may be communicated:

a) business partners of the Data Controller providing services, in their capacity as data controllers or autonomous data controllers, for the purposes set out in Article 6(1)(b) of the GDPR;

b) third party service and consulting providers in their capacity as controllers or autonomous data controllers, for the purposes referred to in Article 6 paragraph 1 letter b) of the GDPR;

c) subjects and authorities whose right to access the Data is expressly recognised by law, regulations or measures of competent authorities;

d) subjects who are transferees of a company or a company branch, companies resulting from possible mergers, demergers or other transformations of the Controller's company.
If you wish to know which entities have come into possession of your Personal Data as a result of your relationship with Hotel Locarno, you may contact the Controller at the following e-mail address: [email protected].

PERSONAL DATA RETENTION TIMES
In accordance with the principle of limitation of the storage period, pursuant to article 5 paragraph 1 letter e) of the GDPR), your Personal Data will be processed by the Controller only for the time necessary to achieve the purposes set out in this Policy.

In particular, your Personal Data will be processed for a period of time equal to the minimum necessary, as indicated by Recital 39 of the Regulation, i.e. until the termination of the existing relationship between you and the Data Controller, as well as for an additional storage period that may be imposed by law; on this point, Recital 65 of the Regulation provides that "further storage of Personal Data should be lawful where it is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for reasons of public interest in the field of public health, for archiving in the public interest, for scientific or historical research or statistical purposes, or for the establishment, exercise or defence of legal claims".

Personal Data will be processed and stored for the following periods

• for the purposes referred to in Article 6(1)(b) of the GDPR, for the time of the duration of the contract and for the following 10 years from the expiry of the contract;
• for direct marketing purposes by virtue of the legitimate interest of the Controller, pursuant to Article 6 paragraph 1 letter f) of the GDPR, for up to 24 months from the collection of the data;

In any case, your Personal Data will be periodically checked, for no longer than 12 months, in order to assess its relevance to the Data Controller's activities; if your Personal Data is no longer relevant, it will be immediately deleted.

LINKS TO/FROM THIRD PARTY SITES
From the Website it may be possible to connect via links to other third party websites, including Meta's platforms: Facebook and Instagram.
If you have previously logged in to these platforms, the link on the Site will redirect you to the social page of the Data Controller with your account already logged in.
In this regard, the Data Controller cannot be held responsible for the possible management of Personal Data by third party websites and for the management of authentication credentials provided by third parties.

RIGHTS OF THE DATA SUBJECTS AND METHODS OF EXERCISE
You may exercise your rights under Articles 15 et seq. of the Regulation against the Data Controller at any time. In particular, you have the right to obtain

• confirmation as to whether or not your Personal Data is being processed and to obtain access to the data and to the following information: purpose of processing, categories of Personal Data, recipients and/or categories of recipients to whom the data has been and/or will be communicated as well as the relevant storage period;
• the rectification of your Personal Data that is inaccurate and/or the integration of your Personal Data that is incomplete, including by providing a supplementary declaration;
• the deletion of your Personal Data and the limitation of the processing in the cases provided for by the GDPR and by the privacy law in force;
• where applicable, the portability of your Personal Data and, in particular, the possibility to request the direct transmission of your Personal Data to another data controller;
• to object at any time, for reasons related to your particular situation, to the processing of your Personal Data in full compliance with applicable privacy laws.

To exercise your rights, you may contact the Data Controller at the following e-mail address, attaching a copy of your identity document: [email protected].

In any case, if you believe that the processing of your Personal Data is contrary to the Privacy Regulations, you will always have the right to lodge a complaint with the competent supervisory authority (Garante per la Protezione dei Dati Personali) pursuant to art. 77 GDPR.

PROCESSING LOCATIONS
Your Personal Data is processed within the territory of the European Union and may (for technical and/or operational reasons) be transferred and/or located in countries outside the territory of the European Union.

In these cases, we hereby inform you that entities located outside the European Union will be appointed (where applicable) as Data Processors pursuant to article 28 of the GDPR. Moreover, the transfer of your Personal Data to such entities, limited to the performance of specific processing activities, will be regulated in accordance with the provisions of Chapter V of the GDPR.

Therefore, all necessary precautions will be taken in order to ensure the most complete protection of your Personal Data by basing such transfer: a) on adequacy decisions of the receiving third countries expressed by the European Commission; b) on adequate safeguards expressed by the receiving third party pursuant to article 46 of the Regulation; c) on the adoption of binding corporate rules; d) by adopting standard contractual clauses approved by the European Commission.

In any case, you may request further details from the Data Controller if your Personal Data has been processed outside the European Union, requesting evidence of the specific guarantees adopted, by writing to the following e-mail address: [email protected].