Privacy Policy

This Privacy Policy is intended to set out the principles governing the use of personal data provided by users and visitors who access our web services, with particular regard to the protection of their privacy.
This page describes how the website operates with respect to the processing of personal data of users and visitors who browse it. This notice is provided pursuant to EU Regulation 2016/679, and in accordance with applicable data protection legislation, for all those who interact electronically with the services available on this website, accessible at www.hotellocarno.com.
This Privacy Policy applies exclusively to the hotellocarno.com website and does not extend to any third-party websites accessible via links contained herein.

Data Controller and Processing Location

The website hotellocarno.com:

• is owned by Hotel Locarno S.p.A., VAT No. 12161331009, whose operational headquarters are located at Via della Penna 22, 00186 Rome, Italy, where all processing activities relating to the management of services and requests submitted through this website are carried out by duly authorised staff. As Data Controller, Hotel Locarno S.p.A. is committed to ensuring full compliance with applicable data protection legislation;
• is entrusted for maintenance, content management and booking system operations to Positioner SA, Lugano, Centro Monda 3, 6528 Camorino, Switzerland;
• is hosted at the server farm of iWay AG, headquartered in Zurich, Switzerland, where processing activities are limited exclusively to technical services.

Switzerland is recognised by the European Commission as a country providing an adequate level of protection for personal data.

Other parties operating within the services of this website include:

• Google LLC, Mountain View (USA), for traffic analysis services (Google Analytics) and tag management (Google Tag Manager) — the transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Art. 46 GDPR; where necessary, supplementary technical and organisational measures have been adopted to ensure an adequate level of protection;
• Meta Platforms Ireland Ltd, Dublin (Ireland), for advertising conversion tracking via Meta Pixel — processing takes place exclusively upon the explicit consent of the data subject. Meta Platforms Ireland Ltd may act as joint controller solely in relation to the collection and transmission of data, in accordance with the platform’s terms and conditions;
• Microsoft Corporation (Bing Ads), Redmond (USA), for advertising conversion tracking via Microsoft Advertising — processing takes place exclusively upon the explicit consent of the data subject; the transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Art. 46 GDPR;
• Sabre Hospitality Solutions (SynXis), Southlake (USA), as provider of the online booking engine integrated into the website, through which personal data required for reservation management is collected — the transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Art. 46 GDPR;
• Serenissima Informatica S.p.A., Padua (Italy), distributor and infrastructure management service provider for the Protel Property Management System (PMS), deployed on-premise on a virtual machine hosted at a server farm located in Italy, accessed via remote desktop. All processing takes place exclusively within Italian territory and does not involve any transfer of data to third countries outside the European Economic Area. Serenissima Informatica S.p.A. acts as Data Processor pursuant to Art. 28 GDPR;
• Cloudflare Inc., San Francisco (USA), as provider of security and performance optimisation services (CDN/WAF) through which the website’s traffic is routed — the transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Art. 46 GDPR;
• Usercentrics A/S (Cookiebot), Copenhagen (Denmark), as provider of the Cookie Consent Management Platform (CMP) integrated into the website — processing takes place within the European Economic Area;
• Inzone (cdn.inzone.com), as provider of rate intelligence services whose script is integrated into the website and may involve the transfer of data to servers located in the United States — processing takes place exclusively upon the explicit consent of the data subject; the transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Art. 46 GDPR;
• GlobRes (api.globres.io), as provider of the RealRate system for real-time rate comparison and display — data is processed on servers located in Germany (European Economic Area).

The website contains a link to a gift voucher service (hotel-locarno.bavoucherstore.com) operated by a separate legal entity. The privacy policy of that operator, available on the relevant website, governs all processing activities relating to browsing and purchases made on that platform.

Any other external parties who may have access to personal data held on this website will be duly appointed as Data Processors by the Controller. An up-to-date list of Data Processors may be requested directly from the Data Controller.

Users and visitors are asked to read this Privacy Policy carefully before submitting any personal information or completing any electronic form on this website. Browsing the website does not, in itself, constitute a legal basis for the processing of personal data pursuant to Art. 6 of EU Regulation 2016/679. Any processing requiring the consent of the data subject is carried out exclusively following its acquisition in the manner prescribed by applicable legislation.

Purposes and Legal Basis of Processing

Personal data provided by users and visitors following requests and/or use of services managed through this website is used solely to respond to the request and/or manage the service, and is communicated to third parties only where strictly necessary. The legal basis for such processing is the need to respond to a request from the data subject or to manage a service specifically requested by the data subject (performance of pre-contractual or contractual measures taken at the request of the data subject).
Where users and visitors additionally provide their consent, data may also be used for commercial communications relating to further services offered by the Controller. In such cases, the legal basis for processing is the freely given consent of the data subject.
In all other cases, navigation data is processed to ensure the proper functioning of the website on the basis of the Controller’s legitimate interest. Any processing carried out by means of non-anonymised traffic analysis tools (such as, by way of example, Google Analytics) is instead carried out exclusively upon the data subject’s consent, where such processing involves the direct or indirect identification of the user.

Categories of Data Processed and Purposes of Processing

Navigation Data
The computer systems and software procedures used to operate this website may, in the course of their normal operation, collect certain personal data whose transmission is inherent in the use of Internet communication protocols. This information is not collected for the purpose of being associated with identified individuals; however, by its nature, it could — through processing and cross-referencing with third-party data — permit the indirect identification of users (IP addresses, domain names of the computers used to connect, operating system and browser details, timestamps, etc.). Such data may be used solely for statistical purposes (in anonymous form) and to monitor the correct functioning of the website. It is retained for a limited period, is not disclosed, and is communicated only to the extent strictly necessary for the technical management of the service.

Data Voluntarily Provided by Users and Visitors
Where users and visitors voluntarily, explicitly and freely provide their personal data when connecting to the website — in order to submit requests, access services, make reservations or send communications via the contact form — such data will be collected and processed exclusively to fulfil the relevant request or provide the requested service. Personal data provided by users and visitors may be communicated to third parties only where implicitly necessary to fulfil those requests.

Cookie Data and Similar Technologies
Cookies are small text files that visited websites place on users’ devices to enhance browsing and, where applicable, monitor usage. Some cookies may be retransmitted to the same website on a user’s subsequent visit, enabling recognition and improving the website’s functionality. During browsing, users may also receive cookies sent by different websites or web servers (so-called “third-party” cookies).
The website hotellocarno.com uses session cookies to enable safe and efficient navigation, to recognise the country from which users are connecting, to maintain the user’s session and to allow them to complete their requests. These cookies are not stored permanently on the user’s device and expire when the session is closed.

The website may also use persistent cookies to personalise the browsing experience according to the device used, to analyse access patterns and to enable content sharing via social networks. These cookies are stored permanently on users’ devices and have varying durations.

Upon first access, users may express their consent to the installation of non-technical cookies via the dedicated banner managed by Cookiebot/Usercentrics, and may update their preferences at any time. Non-technical cookies — including profiling cookies, non-anonymised traffic analysis tools and marketing cookies — are installed and activated exclusively following the expression of the user’s consent through the preference management mechanism; in the absence of such consent, these tools remain disabled. For detailed information on the cookies used by this website, please refer to the Cookie Policy available at https://www.hotellocarno.com/en/corporate-nav/cookie-policy.

Links to Third-Party Websites

The Controller reserves the right to use and/or feature third-party services on this website. With regard to the management of personal data, the websites of such parties may operate under different and independent criteria. Accordingly, the Controller accepts no responsibility for the activities and content of any linked websites.

Multimedia content on the website may be delivered via third-party platforms (YouTube, Google), and typographic fonts may be loaded via Google Fonts (Google LLC, USA); these services may involve the transmission of the user’s IP address to the respective servers. For transfers to the United States, the Standard Contractual Clauses adopted by the European Commission pursuant to Art. 46 GDPR apply. The website also incorporates content from the Facebook and Instagram platforms (Meta Platforms Ireland Ltd, Dublin, Ireland), including the ability to access the Controller’s social media pages; this functionality may involve the transmission of data to Meta’s servers. This processing is distinct from advertising tracking via Meta Pixel and is based on the Controller’s legitimate interest in presenting the website’s content; data subjects may object by disabling the loading of embedded content through their browser settings.

The contact form is protected by Google reCAPTCHA (Google LLC, USA), which involves the transmission of technical data to Google’s servers in order to verify that requests originate from human users rather than automated systems. The transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Art. 46 GDPR.

Voluntary Nature of Data Provision

With the exception of navigation data as described above, users and visitors are free to choose whether or not to provide their personal data. Failure to do so may result solely in the inability to obtain the requested service.

Processing Methods and Retention Periods

Each processing activity is carried out through automated means (e.g. electronic procedures and systems) and/or manually (e.g. on paper) for the time strictly necessary to achieve the purposes for which the data was collected, and in any case in accordance with applicable legal requirements. In particular: navigation data is retained for a period not exceeding 7 days, except where required for the investigation of criminal offences; data voluntarily provided via the contact form or information requests is retained for the time necessary to manage the request and, in any case, for no longer than 24 months from collection; data relating to reservations and contractual relationships is retained for 10 years pursuant to applicable civil and fiscal obligations. Upon expiry of the relevant retention period, data is deleted or rendered anonymous.

For processing activities carried out by third parties appointed as Data Processors (including providers of analytics, booking and multimedia content services), retention periods are governed by the respective contractual arrangements and the privacy policies of the individual providers, to which reference is made.
Specific security measures are implemented to prevent the loss, unlawful or improper use of data, as well as any unauthorised access.

Rights of Data Subjects

• Data subjects have the right, at any time and within the limits established by applicable law, to:
  obtain confirmation as to whether or not processing of their personal data is taking place, and to access such data (Art. 15 GDPR);
• obtain the rectification of inaccurate data or the completion of incomplete data (Art. 16 GDPR);
• obtain the erasure of their personal data, in the cases provided for by law (Art. 17 GDPR);
• obtain the restriction of processing (Art. 18 GDPR);
• object at any time to processing where it is based on the Controller’s legitimate interest (Art. 21 GDPR);
• withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal (Art. 7(3) GDPR);
• receive their personal data in a structured, commonly used and machine-readable format (data portability, Art. 20 GDPR);
• lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali): Piazza Venezia 11, 00187 Rome – www.garanteprivacy.it – PEC: [email protected]
  Requests relating to the exercise of the above rights may be submitted to the Data Controller at [email protected] or directly to the Data Protection Officer (DPO) at [email protected].

This document, published at www.hotellocarno.com, constitutes the Privacy Policy of this website and may be updated periodically to reflect changes in applicable legislation, organisational structure or technology. The use of any information collected is subject to the policy in effect at the time of such use.