in order to comply with the regulations concerning data protection, recently revised by EU Regulation no. 679/2016 and subsequent amendments and integrations, we have sent all customers a policy statement concerning the processing of their data.
Your data were collected at the time of registration at one of our hospitality facilities.
We are writing to inform you about the way in which we process your data and we kindly ask you to return your consent, duly signed, to: firstname.lastname@example.org by email, or by post to: Cermis Srl via Paolo Borsellino n. 5 – 38123 TRENTO.
Thank you for your cooperation in this matter. Sincere regards,
- Data Controller
The Data Controller is Cermis Srl (VAT reg./Tax ID code 00449810225), headquartered in Milan and with administration offices at Via Paolo Borsellino n. 5 – 38123 TRENTO – mail: email@example.com -firstname.lastname@example.org – tel. +39 0461/930460 and Fax +39 0461/930781.
- Purposes of data processing and legal basis for same
The processing of your information will be based on the principles of “lawfulness, correctness, transparency, purpose limitation and retention period, data minimization, accuracy and accountability”, as well as to safeguard integrity and confidentiality.
On each occasion of contact or interaction with a potential guest, personal information may be collected, such as personal details, address, personal characteristics, days for a possible stay, family members, nationality, passport number and date and place of issue, and credit card number to guarantee payment or reservations, etc.
Data is processed for the following purposes:
- to send information/promotions/offers regarding our services and facilities;
- management of relations with potential customers
- pre-contract activities (quotes and information about facilities, offers, events and services);
- contract activities (management of bookings and any services/packages chosen);
- correct performance of the rights and obligations provided for by law (for example, for accounting purposes, banking, business relations or to apply or defend rights in court);
- collection of aggregate - and anonymous - statistics for the purpose of monitoring and improving products or services supplied and to meet the requirements of the data subject.
- storage of data to accelerate registration processes in case of subsequent stays at our facilities.
Processing can be carried out with or without the support of electronic or in any case, automated means.
The Data Controller has put in place all of the security measures considered suitable and necessary to protect data against the risk of loss, abuse or alteration, compliant with that stated in the Privacy Regulations and Privacy Code.
The Data Controller makes regular checks of the suitability of these measures.
To send advertising/information/promotional notices, the Data Controller may make use of supports provided by third-parties, such as mailing lists. In this case, we may use statistics tracking systems that make it possible to see if a message has been opened, as well as the number of clicks on a link, identifying the amount and the date.
This policy statement extends, insofar as it is compatible, to the data collected through the applications or websites of Cermis Srl.
- Obligation to provide data and consequences
The purposes of “management of relations with the customer” regards pre-contract and contract activities, obligations and rights connected to same and therefore, there is no need for your consent, unless the treatment is for specific data as per art. 9 and 10 of Reg. EU 2016/679. In case of refusal to provide personal data, pre-contract or contract activities cannot continue or may be impossible to execute (for example, we will be unable to confirm your reservation or provide you with the services you require).
Activities concerning the sending of advertising material require your consent, which is optional. Failure to provide consent will prevent Cermis Srl to send you information/communications concerning the facility, offers, services and events if you do not expressly request this.
Retention of your data allows us to speed up your registration processes. This processing depends on your consent. Failure to consent will prevent Cermis Srl from storing/processing your data further for this purpose, excepting when strictly necessary to meet fiscal, accounting or legal requirements or to exercise the Controller’s specific rights or interests (e.g. legal defence of Controller’s rights).
- Personal data recipients or categories of recipients
With regard to the above aims, your data may be communicated to:
- thAird-party companies for the purpose of fulfilling contract or pre-contract obligations;
- for the purpose of meeting fiscal, legal or similar requirements from subjects appointed to fiscal, accounting, legal and contract management (e.g., accounting firms, etc.);
- for the purpose of meeting the obligations set down in current laws by the public authorities or administrations for compliance with fiscal or legal requirements;
- for the purpose of meeting contract obligations with subjects performing processing, recording and filing of data with third parties (for example, companies providing hardware and software);
- consultants, within the limits necessary for the performance of their tasks within our company;
- banking institutes for the management of receipts and payments;
- financial administration or public entities, in fulfilment of regulatory obligations;
- legal firms for the protection of rights;
- advertising agencies for the sending of informative material;
In any case, the abovementioned subjects will only be provided with the data necessary for the purposes of processing as required.
Your data may be known to and processed by our internal staff, subject to the obligation for confidentiality.
Furthermore, your data may be viewed by external subjects, appointed to the control and maintenance of hardware and software on occasion of the necessary interventions for the correct operation of same.
Anyone not appointed as responsible for processing data will be considered as autonomous handlers of data. The list of those responsible for processing can be seen on request.
- Transfer of personal data to a third country or international organisation and the existence of an automated decision process
The Data Controller has no intention to transfer personal data to a third country or international organization.
The Data Controller does not use automated decision processes.
- Retention period
Data will be processed for the period of time required for the performance of the aims described herein. Data are in any case stored for the time required by Italian law concerning fiscal/accounting requirements (to date, at least 10 years from the date of the last registration).
- Data subject’s rights
The data subject shall have the right to obtain:
- confirmation of the existence of personal data concerning him or her, regardless of whether or not said data is already recorded, and communication of such data in intelligible form.
- information as to:
- the source of the personal data;
- the purposes and methods of processing;
- the logic applied to the processing, if the latter is carried out with the help of electronic means;
- the identification data concerning data controller, data processors and the person responsible for data protection and the designated representative;
- the subjects or categories of subjects to whom personal data may be communicated and who or which may get to know said data
- Information as to:
- the updating, rectification or, where interested therein, integration of the data;
- the erasure, anonymization or blocking of data that have been processed unlawfully, including data that do not need to be retained with regard to the purposes for which they were collected and then processed.
- certification to the effect that the operations as per letters a) and b) have been notified, as also related to content, to those to whom the data have been communicated or divulged, except in the case in which said performance results as being impossible to achieve or would lead to the use of means that are clearly disproportionate in view of the right that is being protected.
- limits to the processing of data concerning him or her, and he or she has the right to the portability of data as established in current regulations.
- to object, wholly or in part:
- on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose
- to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling, or for market research or commercial communication.
The data subject has the right to refuse consent to the processing of data at any time. Refusal of consent will not affect the lawful nature of processing based on consent before withdrawal of same.
A data subject shall have the right to lodge a complaint with a supervisory authority.
The full text of EU Regulation 2016/679 with all rights of the data subject (articles 15 to 22) is available at the headquarters of the Data Controller and on the website www.garanteprivacy.it
- Procesure for exercising of rights
The data subject may, at any time, exercise his or her rights by writing to the following email address email@example.com or by mail to: Cermis Srl via Paolo Borsellino n. 5 – 38123 TRENTO – mail: firstname.lastname@example.org email@example.com – tel. +39 0461/930460 and Fax +39 0461/930781.
This does not exclude the possibility of providing other information, including verbally, to the data subject at the time of data collection.
I, the undersigned, ________________________________________________________________________________ having read the information from the data controller, pursuant to art. 13 of the Privacy Regulation, hereby consent to the processing of my details for the activities of marketing, promition and the sending of advertising material.
□ I consent □ I do not consent
I consent to the storage of my data to accelerate registration processes in case of subsequent stays at the facilities of the data controller.
□ I consent □ I do not consent
By signing this, I: ________________________________________________address (name and surname (address/telephone/mail): _______________________________________________________________________________
declare that I have carefully read the contents of the policy statement, provided pursuant to the Privacy Code (Lgs. Decree 196/2003) and EU Regulation no. 2016/679, by Cermis Srl (00449810225) headquartered in Milan with administrative offices at Via Paolo Borsellino n. 5 – 38123 TRENTO – mail: firstname.lastname@example.org – tel. +39 0461/930460 and Fax +39 0461/930781.
I declare that I have received a copy of the policy statement and that I have freely communicated my data.
I undertake to communicate any changes to my details.