Privacy Policy
Last updated: February 1, 2024.
Your privacy is of the utmost importance to Monteverdi Residence Club LLC and MONTEVERDI S.R.L. In order to protect it to the best of our ability, we hereby provide the following policy regarding our use of the personal data you provide. Below, you will find details on the type of information collected during browsing on this website, and your options for intervening in the collection and use of this information are listed.
This policy is disclosed pursuant to articles 13 and 14 of Regulation (EU) 679/2016, known for short as the GDPR, and subsequent updates. This policy is also based on Recommendation No. 2/2001, which the European personal data protection authorities — in the working party established pursuant to Article 29 of Directive No. 95/46/EC — adopted on 17 May 2001 with the aim of identifying some minimum requirements for the online collection of personal data, in particular the methods, times, and nature of the information that data controllers must provide to users who connect to websites, regardless of the purposes of such connections.
COMPANY PRIVACY POLICY ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLES 12 AND FOLLOWING OF REGULATION (EU) 2016/679 (GDPR)
1. Subject Privacy notice on the processing of personal data for Monteverdi S.R.L., pursuant to Articles 12 et seq. of Regulation (EU) 2016/679.
2. Introduction Regulation (EU) 2016/679 ('General Data Protection Regulation', or GDPR) provides for the protection of personal data of individuals. According to this Regulation, the processing of personal data referring to a data subject must be carried out lawfully, fairly and in a transparent manner, while ensuring the protection of the privacy and rights of the data subject, who has the right to know how their data is processed. We inform you, in accordance with the aforementioned regulation, that our organization possesses some of your personal data, acquired through your customer relationship with our facility. Such data may have been acquired verbally, directly or through third parties who process data, or through parties to whom we provide this information at your request. Under the GDPR, such data is classified as 'personal data' and is therefore protected under the relevant provisions. Pursuant to Articles 12 et seq. of the GDPR, our organization, as Data Controller, will process the personal data you provide in compliance with the regulation, with the utmost care, by implementing appropriate technical and organizational measures to ensure the protection of your personal data. To this end, authorized personnel, using procedures recommended by the regulation to safeguard collected data, are committed to: 1) Preventing unauthorized access or disclosure; 2) Maintaining data accuracy; 3) Ensuring that data is used solely for the specific purposes for which it was collected.
3. Definitions
1) Personal data: any information relating to a natural person, legal person, entity, or association, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number such as name, identification number, location data, online identifier, or one or more elements characteristic of their physical, physiological, genetic, mental, economic, cultural, or social identity.
2) Processing: any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, deletion or destruction.
3) Data subject: the natural person to whom the personal data refer.
4) Data controller: the natural or legal person, public authority, service, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
5) Data processor: a natural or legal person, public authority, service, or other body that processes personal data on behalf of the controller.
6) Third party: any natural or legal person, public authority, service, or other body other than the data subject, controller, processor, and persons authorized to process personal data under the direct authority of the controller or processor.
7) Consent of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or clear affirmative action, signify agreement to the processing of personal data relating to them.
8) Supervisory authority: the independent public authority established by a Member State pursuant to Article 51 of the GDPR.
4. Collected Personal Data The Data Controller uses your personal data to ensure effective delivery of its services. The following data may be requested or collected, in whole or in part:
a) Personal data: tax code, VAT number, company name, registered office, residence, domicile, and contact information (phone/email);
b) Contract data: details of the type of tourism booking services contract and related information required for its execution;
c) Accounting data: financial relationship details, amounts due and paid, periodic status, and summaries;
d) Data to enhance collaboration and operational efficiency;
e) Special categories of personal data (e.g., health-related data) as defined in Articles 4 and 9 of the Regulation, necessary for the lawful provision of SPA Wellness Center services;
f) Video surveillance data: collected only in designated areas and strictly for legal purposes;
g) Data required for compliance with legal obligations to report guest information to the Police Headquarters and fill out the ISTAT C/59 form, including document type and number, place of issue, full name, gender, date and place of birth, citizenship, and dates of arrival and departure. A scanned image of the ID (front and back) is also collected.
5. Data Retention Period The collected data will be retained for the duration of the collaboration and for 10 years from its termination. If data are processed for purposes beyond administrative and accounting obligations, they will only be kept for the time necessary to achieve those purposes and then deleted. You will be informed of the retention period when consent is requested.
Video surveillance footage is stored for 24 hours unless affected by holidays, office closures, or requests from judicial authorities, in accordance with the measure of 8 April 2010. Guest registration and ISTAT C/59 data are stored for 60 months. Regarding any photographic scans of your ID (front and back), the data is retained for a maximum of 48 hours after check-in. After this retention period, the recorded images are automatically deleted from the relevant electronic, computer, or magnetic media.
6. Mandatory or Optional Nature of Data Provision It is mandatory to provide the Data Controller with the essential data for the provision of services and the data required to comply with obligations established by laws, regulations, EU legislation, including provisions of authorities authorized by law and supervisory bodies. Non-essential data may be optionally provided, with appropriate information and consent forms. Refusal to provide optional data may reduce our operational efficiency or prevent full or partial delivery of services.
7. Processing Methods Pursuant to Articles 12 et seq. of the GDPR, we inform you that the personal data you provided will be recorded, processed, and stored in our paper and electronic archives, and by third-party collaborators, in compliance with the technical and organizational measures required by the GDPR. Processing operations may include collection, recording, organization, structuring, storage, adaptation or alteration, extraction, consultation, use, communication by transmission, dissemination or any other form of disclosure, alignment or combination, restriction, erasure, or destruction. Processing may be carried out manually or with electronic tools, ensuring security and confidentiality. The data may be included in the Controller's internal documentation and in mandatory legal records.
8. Purpose of Processing The main purpose of processing your personal data is to enable the proper establishment and management of the contractual relationship. In particular:
a) Administrative-accounting purposes:
- Compliance with tax or accounting obligations;
- Legal obligations requiring data processing by MONTEVERDI S.R.L.;
- Customer management (contracts, orders, billing, creditworthiness);
- Dispute management (defaults, warnings, settlements, debt collection);
- Internal control (security, service quality, asset integrity);
b) Marketing (with your consent):
- Promotional activities via email, SMS, phone, instant messaging, or social media;
- Customer satisfaction surveys;
c) SPA Wellness Center services (with specific consent): processing special categories of personal data necessary to provide the services.
Personal data is also processed to comply with legal, administrative, insurance, and tax obligations, and to fulfill commercial and contractual obligations.
9. Automated Decision-Making MONTEVERDI S.R.L. does not carry out any automated processing of personal data (including profiling).
10. Legal Basis of Processing Under Article 6 GDPR, personal data processing is lawful if the data subject has given consent for one or more specific purposes. Processing is also lawful without consent when:
a) Required to perform a contract with the data subject or pre-contractual measures;
b) Required to comply with a legal obligation;
c) Necessary to protect the vital interests of the data subject or another person;
d) Necessary for the performance of a public interest task or official authority;
e) Necessary for the legitimate interests of the controller or third parties, unless overridden by the rights and freedoms of the data subject, especially minors.
Consent is not required when data is obtained from public registries, lists, or publicly available documents under applicable laws.
11. Activities Potentially Delegated to Third Parties The Data Controller may delegate data processing activities to third parties for the provision of SPA services. Third parties will use only the data needed for service delivery and must respect confidentiality.
Recipients may include:
1. Public Administrations for institutional functions within legal limits;
2. Third parties and service providers (within the EU or Italy), such as:
- Consultants and collaborators performing work-related tasks;
- Professionals (accounting, legal, tax, finance);
- ICT service providers (installation, maintenance, IT systems);
- External parties required by law or contract (e.g., banks);
- Security and surveillance service providers;
- SPA Wellness Center operators;
- Marketing and communication providers;
3. Parent, subsidiary, or affiliated companies under Article 2359 of the Civil Code.
All third parties will act as Data Processors under Article 28 GDPR and will only process data as needed under strict confidentiality agreements.
12. Data Dissemination The Data Controller will not disclose your data indiscriminately or make it available to undefined recipients.
13. Transfer of Personal Data Abroad Your data will be processed in Italy. If transferred outside the EU, it will only be to countries deemed adequate by the European Commission (Article 45 GDPR). Currently adequate countries include: Andorra, Argentina, Australia, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, USA. Transfers may also occur under Standard Contractual Clauses (SCCs) aligned with GDPR.
14. Data Access Scope Your data may be accessed by:
a) Employees or collaborators in roles such as: administration, maintenance, accounting, sales, marketing;
b) Executives and administrators;
as well as third parties as outlined in section 11. These parties may carry out specific tasks related to the execution of the data subject's relationship with MONTEVERDI S.R.L.
15. Rights of Data Subjects Under Article 15 GDPR, you have the right to confirm whether personal data concerning you is being processed. Requests require ID verification.
You have the right to:
a) Access your personal data and information (purpose, categories, recipients, retention period, data origin, automated decisions, data transfers);
b) Request deletion (Article 17);
c) Request restriction, correction, or object to processing (Article 18);
d) Request data portability (Article 20);
e) Receive notification of deletion, correction, or restriction to all recipients (unless impossible or disproportionate) (Article 19);
f) Lodge a complaint with the data protection authority (Garante per la protezione dei dati personali).
16. Identification of Controller and DPO
1. Data Controller: MONTEVERDI S.R.L. Piazzetta Maurilio Bossi, 4, 20121, Milan (MI), Italy; Tel: +39 0578-268146; Email: privacy@monteverdituscany.com
2. Data Processors: External companies bound by contractual agreements and required to process your data to fulfill such contracts. To request a list of appointed processors, contact the Data Controller. These processors are not responsible for handling data subject rights requests.
3. Data Protection Officer (DPO): Officially appointed and reachable at: dpo@monteverdituscany.com
17. Representative Established in the State Territory Our organization has not appointed a representative in the State territory, as none of the conditions under Article 4(1)(17) GDPR requiring such appointment apply.
THE DATA CONTROLLER: MONTEVERDI S.R.L.
