Privacy statement on the processing of personal data – Articles 13, 14 and 26 of EU Regulation 2016/679

Data subjects: users of the www.italyfamilyhotels.it website

The ITALY FAMILY HOTELS Consortium (based in Via Macanno 38/Q, 47923 Rimini (RN), Italy, info@italyfamilyhotels.it) and the Consortium’s partner accommodation facilities, (click here to view the updated list), as joint data controllers of the processing of your personal data, based on contractual agreements in place, pursuant to and for the purposes of Article 26 of EU Regulation 679/2016, hereinafter referred to as the “GDPR”, hereby inform you that the aforementioned regulation provides for the protection of your personal data, and that this data processing shall be based on the principles of correctness, lawfulness, transparency and protection of privacy and of your rights.

Distribution of the purposes of the data processing based on existing contractual agreements among the joint data controllers (Article 26 of EU Regulation 679/2016 – essential content of the agreement)

The ITALY FAMILY HOTELS Consortium is the owner of the www.italyfamilyhotels.it portal, which allows users to request offers and services for stays in all registered hotels; the Consortium also aims to raise public awareness of the local territory and to promote tourism offers through profiled marketing activities; members of the ITALY FAMILY HOTELS Consortium receive the requests for quotations and respond autonomously through their own email addresses; they also promote their direct marketing activities towards the data subjects who are requesting information, services and quotations through the same portal.

Purpose and legal basis of the data processing:
1a) Formulation of offers and quotations on the basis of requests received by filling out the forms available on the www.italyfamilyhotels.it portal. The offers shall be made directly by the hotels/accommodations facilities that you have shown interest in through a voluntary selection.
The legal basis of the data processing is a pre-contractual obligation in order to respond to the request.
1b) Additional services offered on the portal (e.g. subscription to the newsletter, downloading the catalogue, etc.) which require the acquisition of contact data in order to use them.

Optional data processing
2) Direct marketing: sending of information and newsletters on events, initiatives, on the territory and on the tourist accommodation sector relative to the market in which the ITALY FAMILY HOTELS Consortium operates, as well as promotions, newsletters and direct marketing by the ITALY FAMILY HOTELS Consortium and information on accommodation and non-accommodation activities offered by members of the Consortium, as independent data controllers.
Communications shall be sent via the contact channels you have specified, such as email, mobile
phone number, sms, whatsapp, traditional mail and/or phone calls. Also, if you have activated a Facebook Social profile (or other Social networks currently active), and have chosen to associate this profile with the same email indicated in this form, you may occasionally view the advertising banners of the ITALY FAMILY HOTELS Consortium on the social networks to which you are subscribed.
This marketing activity is also accessible by subscribing to additional services offered on the portal, through a voluntary consent action.
The legal basis for the data processing is the data subject’s consent.

3) Profiling: sending of commercial information by the ITALY FAMILY HOTELS Consortium for marketing purposes, based on the information you specified in your request. The communications shall be customised based on your specific preferences and travel habits, the composition of your household, as well as consumption statistics. Any marketing communications with regard to accommodation and non-accommodation activities offered by members of the Consortium shall be carried out as independent data controllers.
The legal basis for the data processing is the data subject’s consent.

Retention: your personal data shall be retained based on the data controllers’ purposes for which the data was collected and kept until the receipt of an eventual deletion request, which the data subject may submit any time from the communications received.

Consequences of lack of consent for optional purposes
The failure to consent to the promotional and/or direct marketing or profiling purposes referred to in points 2 and 3 shall not affect the processing of data necessary for the provision of the basic service, which provides for the receipt of quotations based on your request.
Your personal data shall be processed in accordance with the laws of the aforementioned legislation and with the privacy obligations provided for therein. This shall also take into account the provision of the Italian Authority for the Protection of Personal Data, “Guidelines on promotional activities and the combating of spam” of 4 July 2013 (Published in the Official Journal no. 174 of 26 July 2013).
The processing of data necessary for the fulfilment of such obligations (purpose 1 concerning subscription to the service) is necessary to ensure a correct management of the relationship and the provision of such data is mandatory to implement the aforementioned purposes. The Data Controllers note that any non-communication or incorrect communication of one or more of the pieces of contact information described above, may result in the inability to provide the service requested.

Data processing method
Your personal data may be processed using the following methods:
– Outsourcing of processing operations (to data processors or sub-processors), necessary for the management of the service, of communications and of processing activities;
– Collection of data through paper forms, electronically or by telematic means via the web;
– Processing using electronic computers and paper files;

Technical and organisational measures
Each data processing operation shall take place in accordance with the methods provided for in Articles 6 and 32 of the GDPR and through the adoption of appropriate security measures;

Recipients and data transfer outside the EU
Your data shall be stored in paper and electronic format by server providers, through agreements with hosting, cloud and connectivity providers (data processors or sub-processors), located both in EU countries, as well as in non-EU countries (United States), through suppliers subscribing to the Privacy Shield agreement, or to other confidentiality agreements or clauses. These systems are managed by a system administrator and by authorised and adequately trained persons, with the guarantee of technical and organisational security measures to protect personal data in reference to Articles 29 and 32 of EU Regulation 679/2016, through technical, administrative and commercial personnel.

In particular, but not limited to, your data may be processed by the following categories of persons, under the authority of the data controllers:
– Administrative staff
– Technical staff and system administrators
– Sales and marketing representatives
Additional recipients that contribute to the provision of the services requested for the stated purposes, and any other subjects in accordance with legal obligations.

Disclosure: Your personal data shall not in any way be disclosed.

The Data Protection Officer (DPO)
Studio Paci&C srl (contact person: Luca Di Leo) based in Via Edelweiss Rodriguez Senior, 13 – 47924 – Rimini, Italy – Tel. +39 0541 1795431, is designated as DPO by the Data Controller, pursuant to Article 37 of the GDPR.

Rights of the data subjects
You have the right to obtain, from the Data Processor, the deletion (so-called “right to be forgotten”), limitation, updating, correction, portability, opposition to the processing of your personal data, as well as in general, you may exercise all the rights provided for by Articles 15, 16, 17, 18, 19, 20, 21 and 22 of the GDPR.EU Regulation 2016/679:

Articles 15, 16, 17, 18, 19, 20, 21 and 22 – Rights of the data subject

1. The data subject shall be entitled to obtain conformation regarding the existence or otherwise of personal data concerning the party itself, even if not yet registered, and its communication in intelligible form.

2. The data subject shall have the right to obtain information concerning:
– the source of the personal data; the purposes and processing methods;
– the logic applied in the event of data processing carried out with the aid of electronic or automated tools; the identity of the data controller, the data processors and the representative appointed under Article 5, paragraph 2;
– the entities or categories of entity to whom or which the personal data may be communicated and who or which may become familiar with said data in their capacity as designated representative in the State’s territory, as data controllers or processors.

3. The data subject shall have the right to obtain:
– the updating, the correction or, where interested, the integration of the data; the deletion, the transformation into anonymous form or the blocking of data processed in violation of law, including any data whose retention is not required in relation to the purposes for which the same has been collected or subsequently processed;
– the certification that the operations referred to under letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or distributed, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected; the portability of the personal data.

4. The data subject shall have the right to oppose, in whole or in part:
– for legitimate reasons, the processing of personal data, even though pertinent to the purpose of collection; the processing of personal data for sending advertising material or for direct selling or for carrying out market research or commercial communications.

Complaints
Where applicable, data subjects also have the right to file a complaint with the Italian Authority for the Protection of Personal Data as Supervisory Authority, in accordance with the procedures laid down. For any additional information and to enforce the rights recognised to the data subject by applicable European regulation, you may contact the data controller using the contact information provided above.

Acquisition formula of the data subject’s consent
The undersigned data subject, having received the information provided by the joint data controllers, pursuant to Articles 13, 14 and 26 of the GDPR, confirms that he/she has read this Privacy Statement on the processing of personal data for the purposes necessary for the continuation of the relationship, specified in the aforementioned Privacy Policy Statement (point 1), as necessary to allow the joint data controllers to ensure the correct management and an appropriate processing of the same data, in order to provide the service, manage and respond to your requests.

As evidence of your explicit and unequivocal consent, we shall record the date, time, IP address, email address, your possible consent to direct marketing/receive newsletters (point 2), and/or for profiling purposes (point 3), manifested by ticking the appropriate boxes.