© Gecal srls P. IVA 16888891005 CIN IT058091B47GS2FQRH
Termini e Condizioni
CONTACT DETAILS OF THE DATA PROTECTION OFFICER (DPO)
The Data Protection Officer is Gecal srls, tel. +39 3278458125, e-mail: lexieguesthouse@gmail.com
PURPOSE OF PROCESSING, LEGAL BASIS AND DATA STORAGE PERIOD
a) Purpose: Service Delivery (Registration of the customer and then subsequently fulfilling legal obligations)
Types of data that can be processed: First Name, Last Name, Phone Number, Additional Requests, Address, ZIP Code, Province, Country, State and E-mail, Payment Information.
Legal basis: Performance of a contract to which you are a party or pre-contractual measures taken at the request of the data subject; fulfilment of legal obligations. Art. 6 co. 1 lett. b) e c) GDPR.
Storage period: The retention time is changeable as it is dictated by the difference between the time the reservation is made and the time the guest actually arrives at the facility. Encrypted payment information is retained up to 15days after the departure of the client's guest.
b) Purpose: Request for quotation (request for quotation with subsequent contact from the Data Controller)
Types of data that can be processed: First name, last name, email and phone number.
Legal basis: Pre-contractual measures taken at the request of the data subject. Art. 6 co. 1 lett. b) e c) GDPR.
Storage period: For the time it takes to process the request
c) Purpose: Newsletter (Sending newsletters, by automated means, of contacting)
Types of data that can be processed: Personal and contact data.
Legal basis: Consent (required by contract or specific request); optional and revocable at any time. Art. 6 co. 1 lett. a) GDPR.
Storage period: Until consent for that purpose is withdrawn and/or five years have elapsed since the 'expression of consent.
d) Purpose: If necessary, to ascertain, exercise or defend the rights of the Joint Data Controllers in judicial proceedings
Types of data that can be processed: Personal data and contact details; data necessary for the execution of the contractual relationship.
Legal basis: Legitimate interest (judicial protection). Art. 6, paragraph 1 letter f) GDPR.
Storage period: For the time necessary to exercise rights in court.
OBLIGATORY NATURE OF PROVISION OF DATA
The data subject must provide necessary data for carrying out the contractual relationship to the Company, as well as the data necessary to fulfil the obligations provided for by laws, regulations, community standards, and by provisions of Authorities legitimated by law and by supervisory and control bodies (referred to in purposes a) and f) above). Data that are not essential for the performance of the contractual relationship are qualified and considered supplementary and their provision by the data subject, if requested, is optional and subject to consent. Consent provided may be withdrawn by the data subject at any time. Such withdrawal shall in no way affect the lawfulness of processing based on the consents given prior to withdrawal of consent.
PROCESSING METHODS
Personal data will be recorded, processed and stored in the Company’ archive, paper and electronic, in compliance with the appropriate technical and organizational measures referred to in Art. 32 of the GDPR. The processing of the data subject personal data may consist of any operation or set of operations described in Art. 4, paragraph 1, point 2 of the GDPR. Personal data will be processed using suitable tools and procedures that guarantee security and confidentiality. Such processing may be carried out directly and/or via delegated third parties, both manually using hard-copy support and electronically using IT equipment and other instruments. In order to manage properly the relationship and fulfilment of legal obligations, personal data may be entered in the internal documentation of the Company and, if necessary, in the documents and registers required by law. Your data may be processed by the employees of the departments of the Company assigned to the pursuit of the above-mentioned purposes. These employees have been expressly authorized to process the data and have received adequate operating instructions pursuant to and for the purposes of Art. 29 GDPR.
CATEGORIES OF RECIPIENTS OF PERSONAL DATA
Personal data under purpose (a) are only disclosed to possible legal offices where required by law.
Payment data is transmitted to payment service providers for completion of the transaction.
DATA TRANSFER TO COUNTRIES OUTSIDE THE EU
The data provided by the data subject will only be processed countries within the European Union. If the personal data of the data subjects are processed in a country outside of the EU, the data subject’s rights under EU legislation will be guaranteed and the data subject will be notified on a timely basis.
RIGHTS OF THE DATA SUBJECT
Pursuant to Articles 15 et seq of the GDPR, the data subject may exercise the following rights:
1.access: to obtain confirmation of whether or not the personal data of the data subject are being processed and the right to access them; requests that are manifestly unfounded, excessive or repetitive cannot be answered;
2.rectification: to correct/obtain the correction of personal data if incorrect or outdated and to complete data if incomplete;
3.erasure/to be forgotten in some cases, to obtain the erasure of the personal data provided; this is not an absolute right, as the Company may have legitimate or legal reasons to store them;
limitation: the data will be stored, but cannot be processed further, in the cases foreseen by the regulation;
4.portability: to move, copy or transfer data from the Company’ databases to third parties. This applies only to data provided by the data subject for the performance of a contract or for which 5.express consent has been given and the processing is carried out by automated means;
6.objection to direct marketing;
7.withdraw of the consent at any time if processing is based on consent.
Pursuant to Art. 2-undicies of Legislative Decree 196/2003, the exercise of data subjects rights may be delayed, restricted or excluded, following justification provided without delay, unless this might compromise the purpose of the restriction, for as long as and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard the interests referred to in paragraph 1, letters a) (protected interests with regard to money laundering), e) (for the conduct of defensive investigations or the exercise of a right in court) and f) (for the confidentiality of the identity of the employee who reports offenses he becomes aware of on his duties). In such cases, data subjects’ rights may also be exercised through the Personal Data Protection Authority in the manner referred to in Article 160 of said Decree. In such case, the Personal Data Protection Authority will inform the data subject that it has carried out all the necessary checks or that it has carried out a review, as well as of the data subject right to take legal action. It should also be noted that - before processing the requests - the Company may ascertain the identity of the data subject, in order to evaluate the legitimacy of the same. To exercise these rights, the data subject may contact the Data Controller at the addresses indicated in section "Identity and contact details" of this document. The Company will respond within 30 days of receiving the data subject formal request. If the abovementioned rights concerning data subject personal data are infringed, the latest may complain to the competent authority.
THE DATA
CONTROLLER