This page shows the policies for personal data security that the company Società per l’industria alberghiera S.P.L.I.A. S.p.a. implements for users of the website, and more generally for the data subjects who interact with our hotel in various ways. This policy is provided pursuant to Art. 13 of the General Data Protection Regulation, EU Regulation 2016/679 (hereinafter, GDPR - General Data Protection Regulation) to people who interact with the web services of Hotel The Place Firenze, which can be accessed online at: http://www.theplacefirenze.com
The policy refers only to the Internet site of Hotel The Place Firenze and not to any other websites that the user may visit via link.
DATA CONTROLLER AND DATA PROCESSOR
• Pursuant to Art. 4(7) of GDPR 2016/679, the Website’s Data Controller is the Company Società per l’industria alberghiera S.P.L.I.A. S.p.a., provider of hotel and restaurant services for the Hotel The Place Firenze located in Piazza Santa Maria Novella, 7-9r - 50123 Florence
• Pursuant to Art. 28 of GDPR 2016/679, the Data Processor for bookings which take place through the company’s website via the platform https://www.blastnessbooking.com is Blastness srl, VAT no./tax code: 01195440118, Milan REA registration no. 2107189, registered office: Galleria del Corso, 2 – 20122 Milano, Italy
DATA PROTECTION OFFICER
• Pursuant to Art. 37 of GDPR 2016/679, Società per l’industria alberghiera S.P.L.I.A. S.p.a. has officially appointed a Data Protection Officer (DPO) whose contact details are: email@example.com
The DPO can be contacted by data subjects for any information concerning the processing of their personal data and the exercise of their rights.
LOCATION OF DATA PROCESSING
Processing associated with this website’s web services takes place at the offices of the Data Controller and of the Data Processors and is performed only by technical staff appointed to carry out processing.
The personal data provided by users who forward requests for information are used solely in order to provide the requested service, while some data collection forms envisage the possibility of communicating the data subject’s personal data to providers of services in order to fulfil the contract and provide the requested services.
TYPES OF DATA PROCESSED
The computer systems and software procedures used to operate the website acquire, during their normal operation, certain personal data whose transmission is implicit in the Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of computers used by users who connect to the website, URIs (Uniform Resource Identifiers) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters regarding the user’s operating system and IT environment. These data are used for the sole purpose of obtaining anonymous statistical information on website use and to check its correct functioning and are deleted immediately after processing. Data could be used to ascertain responsibility in the event of hypothetical computer crimes against the website: except for this possibility, at present the data on web contacts do not persist for more than thirty days.
Data provided voluntarily by the user
The optional, explicit and voluntary sending of email to the addresses indicated on this website involves the subsequent acquisition of the sender’s email address, which is necessary in order to respond to requests, as well as any other personal data included in the message.
The services on this website are not intended for minors. We do not knowingly collect the data of minors, including Personal Data.
If we become aware that we have collected the Personal Data of a minor, we will immediately erase them, except where we are obliged by law to keep such data. The user is asked to contact us should they believe that Società per l’industria alberghiera S.P.L.I.A. S.p.a. has collected information on a minor by mistake or involuntarily.
Personal data are processed using automated tools for the time needed in order to achieve the purposes for which they were collected. Specific security measures are observed to prevent any loss of data, unlawful or improper use and unauthorised access.
PURPOSES, LEGAL BASIS AND NATURE OF CONSENT
The Personal Data you provide through the website will be processed by the company Società per l’industria alberghiera S.P.L.I.A. S.p.a. for the following purposes:
1. purposes associated with the execution of a contract to which the data subject is a party or the execution of pre-contractual measures adopted as per their request (e.g. contact request through the Contact Us form, request for high resolution images of the hotel in the “Download” section, request for private events in the “Private Events” section, booking requests, participation in special offers, etc.). Consent not necessary;
2. purposes associated with sending promotional and commercial material following voluntary registration to the Hotel’s newsletter. Requires the explicit consent of the data subject or the exercise of soft spam;
3. purposes associated with sending promotional and commercial material via email following voluntary registration to the restaurant's newsletter accessible via QR Code. Requires the explicit consent of the data subject;
4. to assess possible job candidates by acquiring CVs via email or via the “Job Opportunities” section. Requires the explicit consent of the data subject;
5. purposes of research and strategic analysis of anonymous aggregate data aimed at measuring the website’s operation, measuring traffic and assessing its usability and interest in order to make it more functional and better performing; Consent not necessary because it does not constitute processing of personal data;
7. purposes related to compliance with laws and regulations; Consent not required;
8. purposes that are necessary in order to ascertain, exercise or defend a right before the courts or when the courts act in their judicial capacity. Consent not required.
Data processed by us may include special categories of personal data as defined by Article 9 of the GDPR 2016/679, namely personal data relating to health or religion (food allergies, services for people with disabilities, menus suitable for certain religions, etc.) that you provide to us voluntarily in the message field of the request or in the CVs sent to us. The data in question will be processed under maximum security, will not be disclosed to third parties and the processing will be restricted to those operations that are essential in order to fulfil the obligations, including pre-contractual obligations, that the Hotel undertakes in its business, in order to provide the specific goods or services requested by the data subject. Pursuant to Art. 9 of the GDPR 2016/679, we will always ask for explicit authorisation for the processing of personal data since we cannot know beforehand if the data subject will voluntarily enter such data in the personal data collection form.
This policy is provided pursuant to Art. 13 of EU Regulation 2016/679 and can also be used by the company Società per l’industria alberghiera S.P.L.I.A. S.p.a. for job advertisements placed for personnel recruitment on websites or portals not managed by the company directly.
The Company will process CVs arriving via email or through third party personnel recruitment companies (job ads placed on portals, etc.) to assess potential candidates in the company or future candidates.
Processing is carried out using electronic means except for CVs received by post. Any CVs considered “interesting” will be kept at the company’s offices for no longer than one year and will be processed in full compliance with the minimum security measures laid down by Article 32 of the GDPR 2016/679.
Any CVs that are not relevant and CVs that have been kept for more than 18 months will be deleted/thrown away.
In any case CVs will be stored at the Hotel The Place Firenze and will not be disclosed to unauthorised third parties.
They may be assessed by the Hotel’s employees or collaborators who have been appointed to carry out processing (pursuant to Art. 29 and 32(4) of the GDPR 2016/679).
We kindly ask that candidates follow these rules when sending CVs in electronic form:
1. Prepare your CV using the European template;
2. send your CV in pdf format;
3. do not include special categories of personal data in your CV as defined in Art. 9 of the GDPR 2016/679 (related, in particular, to health, religious beliefs or philosophical or political opinions) that are not relevant to the job opportunity;
4. consent to the processing of sensitive data that are relevant to the establishment of an employment relationship (e.g. belonging to a protected group).
The company reserves the right to delete/throw away CVs that do not comply with the above requirements.
The purpose of processing associated with managing CVs covers activities that are strictly related to the assessment, recruitment or selection of personnel, with the goal of collaboration, temporary or permanent employment, internship or in order for the chosen candidate to prepare their degree thesis at our offices.
TRANSFER OF PERSONAL DATA
The Data Controller undertakes to restrict the areas of circulation and processing of personal data (e.g. storage, archiving, conservation of data on its servers) to countries within the European Union, with an express prohibition to transfer them to countries outside the EU that do not guarantee (or in the absence of) an adequate level of protection, that is, in the absence of the protection tools provided by the EU Regulation 2016/679 - CHAPTER V (adequacy decision, Standard Contractual Clauses, EU-US Data Privacy Framework or explicit consent from the data subject).
BOOKING SYSTEM SECURITY
Blastness srl uses the credit cards provided during the booking stage in compliance with the Payment Card Industry Data Security Standard (PCI DSS). All information sent to this website under an SSL session is encrypted and protected against disclosure to third parties.
STORAGE OF DATA
Hotel The Place Firenze will process data subjects’ personal data for the time strictly necessary to achieve the purposes indicated in this policy.
By way of illustration only, Hotel The Place Firenze will process Personal Data for the newsletter service until the data subject decides to cancel the service simply by clicking on a link in the email received.
Without prejudice to the above, Società per l’industria alberghiera S.P.L.I.A. S.p.a. will process your Personal Data for the time permitted by Italian law in order to protect its own interests (Art. 2947(1)(3) of the Civil Code).
Further information on the period for storing Personal Data and the criteria used to determine this period can be obtained by writing to firstname.lastname@example.org
RIGHTS OF DATA SUBJECTS
People to whom the personal data refer have the right at any moment to obtain confirmation as to whether or not personal data concerning them are being processed, to know their content and origin, check their accuracy or request their completion, update or rectification (Art. 15 et seq. of GDPR 2016/679). Pursuant to these articles, you have the right to request the erasure, anonymisation or block of data processed in breach of the law as well as the right to object, on legitimate grounds, to such processing. Requests should be sent to Società per l’industria alberghiera S.P.L.I.A. S.p.a. - Sestiere Castello, 4171 - 30122 Venezia, for the attention of the General Manager.
In compliance with Chapter III of GDPR 2016/679, the data subject has the right, at any time, to request access to their Personal Data, their rectification or erasure, to object to such processing, to restrict processing and to obtain data concerning them in a structured, commonly used and machine-readable format and also has the right to object to profiling and to lodge a complaint with the Supervisory Authority.
The data subject also has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. For a full and comprehensive list of the rights that can be exercised as data subject, reference is made to Articles 15 et seq. of the GDPR 2016/679.
Requests should be sent by email to the company’s Data Protection Officer at: email@example.com
UPDATE AND REVISION