INFORMATIVA PRIVACY AGGIORNATA AL GDPR 679/2016

CAPELLI & CAPELLI SRL, with registered office in VIA ROMA 96, 34077 RONCHI DEI LEGIONARI, VAT No. 01284510318 (hereinafter, the “Controller”), in its capacity as data controller, informs you pursuant to Italian Legislative Decree 30 June 2003 No. 196 (hereinafter, the “Privacy Code”) and Regulation (EU) No. 2016/679 (hereinafter, the “GDPR”) that your data will be processed in the following manner and for the following purposes:

1) Subject of the Processing

The Controller processes personal, identifying and non-sensitive data (in particular: first name, last name, tax code, VAT number, email address, telephone number — hereinafter “personal data” or “data”) provided by you when registering on the Controller’s website and/or subscribing to the newsletter service offered by the Controller.

2) Purpose of the Processing

Your personal data are processed:

A) Without your explicit consent, for the following Service purposes:
• To fulfill pre-contractual, contractual, and tax obligations arising from existing relationships with you;
• To comply with obligations established by law, regulations, EU legislation, or orders issued by Authorities;
• To acquire and confirm your booking of accommodation services and ancillary services, and to provide the requested services;
• To comply with the obligation under the “Consolidated Public Security Laws Act” (Article 109 of Royal Decree 18.6.1931 No. 773), which requires us to communicate guest identity details to the Police Headquarters for public security purposes, in accordance with procedures established by the Ministry of the Interior (Decree 7 January 2013);
• For the protection of persons, property, and company assets through a video surveillance system in certain areas of the premises, clearly indicated by appropriate signage;
• To exercise the Controller’s rights, such as the right of legal defense.

B) Only with your specific and separate consent, for the following Organizational and Management purposes:
• To register on the website;
• To subscribe to the newsletter service provided by the Controller and any additional services requested by you;
• To speed up registration procedures for future stays at our facility;
• To receive messages and phone calls addressed to you during your stay;
• To send you promotional communications and updates regarding rates and offers.

3) Methods of Processing and Data Retention Period

The processing of your personal data is carried out through the following operations: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of data.

Your personal data are processed both in paper format and electronically, including by automated means.

The Controller will process personal data for as long as necessary to fulfill the above purposes and, in any case:
• No longer than 10 years from termination of the relationship for Service purposes;
• No longer than 5 years from data collection for Marketing purposes;

Without prejudice to the exercise of data subject rights and/or other legal obligations.

4) Access to Data

Your data may be made accessible for the purposes set out in Article 2.A) and 2.B):
• To employees and collaborators of the Controller, in their capacity as authorized persons and/or internal data processors and/or system administrators;
• To external companies responsible for IT system maintenance, data storage, and other services, or to third parties (such as website management providers, suppliers, banks, professional firms, etc.) that perform outsourced activities on behalf of the Controller, in their capacity as external data processors.

5) Data Disclosure

Without your explicit consent, the Controller may communicate your data for the purposes set out in Article 2.A) to:
• Employees and collaborators of the Controller, in their capacity as authorized persons and/or data processors and/or system administrators;
• Supervisory bodies, judicial authorities, and all other entities to whom communication is mandatory by law;
• Technicians and/or collaborators for administrative, tax, and accounting management and/or to fulfill specific legal obligations, including identified external suppliers.

Your data will not be publicly disclosed.

6) Data Transfer

The management and storage of personal data will take place on servers located within the European Union belonging to the Controller and/or third-party companies duly appointed as Data Processors.

Currently, our servers are located in Italy.

Data will not be transferred outside the European Union.

However, if necessary, the Controller reserves the right to relocate servers within Italy and/or the European Union and/or non-EU countries. In such cases, the Controller ensures that any transfer outside the EU will comply with applicable legal provisions by entering into agreements that guarantee an adequate level of protection and/or adopting the Standard Contractual Clauses approved by the European Commission.

7) Nature of Data Provision and Consequences of Refusal

Providing data for the purposes set out in Article 2.A) is mandatory. Without such data, we will not be able to guarantee website registration or the Services referred to in Article 2.A).

Providing data for the purposes set out in Article 2.B) is optional.

You may therefore decide not to provide any data or to subsequently withdraw consent to the processing of previously provided data. In such case, the services referred to in Article 2.B) cannot be provided. You will still be entitled to the Services referred to in Article 2.A).

8) Rights of the Data Subject

As a data subject, you have the rights set out in Article 15 of the GDPR, including the right to:

A) Obtain confirmation as to whether or not personal data concerning you exist, even if not yet recorded, and receive such data in intelligible form;

B) Obtain information regarding:
• The origin of personal data;
• The purposes and methods of processing;
• The logic applied in case of processing carried out with electronic instruments;
• The identity of the Controller, processors, and designated representatives;
• The entities or categories of entities to whom personal data may be communicated or who may become aware of them as designated representatives, processors, or authorized persons;

C) Obtain:
• Updating, rectification, or integration of data;
• Erasure, anonymization, or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which they were collected or subsequently processed;
• Confirmation that the operations described above have been notified to those to whom the data were communicated, except where this proves impossible or involves disproportionate effort;

D) Object, in whole or in part:
• For legitimate reasons, to the processing of personal data concerning you;
• To the processing of personal data for the purpose of sending advertising material or direct marketing via email and/or traditional marketing methods such as telephone or postal mail.

The right to object to direct marketing via automated means also extends to traditional methods. The data subject may choose to receive only traditional communications, only automated communications, or none at all.

Where applicable, you also have the rights under Articles 16–21 GDPR (right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the Supervisory Authority.

9) Exercise of Rights

You may exercise your rights at any time by sending:
• A registered letter with return receipt to: CAPELLI & CAPELLI SRL, VIA ROMA 96, 34077 RONCHI DEI LEGIONARI GO
• An email to: info@capelliecapelli.it

10) Controller, Processors, and Authorized Persons

The Data Controller is CAPELLI & CAPELLI SRL, represented by its pro-tempore legal representative, with registered office in VIA ROMA 96, 34077 RONCHI DEI LEGIONARI GO MI.

The updated list of data processors and authorized persons is kept at the registered office of the Controller.

11) Data Protection Officer

The appointment of a Data Protection Officer (D.P.O.) is not applicable to our organization.

12) Cookies

The website uses cookies. Please refer to the specific cookie policy.

13) Amendments to This Privacy Notice

This Privacy Notice may be subject to changes. We recommend regularly reviewing this notice and referring to the most updated version.