Headquarters
BLU HOTELS S.p.A.
Via Enrico Fermi, 7b
25087 - Salò Loc Cunettone (BS)
PERSONAL DATA PROCESSING POLICY
We inform you that the processing of your personal data will take place with correctness and transparency, for lawful purposes and protecting your privacy and your rights, and we also inform you of the following:
The data controller is BH BRIXIA S.R.L. VIA PERTINI, 10 - 25014 CASTENEDOLO (BS)
1. Subject of Processing
The Data Controller processes personal data and, where appropriate and only in specific situations, some sensitive data (in particular any health conditions connected with the provision of the service such as food intolerances or the presence of motor disabilities) communicated by you on the occasion of the provision of the catering and/or hotel service.
2. Purpose and legal basis of processing
Any personal data and sensitive data provided are processed for the following Purposes:
A)
- fulfil the obligations arising from the contract, including your particular needs/requests;
- to comply with legal obligations and with current accounting and tax obligations;
- exercise the rights of the Data Controller, for example the right of defence in court;
B) Only your personal data, subject to your specific and distinct consent (art. 7 GDPR), for the following Marketing Purposes:
- send them by e-mail, post and/or sms and/or telephone contacts, communications and/or information and promotional material relating to the initiatives and offers promoted by the Owner.
C) Only your personal data and any stays, subject to your specific and distinct consent, will be used for the purposes of analysis and processing of your habits and preferences (profiling) to be able to send them, personalized promotional information, and any offers by the Data Controller.
Your consent may always be freely modified (give or deny), in whole or in part, by sending an email with the subject "REVOCATION MARKETING CONSENT" to: privacy@bhbrixia.it.
3. Methods of data processing and duration of data storage
The processing of your personal data is carried out by means of the operations indicated in Art. 4 No. 2) GDPR and more precisely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data is processed both in paper and electronic format and/or automatically.
The Data Controller will process personal data for the time necessary to fulfil the above purposes and, in any case, for no more than 10 years from the termination of the relationship for the Service Purposes and for no more than five years from the collection of data for Marketing Purposes. The Data Controller will process sensitive data for the time necessary to fulfil the above purposes and, in any case, no later than 30 days from the end of your stay, except in special situations that determine the need to keep such data for a longer period of time (by way of example, if you are entitled to tax exemption due to disability).
4. Access to data
Your data may be made accessible for the purposes referred to in art. 2.A), 2.B) and 2.C):
- to employees and collaborators of the Data Controller, in their capacity as data processors and/or data processors and/or system administrators. All the named subjects will carry out exclusively the operations of treatment, on behalf of the Data Controller and/or of the responsible party, within the limits, with the forms and in the modalities expressly indicated in the respective acts of appointment.
- to third-party companies or other subjects (as an indication professional firms, consultants, insurance companies, service companies, etc.) that carry out outsourcing activities on behalf of the Data Controller, in their capacity as external data processors.
5. Nature of data provision and consequences of refusal to reply
The provision of data for the purposes referred to in art. 2.A) is mandatory. In their absence, we cannot guarantee the Services of art. 2.A). The provision of data for the purposes referred to in art. 2.B) and 2.C) is optional. You may therefore decide not to provide any data or to subsequently deny the possibility of processing data already provided: in this case, you may not receive newsletters, commercial communications and advertising related to the Services offered by the Owner. You will still be entitled to the Services referred to in art. 2.A).
6. Communication of data
Without the need of an express consent (ex art. 6 lett. b) and c) GDPR), the Data Controller may communicate your data for the purposes referred to in art. 2.A) to Supervisory Authorities and Judicial Authorities, as well as to those subjects to whom communication is mandatory by law for the fulfilment of the aforementioned purposes. These subjects will process the data in their capacity as independent data controllers, also the list of data controllers in outsourcing, which the undersigned uses, can be consulted at any time at the company’s headquarters.
Your data will not be disseminated and will not be transferred to non-EU countries or to international organisations.
7. Rights of the data subject and how to exercise them
In your capacity as data subject, you have the rights under art. 15 GDPR and precisely the rights to: request and obtain from the data controller - without "justified delay" - confirmation that a personal data concerning him or her is being processed or not and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed; d) the envisaged period of retention of personal data; e) the existence of the data subject’s right to ask the data controller to rectify or delete the personal data or to object to their processing; the data subject also has the right to have the data updated, supplemented, the cancellation, the transformation in anonymous form or the blocking of data processed in violation of the law; the owner has the right to oppose, for legitimate reasons, the processing of data.
Where applicable, it also has the rights referred to in Articles. 16-21 GDPR (Right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to complain to the Data Protection Authority.
You can exercise your rights at any time by sending an e-mail to: privacy@bhbrixia.it
SECURITY MEASURES OF THE SITE
For the management of the site, specific security measures have been adopted, aimed at ensuring safe access and protecting the information contained in the reserved area from risks of loss or destruction, including accidental destruction of the data, unauthorized access or treatment not allowed or not in accordance with the purposes of the collection.
The antivirus software is automatically updated. To access the reserved area of the site, customers are assigned an identification code and a password. The latter are assigned and communicated in a confidential way to the person designated by the customer, if body or Company, or to the customer himself, if natural person. The user must keep the identification code and password confidential.