Privacy

CREMONAHOTELS.IT SRL
Piazza Libertà, 26 – 26100 Cremona (CR) – C.F. e P. IVA: 01529080192
Tel: 0372/434141 – Email: corporate@cremonahotels.it

PRIVACY POLICY

ART. 13 et seq. REG. EU 2016/679 (GDPR)

Customer Information Form REV. 00 of 1 DECEMBER 2024

interested parties: website visitor

Dear Customer,

hereby CREMONAHOTELS.IT S.R.L. provides information regarding the processing of personal data acquired, including verbally, directly or through third parties, relating to you, necessary for the performance of administrative, accounting, management and contractual services connected to or deriving from the execution of the contract. This information is provided pursuant to the provisions of art. 13 of EU Reg. 2016/679 (so-called GDPR).

1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER.

The Data Controller is
CREMONAHOTELS.IT S.R.L. PIAZZA LIBERTA‘ 26
CAP 26100 CREMONA (CR)
P.IVA: 01529080192
TEL: +39 0372434141
PEC: cremonahotels.it@legalmail.it

2.   PERSONAL DATA SUBJECT TO PROCESSING BY THE DATA CONTROLLER

The Data Controller will collect and process your personal data, i.e. any information that can identify you or that is directly or indirectly linked to you, such as, for example:

• Personal identification data;
• Special data (sensitive);
• Information on your stay;
• Personal preferences;
• Identity documents;
• Autograph signature;
• Purchase history;
• Bank and credit card details.
• Video surveillance images;
• Data relating to electronic devices is used to connect to the facility’s network.
• Data relating to telephone calls.
• Access and use data of ICT resources.

and any other data necessary to achieve the purposes indicated in paragraph 4.

Special data will also be processed such as:

• Data relating to health conditions.

3. HOW PERSONAL DATA ARE COLLECTED

Personal data is provided directly by the interested party to the Data Controller or collected through other entities such as:
• OTA (Online Travel Agency) such as, for example, Booking.com, Daybreakhotels.com, Expedia.com, etc.;
• Traditional travel agencies;
• Entities, organizations, companies or individuals who organize events or stays at our facilities.

4. PURPOSE AND LEGAL BASIS OF DATA PROCESSING

The personal data collected by the Data Controller will be processed for the following purposes:

• Stipulation and execution of the contract and all related activities, such as, for example, invoicing, credit protection, administrative, management, organizational and functional services to the contractual relationship (including the fulfillment of pre- and/or post-contractual obligations). In particular, personal data and information regarding the company partners and family members / guardians / special attorneys are requested for the purposes of managing the company file and related practices.
• Fulfillment of legal obligations, including those provided for by laws, regulations, national and/or EU regulations on contractual, accounting and tax matters, as well as other provisions issued by authorities vested with the law and by supervisory and control bodies.
  Sending commercial communications via email addresses provided in the context of the sale of a good or service, for the forwarding of informational or promotional material on services similar to those purchased by the Data Subject (Consid. 47 GDPR). The Data –
• Subjects may object at any time to the processing for soft spam purposes, using the unsubscribed link at the bottom of each communication or by sending an explicit request to the Data Controller.
  Verification, exercise or defense of the Data Controller’s rights in court, where necessary.

5. LEGAL BASIS OF PROCESSING

Data processing will be carried out in accordance with the provisions of the law, respecting the principles of lawfulness, correctness and transparency. The legal bases are:

• Pre-contractual and contractual obligations (art. 6, co. 1, lett. b, GDPR) for the stipulation and execution of the contract to which the interested party is a party or for the execution of pre-contractual measures adopted at the request of the same.
• Fulfillment of legal obligations (art. 6, co. 1, lett. c, GDPR) relating to or deriving from the contract.
• Legitimate interest (art. 6, co. 1, lett. f, GDPR), for:
  1. Sending commercial communications on similar products (soft spam), unless the interested party explicitly objects;
  2. Ascertainment, exercise or defense of the rights of the Data Controller in court.
  3. Consent (art. 9, co. 2, lett. a, GDPR) for the processing of special data possibly collected in the company file of the customer and/or members of his family.

6. METHODS OF DATA PROCESSING.

The processing will be carried out in compliance with the provisions of art. 32 of GDPR 2016/679 and will be performed using electronic and IT tools, as well as paper media.
The processing is carried out by the Data Controller and its collaborators and/or employees, designated as data processors, by the system administrator, as well as by the data controllers specifically appointed in writing, within the scope of their functions and according to the directives provided by the Data Controller, ensuring the adoption of adequate measures for the protection of the data processed and the protection of their confidentiality.
According to the provisions of the Regulation, the processing carried out by the Data Controller will be conducted in compliance with the principles of lawfulness, correctness, transparency, limitation of purposes and conservation, data minimization, accuracy, integrity and confidentiality.
The data will always be managed in full compliance with the principle of confidentiality, even when processed by third parties expressly appointed by the Data Controller.

7. DATA PROVISION AND CONSEQUENCES OF REFUSAL

If the provision of personal data is necessary for the execution of a contract or for compliance with a legal obligation, the processing is essential and, in the event of non-acceptance of the processing of the data subject to this information, the Data Controller will not be able to carry out the activities indicated in paragraph 4 and, more generally, will not be able to fulfill the contractual obligations undertaken.
With regard to the purposes of the processing that require your consent, any refusal will not compromise the obligations already undertaken.

8. RECIPIENTS OF PERSONAL DATA AND DISSEMINATION OF DATA.

The personal data provided by you may be disclosed to the Data Controller, the people in charge and/or the data controllers. The list of Data Processors, where appointed, is available upon request.

The communication of the interested party’s personal data occurs mainly towards third parties and/or recipients whose activity is necessary for the performance of the activities inherent to the execution of the contractual relationship established and to respond to certain legal obligations, such as:

– subjects that process the data in compliance with specific legal obligations (national and government bodies, etc.).

– any trade associations to which the company has adhered.

credit institutions, financial companies and other credit intermediaries that provide functional services for the purposes described above.

– software and hardware assistance companies; external consultants who provide functional services, deriving from or connected to the purposes described above, identified in writing and to whom specific written instructions have been given with reference to the processing of personal data.

– companies or professionals for the judicial or extrajudicial protection of the rights of the Data Controller; in general, to all those public and private subjects for whom communication is necessary for the correct and complete fulfillment of the purposes indicated above.

The data provided and collected by the Data Controller is not subject to public dissemination or profiling.

9. TRANSFER OF DATA ABROAD.

The data collected will not be transferred to third countries or international organizations.

Some Personal Data of the interested parties are shared with Recipients who may be located outside the European Economic Area. The Data Controller ensures that the transfer and processing take place in compliance with the applicable legislation. Indeed, transfers are carried out through adequate guarantees, such as adequacy decisions, standard contractual clauses approved by the European Commission or other legal instruments.

10. DATA RETENTION PERIOD.

Your personal data will be retained during the execution of the contract and for a period of ten years following its termination/completion in order to fulfill tax and accounting obligations, as well as for legal protection in the event of disputes arising from the contract itself.

This does not apply to cases in which the rights deriving from the contract should be asserted in court; in which case the personal data of the interested party, exclusively those necessary for such purposes, will be processed for the time necessary to achieve them.

With regard to the sending of promotional communications via email for products similar to those already purchased, your data will be retained until your possible opposition.

For the Security Purpose, the data will be retained until the pursuit of the same, except for further retention if it is necessary for the defense of the rights of the Data Controller.

After the retention periods indicated above have elapsed, the data will be destroyed, deleted or made anonymous, compatible with the technical cancellation and backup procedures.

This information will also be considered valid for subsequent contracts that you may conclude with the Data Controller.

11. RIGHTS OF THE INTERESTED PARTY

The legislation grants the interested party the exercise of specific rights listed in articles. from 15 to 22 of the GDPR, including that of obtaining from the Data Controller confirmation, or otherwise, of the existence of their personal data (or access), their provision in an intelligible form, as well as the rectification, or cancellation of the same, or to limit in whole or in part the processing or to oppose for legitimate reasons to the same and/or to withdraw consent to the processing at any time (without prejudice to the consequences indicated), or to request the portability of their data with regard to the data subject to specific consent, or even the updating.

The interested party has the right to have knowledge of the origin of the data, the purpose and methods of processing, the logic applied to the processing, the identification details of the owner and the subjects to whom the data may be communicated.

The interested party also has the right to request the transformation into anonymous form, the limitation or blocking of data processed in violation of the law; may also lodge a complaint regarding the unauthorized processing of data provided to the Data Protection Authority using the methods published on the website of said authority (http://www.garanteprivacy.it/).

Requests relating to the exercise of the aforementioned rights may be addressed to the Data Controller, at the contact details indicated above, without formalities or, alternatively, using the form provided by the Personal Data Protection Authority available on the website: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924.

The exercise of the aforementioned rights may be exercised by written communication to be sent via PEC or by registered letter with return receipt addressed to the above-mentioned structure.

12. FINAL NOTES

The provision of personal data is not mandatory; however, it is necessary for the exact execution of contractual and pre-contractual obligations. Providing contact details for commercial activities is not mandatory but is necessary if you wish to receive communication relating to the services and promotions offered by the Data Controller.

The Data Controller specifies that you will only be asked for the data strictly necessary for the conclusion of the contract and for the execution of the obligations or legal obligations arising from it.

Failure by the interested party to indicate the data will make it impossible to enter into the contract as well as to carry out the pre-contractual measures requested, and to accurately complete the fulfillment of the contractual obligations, as well as the obligations (including legal) arising from or connected to the contract and, more generally, the impossibility of fulfilling the purposes indicated above.

Acknowledgment of Information from CREMONAHOTELS.IT S.R.L.

The undersigned, identified below, declares that they have received complete information pursuant to Articles 13 and following of Regulation (EU) 2016/679 and have fully understood its contents.

Name and Surname:

…………………………………………………………………………………………….

CONSENT DECLARATIONS FOR DATA PROCESSING

Privacy Sensitive Data Processing
If you inform us about any health conditions, such as allergies, food intolerances, medical conditions, or other health issues (referred to as „sensitive data“ according to Article 9 of Regulation (EU) 2016/679), you need to explicitly consent to the use of this information. This will allow us to provide you with a personalized and safe hotel experience while ensuring the utmost attention to your health.
□ I authorize □ I do not authorize

Privacy Message/Phone/Item Reception
To carry out the function of receiving and delivering messages, phone calls, or items addressed to you during your stay, your consent is required to receive these.
□ I authorize □ I do not authorize

Privacy Promotional Communications
We would like to offer you the opportunity to stay updated on our special offers, events, and exclusive promotions. With your consent, we may send you personalized promotional communications via email, SMS, or other means of contact.
You can withdraw your consent at any time, without affecting the lawfulness of the processing carried out before the withdrawal, by using the unsubscribe link in promotional emails or by contacting us using the details provided in our Privacy Notice.

□ I authorize □ I do not authorize

DATA CONTROLLER
CREMONAHOTELS.IT SRL