CUSTOMER PRIVACY POLICY STATEMENT

Pursuant to art.s 13 and 14 of Regulation (EU) no. 2016/679 on the protection of natural persons with regard to the processing of personal data, Masseria Torre Luciana SRLS provides you with complete information concerning the purposes for which your personal data are processed and the procedures used, the entities to whom your data may be disclosed and your legal rights with regard to the processing of your personal data by the Data Controller. You are therefore kindly requested to note the information provided here and to give your consent to the processing by signing this privacy policy statement.

1.             The Data Controller

The Data Controller who determines the purposes and methods of data processing, is Masseria Torre Luciana SRLS  with registered office in San Pietro in Lama (LE), at strada vicinale da Fica km2, VAT n. 05371310755 – email: masseriatorreluciana@gmail.com – pec: masseriatorreluciana@pec.it – telephone n.: + 39 3270863980.

2.             Personal data being processed

The Data Controller will process your personal data, meaning any data which may identify you and which can be directly or indirectly traced to you, such as (but not limited to):

  1. Personal identifying data;
  2. Special categories of data;
  3. Data relating to your stay;
  4. Identification papers;
  5. Credit card and/or bank data;
  6. Security camera images and footages;
  7. Data relating to the electronic devices used to connect to the Masseria Internet;
  8. Data relating to telephone calls;
  9. Data concerning access to and use of ICT resources.

and all other data necessary to provide the activities covered by point 4. In the case of your explicit consent, particular data such as those relating to your health conditions will also be processed.

3.             Collection of personal data

Personal data are collected directly by the data subject and could be collected through other entities such as Online Travel Agencies and Traditional travel agencies.

4.             Purposes of the processing

The personal data collected will be processed for the following purposes:

  1. Customer management;
  2. Signing and management of contracts;
  3. Administrative management;
  4. Management of disputes;
  5. Customer care;
  6. Protecting people’s physical health;
  7. Internal security;
  8. Protecting and guaranteeing people’s security and safety;
  9. Protecting the company’s assets and property;
  10. Allowing the use and guaranteeing the safety of ICT infrastructure.

Legal basis of processing

Personal data will be processed in compliance with legal requirements, in accordance with principles of lawfulness and ethics and without breaching your right to privacy. Personal data will be processed for:

  • Contractual and pre-contractual obligations
  • Legal obligations
  • Legitimate interest of the Data Controller
  • Issue of consent, if necessary

5.             Nature of the contribution of data

If the provision of personal data is functional to the execution of a contract or a legal obligation, the processing is essential and in case of refusal to process the data covered by this privacy policy statement, the Data Controller will not be able to fulfill the activities referred to in paragraph 4 and in general will not be able to fulfill the obligations undertaken. With regard to the purposes of the processing for which your consent is required, the refusal will not prejudice the obligations undertaken.

6.             Processing Procedures

The processing will be carried out in automated and/or manual form, in accordance with the provisions of art. 32 of GDPR 2016/679, and in particular:

a.             Through operations that will allow the collection, recording, organisation, conservation, consultation, processing, modification, selection, extraction, use, communication, cancellation and destruction of data;

b.             Through the use of electronic or other automated tools that allow the storage, processing and transmission of data, configured in order to guarantee the maximum privacy and the necessary safeguards.

c.             Through the use of documents contained on paper support with the adoption of suitable custody measures that preclude knowledge of them by subjects without authorization.

7.             Disclosure of data

Your data may be transferred to and processed by other entities, in the capacity of authorised processors, data processors or independent data controllers, for the fulfilment of precontractual, contractual or statutory obligations, or on the grounds of legitimate interest. Categories of recipients could therefore be, by way of example and not limited to: People in charge of data processing, Data Processors, Accounting Consultants, Legal Advisers, Associations, Organisations, Businesses or individuals who organise events or stays, Public authorities, Police forces Banks, Insurance companies, Infrastructure maintenance service companies, Internet and email service provider companies. The data contributed to and collected by the Data Controller are not publicly disseminated or used for profiling.

8.             Storage

Your data will be stored for the time strictly necessary to carry out the activities related to the purposes referred to in point 4 of this document. Specifically, the storage times will be:

•              10 years (as envisaged by Italian Civil Law);

•              no more than 3 months from the check-out date for credit card data;

•              no more than 3 years after the last check-out for personal data, special data, stay-related data, personal preferences, identification papers (Points 1) to 5) of paragraph 2), unless otherwise specified by the data subject;

•              no more than 7 days for security camera images and footages;

•              90 days from check-out for telephone traffic data;

•              1 month for data concerning access to and use of ICT resources.

Without prejudice to longer storage periods if required by specific sector regulations.

9.             Transfer of data abroad

Your personal data may be transferred to European Union Countries, non-European Union Countries if this is necessary to achieve the purposes referred to in paragraph 4 and to be able to fulfill the obligations undertaken.

10.           Rights of the data subject

By written communication sent by certified email or registered letter with return receipt to the address of the Data Controller indicated above, you may exercise the following rights:

Right of access to data (Art. 15, GDPR)

The right to obtain confirmation from the Data Controller as to whether or not personal data concerning you are being processed, and, in this case, to obtain access to the personal data and further information specifically indicated in the art. 15 of the GDPR.

Right to rectification (Art. 16, GDPR)

The right to obtain from the Data Controller, without undue delay, the rectification of inaccurate personal data concerning you, depending on the purposes of the processing, you also have the right to the supplementation of incomplete personal data, also by providing an additional statement.

Right to erasure (Art. 17, GDPR)

The right to from the controller the erasure of personal data concerning you without undue delay.  In this case, the Data Controller has the obligation to delete your personal data without unjustified delay, unless there are reasons preventing the exercise of the aforementioned right.

Right to restriction of processing (Art. 18, GDPR)

The right to obtain, in the cases provided for by art. 18 of the GDPR, the restriction of the processing of your personal data..

Right to the portability of the data (Art. 20, GDPR)

If the processing is based on consent or on a contract, and is undertaken by automated means, you have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format and to transmit them to another data controller, or have them transferred by the controller itself, if technically feasible.

Right to object (Art. 21, GDPR)

The right to object, on grounds relating to your situation at any time to processing of personal data concerning you which is based on the legitimate interest of the data controller or your consent, including profiling. In this case, the Data Controller will refrain from further processing your personal data, unless he demonstrates the existence of compelling legitimate reasons to proceed with the processing which prevail over the interests, rights and freedoms of the interested party or for the establishment, exercise or defense of a right in court.

Right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (art. 22, GDPR)

The right to not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. As communicated above, the Data Controller does not use automated decision- making processes.

The right to lodge a complaint with a supervisory authority (Art. 77, GDPR)

Without prejudice to any other administrative or judicial appeal, if you believe that the processing that concerns you violates this regulation, you have the right to lodge a complaint with a Supervisory Authority, in particular in the Member State in which you habitually reside, work or the place where the alleged violation occurred, and exercise all the rights recognized by the current legal provisions.

11.           Response times from the the Data Controller

n the event that you request information relating to your data, the Data Controller will promptly respond – unless this proves impossible or involves a disproportionate effort – and, in any case, no later than 30 days from the request. Any inability or delays on the part of the Data Controller in satisfying requests must be justified.

I, the undersigned, declare that I have received the full privacy policy statement as required by Art. 13 and 14 of Regulation (EU) 2016/679 and that I have clearly understood its contents.

Signature confirming reading of the privacy policy statement

Name and Surname: ____________________

Declaration of consent to processing

In order to ensure a personalized and safe experience, it is necessary for you to express your explicit consent to the processing of data relating to your health conditions, such as allergies, food intolerances, pathologies or other medical conditions.

□ I authorise           □ I do not authorise

San Pietro in Lama (LE), ………………………………

Signature: ………………………………………………………………