INFORMATION ON THE PROCESSING OF PERSONAL DATA
PURSUANT TO ARTICLES 13 AND 14 OF THE GDPR 2016/679
In compliance with the provisions of the GDPR 2016/679, hereby we inform you, as the "Data Subject", about the purposes of data collection and about the processing of personal data relating to your company/person, which have been obtained directly and/or indirectly from you, to enable us to carry out our activity according to the current provisions.
We hereby provide you with the correct information on the processing of personal data, as specified below, even with reference to the management of this website. This information is not provided for other websites visited by the user by links or other sharing tools, such as widget and applications which allow to connect and to share contents on social networks or platforms not related to www.coloradogrouphotels.com
- IDENTITY AND CONTACT DETAILS OF THE CONTROLLER
The Controller is COLORADO S.A.S., with its registered office in Camposampiero (PD), Piazza Vittoria n. 19, VAT n. 02499990287, e-mail: [email protected], pec: [email protected]
- PURPOSES OF THE PROCESSING
Without prejudice to the obligations established by laws, regulations and European provisions, the collected data will be processed by us for the following activities:
- performance of the contract or of the pre-contractual measures, compliance with a legal obligation to which the Controller is subject;
- administrative and accounting management of customers, suppliers and users, in particular:
- customer/supplier/user administration;
- management of the contractual relationship/fulfillment of the requested services online and offline;
- order management;
- receipts and payments;
- eventual credit recovery;
- insertion and conservation in the database of the Processor in order to quicken the registration in case of next stay;
- communication to third persons for the only purpose of receiving mail and calls for the Data Subject during the stay;
- sending newsletters and/or material and/or advertising and promotional communications relating to products, services or events attributable to the activities of the Controller (soft spam).
- LEGAL BASIS OF THE PROCESSING
The legal basis of the processing is constituted by the fulfillment of pre-contractual and/or contractual obligations.
With reference to the specific purposes referred to in the previous art. 2 lett. c., d., e., the legal basis of the processing is constituted by the specific consent given by you.
- CATEGORIES OF PERSONAL DATA CONCERNED
Personal data processed are the following:
- registry data of the Data Subject;
- contact data of the Data Subject.
- RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA
Personal data may be communicated by us exclusively to the third parties indicated below:
- accounting, tax, legal advisors;
- computer technician for IT assistance;
- debt recovery companies, only if necessary;
- banking institutions;
- public entities, judicial, financial and other institutions, if required by laws, regulations, European provisions;
Personal data may also be known by the staff specifically appointed by the Controller who may provides for the management of data, in relation to the purposes indicated above.
The specific identification data of the abovementioned third parties may be known by you at any time through the exercise of the right of access recognized to you and without prejudice to any legal limitations in this regard.
Personal data will not be disseminated.
- AIM OF THE CONTROLLER TO TRANSFER PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANISATION
The Data Controller does not have the aim to transfer personal data to a third country or international organization.
- THE PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED
Collected data will be stored as follows.
- Necessary Data for the purpose of the pre-contractual relationship: for the time strictly necessary for the possible finalization of the contractual relationship and, in any case, for a period of time not exceeding 1 year from the collection.
- Necessary Data for the fulfillment/management of the contractual relationship/requested services and performances: for the entire duration of the contractual relationship, for the time strictly necessary for the fulfillment of the requested services and performances and, in any case, for a further period of 10 years exceeding the termination of the relationship.
- Accounting records, invoices and correspondence: 10 years, as established by law.
- Necessary Data for credit recovery activity: up to completion of this activity.
- Necessary Data for the management of any litigation: up to the definition of the dispute itself.
- Necessary Data for marketing activities: for 10 years from the date of your consent to the processing for marketing purposes and, in any case, up to the revocation of the consent or the exercise of the right to object and to erasure of personal data.
Any longer period of conservation remains in the event that these derive from legal, accounting and/or tax obligations.
After the retention period, as described above, we will proceed to the entire elimination of data provided by you.
- RIGHTS OF THE DATA SUBJECT
The GDPR 2016/679 acknowledges the following rights to the Data Subject:
- Right of access – art. 15;
- Right to rectification - art. 16;
- Right to erasure (‘right to be forgotten’) - art. 17;
- Right to restriction of processing - art. 18;
- Right to data portability - art. 20;
- Right to object – art. 21;
- Right to automated individual decision-making – art. 22;
- Right to withdraw the consent at any time without affecting of the lawfulness of processing based on consent before its withdrawal – art. 7;
- Right to lodge a complaint with a supervisory authority – art. 77;
- Right to an effective judicial remedy against a supervisory authority (art. 78) and against the Controller or processor (art. 79).
For the exercise of the abovementioned rights from a) to h) the Data Subject has to contact the Data Controller.
- SOURCE FROM WHICH THE PERSONAL DATA ORIGINATE
Personal data may be collected as follows:
- eventual direct collection by the Controller from public sources, such as Booking, Trivago etc.
- LEGAL NATURE OF THE DATA COLLECTION
The provision of personal data by the Data Subject, even though unnecessary, is a contractual requirement for the fulfillment of the abovementioned purposes. In case of failing in providing such data the contractual obligation may not be fulfilled.
The provision of personal data for the specific purposes referred to in the previous art. 2 lett. c., d., e., is also unnecessary. You are free to choose not to provide any data or to withdraw afterwards the possibility to processing data; in this case you will not take any advantage of the above mentioned purposes.
It is up to the Data Subject to promptly notify the Data Controller of any changes concerning personal data.
- AUTOMATED DECISION-MAKING, INCLUDING PROFILING
Collected data will not be subject to automated decision-making, including profiling.
Collected data will be processed as follows in compliance with the GDPR 2016/679 provisions:
- the access to data and the files will be allowed to the processors and the external parties designated as responsible,
- the protection and systematic monitoring of personal data through appropriate actions;
- the data recording and processing through information systems or files or paper means and organization of paper and computer files;
- the data management by pseudonymisation and anonymisation measures, if possible;
- the review and change of personal data on a possible request from the customer/supplier/user.
- RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
The Data Subject has the right to lodge a complaint with the supervisory authority in the event of any kind of violation of the GDPR 2016/679. The supervisory authority is the Garante per la Protezione dei dati personali