This document (“Information Sheet”) serves to provide information about the use of personal data by the Data Controller as specified hereafter, pursuant to art. 13 of the GDPR (General Data Protection Regulation) in relation to the service performed by Fornace Suite.
DATA CONTROLLER
The Data Controller is Fornace 2018 Srl, Via Pasquale Villari, no.9 – 50125 Florence – Tax Code and V.A.T. No. 06871030489, in the person of its legal representative pro tempore, Mr. Neri Casamonti (CSMNRE93L19A564O).
CATEGORIES OF PERSONAL DATA PROCESSED
Within the limits and for the purposes described in this Information Sheet, the data that may be processed can be considered: a) “Common Data”, i.e. your bank codes and contact information such as mobile phone number, home and/or office address, e-mail address; b) “Particular Data” characterized, for the purposes of the applicable legislation, by a particular character; for example, it might refer to data informative of the state or condition of health of the user, or about religious or philosophical beliefs (art. 9 of EU Regulation 679/2016).
For convenience of reference, in this Information Sheet, the expression “Personal Data” shall be understood as referring both to your Common and to your Particular Data, unless specified otherwise.
PURPOSES AND LEGAL BASES FOR PROCESSING DATA
The Personal Data collected for use of the service will be held for the purposes and on the strength of the legal bases listed hereafter:
1) to manage your contract relationship relative to the service requested, or to fulfill precontractual requirements (such as, for example, the request for information or tenders, which may also be received via email, telephone or fax), to acquire and confirm your booking of services of accommodation and accessory services and to provide the services requested. For this purpose, you may decide to provide the Data Controller with your Particular Data in order to request the performance of a service additional to your contractual relationship and/or to the service requested, with regard to needs connected with your health such as allergies, pathologies, and/or food intolerances or other conditions that would reveal data relative to the protection of your health. Since the processing of data is necessary for the stipulation of the contract agreement and for its subsequent implementation, and/or to perform the services requested by you, you are free not to provide your Personal Data, however in case of failure to provide them we will not be able to confirm your reservation or provide you with the services requested. Any Particular Data you may provide will only be processed with your explicit consent.
Legal basis for data processing: performance of the contractual relationship, legitimate interest of the Data Controller with regard to possible disputes inherent to the contractual relationship. In case of provision of particular data, the legal basis consists of your consent.
For that purpose, your data will be kept for the duration of the relationship and for 10 years thereafter (the time required for the ordinary statute of limitations). Any Particular Data you may provide will be kept only for the time strictly necessary to perform the service you have requested, unless you provide your consent to maintain them for a longer period of time;
2) to fulfill the obligations provided for by the “Consolidated Text of Laws on Public Security” (article 109 of Royal Decree no. 773 dated June 18, 1931) which requires us to inform Police Headquarters, for purposes of public security, the details of the clients lodged, according to the rules established by the Ministry of the Interior (Decree of January 7, 2013). Since it is necessary to process your data to comply with our legal obligations, you are free not to provide them but without them we cannot provide the services requested and we will not be able to accommodate you in our facilities.
Legal basis for processing data: compliance with the legal obligations for the safeguard of public security.
For this reason, the data acquired are not kept by us after termination of the relationship as described in item 1), unless you give us your consent to their conservation as provided in item 5);
3) to comply with our administrative, accounting and fiscal obligations as currently in force. The data are processed by us and by our appointees, and are communicated to others only in fulfillment of our legal obligations. Since the processing of data is necessary for compliance with administrative, accounting and fiscal obligations, you are free to provide but without them we are unable to confirm your reservation or provide you with the services requested.
Legal basis for processing: performance of a contractual relationship, compliance with legal, administrative, accounting and fiscal obligations; legitimate interest of the Data Controller for defense (in case of inspections by the specific authorities.
For these purposes, your data will be kept for the time required by the pertinent legislation;
4) to perform the services necessary for satisfaction of the demands of the clientele, made at your request, regarding your needs and/or preferences, such as a preferred room or floor of lodging, presence of objects and/or other. For this reason, you might decide to give the Data Controller your Particular Data as well. Data of this kind can only be processed by the Data Controller with your prior free and explicit consent expressed in writing at the end of this Information Sheet, and revocable at any time.
Your possible refusal to provide consent for the Data Controller to process those data will not prevent you from using the services detailed in item 1) and any other services you may request. Legal basis for processing: your consent.
For this reason, the data acquired are not kept by us after termination of the relationship as described in item 1), unless you give us your consent to their conservation.
5) to accelerate procedures of registration in the Hotel referring to purposes 1), 2), and 3) in case of your subsequent stay in our facility. For that purpose, following acquisition of your free and explicit consent, revocable at any time, your data, provided for the categories of data and purposes detailed in items 1), 2) and 3), they will be used when you are our guest again. Your possible refusal to provide consent for the Data Controller to process those data will not prevent you from using the services detailed in item 1 and any other services that you may request.
Legal basis for processing: your consent.
For these purposes, your data will be kept for the maximum period of 5 years;
6) to guarantee you provision of the services detailed in purpose 4) (service to achieve customer satisfaction) in case of your subsequent stay at our facility. For that purpose, following acquisition of your free and explicit consent, revocable at any time, your data will be used when you are our guest again. Your possible refusal to provide consent for the Data Controller to process those data will not prevent you from using the services detailed in item 1) and any other services you may request.
Legal basis for processing: your consent.
For these purposes, your data will be kept for the maximum period of 5 years;
7) for purposes of protection of the people, property and corporate equity, through a system of video surveillance of certain areas of the facility, identifiable by the presence of specific signage. Your consent is not required for this purpose, as it is done in pursuit of our legitimate interest in protecting people and property from possible aggression, theft, robbery, damage, acts of vandalism, as well as fire prevention and safety in the workplace.
Legal basis for processing: legitimate interest of the Data Controller in applying measure of protection of persons, property and corporate equity.
For that purpose, the images recorded are deleted after 24 hours, except in case of holidays or other cases of closure of the facility, and in any case after no more than a week. They are not communicated to third parties, unless we are required to comply with a specific investigative demand of the legal authorities or police.
8) to perform the service of receiving messages and telephone calls made to you during your stay. For that purpose, your consent is necessary. You may revoke that consent at any time. If you refuse to give your consent to processing of your data we will not be able to receive messages and telephone calls made to you during your stay. Your possible refusal to provide consent for the Data Controller to process those data will not prevent you from using the services detailed in item 1) and any other services you may request.
Legal basis for processing: your consent.
For these purposes your data will be kept until you leave our premises;
9) for purposes of marketing and to send you reminders and promotional communications, to send you are updated rates and offers made by the Data Controller, communications relative to events organized by the Data Controller. Data of this kind can only be processed by the Data Controller with your prior free and explicit consent expressed in writing at the end of this Information Sheet, revocable at any time. Your possible refusal to provide consent for the Data Controller to process those data will not prevent you from using the services detailed in item 1) and any other services you may request.
Legal basis for processing: your consent.
For these purposes, your data will be kept for the maximum period of 8 years;
MODES OF PROCESSING
Personal Data are processed using manual, electronic or telematic instruments capable of ensuring their security and confidentiality pursuant to the provisions of articles 24 and 25 of the GDPR, and will be processed by personnel duly informed about the GDPR.
In addition to the cases when it may be necessary to contact you for reasons connected with your contractual position, if you consent to processing of your data other than for the purposes in item 1), also for those contemplated in item 3.9), you may be contacted via e-mail, text or using any equivalent instrument or by regular postal service or telephone call by an operator provided with all the contact information you have provided. If you prefer to be contacted only at one or certain of those contact addresses, you may request this specifically by contacting the Data Controller at the addresses indicated in item 1) of this Information Sheet. Your data will be kept in one or more specific files or databases by the Data Controller, in respect of the conservation time indicated for each purpose, with the exclusion of Particular Data, which will be kept only if we receive your consent to do so.
SITE OF DATA PROCESSING
Data processing connected with the internet services of the Fornace website take place at the addresses indicated above and is done only by technical personnel appointed to process them, or by possible appointees engaged to perform occasional maintenance activities.
None of the data deriving from our internet services is published.
Personal data supplied by the users who make requests to have informative material sent to them are used for the sole purpose of performing the service requested and are communicated to third parties only if necessary (as in the case, for example, of shipping companies or carriers).
DATA TRANSFERS
Personal data are kept on servers located in Italy or in any case within the European Union. In this connection, it should be understood that the Data Controller has the right, if necessary, to move the service even outside the EU. In that case, the Data Controller hereby guarantees that any transfer of data outside the EU will be done in accordance with the applicable provisions of law, for example, after stipulating the standards contractual clauses contemplated by the European Commission.
ACCESS TO DATA. RECIPIENTS OF DATA PROCESSED
Your data may be rendered accessible for the purposes indicated in this document:
to employees and collaborators of the Data Controller in their role as appointees, in accordance with the requisites of the GDPR, external data processors, IT experts;
to third party companies or other entities (such as banks, professional studios, consultants, insurance companies for the provision of insurance services, etc.).
The Data Processors are expressly appointed by the Data Controller on the basis of written agreements pursuant to articles 28 and 29 of the GDPR. The updated list of external processors is available at the registered office of the Data Controller. At any time, you may request the updated list by contacting the Data Controller at the addresses and contacts indicated in this document.
The Data Controller hereby guarantees that if it avails itself of the services of external processors of personal data (art. 28 – 29 GDPR) the appointment will be made in accordance with the applicable provisions of law including, for example, stipulation of the standard contractual clauses contemplated by the European Commission.
RIGHTS OF DATA SUBJECTS
You may, at any time, pursuant to EU Regulation no. 2016/679, exercise your right to: request confirmation of the existence or not of your personal data;
obtain information relative to the purposes of processing, the categories of personal data processed, the recipients or categories of recipients to whom your personal data have been or will be communicated and, when possible, the period of time for which they will be kept; obtain correction and deletion of your data;
obtain the limitation of processing
obtain portability of your data, i.e. receive them from the Data Controller in a structured form, commonly used and legible on an automatic device, and transmit them to another Data Controller without impediment;
object to processing at any time and also in case of processing for purposes of direct marketing;
object to an automated decisional process relative to individuals, including profiling. ask the Data Controller for access to your personal data and to correct or delete them, or limit processing of them, or oppose their processing, as well as the right to portability of the data; revoke your consent at any time without affecting the legitimacy of processing based on consent given prior to revocation;
file a claim with a controlling authority.
You can exercise your rights with a written request sent to the Data Controller’s contacts indicated above.
AMENDMENTS
The Data Controller reserves the right to amend or edit this privacy information at any time, wherever it is published on the website, especially by virtue of the application of new legislation in the sector. All users may ascertain the latest version of the privacy information at any time by connecting to the website, where it is updated by the Data Controller.