Headquarters
BLU HOTELS S.p.A.
Via Enrico Fermi, 7b
25087 - Salò Loc Cunettone (BS)
INFORMATION ON DATA PROCESSING
We inform you that the processing of your personal data will take place with correctness and transparency, for lawful purposes and protecting your privacy and your rights, and also inform you that considered art. First paragraph 26 of the GDPR, "when two or more data controllers jointly determine the purposes and means of processing, they are joint data controllers", we inform you of the following references:
BH BRIXIA S.R.L. VIA PERTINI, 10 - 25014 CASTENEDOLO (BS) - ITALY and Blu Hotels Spa, located in Via Enrico Fermi, 7/b - 25087 Salò Loc. Cunettone (BS).
1. Subject of the Processing
The Joint Data Controllers process personal data and, where appropriate and only in specific situations, some sensitive data (in particular any health conditions connected with the provision of the service such as food intolerances or the presence of motor disabilities) communicated by you on the occasion of the provision of the catering and/or hotel service.
2. Purpose and legal basis of processing
Any personal data and sensitive data provided are processed for the following Purposes:
A) Purpose of the contract
- fulfil the obligations arising from the contract, including your particular needs/requests;
- to comply with legal obligations and with current accounting and tax obligations;
- exercise the rights of the joint proprietors, for example the right of defence in court;
B) Only your personal data, subject to your specific and distinct consent (art. 7 GDPR), for the following Marketing Purposes:
- send them by e-mail, post and/or SMS and/or telephone contacts, communications and/or information and promotional material relating to the initiatives and offers promoted by one of the joint controllers.
C) Only your personal data and any stays, subject to your specific and distinct consent, will be used for the purposes of analysis and processing of your habits and preferences (profiling) to be able to send them, personalized promotional information, and any offers by one of the joint data controllers.
Your consent may always be freely modified (give or deny), in whole or in part, by sending an email with the object "REVOCATION MARKETING CONSENT" to privacy@bluhotels.it (contact point).
3. Method of processing and retention time
The processing of your data is carried out by means of the operations indicated in art. 4 n. 2) GDPR and precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data. Your personal data are subject to both paper and electronic and/or automated processing.
The Joint Data Controllers will process personal data for the time necessary to fulfil the above purposes and in any case for no more than 10 years from the termination of the relationship for the Service Purposes and for no more than 5 years from the collection of data for the Marketing Purposes. The Joint Data Controllers will process sensitive data for the time necessary to fulfill the purposes mentioned above and in any case not later than 30 days from the end of the stay, except in special situations that determine the need to maintain also such data for a longer time (by way of example where there are tax exemptions in your favour linked to disability).
4. Access to data
Your data may be made accessible for the purposes referred to in art. 2.A), 2.B) and 2.C):
- employees and collaborators of the Joint Data Controllers, in their capacity as data processors and/or data processors and/or system administrators. All the named subjects will carry out exclusively the operations of treatment, for account of the Joint Data Controller and/or of the responsible one, within the limits, with the forms and according to the modalities expressly indicated in the respective acts of appointment.
- to third-party companies or other subjects (as an indication, professional firms, consultants, insurance companies, service companies, etc.) that carry out outsourcing activities on behalf of one of the joint controllers, in their capacity as external data processors.
5. Nature of data provision and consequences of refusal to reply
The provision of data for the purposes referred to in art. 2.A) is mandatory. In their absence, we cannot guarantee the Services of art. 2.A). The provision of data for the purposes referred to in art. 2.B) and 2.C) is optional. You may therefore decide not to provide any data or to subsequently deny the possibility of processing data already provided: in this case, you may not receive newsletters, commercial communications and advertising related to the Services offered by one or both of the joint controllers. You will still be entitled to the Services referred to in art. 2.A).
6. Communication of data
Without the need of an express consent (ex art. 6 lett. b) and c) GDPR), each of the Joint Controllers may communicate your data for the purposes referred to in art. 2.A) to Supervisory Authorities and Judicial Authorities, as well as to those subjects to whom communication is mandatory by law for the fulfilment of the aforementioned purposes. These subjects will process the data in their capacity as independent data controllers, also the list of data controllers in outsourcing, which the undersigned uses, can be consulted at any time at the company’s headquarters.
Your data will not be disseminated and will not be transferred to non-EU countries or to international organisations.
7. Rights of the data subject and how to exercise them
In your capacity as data subject, you have the rights under art. 15 GDPR and precisely the rights to: request and obtain from the data controller - without "justified delay" - confirmation that a personal data concerning him or her is being processed or not and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed; d) the envisaged period of retention of personal data; e) the existence of the data subject’s right to ask the data controller to rectify or delete the personal data or to object to their processing; the data subject also has the right to have the data updated, supplemented, the cancellation, the transformation in anonymous form or the blocking of data processed in violation of the law; the owner has the right to oppose, for legitimate reasons, the processing of data.
Where applicable, it also has the rights referred to in Articles. 16-21 GDPR (Right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to complain to the Data Protection Authority.
You may at any time exercise your rights by sending an e-mail to: privacy@bluhotels.it, Blu Hotels SpA is in fact identified by the Joint Data Controllers as a contact point for the exercise of the rights of the data subject.
A Blu Hotels SpA may also request a copy of the joint title agreement between the joint proprietors.
SECURITY MEASURES OF THE SITE
For the management of the site, specific security measures have been adopted, aimed at ensuring safe access and protecting the information contained in the reserved area from risks of loss or destruction, including accidental destruction of the data, unauthorized access or treatment not allowed or not in accordance with the purposes of the collection.
The antivirus software is automatically updated. To access the reserved area of the site, customers are assigned an identification code and a password. The latter are assigned and communicated in a confidential way to the person designated by the customer, if body or Company, or to the customer himself, if natural person. The user must keep the identification code and password confidential.