This page illustrates the policies for personal data security implemented by STEM S.r.l. for the benefit of users who consult the website and, more generally, for data subjects who interact with our hotel for various reasons.
DATA CONTROLLERS AND DATA PROCESSORS
1. Pursuant to Article 4 point 7 of the GDPR 2016/679, the data controller for the Website is the company STEM S.r.l. with headquarters in Via Palestro 13, 00185 Rome – Province of Rome;
2. Pursuant to Article 28 of the GDPR 2016/679, the external Data Processor and System Administrator for the management of the hotel's website and the online booking platform www.blastnessbooking.com, integrated in the website itself, is the company BLASTNESS S.r.l. with headquarters in Via Paolo Emilio Taviani 164,19124 La Spezia (Province of La Spezia), Tel. 0187 599737- Fax 0187 020349 - email: firstname.lastname@example.org.
3. Pursuant to Article 28 of the GDPR 2016/679, the company HOTEL KEY MANAGEMENT S.r.l., with registered office in Via Nazionale 200, Rome, is responsible for the marketing activities of the website and newsletters and is in charge of the Brand AG GROUP.
DATA PROCESSING LOCATION
The processing operations associated with the web services of this website take place at the headquarters of the data controller and data processors, and are carried out only by technical personnel assigned to the data processing service.
Personal data submitted by users who request information material are used only to perform the service or provide services requested, whereas certain data acquisition forms provide for the possibility of forwarding the data subject's personal data to service providers to comply with the contract and provide the requested services.
TYPES OF DATA PROCESSED
During their normal operation, computer systems and software procedures used to operate this website acquire certain personal data the transmission of which is implicit in the use of internet communication protocols. This information is not collected with the intent of associating it with identified users but, by its own very nature, could lead to the identification of users through processing and association with data held by third parties. This category includes IP addresses or domain names of the computers used to connect to the website, URI (Uniform Resource Identifier) addresses of the requested resources, time of the request, method used to submit the request to the server, size of the file obtained in response, digital code indicating the server response status (successful, error etc.) and other parameters pertaining to the user's operating system and IT environment. This data is used only to obtain anonymous statistics about the usage of the website and to check that it is functioning correctly; it is deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site; except for this possibility, web contact data is presently retained for no longer than thirty days. Data submitted voluntarily by users
The optional, explicit and voluntary sending of emails to the addresses indicated on this website entails the subsequent acquisition of the sender's address, which is necessary to reply to requests, as well as any other personal data included in the messages.
The voluntary compilation of data acquisition forms to request specific services, adhere to offers or to purchase services and products, entails the subsequent processing of the personal data submitted to ensure the execution of a contract to which the data subject is a party or the fulfilment of pre-contractual terms requested by the same data subject.
The services provided on this website are not intended for minors. We do not knowingly collect data, including personal details, related to minors.
Should we become aware that we have collected the personal data of a minor, we will immediately delete such data, unless we are obliged by law to retain the same. Please contact us if you believe that the Hotel has mistakenly or unintentionally collected information related to a minor.
Personal data are processed by automated tools for the time necessary to achieve the purposes for which they were collected. Specific security measures are observed to prevent the loss of data, the illicit or incorrect use thereof and unauthorised access.
PURPOSE, LEGAL BASIS AND NATURE OF SUBMITTED DATA
Data provided through the Website will be processed by the Data Controller for the following purposes:
a) purposes relating to the execution of a contract to which the data subject is a party or to the fulfilment of pre-contractual terms requested by you (e.g.: booking, acceptance of special offers, etc.). Consent is not necessary;
b) purposes related to the sending by email of promotional and commercial material following voluntary registration to the Hotel newsletter. This requires the explicit consent of the data subject or soft spamming;
f) purposes related to the fulfilment of laws and regulations; Consent is not required g) purposes necessary to establish, exercise or defend a right in court or whenever the courts exercise their judicial functions. Consent is not required
The data processed by us may include special categories of personal data as defined by Article 9 of GDPR 2016/679 or personal data concerning health or religion (food allergies, services for the disabled, menus related to religion, etc.) provided voluntarily, with prior consent, in the Notes fields of the booking form.
The data in question will be processed guaranteeing appropriate security measures limited to the data and operations necessary to fulfil the pre-contractual obligations that the hotel undertakes in its sector of activity, in order to provide specific goods or services requested by the data subject.
Pursuant to Article 9 of the GDPR 2016/679, however, we will always ask for an explicit authorisation to process your personal data as we cannot know in advance if data subjects will voluntarily enter information applicable to a given category in the data acquisition forms.
MANAGEMENT OF CVS
The Company will process the CVs received by email or through third-party recruiting companies (publications on portals, etc.) to evaluate potential candidates within the company or that could be presented in the future. The processing is carried out electronically, with the exception of CVs received by ordinary post.
CVs considered "interesting" will be retained at the company's headquarters for a period not exceeding one year and will be processed in full compliance with the minimum security measures prescribed by Article 32 of the GDPR 2016/679
CVs deemed irrelevant as well as those whose retention time has exceeded 18 months will be deleted.
In any case, the CVs will be retained at the Hotel The Guardian and will not be disclosed to unauthorised third parties excluding hotels and companies belonging to the Brand AG GROUP (www.aghotels.it)
The CVs in question shall be evaluated by employees or collaborators of the hotel officially appointed and instructed in personal data protection matters.
In any case, we ask candidates to observe the following rules when submitting their CVs electronically:
1. please complete your CV in the European format;
2. submit your CV as a pdf file;
3. in your CV, avoid including special personal data categories as defined in Article 9 of the GDPR 2016/679 (in particular relating to state of health, religious, philosophical or political beliefs) that are not relevant to the job opportunity;
4. consent to the processing of sensitive data relevant to the establishment of an employment relationship (e.g. if you belong to a protected category).
The company reserves the right not to delete CVs not compliant with the above requirements. Processing purposes related to the management of CVs will involve activities strictly related to the evaluation, recruitment or selection of personnel, in contexts of collaboration, fixed-term or permanent employment, internships, or to enable selected student candidates to prepare dissertations at our headquarters.
TRANSFER OF PERSONAL DATA
The company STEM S.r.l. ensures that the processing of Personal Data by the Recipients takes place in compliance with the Applicable Regulations which are legally applicable outside the EU.
Otherwise, transfers are subject to an adequacy judgement or compliance with the Standard Model Clauses approved by the European Commission or, in cases of transfers to the USA, compliance with the Privacy By Shield principles.
More relevant information and explanations can be provided by the data controller.
By way of non-exhaustive example, the hotel will process Personal Data to provide the newsletter service until the interested party decides to unsubscribe from the service itself by simply clicking on the email received.
Without prejudice to the above, the data controller will process your Personal Data for as long as permitted by Italian law to protect its interests (Article 2947(1)(3) of the Italian Civil Code). More information about the Personal Data retention period and the criteria used to determine this period can be requested by writing to email@example.com
RIGHTS OF THE DATA SUBJECTS
At any time, data subjects have the right to obtain confirmation of the existence or non-existence of the data itself, to be informed of its content and origin, to verify its accuracy, and to request that it be supplemented, updated or corrected (Article 15 – 22 GDPR 2016/679). In accordance with the above-mentioned Articles, Data Subjects have the right to request the deletion, anonymization or blocking of data processed in violation of the law, and in any case, to oppose the processing of said data for legitimate reasons.
Pursuant to Chapter III of the GDPR 2016/679, at any time, data subjects have the right to request access to their Personal Data, the correction or cancellation of the same or to oppose their processing as well as restriction of processing or return of the data in a structured, commonly used and machine-readable format. Data subjects may also oppose profiling and lodge complaints with the Supervisory Authority.
At any time, data subjects also have the right to revoke their consent to processing without prejudice to the lawfulness of the processing based on consent given before the revocation. For the complete and exhaustive list of the rights exercisable by data subjects, see Article 15 et seq. of the GDPR 2016/679.
Requests should be sent via email to firstname.lastname@example.org
UPDATES AND REVISIONS