Privacy Policy

Published on 2024-11-21 15:45:16

Hotel Ratschingserhof, with registered office at Stange 4, Ratschings (BZ) - 39040, C.F./P.IVA IT02337460212, (hereinafter referred to as the "Data Controller" or "Controller"), is committed to protecting the online privacy of individuals while they browse and use the services of the website https://www.ratschingserhof.com (hereinafter referred to as the "Portal" or "Website").

This document describes every aspect related to the processing of personal data of users (hereinafter referred to as "Data Subjects") carried out through the Website, in accordance with the provisions of Article 13 of EU Regulation No. 2016/679 (hereinafter referred to as the "Regulation"). According to the provisions of the Regulation, the processing carried out by the Controller through the Website will be based on the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality.

1. Data Controller

The Data Controller for the processing carried out through the Portal is Hotel Ratschingserhof as defined above and can be contacted using the methods indicated in the "Contact" section (see Article 10).

2. Categories of Personal Data processed

3. Purposes of Processing

The Data Controller uses the Personal Data collected through this Website for the following purposes:

4. Legal Basis for Processing

The Data Controller uses the Personal Data collected through this Website for the following purposes:

Protection of Vital Interests:

The processing of Personal Data is based on Article 6(1)(d) of the Regulation ("[...] processing is necessary in order to protect the vital interests of the data subject or of another natural person").

Task Carried Out in the Public Interest:

The processing of Personal Data is based on Article 6(1)(e) of the Regulation ("[...] processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller").

5. Processing Methods

The processing is carried out using manual and/or automated methods, including the use of computer and telecommunications technologies (e.g., CRM, management software, and mailing list services), applying suitable technical and organizational security measures to ensure the security, integrity, and confidentiality of Personal Data, in order to minimize the risks of destruction, loss, unauthorized access, alteration, and unauthorized disclosure, in accordance with Articles 6 and 32 of the GDPR.

6. Transfer of Personal Data outside the EU/EEA

The Data Controller does not intend to transfer Personal Data outside the European Economic Area. However, if there is a need for organizational/production purposes, for example, by using providers and/or cloud services that involve the transfer of data abroad, appropriate safeguards will be implemented for the transfer of Personal Data to a Third Country. Depending on the specific circumstances, these safeguards may include verifying the existence of adequacy decisions by the European Commission, adopting standard contractual clauses and/or binding corporate rules, and verifying the adoption of any additional measures in compliance with EDPB Recommendation 01/2020.

Vendor Name Description Vendor Privacy Policy
Facebook https://www.facebook.com/policy/cookies
Google Advertising Products https://business.safety.google/privacy/
Microsoft Clarity https://privacy.microsoft.com/en-us/privacystatement
Consisto https://www.consisto.it/it/privacy-policy.html
YouTube https://policies.google.com/privacy
TikTok https://www.tiktok.com/legal/privacy-policy

7. Retention Periods

The Data Controller retains Personal Data only for the periods of time necessary to fulfill the purposes outlined in this document, or as required by specific regulations.

In particular:

  • Personal Data processed for the purpose of "Service Provision" will be retained for a period not exceeding 10 years;
  • Personal data processed for the purpose of "Payments and Invoicing" will be retained for a period not exceeding 10 years (Art. 2220 of the Italian Civil Code).
  • Personal Data processed for Direct Marketing purposes will be retained for a period not exceeding 2 years or until the withdrawal of consent by the data subject.
  • The duration of individual cookies is specified in the "Cookie Policy".
  • The Data Controller may retain Personal Data for the period permitted and required by Italian law for the purpose of "Judicial Protection" of their interests (Art. 2946 and 2947 paragraph 1, paragraph 3 of the Italian Civil Code).

After the expiration of these retention periods, Personal Data will be deleted or anonymized, unless held for additional purposes based on appropriate legal grounds.

8. Recipients

The Personal Data collected by the Data Controller may be disclosed or made accessible, for the purposes mentioned above, to the following categories of recipients:

  • Employees and collaborators assisting the Data Controller in the processing operations, with their explicit authorization and, if necessary, the signing of confidentiality agreements;
  • Entities providing outsourcing services on behalf of the Data Controller, acting as Data Processors: cloud computing service providers, independent professionals, companies or professional firms providing assistance and consultancy to the Data Controller, or entities entrusted with hosting and technical maintenance activities, including software maintenance, network devices, and electronic communication networks;
  • Independent Data Controllers to whom the communication of data is necessary for the provision of the requested service.
  • Independent Data Controllers pursuing their own purposes (subject to the data subject's consent);
  • Public authorities, when such communication is required by law.

After the expiration of these retention periods, Personal Data will be deleted or anonymized, unless held for additional purposes based on appropriate legal grounds.

9. Data Subject's Rights

At any time, the Data Subject has the right to access their personal information and request its rectification, erasure, restriction of processing, and portability. The Data Subject also has the right to object, in whole or in part, to the processing and to not be subject to a decision based solely on automated processing, including profiling.

To exercise the rights provided by Articles 15-22 of the GDPR, the Data Subject can contact the Data Controller using the contact details provided in the "Contacts" section (see Article 10). The Data Controller is required to respond to the request within 1 month, or to communicate any delay in case of numerous and/or complex requests (the extension period cannot exceed 2 months). In any case, the Data Subject has the right to lodge a complaint with the competent Supervisory Authority (Data Protection Authority) in accordance with Article 77 of the Regulation if they believe that the processing of their Personal Data is in violation of applicable regulations.

10. Contacts

For further information regarding the processing of Personal Data carried out under the contract or to exercise your rights, you can contact the Data Controller at the following email address: info@ratschingserhof.com