---

Privacy Policy

---

This Privacy Policy intends to describe the management methods of the Website www.ghmilano.it with reference to the processing of personal data of users/visitors who consult it.

The Privacy Policy is provided only for this Website and not for any other websites that may be accessed by the user through specific links.

Grand Hotel Milano SRL guarantees compliance with the law on the protection of personal data (Legislative Decree 196/03 and Regulation 2016/679/EU). Users/visitors of this Website should therefore read this Privacy Policy carefully before sending any personal information and/or filling out any electronic form posted on the Website itself.

Data Controller

Grand Hotel Milano SRL, with registered office in Viale Roma 46, 53042, Chianciano Terme (Siena) – Italy and email info@ghmilano.it, is the Data Controller for the processing of Personal Data (hereinafter, the “Data Controller”).

Data subject to processing

• Navigation data

The computer systems and software procedures used to operate this Website acquire, during normal operation, some personal data that is then transmitted implicitly in the use of internet communication protocols.

This is information which, by its very nature, could identify users/visitors (e.g. IP address, domain names of computers used by users/visitors connecting to the Website, etc.) through processing and association with data held by third parties.

This data is only used for statistical information and to monitor the proper functioning of the Website.

In any event, web contact data is not retained for more than seven days, except when it is necessary to monitor instances of criminal activities against the Website.

No data deriving from the web service is communicated or disclosed.

• Data provided voluntarily by Users/Visitors

If users/visitors connecting to this Website submit their personal data in order to access certain services or to make requests through email, they are aware that this involves the Data Controller’s acquisition of the sender’s address and/or any other personal data which, in turn, will be processed exclusively to respond to the request or to provide a service to the sender.

The personal information provided by users/visitors will be disclosed to third parties only if such disclosure is necessary to comply with requests made by users/visitors themselves or to satisfy legal obligations or public authorities.

• Cookies

In addition to the data expressly provided to the Data Controller, other data may be stored deriving from the user’s browsing on the Website. Indeed, upon user access, the Website can send the user a “cookie”. A “cookie” is a small text file that the Website can automatically send to the user’s computer when viewing pages on this Website. The “cookies” are used to make browsing more convenient, as well as to obtain information on the individual user’s navigation within the Website and to allow the operation of some services that require identification of the user’s browsing through different pages of the Website. For any access to the Website, regardless of the presence of a “cookie”, the Website records the type of browser (i.e. Internet Explorer, Chrome, Firefox), the operating system (i.e. Windows, Macintosh) and the host and the URL of origin of the user-navigator, in addition to data on the requested page. This data can be used in an aggregated and anonymous form for statistical analyses on usage of the Website. For the complete management of cookies, consult the “Cookie Policy” page of this Website.

Data processing procedures

Data is processed via automated means (i.e. using electronic procedures and electronic devices) and/or manually (i.e. hard copies) for the time strictly necessary to achieve the purposes for which the data was collected, albeit in accordance with the legal provisions in force.

Purpose for processing

In addition to those indicated in the individual policies that precede the completion of the forms of the different sections of the Website, the purposes of the processing performed by the Data Controller must be understood as:

1. collection, storage and processing for the purposes of establishing the contractual relationship (availability check and online quote). Categories of data: general information and contact details, date of arrival and departure;
2. collection, storage and processing for requirements relating to the establishment and/or performance of the established contractual relationship and operational and administrative (accounting and tax) management of the contractual relationship (reservation). Categories of data: general information and contact details, tax code and/or VAT number, bank details, credit and debit card details provided as guarantee and/or balance, list of services and products requested and purchased, date of arrival and departure;
3. collection, storage and processing to perform statistical analysis in anonymous and/or aggregate form, market research, statistical and economic analysis. Categories of data: navigation data on the pages of the Website, place of residence, length of stay, period of stay, type of room, number of minors, booking method or request;
4. collection, storage and processing for the communication of sales information on future initiatives and new product or service announcements, including the sending of advertising and/or promotional material and for the execution of games with prizes and promotional initiatives in general. Categories of data: general information and contact details, date of arrival and departure

Legal basis for processing

The legal basis of the processing of the Website users/visitors’ data (the “Data Subjects”) performed by the Data Controller through the Website is constituted:

1. as to the collection, storage and processing for the purpose of establishing the contractual relationship (availability check and online quote), by pre-contractual measures adopted at the request of the Data Subject as set forth under art. 6 lett. b) Regulation 2016/679/EU;
2. with regard to the collection, storage and processing for requirements relating to the establishment and/or performance of the established contractual relationship and operational and administrative (accounting and tax) management of the contractual relationship (reservation), by the performance of a contract of which the Data Subject is a party as set forth under art. 6 lett. b) Regulation 2016/679/EU;
3. as for the collection, storage and processing to perform statistical analysis in anonymous and/or aggregate form, market research, statistical and economic analysis, by the pursuit of the legitimate interest of the Data Controller as set forth under art. 6 lett. f) Regulation 2016/679/EU;
4. regarding the collection, storage and processing for the communication of sales information on future initiatives and new product or service announcements, including the sending of advertising and/or promotional material and for the execution of games with prizes and promotional initiatives in general, by, alternatively: (i) the consent of the Data Subject as set forth under art. 6 lett. a) Regulation 2016/679/EU or, in the absence of this, (ii) the c.d. soft spam set forth under art. 130, paragraph 4, Legislative Decree 196/03. The Data Subject, on the occasion of sending each communication made, is informed of the possibility of opposing the processing at any time.

Recipients

In some cases, in addition to the Data Controller, certain categories of managers and authorized parties involved in the business organization of the Website may have access to the data, including – by way of mere example – administration, sales, marketing, legal, system administrators (jointly referred to as the “Data Processors”). Furthermore, the Data Controller may use external parties (such as third-party technical service providers, carriers, hosting providers, cloud services, IT companies, communication agencies) who may be appointed as external Data Processors. The updated list of Data Processors can be requested to the Data Controller via the email indicated below.

Transfer to a non-EU country

For the services offered by the Website, the Data Controller uses servers located in Italy and thus, on the basis of Regulation 2016/679/EU, is to be considered as falling within the EU.

Data processed by the Data Controller will never be disclosed.

Data processing location

The processing related to the services of the Website takes place at the registered office of the Data Controller and is handled only by the technical staff in charge of processing

Timing of data retention

It is acknowledged that:

1. as for the processing for the purpose of establishing the contractual relationship (availability check and online quote), the data retention period is 3 months from the collection date;
2. as for the processing for requirements relating to the execution and/or performance of the established contractual relationship and the operational and administrative (accounting and tax) management of the contractual relationship (reservation), the data retention period is 10 years (and even beyond in the event of disputes or tax assessments) from the collection date;
3. with regard to the processing for anonymous and/or aggregate statistical analysis, market research, statistical and economic analysis, the data retention period is 12 months from the date of collection;
4. as to the collection, storage and processing for the communication of commercial information, the data retention period is 24 months from the date of collection.

Voluntary or mandatory submission of data

Without prejudice to what specified for navigational data that automatically acquires data, users/visitors are free to provide their personal data or otherwise. Failure to provide the data can merely render it impossible to obtain the requested service.

Rights of data subjects

Pursuant to Regulation 2016/679/EU, the Data Subjects whose personal data is collected have the right at any time to obtain confirmation of the existence of such data and to know its content and origin, verify its accuracy or request its integration, updating or correction.

In relation to the processing of the aforementioned data, the user/visitor has the right to obtain from the Data Controller:

1. confirmation of the existence or otherwise of Personal Data, its communication in intelligible form and knowledge of its origin, as well as the logic on which the processing is based;
2. the cancellation, within a reasonable period, of the data, its transformation into anonymous form or the blocking of data processed in violation of the law;
3. the updating of the data, its rectification or – whereby there is interest – its integration;
4. a guarantee that the operations referred to in points 2 and 3 above have been brought to the attention of those to whom such has been communicated, provided that this is not impossible or involves the use of disproportionate means;
5. the rectification or erasure of data concerning the Data Subject or the limitation of processing;
6. the revocation of consent relating to optional processing and not related to the execution of the contract signed with the Data Controller.

The subjects to whom the personal data refer also have the right to object for legitimate reasons to the processing of personal data concerning them, even if pertinent to the purpose of the collection, to request portability, exercise the right to be forgotten, as well as contact the Supervisory Authority responsible for the protection of personal data for any breach that the Data Subject believes to have suffered.

The Data Controller contact details are as follows:
Grand Hotel Milano SRL
Viale Roma, 46
53042 Chianciano Terme (Siena) – Italy
Email: info@ghmilano.it

The Italian Data Protection Authority is as follows:

Italian Data Protection Authority

Piazza Venezia, 11, 00187, Roma
e-mail garante@gpdp.it
fax 06 696773785.

Automated decision-making processes

No automated decision-making processes are carried out on the aggregated data collected, if not for the best management of the Website.