Customers privacy notice pursuant to artt 13 and 14 of the EU Regulation 2016/679
A – Data Controller and Data Protection officer
The Continental Terme S.r.l. (hereinafter, the “Data Controller”), based in Napoli (CAP 80133), via M. Cervantes De Savaedra 55, VAT 03376570630 (telephone number: +39 081.991588; email: firstname.lastname@example.org; PEC: email@example.com), informs that it is the Data Controller of personal data pursuant art.4, n.7) of the EU Regulation 2016/679.
The Data Controller has appointed a Data Protection Officer, which can be contacted at: firstname.lastname@example.org:
B – Processed Data
The processed data, summarized hereinafter, will be voluntarily provided by You for the execution of the existing legal relationship: name and surname, date of birth, registered residence or fiscal domicile, telephone number, banking data, email address, images, data concerning your health (the latter, hereinafter, “special categories of personal data”, voluntarily provided). The data can be collected from You, or from third companies (such as travel agencies) which provide to book rooms.
C- Purposes of the processing, nature and lawfulness of processing
The personal data provided by You will be processed for the following purposes:
With reference to the purposes under: numbers 1 and 5, processing is necessary for the performance of a contract; numbers 2, 3 and 4, processing is necessary for compliance with a legal obligation; number 5, 6 and 8, processing is necessary for the purposes of the legitimate interests pursued by the Data Controller; referring to the data concerning health (which You voluntary give to the Data Controller) and for the purpose under n.7, processing is based on the consent you can give at the bottom. The processing is, therefore, lawful (Art. 6, paragraph 1, letter b, EU Regulation 2016/679).
Providing data is not compulsory for the purposes set out in points 1 and 5. Not fulfilling or providing incorrect personal data, as well as your refusal to reply, could make difficult for Data Controller to perform the contract. Providing data is compulsory for the purposes under 2, 3, 4, 6 and 8 and not fulfilling or incorrect fulfilling could make difficult for Data Controller to be comply with law or to protect Data Controller’s legitimate interests.
Providing data is not compulsory for the purpose under n.7. Not giving consent will prevent you from receiving promotional messages, rates and services offered.
Personal data will be processed with appropriate technical and organisational measures to ensure to be comply to the EU Regulation 2016/679.
D – Communication to third parties and/or data disclosure – transferring data abroad
For the purposes referred to Paragraph C, the Data Controller informs You that your data could be communicated to third parties, appointed in writing, should this be necessary to fulfill an obligation set by law, Data Processor.
The recipients of the personal data communications of the data subject can be identified in the following categories:1) IT providers (e.g.: the hotel booking provider); 2) public security authorities for the compliance with law obligations; 3) (referring to the services requested for your wellness) employees of the wellness area; 4) banks, financial institutes, judicial authorities, consultant to whom the communication of the aforesaid data is necessary for the performance of the Data Controller’s administrative, accounting and fiscal obligations or for the protection of its legitimate interests.
The data collected will be processed only in Italy or in the EU.
E -Data retention period
The personal data collected will be stored for: I) (for personal data stored in the management program, where no special categories of personal data are stored): 5 years (ID data); 180 days from the checking out (banking data); II) (data stored not in the management program): the end of the season; III) data processed for the purposes under n.5, Par.C, 3 years; IV) data processed for the purposes under n.7, Par. C., 3 years, except for the previous withdrawal of the consent.
If requested by the law, a different term of retention shall be apply.
The images collected by the monitoring camera system will be stored for 24 hours. After these terms, personal data will be deleted or made anonymous.
F -Data subject’s rights
The data subject may, at any time, exercise the rights set out in the EU Regulation 2016/679: a) the right to access to your personal data; b) the right to obtain rectification or erasure of the data or restriction of processing You personal data; c) the right to object to the processing; d) the right to data portability; e) the right to revoke the consent if the processing is based on express/explicit consent for one or more specific purposes. The withdrawal of consent shall not affect the lawfulness of processing based on consent until that moment; f) the right to lodge a complaint with the supervisory authority (Data Protection Authority).
The aforementioned rights may be exercised by sending a communication to: