Privacy Policy

POLICY CONCERNING THE PROCESSING OF CUSTOMER PERSONAL DATA

ACCORDING TO REGULATION (EU) 2016/679 (“GDPR”)

Controller
Business name: MINIHOTEL s.r.l.
Address: Via Tiziano 6, 20145 Milano
Telephone number: 02 7214791
e-mail address: privacy@minihotel.it
Common Name of the Controller: MINIHOTEL s.r.l.

Types of Data, Purpose of the Processing
The collection and the processing will be performed on the following types of data:

  • identification data: name, surname, tax code, etc.
  • contact details: telephone number, e-mail address, address, etc.
  • bank details: IBAN, credit card number, etc.
  • special categories of personal data (already “sensitive data”): personal data revealing racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or biometric data for the purpose of uniquely identifying a natural person or data concerning a natural person’s sex life or sexual orientation
  • data relating to criminal convictions and offenses (already “judicial data”): personal data which could reveal the judicial proceedings referred to in article 3, paragraph 1, letters from a) to o) and from r) to u), of the D.P.R. November 14, 2002, n. 313, on criminal records, records of administrative sanctions resulting from offences and related charges, or the condition of accused person or person under investigation in accordance with articles 60 and 61 of the Code of Criminal Procedure; or personal data relating to criminal convictions and offenses or related security measures

For the following purposes:

a. Establishment and execution of the contractual relationship

b. To fulfill obligations required by law or regulations

c. If necessary, to ascertain, exercise or defend the rights of the data owner, either in court or out of court

d. To comply with our “Public Safety Law” (Article 109 Royal Decree n. 773, 18/6/1931) which requires that we provide identification data of our guests to the police, for purposes of public safety, in the manner established by the Ministry of the Interior (Decree of 7 January 2013)

e. Marketing: e.g. SMS and e-mails, telephone calls with operators and traditional mail for promotional and commercial offers relating to services/products offered by the Company or reporting of company events, as well as the creation of market studies and statistical analysis

f. Profiling: analysis of preferences, habits, behaviours or interests of the customer to send personalized commercial communications

Legal basis for the processing

The legal bases applicable for the treatment identified by the GDPR are:

  • Performance of a contract of which the data subject is part
  • Need to fulfill legal obligations
  • Legitimate interest of the controller
  • The consent will be optional and revocable without prejudice to the data subject, also with regard to the processing of data based on the consent given before the withdrawal was exercised

Data retention or criteria used to determine this period

The data retention period is:

  • 10 years after the termination of the contract
  • Need to fulfill legal obligations
  • For marketing purposes: 24 months from their registration
  • For profiling purposes: 12 months from their registration

After the expiry of the storage terms, the data will be destroyed, erased, or made anonymous, compatibly with the state of the art.

Conferment of data

The conferment of data for the purposes set out in letters a), b), c) and d) above is mandatory. In case of non-conferment of this mandatory personal data, it will not be possible to proceed with the contractual relationship.

Third recipients of personal data

The data may be transmitted to subjects other than the Data Controller (e.g. authorities and control and supervisory bodies, public or private subjects who have the right to request data).

The data may also be transmitted to subjects who process them on behalf of the Company as Data Processors on the basis of a legally binding agreement which ensures the protection of the personal data.

Categories of subject, e.g.:

a. IT providers (e.g. back-up data services, e-mail, WEB / cloud computing, hosting, network monitoring, e-mail sending, maintenance of the website, etc.)

b. consultants (e.g. payroll, attending doctor, workplace safety, professionals, etc.)

c. authorities and supervisory and control bodies, public or private entities that have the right to request data

d. other Entities of the Business Group. 

The up-to-date list of those responsible for data processing in outsourcing is available at the Data Controller’s headquarters.

Subjects authorised to process personal data

The data may be processed by workers in relation to their duties, expressly authorized and duly instructed to process the data

Transfer of personal data to third countries (Extra-EU/EEA) 

Personal data will not be transferred outside the European Union except on the request of the customer sending the invoice abroad. On this occasion, all the legal, technical and organizational measures foreseen by the GDPR will be taken.

Data subject's rights - right to lodge a complaint with the competent supervisory authority

The interested parties have the following rights:

a. right of access:

  • to know if data is being processed, for which purposes, on which data, the recipients or categories of recipients to whom the personal data have been or will be communicated, when possible the storage period of personal data or, if this is not possible, the criteria used to determine this period, the data subject's rights, information about their origin, whether automated decision-making is in progress, including profiling (at least in such cases with significant information on the logic used, importance and consequences of this process), and what the adequate guarantees are if the data is transferred to a Third Country
  • to obtain a copy of the personal data being processed without affecting the rights and freedoms of others

b. correction of inaccurate data and integration taking into account the purposes of the processing,

c. cancellation in the following cases: a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) the interested party revokes the consent if there is no other legal basis for the treatment; c) the interested party opposes the processing in the absence of prevailing contrary rights or obligations; d) personal data have been processed unlawfully; e) there is a legal obligation to do so by the Data Controller; f) personal data have been collected in relation to the offer of internet services

d. limitation on processing for disputing the accuracy of the data, for unlawful processing because excessive, for the assessment, exercise or defence of a right in court (even if the holder no longer needs the data), in case of opposition (pending verification of the existence of this right in practice)

e. opposition (in case of processing necessary for the performance of a task carried out in the public interest or for legitimate interest of the data owner, including profiling) for reasons related to the particular situation of the interested party, without prejudice to other public interest rights or under other legal or regulatory requirements

f. opposition to the receipt of commercial communications with automated methods (e-mail, etc.) for treatment with direct marketing purposes, including profiling

g. data portability in interoperable and commonly used electronic format, also directly to another operator if technically possible, in case of treatment with automated tools 

h. in the cases referred to in letters b), c) and d), the data controller shall inform each of the recipients to whom the personal data have been transmitted of any corrections or cancellations or limitations on the processing performed unless this proves impossible or involves a disproportionate effort.

To exercise their rights, interested parties may contact: Operations Manager, privacy@minihotel.it - Via Tiziano 6, 20145 Milano

Interested parties have the right to lodge a complaint with the competent Supervisory Authority in the Member State in which they habitually reside or work, or in the State in which the alleged violation has occurred.