PRIVACY POLICY

INFORMATION ON THE PROCESSING OF PERSONAL DATA
Under Legislative Decree 101/2018 and EU Regulation No. 679 of 27/4/2016 – GDPR
Dear Guest
Società Imprese Lignano – S.I.L. spa, in accordance with the current legislation on the protection of personal data (EU Regulation 679 of 2016 and Legislative Decree 101/2018), wishes to inform you that the processing of your personal data is carried out fairly and transparently, for lawful purposes and protecting your privacy and your rights.
This information is provided in accordance with the principles of transparency, fairness and respect of your rights, pursuant to EU Regulation 2016/679 on the protection of personal data. The processing is related to the personal data of the service recipient. In the case of a user who is a minor or who lacks civil rights, the processing also covers the identifying data of the parent, family member, or legal guardian who signs up for the service and to whom this notice is addressed.
***
1. DATA CONTROLLER and/or its representative:
The data controller is Società Imprese Lignano S.I.L. SPA, based in Lungomare R. Riva, 1/C – 33054 Lignano Sabbiadoro (UD), Tel. 0431/424411, email spiaggia@sil-lignano.net, PEC sil.lignano@pec.it
2. PROCESSING PURPOSES:
the data you provide will be processed, including electronically, for the following purposes:
for needs related to the conclusion of contracts, their performance and any subsequent amendments that may be necessary for their fulfilment. Since this processing is necessary for the establishment of the contractual agreement and its subsequent performance, your consent is not required, except in cases where special data, so-called special-category data, are provided. If you refuse to provide personal information, we will not be able to confirm your reservation or provide you with the requested services. Processing will cease when you leave, but some of your personal data may or must continue to be processed for the purposes and in the manner indicated in the following points;
for operational, organisational, managerial, fiscal, financial, accounting needs related to the contractual and/or pre-contractual relationship established with you. For these purposes, the processing does not require your consent. Data processed by us or our appointees are disclosed externally only in compliance with legal obligations. If you refuse to provide information necessary for these purposes, we will not be able to confirm your reservation or provide you with the requested services. Data acquired for these purposes will be retained by us for as long as necessary for the completion of the contractually stipulated activities and in any case no longer than 10 years (and even longer in case of tax assessments);
for needs related to the need to monitor the way products and/or services are delivered, the progress of customer relationships, and the analysis and management of risks related to the contractual relationship. In order to expedite the registration procedures in case of your subsequent stays at our hotel, subject to your consent, revocable at any time, your data will be kept for the time necessary for the completion of the contractually provided activities and in any case no longer than 10 years from collection, and will be used for the same purposes when you are our guest again; for us to be able to receive messages and phone calls addressed to you during your stay, your consent is required, which you may revoke at any time. Such processing will cease when you leave; your consent is required for sending our promotional and rate update messages: in connection with this purpose, your data will be kept for a maximum period of 24 months and will not be disclosed to third parties. It is understood that you may revoke your consent at any time;
for obligations arising from EU legislation or domestic primary and secondary legislation (regulations) of any nature;
3. PROCESSING METHODS:
processing may be either manual, i.e., non-automated, or partially automated, and it may consist of the following operations: data collection and recording, storage, consultation, use, processing, modification, selection, comparison, retrieval, interconnection, transmission, communication, deletion, distribution, blocking and restriction.
The processing will be carried out with the help of electronic and computerised tools suitable to guarantee the security and confidentiality of the data in accordance with the provisions of Article 32 (Security of processing) of the GDPR, regulation EU/2016/679.
In any event, all technical, computer, organisational, logistical and procedural security measures will always be taken when performing processing operations, in order to ensure at least the minimum level of data protection required by law.
Should the processing regard, among others, special-category data (i.e., data revealing the racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in trade unions, associations or organisations of a religious, philosophical, political or trade-union nature, as well as data revealing the subject’s state of health and sexual orientation) or judicial data (i.e., data revealing measures indicated in criminal records, database of administrative penalties consequent to a criminal offence, pending proceedings or the quality of suspect or defendant in criminal proceedings), processing may only take place under the control of the public authority or only if the processing is authorised by EU or State legislation in accordance with the provisions of article 10 of the GDPR, EU Regulation 2016/679. Processing shall be conducted in compliance with the security measures ordered by the Privacy Authority and for purposes strictly required for the normal conduction of the business activity, the operations related to the provision of products/services and the compliance with contractual and/or statutory and/or regulatory obligations.
4. SECURITY MEASURES ADOPTED: the safety measures adopted are the following: a) use of suitable, regularly changed passwords for access to data; b) access to data is only permitted for the activities required to perform the contract, provide products and services, for operational, organisational, administrative, fiscal, financial, accounting needs relating to the contractual and/or pre-contractual relationship established with you, obligations arising from EU legislation and from domestic primary and secondary legislation (regulations) of any nature; for needs linked to the necessity to monitor the methods of provision of products and/or services, the progress of customer relations and the management of risks related to the contractual relationship; c) use of encryption systems for special category data; d) adoption of regularly updated antivirus software; e) use of advanced real-time intrusion and threat detection systems; f) use of firewalls to protect the company’s network from unauthorised access; g) automated backup systems to ensure an updated copy of data for prompt recovery.
5. LEGAL BASIS OF THE PROCESSING:
the provision and processing of data is

Mandatory and does not require your consent for the achievement of purposes related to obligations under internal laws and regulations or EU legislation;

Essential and does not require your consent for all personal data that are necessary for the proper establishment, management and continuation of the contractual relationship;

Optional and requires your explicit consent for all personal data collected for purposes not directly and/or indirectly related to contractual, pre-contractual, legal obligations or the pursuit of legitimate business interests.
Refusal to provide all or part of the above data, even when it is lawful, could jeopardize the regular course of the relationship with our company; in particular, for the personal data defined above as mandatory and essential, such refusal could result in the inability of the company to perform normal business operations and regularly provide the products and services requested.
6. DATA RECIPIENTS/DATA TRANSFER:
According to Article 4(1)(9) of the European Regulation, recipient means “a natural or legal person, public authority, agency or another body which may receive personal data, whether or not it is a third party. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing”.
The recipients or categories of recipients who may have access to the personal data or to whom the data may be disclosed, also indicated in the Register of Processing Operations, are as follows:

Persons in charge of processing, i.e., management, administration area, business area, employees and/or contractors duly appointed;

Data processor – professionals, tax advisor, banks;

System administrator.
personal data may also be disseminated, but only in aggregate and anonymous form, for statistical purposes.
Personal data may also be disclosed to public agencies, police forces, or other public and private entities in order to comply with legal obligations, regulations, or EU legislation.
The data in question will not be disclosed to any parties other than those stipulated in this information notice, and the data likely to reveal the health status of the person concerned will not, in any case, be disseminated.
7. DATA RETENTION:
Data are stored in the (2) company servers with backup via network NAS in a dedicated room with access only to authorised personnel, located within the EU/Italy and in the full availability of the controller and/or of duly appointed third parties. Data may be processed and transferred to recipients based in other EU countries or even outside the EU, provided that the following conditions are met: adequacy decision of the European Commission and adequate privacy guarantees.
8. RIGHTS OF THE DATA SUBJECTS:
You have the right to request from the data controller access to and rectification or erasure of your data, or restriction of the processing of personal data concerning you, or to object to their processing, in addition to the right of data portability; where the processing is based on article 6(1)(a), or article 9(2)(a), you have the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal; you also have the right to lodge a complaint with a supervisory authority;
if the provision of personal data is a legal or contractual obligation, or a necessary requirement for the conclusion of a contract, you will be informed of the obligation to provide personal data, as well as the possible consequences of not providing such data;
9. RETENTION PERIOD:
your data will be kept in our online archives through In Cloud system for online bookings and through e-mail for the time necessary to carry out the contractual activities and in any case for a maximum of 10 years or 24 months depending on the purposes, as explained in point 2 above;
10. COMPLAINT TO THE SUPERVISORY AUTHORITY:
if the conditions are met, you have the right to lodge a complaint with the Data Protection Authority as the supervisory authority. To find out how to make a claim, you can visit the following link: http://www.garanteprivacy.it/web/guest/home