Change language

Privacy policy

Protection of rights

INFORMATION REGARDING THE NEW REGULATIONS FOR THE PROTECTION OF PERSONAL DATA (Reg No. 679/2016 - GDPR)


Website privacy policy
www.hotelgraal.it

The EU Reg. 2016/679 ("European Regulation on the protection of personal data" in short GDPR) provides for the protection of persons and other subjects and respect for the processing of personal data.

The first principle of GDPR n. 679/2016 is the accountability that is the responsibility of the Data Controller and of all the components of its organization in data management. For this purpose we have appointed a Data Protection Officer.
Here are our references on data processing.
 

EXTREME IDENTIFICATION OF THE OWNER, RESPONSIBLE DATA PROCESSING

Name of the data controller
Anna Fraulo

Address
via della repubblica n.8-84010 ravello (sa)

Email    
info@hotelgraal.it

Pec    
hotelgraal@legalmail.it

Name of the Responsible Protection of the treatment
Anna Fraulo

Telephone number
+39 089 857222

Email    
info@hotelgraal.it

This site may collect some personal user data.
Therefore, under Articles 13 and 14, we provide some information on the processing of some of your data.

 

RIGHTS OF THE INTERESTED PARTY
Article 15 (right of access), 16 (right of rectification) of EU Reg. 2016/679

The interested party has the right to obtain from the data controller confirmation that it is or is not undergoing treatment of personal data concerning him and in this case, to obtain access to personal data and the following information:
•    a) the purposes of the processing;
•    b) the categories of personal data in question;
•    c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations;
•    d) the retention period of the personal data provided or, if not possible, the criteria used to determine this period;
•    e) the existence of the right of the data subject to request the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment;
•    f) the right to lodge a complaint with a supervisory authority;
•    h) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject.

Without prejudice to any other action in administrative or judicial proceedings, the interested party may lodge a complaint with the competent supervisory authority on the Italian territory (Authority for the protection of personal data) or the one carrying out its duties and exercising its powers in the Member State where the GDPR violation took place.

Right pursuant to art. 17 of EU Reg. 2016/679 - right to cancellation ("right to be forgotten")
The data subject has the right to obtain from the data controller the deletion of personal data concerning him without undue delay and the data controller is obliged to cancel the personal data without undue delay if one of the following reasons exists:
•    a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
•    (b) the interested party revokes the consent on which the treatment is based in accordance with Article 6 (1) (a) or Article 9 (2) (a) and if there is no other legal basis for the treatment;
•    (c) the data subject opposes the processing pursuant to Article 21 (1) and there is no legitimate overriding reason to proceed with the processing, or opposes the processing pursuant to Article 21 (2);
•    d) personal data have been processed unlawfully;
•    e) personal data must be deleted to fulfill a legal obligation under Union law or the law of the Member State to which the data controller is subject;
•    f) personal data have been collected with regard to the information society service offer referred to in Article 8, paragraph 1 of EU Reg. 2016/679

Right referred to in art. 18 Right of limitation of treatment
The interested party has the right to obtain from the data controller the limitation of processing when one of the following hypotheses occurs:

a) the interested party disputes the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such personal data;

b) the processing is illegal and the interested party opposes the cancellation of personal data and asks instead that its use is limited;

c) although the data controller no longer needs it for processing purposes, personal data are necessary for the data subject to ascertain, exercise or defend a right in court;

d) the interested party has opposed the treatment pursuant to article 21, paragraph 1, Reg EU 2016/679 pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party.
 
PROTECTION OF RIGHTS
The articles 11 and 12 of the "New Regulations" regulate in general the procedures for the exercise of all the rights arising from the data subject.
The Community Legislator has laid down the obligation - burdening the holder - to respond regularly in written form to the requests of the interested party, also through electronic tools that facilitate accessibility. The information requested may be granted to the interested party in oral form only if the same is required to make an explicit request
The interested party to assert his rights may also refer to the judicial authority or the Guarantor, in case of failure to satisfy his requests to the data controller.

Response times for the exercise of rights
The deadline for responding to the data subject by the Data Controller is, for all rights (including the right of access), 1 month, extendable up to 3 months in cases of particular complexity; the holder must in any case give feedback to the interested party within one month of the request, even in case of refusal.
The Data Controller, in the event of a data breach, must implement two different actions:
• notification of the violation to the Control Authority within 72 hours of the act
• reporting to the interested party (without unjustified delay).

Revocation of consent to treatment
For reasons relating to the particular situation of the interested party, the same may oppose at any time the processing of their personal data if it is based on legitimate interest or if it takes place for business promotion, sending the request to the Owner at [...]

The interested party has the right to cancel his / her personal data if there is no legitimate overriding reason for the Data Controller than the one giving rise to the request, and in any case in case the Data Subject opposes the processing for commercial promotion activities.

Conclusion
On May 25, this regulation came into force in Italy to regulate the relationship that public and private bodies, professionals, establish with people: citizens, customers, workers. We are obliged to process the personal data of our users in full compliance with the law.

Here is the link to consult the entire European regulation on privacy in Italian.
European Regulation on privacy 679/2016