PRIVACY POLICY PURSUANT TO EUROPEAN REGULATION No. 2016/679 (“GDPR”)
Dear Guest,
please read this policy (hereinafter, “Privacy Policy”) carefully, drafted pursuant to Articles 13 and 14 of the GDPR, in which we provide you with all the details relating your personal data processed within the context and for the purposes of executing the rental agreement with Corso Italia S.r.l. hereinafter, “Agreement”).
This Privacy Policy is provided to you, as a Guest of the property, as well as to any third parties (e.g. guarantors and/or people making the payment other than the Guest) whose personal data you have provided to us. In this regard, you declare that you are entitled to provide such information and undertake to inform third parties of the content of this Privacy Policy, as well as to indemnify and hold harmless the Data Controller from any dispute, claim, request for compensation for damage from processing, etc. by such persons whose personal data has been processed through your spontaneous submission in violation of the applicable personal data protection regulations.
1. DATA CONTROLLER and DPO
The Data Controller is Corso Italia s.r.l., with registered office in Milan, Via San Paolo n. 7, VAT number 11678740967 (hereinafter, the “Data Controller” or “Corso Italia”), which can be contacted at the following e-mail address: corsoitaliasrl-mi@legalmail.it.
The Data Controller has appointed its own Data Protection Officer (“DPO”), who can be contacted at the following email address: Privacy.Corsoitalia@StudioDiRevisori.it
2. PERSONAL DATA SUBJECT TO PROCESSING AND SOURCE OF PERSONAL DATA
The Data Controller, in the context of the execution of the Agreement, may collect and process the following personal data:
a) common data (personal details, identification and contact details): such as name, surname, gender, tax code, residential address, telephone number, e-mail address, credit/debit card details or details of other payment instruments, payment details, identity document details, place and date of birth;
b) data related to the Guest’s employment and financial situation: such as, for example, a copy of the employment agreement, latest payslips, tax certification;
c) personal data related to guarantors and/or family members of the Guest.
The Data Controller will not process special categories of personal data, except for any data you may voluntarily provide (e.g. information that may reveal, even indirectly, your state of health) in the context of your specific requests, including any requests relating to accommodation, also in relation to specific accessibility requirements (e.g. removal or overcoming of architectural barriers).
The personal data listed above (hereinafter, “Personal Data”) may be collected directly from the Data Subject or through third parties, such as affiliated third parties and booking platforms . Data related to guarantors or family members will be provided by the Guest.
3. PURPOSE OF THE PROCESSING AND LEGAL BASIS
Personal Data may be processed for the following purposes:
a) to take care of all necessary formalities for the conclusion of the Agreement and/or the establishment of the contractual relationship, as well as to perform the services provided for in the Agreement, including, by way of example and without limitation, management and operational activities, sending of information communications, management of invoicing, accounting and credit recovery activities;
b) to ensure compliance with the legal obligations, regulations and EU provisions to which the Data Controller is subject;
c) to ensure the health and safety of Guests and/or persons present on the Data Controller’s premises;
d) ascertaining, exercising or defending a right or interest of the Data Controller in court and/or out of court, against any competent authority or body;
e) to enable the Data Controller to complete a potential merger, transfer of assets, transfer of business or business unit by disclosing and transferring your personal data to the third party or parties involved; and
f) with the prior consent of the data subject, to send promotional communications (e.g. Newsletter) and to update you on the Data Controller’s commercial initiatives and events, initiatives or partnerships, to conduct market and Guest satisfaction surveys, in accordance with the provisions of the Italian Data Protection Authority’s “Guidelines on promotional activities and combating spam - 4 July 2013 [2542348]”. These activities may be carried out, as provided for by current regulations, by means of paper mail, telephone contact via an operator (“traditional methods”), e-mail (newsletters), text messages, push notifications and the use of social networks (“automated methods”). In this regard, we specify that we will collect a single consent for the marketing purposes indicated above, in accordance with the aforementioned Guidelines.
With reference to the purpose referred to in point 3.a, the legal basis for the processing is Article 6(1)(b) of the GDPR, “performance of a contract or pre-contractual measures”.
With regard to the purposes referred to in point 3.b, the legal basis for the processing is Article 6(1)(c) of the GDPR, “compliance with a legal obligation to which the controller is subject”. In the case of processing of special categories of data, freely provided by you, the Data Controller will process such data within the limits set out in Article 9 of the GDPR , which will therefore constitute the legal basis for the processing of such data.
With regard to the purposes referred to in point 3.c, the legal basis for the processing lies, depending on the case, in Article 6(1)(c) of the GDPR, “compliance with a legal obligation to which the controller is subject”, or in Article 6(1)(f) of the GDPR, “pursuit of the legitimate interests of the controller or of third parties”.
With regard to the purposes referred to in points 3.d and 3.e, the legal basis for the processing is Article 6(1)(f) of the GDPR, “pursuit of the legitimate interests of the controller or of a third party”.
With regard to the purposes referred to in point 3.f., the legal basis for the processing is Article 6(1)(a) of the GDPR, “consent of the data subject”.
4. RECIPIENTS OF THE PROCESSING AND TRANSFER OF PERSONAL DATA
Your personal data may be shared with:
Your personal data will be transferred outside the European Economic Area only if the requirements set out in Articles 44 et seq. of the GDPR are met.
5. NATURE OF DATA PROVISION
The provision of Personal Data, as referred to in point 2, is necessary in order to allow the Data Controller to fulfil the Agreement, to perform the services provided therein and to comply with the related legal obligations. Any refusal to provide the aforementioned data would make it impossible for the Data Controller to execute the Agreement and allow you to use the related services.
Please note that, with reference to data belonging to special categories, as well as data collected for the purposes referred to in point 3.f., the provision of such data is entirely optional and free. Failure to provide such data will not affect the performance of the Agreement in any way.
6. STORAGE OF PERSONAL DATA
Personal data will be stored only for the period necessary for the purpose for which it is processed and, in any case, in compliance with the terms set out in applicable national and EU laws, rules and regulations. In any case, with reference to the purposes referred to in points 3.a) and b), your data will be stored for a period not exceeding 10 years from the termination of the Agreement, without prejudice to the fulfilment of the legal obligations to which the Data Controller is subject.
With reference to the purposes referred to in point 3.c), the data being processed will be stored for the time strictly necessary to pursue those purposes and, in any case, in full compliance with the principle of minimisation referred to in Article 5 of the GDPR.
With reference to the purposes referred to in points 3.d) and 3.e), we inform you that your data will be processed, respectively, for the period strictly necessary to allow the Data Controller to ascertain, exercise or defend a right or interest in court and/or out of court or whenever the judicial authorities exercise their judicial functions, to complete any extraordinary operations involving the Data Controller and the activities related to them. The pursuit of the Data Controller’s legitimate interest is fairly balanced with the Guest’s interest, as the processing of personal data is limited to what is strictly necessary for the performance of these activities. Processing for legitimate interest purposes is not mandatory, and the Guest may object to such processing in the manner described in this Privacy Policy, in which case the Data Controller may not process the Personal Data for that purpose, unless the Data Controller demonstrates the existence of legitimate prevailing reasons.
With regard to the purposes referred to in point 3.f), your data will be stored until you withdraw your consent. In any case, the Data Controller will periodically and in specific circumstances (such as, for example, verification of the inactivity of the data subject) assess the current interest of the data subject in remaining updated on events and initiatives promoted by the Data Controller and in receiving related commercial and marketing communications.
7. RIGHTS OF THE DATA SUBJECT
You have the right to ask the Data Controller at any time, in accordance with the law, access to your personal data, the rectification or erasure of the same, or to object to their processing. You have the right to request the restriction of processing in the cases provided for in Article 18 of the GDPR, as well as to obtain your data in a structured, commonly used and machine-readable format in the cases provided for in Article 20 of the GDPR. You also have the right, pursuant to Article 7(3) of the GDPR, to withdraw your consent at any time. In any case, the withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.
Requests can be sent to the following email address: Privacy.Corsoitalia@StudioDiRevisori.it
Finally, we remind you that you always have the right to lodge a complaint with the competent supervisory authority (Garante per la Protezione dei Dati Personali), pursuant to Article 77 of the GDPR, if you believe that the processing of your data is contrary to the legislation in force.