DATA CONTROLLER

The Data Controller is the company Don Ferrante s.r.l. (P.IVA 07125280722) with registered office in via S. Vito n.27, Monopoli (Ba), pec address: donferrante@legalmail.it, email info@donferrante.it, telephone 080.742521. Don Ferrante s.r.l., in accordance with Article 37 of the GDPR, has appointed a Data Protection Officer who can be contacted at the email: avv.giovannivinci@gmail.com; 

PURPOSE AND LEGAL BASIS OF DATA PROCESSING 

The processing of personal data is necessary, 

A) for the performance of the contract with the Interested Party regarding hospitality services, namely:

- fulfillment of any obligation arising from the pre-contractual or contractual relationship with the Interested Party;

- registration and authentication of the Data Subject: to allow the Data Subject to register on the booking application, as well as, access and be identified also through external platforms;

- support and contact with the Data Subject: to respond to the Data Subject's requests;

- payment processing: to handle payments by credit card, bank transfer or other means;

B) to fulfill legal obligations in tax and fiscal matters; 

C) to ensure a legitimate interest of the Data Controller with regard to the promotion of products and/or tourist - accommodation services of the Data Controller (direct marketing purposes) using the e-mail provided by the Data Subject in the context of the sale of a product or service similar to the one being sold

D) to ensure a legitimate interest of the Data Controller in order to protect the company's assets against possible risks of theft, damage and/or vandalism through a video surveillance system of some external areas of the accommodation facility, identifiable by means of special short information signs. 

TYPE OF DATA COLLECTED AND PROCESSING METHODS 

The data collected consists of personal identification data such as first and last name, company name, residential address, telephone number, fax number, tax code, VAT number, regular and certified e-mail addresses, bank data, identification documents, any data related to special problems that require staff attention.

Personal data (e.g., first name, last name, address, e- mail, bank details) that come from the reservation system set up on the website (www.donferrante.it) are collected through the external data processor appointed for this purpose, Athena Solutions Srl, through the booking engine portal https://book.ermeshotels.com which states its privacy policy at https://www.ermeshotels.com/privacy.html. Personal data (first name, last name, address, e- mail, bank details) that come from external websites such as www.booking.com, www.expedia.it; are collected by such websites that have their own privacy policy, the contents of which can be easily identified by the interested parties within the relevant portals. 

The processing of data from the video surveillance system is carried out in such a way as to limit the visual angle of the area to be protected, avoiding as much as possible the filming of surrounding places and details that are not relevant (streets, other buildings, etc.). With regard to video surveillance, technical measures are also taken to meet the needs of both physical security (implementation of anti-intrusive measures) and logical security of the systems (firewall, antivirus, backup, and access control); 

Processing involves the performance of the following operations: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data. 

The data will be processed on paper and by automated means (computer/electronic) with logics that guarantee the confidentiality, integrity and availability of the data. Personal data will not be subject to fully automated decision-making processes.

The data will be processed, exclusively for the above-mentioned purposes, by employees (e.g. administrative and secretarial staff) and, in particular, by specially designated Data Processors and specifically authorised Data Processors. Also for the purposes indicated, the data may be processed by subjects who perform instrumental activities for the Data Controller, who provide adequate guarantees regarding the protection of personal data and who are appointed as Data Processors pursuant to Article 28 of the Regulation (e.g. the company that manages the site, hosting providers, vigilance consultants, accountants and lawyers who provide services functional to the purposes of the processing). 

The updated list of Data Processors and Data Controllers is made available by the Data Controller upon request.

NATURE OF PROVIDING DATA 

Without prejudice to the autonomy of the data subject, any refusal to provide personal data may, depending on the specific nature of the data, result in the impossibility, in whole or in part, to establish, continue or properly execute the requested service.

COMMUNICATION AND DISSEMINATION OF DATA

Personal data are not subject to general disclosure and, therefore, will not be communicated to third parties or disseminated except in cases specifically provided for by national or European Union law.

By virtue of the legal provisions in force, your data may therefore be communicated 

- to the competent Authorities as provided for by the ‘Testo unico delle leggi di pubblica sicurezza’ (Article 109 R.D. 18.6.1931 no. 773), which requires the communication to the Police Headquarters, for public security purposes, of the personal details of the stayers in accordance with the procedures established by the Ministry of the Interior;- Judicial authorities or the judicial police, with regard to the images collected by the video surveillance system, in the event of a specific investigative request. 

TRANSFER OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION

Personal data will not be transferred to third countries or international organisations. It is possible, however, that the use of desktop applications will result in the transfer of processed data to the U.S.A. The legitimacy of any such transfer is based, pursuant to Article 45 GDPR, on the adequacy decision adopted by the European Commission on 10 July 2023 (EU-US Data Privacy Framework).

RETENTION PERIOD

Personal data shall be retained for a period of time not exceeding that necessary for the purposes for which it was provided. In particular: data collected to fulfil accounting and tax purposes will be retained for a period not exceeding 10 years. Conversely, data collected for promotional purposes will be kept for a period not exceeding 2 years. Data collected by the video surveillance system shall be deleted within 24 hours, except for holidays or other cases of closure. 

RIGHTS OF THE DATA SUBJECT

Each data subject, with reference to the processing of his or her personal data, enjoys the rights set out in Articles 15 to 22 of the GDPR. Accordingly, he/she may request from the Data Controller access to his/her personal data and the rectification or deletion thereof or the restriction of the processing of his/her personal data or to object to the processing thereof, as well as the right to data portability (where the specific legislation so permits). The aforementioned requests must be sent to the following pec address: donferrante@legalmail.it, email info@donferrante.it.  If the data subject considers that his or her data is being processed contrary to the provisions of the GDPR, he or she has the right to lodge a complaint with the Data Protection Authority.