The protection of the privacy of the Users of our website is a top priority for us.
CA.PRI S.R.L., therefore, in accordance with Articles 13 and 14 of the EU Regulation 2016/679 (so-called “GDPR” – General Data Protection Regulation), wishes to inform you about the processing of your personal data operated by means of our website, premising that it is aimed at users over the age of 14 years, in accordance with Art.
8, par. 1 GDPR and art.
2-quinquies of Legislative Decree.
n.
196/2003.
By connecting to the site and, if necessary, providing their own data or expressing consent to their processing (when required, for specific purposes), the User declares to be over 14 years old.

(A) SUBJECTS INVOLVED IN DATA PROCESSING

The Data Controller is the natural or legal person, public authority, service or other body which, individually or jointly with others, determines the purposes and means of the processing of personal data.
This entity is also required to identify and adopt appropriate technical and organizational measures to ensure a level of security of personal data processed by it that is appropriate to the risk generated by the processing operations carried out.
The data controller is CA.PRI S.R.L., C.F. 01938520036, located in VIA GIUSEPPE FAVA 18, 28016 – Orta San Giulio (NO), Italy, tel.: +39 0322 911902, ordinary e-mail: info@villacrespi.it, PEC: caprisrlorta@legalmail.it.
The Data Processor is the natural or legal person, public authority, service or other body that processes personal data on behalf of the Data Controller.
With reference to the personal data processing operations of Users operated by means of the site, pursuant to Art.
28 GDPR, the Data Controller may appoint one or more Data Processors – for example – from among the suppliers that provide hosting, domain management, IT maintenance, etc., services on behalf of the Data Controller itself.
The updated list of Data Processors can be found at the Data Controller’s offices.

(B) THE PERSONAL DATA BEING PROCESSED

By means of our site, the following personal data of Users may be collected and processed by the Owner (as well as any Responsible Parties):

Common personal data of the User, suitable to allow its identification: first and last name, e-mail address, telephone number, tax data (where the issuance of invoice is required), data inherent to the means used for payment (where made by means of the site), additional identifying data whose transmission to the competent Police Headquarters is mandatory under Art.
109 R.D. no.
773/1931 (Testo Unico delle Leggi di Pubblica Sicurezza) and Art. 2 of the Technical Annex to Ministerial Decree 076.01.2013, as well as any further personal data voluntarily provided by the User.
Particular data: data inherent to health, relating to food allergies or intolerances, as well as further data related to special dietary regimes followed by the User.

(C) PURPOSE, LEGAL BASIS AND MANDATORY OR OPTIONAL NATURE OF PROCESSING

The purposes for which the data referred to in the preceding paragraph are processed by the Owner are as follows:
1. Management of reservation requests at the Restaurant;
2. Management of reservation requests at the Hotel;
3. Fulfillment of obligations imposed by current regulations (accounting, tax, etc.);
4. Fulfillment of obligations imposed by current regulations regarding the identification of sojourners at accommodation facilities and the reporting of names to the territorially competent police headquarters pursuant to Art.
109 R.D. no.
773/1931 (Testo Unico delle Leggi di Pubblica Sicurezza) and the regulations referred to therein;
5. Sending newsletters containing business proposals related to the activities of the Owner;
6. Sending newsletters containing business proposals related to the activities of partner companies of the Owner;
7. Management of site statistics based on non-anonymized data.
The legal bases for personal data processing operations related to the pursuit of the above purposes are those listed below.
For the purposes stated above in nos. 1 and 2, the legal basis is the performance of a contract to which the User is a party or the execution of pre-contractual measures taken at the User’s request, pursuant to Art.
6 par. 1 lett.
b) GDPR; for the same purposes, the legal basis for the processing of any special data is constituted by the free, specific, informed and unequivocal consent of the User, pursuant to Art.
6 par. 1 lett.
(a) GDPR.
For the purposes stated above in nos. 3 and 4, the legal basis is constituted by the fulfillment of a legal obligation to which the Controller is subject in accordance with the relevant legislation in force, pursuant to Art.
6 par. 1 lett. c) GDPR.
For the purposes stated above in nos. 5, 6 and 7, the legal basis is constituted by the free, specific (i.e. relating to a single purpose), informed and unambiguous consent given by the User, pursuant to Art.
6 par. 1 lett. a) GDPR.
For the purposes stated above in nos. 1 and 2, the User has a contractual obligation to provide the data: failing this, the Owner will not be able to enter into the contract with the User and execute it, providing the performance or service requested by the User.
For the purposes indicated above in nos. 3 and 4, the User has a legal obligation to provide the data: failing this, the Controller will not be able to fulfill its obligations under current legislation and the User will not be able to benefit from the performance or service requested.
For the purposes stated above in nos. 5, 6 and 7, the provision of data is optional: without it, depending on the purpose, the User will not be able to receive newsletters and the Owner will collect statistics based on non-anonymized data.

D) RECIPIENTS

The data processed by means of this site, and exclusively for the above-mentioned purposes, may be communicated to subjects external to the Owner (external collaborators, suppliers, etc.) appointed as Data Processors.
For the purposes of no.
4 the data are also communicated to the Entities identified by the current legislation (Police Headquarters competent for the territory and Ministry of the Interior – Department of Public Security).

(E) TRANSFERS

Data transfers to third countries that do not comply with the conditions set forth in Articles 45 et seq. – in particular Art.
46 – of the GDPR.

(F) DATA RETENTION

Personal data collected or otherwise processed by means of this site will be treated in accordance with the principles of Art.
5 GDPR (lawfulness, fairness and transparency; purpose limitation; minimization; accuracy; storage limitation; integrity and confidentiality; accountability) by paper or computer methods, exclusively for the pursuit of the above-mentioned purposes.
Personal data will be retained for a period of time no longer than is strictly necessary to achieve the stated purposes, unless further retention is required by applicable law or permitted by the legitimate interest of the Owner.
In particular, for the purposes indicated in nos. 1 and 2, the data will be retained for the time necessary to execute the contract, as well as – based on the legitimate interest of the Holder in the possible defense in court – until the expiration of the statute of limitations of any actions based on the contract.
For the purposes indicated in Nos. 3 and 4, data will be kept for the time stipulated by current regulations (e.g., accounting records, invoices, letters and telegrams received and sent must be kept for 10 years in accordance with Article 2220 of the Civil Code).
For the purposes indicated in nos. 5, 6 and 7, the data will be retained until the individual purpose is pursued or, if earlier, the User withdraws consent.
Once the retention period has ended, personal data will either be deleted or radically anonymized so as to prevent any re-identification of the User. The computer systems used to manage the data collected are configured, already at the outset, in such a way as to minimize the use of data when they are not absolutely necessary for the achievement of the purpose from time to time pursued.

(G) HIS RIGHTS

The Data Controller informs the User about the rights recognized to the same by Articles 13, par. 2, letters b) and d), 15, 16, 17, 18, 19 and 21 GDPR and precisely the rights of: access to data (art. 15 GDPR); rectification (art. 16 GDPR), cancellation (art. 17 GDPR), restriction of data processing (art .18 GDPR); data portability (art 20 GDPR); objection to processing (art. 21 GDPR); revocation at any time of one’s consent that may have been given (art. 13 par. II lett. c GDPR).
Requests can be addressed to the Controller, without formalities or, alternatively, using the template provided by the Data Protection Authority, by sending a registered letter with return receipt to the Controller at the above addresses or an e-mail to: privacy@villacrespi.it.
Where the processing is based on the User’s consent, the User has the right to revoke it at any time without affecting the lawfulness of the processing carried out prior to such revocation.
At the same time, if the User believes that with the processing of personal data carried out by this site the current legislation has been violated, he/she has the right to lodge a complaint with the competent Supervisory Authority (in Italy the Guarantor for the Protection of Personal Data).