INFORMATION ON THE PROCESSING OF PERSONAL DATA
of the users visiting the websites of Borgo San Felice Resort
Pursuant to Article 13 of EU Regulation 2016/679
This page contains a description of the policies for managing the website in regard to processing the personal data of the users who visit the site and their privacy. This information is provided pursuant to article 13 of Italian and European Privacy Code, Legislative Decree no. 196/2003 and GDPR 679/2016 – Laws concerning the Protection of Personal Data and the individuals who interact with the web services of Borgo San Felice Resort, which is accessible by telematics means through the following web address:
http://www.borgosanfelice.it
which corresponds to the home page of the official website of Borgo San Felice Resort, Loc. San Felice, 53019 Castelnuovo Berardenga (SI).
The information provided does not concern other online websites, pages or services that can be accessed via hyperlinks on the above website but relate to resources outside the Borgo San Felice Resort domain.
THE “DATA CONTROLLER”
Following access to this website, data pertaining to persons that are identified or identifiable may be processed. The “Data Controller” of the personal data collected following a visit to our website or any other data used for providing our services is Borgo San Felice Srl, Mr. Danilo Guerrini, Loc. San Felice, 53019 Castelnuovo Berardenga (SI). The Data Protection Coordinator is Mr. Massimo Bruno, who can be contacted at privacy@borgosanfelice.com .
PLACE WHERE DATA IS PROCESSED
The processing operations related to the web-based services that are made available via this website [physically "hosted" by Blastness S.R.L., Galleria del Corso,2 - 20122 - Milano (www.blastness.com) are carried out at the headquarters office exclusively by our technical staff in charge of said processing, or else by persons tasked with such maintenance activities as may be necessary from time to time.
The personal data obtained from the users who submit hotel booking requests or through informative material (informative notes, newsletters, registration, etc) is used only to carry out the services or assistance requested and is not transmitted to third parties, except in the following possible cases:
- Business partners of Borgo San Felice Srl, to whom Borgo San Felice transmits the data exclusively in order to avoid on-line reservations, among which Blastness S.R.L. and Relais & Châteaux and e Onyx CenterSource;
- Persons, companies or professional offices who lend assistance and consulting services to Borgo San Felice Resort concerning accounting, administrative, legal, financial and tax matters;
- Subjects who are authorized to have access to the data by law or through requests by the authorities;
CATEGORIES OF PROCESSED DATA – LEGAL BASIS – NATURE OF DATA PROVISION
NAVIGATIONAL DATA
The information systems and software procedures relied upon to operate this web site acquire personal data as part of their standard functioning; the transmission of such data is an inherent feature of Internet communication protocols. Such information is not collected in order to relate it to identified data subjects, however it might allow user identification per se after being processed and matched with data held by third parties.
This data category includes IP addresses and/or the domain names of the computers used by any user connecting with this web site, the URI/URL (Uniform Resource Identifier /Locator) addresses of the requested resources, the time of such requests, the method used for submitting a given request to the server, returned file size, a numerical code relating to server response status (successfully performed, error, etc.), and other parameters related to the user's operating system and computer environment. The data necessary for the use of web services are also processed in order to:
- obtain statistical information on the use of services (most visited pages, number of visitors by time or day, geographical areas of origin, etc.);
- check the correct functioning of the services offered.
The data will be used to ascertain responsibility in the event of hypothetical IT crimes against the site.
Legal Basis: The processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject who require the protection of personal data do not prevail, taking into account the reasonable expectations of the interested party and the activities strictly necessary for the functioning of the site and navigation itself. (Art. 6, par. 1, lett. f) and Recital 47 of the GDPR).
Nature of Data Provision: The provision of data is necessary for browsing the website.
DATA CARRIED OUT THROUGH SOCIAL MEDIA PLATFORMS
Regarding the processing of personal data carried out by the managers of the Social Media platforms used by the Data Controller, please refer to the information notice provided by them through their respective privacy policies. The Data Controller processes the personal data provided by users through the pages of the dedicated Social Media platforms, to manage interactions with users (comments, public posts, etc.) and in compliance with current legislation.
DATA VOLUNTARILY PROVIDED BY THE USER
Sending messages, on the basis of the user’s free, voluntary, explicit choice, to this website contact addresses, or sending private messages to the data controller social media pages and profiles (where this option is available), and filling in and sending the forms made available on the data controller websites entail the acquisition of the sender’s contact information – which is necessary to provide a reply – as well as of any and all the personal data communicated in that manner.
Data will be retained only for registration request to send the newsletters or special offers and will not be disclosed to anyone.
The personal information regarding the individual who visited the website is not collected or used. The visitors remain anonymous. The only exception to this rule concerns the information for personal identification needed to fulfill the booking contractual obligations on behalf of the user.
Reservations
In the event of reservations made through the website, the user must provide his name, address, telephone number and information regarding the payment manners and credit card used. Borgo San Felice Srl will use said information only to process the reservations and to send specific information, which is relevant to the confirmation of said, such as a receipt, the reservation code and the conditions.
The information provided will not be used for marketing purposes and will not be sold, transmitted, given by contract or sent to third parties an any way, with the exception of our provider of on-line reservation services, Blastness S.R.L., Piazza Castello, 26 - 20121 – Milano - ITALY (www.blastness.com)] and Relais & Châteaux Entreprise, 58-60, Rue de Prony - 75017 Paris – FRANCE (www.relaischateaux.com), or to the intermediary for commission payments Worldwide Payment System S.A.U dba Onyx CenterSource, INSUR Bldg. Diego Martínez Barrio 10, 4th floor, 41013 Seville - SPAIN (https://www.payments.onyxcentersource.com) to whom elaboration of the reservations is entrusted to, only for online reservations purposes.
In any event, the administrator of the website guarantees the use of scrupulous procedures in order to protect the navigational data and the use of particular precautions to protect the data pertaining to the credit card, which is provided during on-line reservations.
The credit card data used for booking will be automatically unavailable at the end of the stay.
The processing is necessary for the execution of a contract of which the interested party is a party (Recital 44 - art. 6 §. 1 lett. b of the GDPR)
Nature of Data Provision: The provision of personal data is mandatory, as it is essential to be able to execute legal obligations.
NEWSLETTER:
Site visitors can register for our newsletter service. By registering, the user's e-mail address will automatically be included in a list of contacts to which e-mail messages will be sent. The newsletter will be containing periodic updates with commercial and promotional information relating to initiatives, events or promotions of the data controller.
To subscribe to the newsletter, you can use the registration forms on the site by entering your name and e-mail address. The information supplied with the registration form will be only used to sending our newsletter via e-mail and will not be disclosed to third parties. The newsletters will be sent through the DigitalOcean platform owned by " DigitalOcean LLC” (https://www.digitalocean.com/legal/), and data will be processed through the CRM platform provided by Ingenia Direct s.r.l. (www.ingeniadirect.com) with servers located at OVH (Strasbourg - SBG3) – FRANCE, acting as data processors.
Personal Data Processing Collected From Curriculum Vitae
You can use the Borgo San Felice Srl contact form to send candidates' CVs in digital format. Providing spontaneous and voluntary of the Curriculum Vitae data will be considered as implicitly informed consent by the data subjects for personal data processing contained, only following the purposes related to the selection of potential candidates.
The data processed for the purpose of selection of candidates are personal useful to search for the particular profile. In general, the nature of the data is normal, except in some cases where you may indicate any sensitive data necessary to identify the specific requirements of the regulations, such as specifying a particular protected classes, the suitability for certain jobs and / or start-ups required. These particular data will be processed with explicit consent of the data subject to the processing of such personal data for one or more specific purposes;
The provision of data relating to the selection of candidates is required. Any refusal to provide such data makes it impossible to perform an orderly selection and the possible recruitment. The data in question will not be disclosed to anyone.
Legal Basis: the processing is based on the consent to the processing of personal data (Recitals 42 and 43 and art. 6, §. 1, lett. a) of the GDPR) and/or the processing is necessary for the execution of a contract of which the data subject is a party or for the execution of pre-contractual measures adopted at the request of the same. (Recital 44 and Art. 6, §. 1, lett. b of the GDPR).
Nature of Data Provision: The provision of personal data is mandatory, failure to provide the necessary data will make it impossible to apply.
General Rules for providing the CV
Any CV received spontaneously, replying to a job advertisement, will be stored directly by person in charge of the processing in accordance with the safety guidelines of personal data adopted in compliance with the security measures according to Chapter IV Section 2 of GDPR 679/2016. These will be printed only at a selection meeting with the data subject.
To send Curriculum Vitae use the following addresses:
- Human Resources Dpt, Borgo San Felice Srl, Loc. San Felice, 53019 Castelnuovo Berardenga (SI)
- E-mail: recruitment@borgosanfelice.it
Administrative, Financial and Accounting Data Management
For organisational, administrative, financial nature and for accounting and customer/user data management, it is possible that the data controller may process the relevant personal data.
Legal Basis: The processing is necessary for the execution of a contract of which the data subject is a party (Recital 44) or for the fulfillment of legal obligations (Recital 45) - art. 6 §. 1 lett. b) and c) of the GDPR.
Nature of Data Provision: The provision of personal data is mandatory, as it is essential to be able to execute legal obligations.
COOKIES AND TRACKING TECHNOLOGIES USED
In this website we are applied cookies technologies for different purposes, including computer technology authentication or to monitor sessions, and to store specific technical information regarding the users that access to the web server provider, in compliance with Guidelines on cookies and other tracking tools adopted on the websites (10 June 2021) of the Italian Data Protection Authority and Guidelines of the European Data Protection Board (EDPB) of May 2020. More information on the cookies adopted available in the Cookie Policy of this site web.
For the non-technical cookies and similar technologies, the processing is based on the consent to the processing of personal data (Recitals 42 and 43 and art. 6, §. 1, lett. a of the GDPR). The consent is given through the banner and the cookie policy of the website.
Nature of Data Provision: See the cookie policy in the website footer.
WHISTLEBLOWING
Borgo San Felice Srl has adopted an internal communication channel that can be reached through a specific link on this website, pursuant to and for the purposes of Legislative Decree no. 24 of 10 March 2023 concerning "the protection of people who report breaches of Union law and containing provisions regarding the protection of people who report breaches of national regulatory provisions", implementing Directive (EU) 2019/1937. The data will be processed through the platform made available by Allianz Group and will be managed in compliance with the organisational, physical and logical measures in compliance with the provisions of the art. 32 of the GDPR 2016/679.
Legal Basis: The processing is necessary for the fulfillment of legal obligations (Recital 45 - art. 6 §. 1 lett. c of the GDPR).
Nature of Data Provision: See the information on the reporting portal.
PERIOD FOR DATA RETENTION - CRITERIA USED
According to the provisions set forth in art. 5 par. 1 lett. e) of the Regulation (EU) 2016/679, collected personal data shall be kept in a form which permits identification of data subjects for a period not exceeding the purposes for which the personal data were collected and subsequently processed.
Data retention periods depend on the purposes of the processing:
- purposes related to technical navigation data for the correct functioning and browsing the website: data are kept for no longer than seven days (except where judicial authorities need such data for establishing the commission of criminal offences);
- purpose of reply to info request/services supply request (up to 12 months for contact requests; 10 years for administrative / accounting / financial documentation relating to the provision of a service);
- purposes related to the management of Hand-outs Gift/Donations: the data retention period is determined based on the time period necessary to execute the donation or pre-contractual obligations, in all phases and related administrative and reporting communications. Therefore, they will be kept for the entire period of activation of the donation, where performed on a regular basis (e.g. monthly donation) or for the time necessary to manage the free donation. Furthermore, the period is determined on the basis of individual national and community regulations that impose legal obligations, for which for administrative, fiscal and accounting purposes, therefore, the data is retained for a period of ten years.
- data collection for staff recruitment (up to 24 months). In principle, the data collected during the recruitment process will be deleted as soon as it becomes apparent that no job offer will be made or that the offer will not be accepted by the candidate;
- newsletter, marketing or promotional communications in general (up to 24 months -until withdrawal of consent)
- purpose of administrative / accounting / financial management: 10 years as required by law for the conservation of administrative / accounting / financial documentation.
- purpose of cookie management: See the cookie policy in the website footer.
- purpose of whistleblowing reports management: 5 years - see also the information on the reporting portal.
TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
Personal data is not transferred to non-EU third countries, except for any cases described above where the controller provide appropriate safeguards, in compliance with the provisions of Chapter V of the GDPR 679/2016, in particular:
- For transfers to the USA or others extra EU countries, in the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, it takes place on the basis of:
- Google Advertising Cookie: by standard data protection clauses adopted by the EU Commission (Article 46, 2c GDPR) according to commission implementing decision (EU) 2021/914, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council for Transfer controller to processor of 4 June 2021 for the transfer of personal data to third countries. See also the Cookie Policy;
- an adequacy decision of the EU Commission vs third country or an International organization (Article 45 GDPR), particularly the decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield Framework of 10 July 2023
OPTIONAL DATA PROVISION
Subject to the specifications made with regard to navigation data, users are free to provide the personal data listed in the request forms of Borgo San Felice or referred to in contacting the hotel in order to provide CV, to make on-line reservations or to request delivery of information materials and other communications. Failure to provide such data may entail the failure to be provided with the items requested.
PROCESSING ARRANGEMENTS AND DATA PROTECTION MEASURES
Personal data is also processed with automated means for no longer than is necessary to achieve the purposes for which it has been collected indicated in this information. The Data Controller and the Data Processors ensures the adoption of appropriate technical and organisational measures to ensure a level of security appropriate to the risk and that personal data are processed adequately and in accordance with the purposes for which they are processed, in compliance with the provisions of the art. 32 of the GDPR 2016/679. Specific security measures are implemented to prevent the data from being lost, used unlawfully and/or inappropriately, and accessed without authorisation. There is no provision for an automated decision-making process for the processing of personal data.
DATA SUBJECTS' RIGHTS
You may contact the Data Controller at any time to exercise your rights as provided for in Chapter III GDPR 679/2016, in particular, the right to obtain confirmation as to whether or not personal data concerning him exist and the logic applied to the processing, the right to ask for their integration, the right to object to their processing on legitimate ground, and the right to request rectification, updating, erasure (right to be forgotten) or blocking of data that have been processed unlawfully, the right to obtain a copy of the personal data being processed as well as the right to data portability to another controller. The requests should be sent to:
Borgo San Felice Srl, Loc. San Felice, 53019 Castelnuovo Berardenga (SI), or at e-mail address (privacy@borgosanfelice.com). The Data Protection Officer DPO e-mail contact is: dpo@borgosanfelice.com
Furthermore, it is to exercise the right to lodge a complaint with the Privacy Supervisor Authority, according to the law.
RIGHT TO LODGE A COMPLAINT
If a data subject considers that the processing of personal data relating to him or her as performed via this website infringes the Regulation, he or she has the right to lodge a complaint with the Data Protection Authority pursuant to Article 77 of the Regulation, or to an effective judicial remedy pursuant to Article 79 of the Regulation.
VOICE YOUR CONCERNS - WHISTLEBLOWING
This reporting channel gives all persons working for Allianz as well as all external stakeholders the opportunity to confidentially report suspected violations of laws, regulations or internal rules, also pursuant to and for the purposes of Legislative Decree no. 24 of 10 March 2023 concerning "the protection of people who report breaches of Union law and containing provisions regarding the protection of people who report breaches of national regulatory provisions". Your report will be handled in strictest confidentiality and can be made completely anonymously, if preferred.
To send the report click HERE:
ALLIANZ GROUP PRIVACY POLICY
To consult the Allianz Group Privacy Policy, click HERE