Request for availability and prices

Information regarding processing of personal data

DATA CONTROLLER

The owner of the data processing of the visitors of the website www.alponteantico.com is ALM@ S.r.l. - P.IVA 03192900276 - with registered office in Calle dell'Aseo, Cannaregio 5768 – 30131, Venice. ALM@S.r.l can be reached at: tel. +39.041.2411944, fax +39.041.2411828, or by e-mail at info@alponteantico.com

TYPE OF PERSONAL DATA PROCESSED

Pursuant to the EU Regulation No. 679/2016 (the General Data Protection Regulation, "GDPR"), this page describes how the personal data of users consulting the website of the hotel "Al Ponte Antico" (hereinafter "Website") accessible electronically at https://www.alponteantico.com/, are processed.

The navigation data of computer systems and the software procedures responsible for the operation of the website acquire, in their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This is information is not collected to be associated with identified interested person, but which by its very nature might, through elaboration and association with data held by third parties, allow to identify the users. The data collected include, for instance, the IP addresses of the computers used by users who connect to our website, the URI (Uniform Resource Identifier) notation addresses of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment.

This data is used for the sole purpose of obtaining statistical information on the use of the website, to check its correct operation and for security reasons. The data could be used to ascertain responsibility in case of computer crimes against the site.

This data may be provided implicitly by the tools used to access and use the services or may be directly provided by the user.

The provision and processing of data is not mandatory, however, failure to provide it may have consequences on components of the service that require their availability (e.g.: without the e-mail address, it will not be possible to provide newsletter services or use the hotel room reservation service).

If the user decides to make a reservation through the appropriate function available on our website, by filling out the appropriate reservation masks, he or she will be connected to a "reservation engine" (a software program that allows the user to consult hotel availability and prices and to make online reservations at our hotel facility).

This booking engine is provided by our Partner NOZIO, appointed as the Data Processor.

The reservation system processes the following data:

Common data (e.g., first name, last name, e-mail, phone, country of origin, credit/debit card no., holder, expiration date).

The provision of data is voluntary, but failure to provide it will not allow the requested service to be carried out. The legal basis for processing is found in Art. 6 paragraph 1 letter a) "the data subject has given consent to the processing of his or her personal data for one or more specific purposes; "

Listed below are, by way of example, the main types of personal data collected:

technical navigation data related to IP address, pages visited or services accessed/invoked, identification codes of devices used by the user to use the site or services, browser type and access times;

common identifying data provided by the user (e.g., first name, last name, e-mail, phone number, etc.) for the use of products and services, data on preferences for configuring products and services, data on preferences regarding the content to be displayed.

Access to data is allowed to categories of the Owner's appointees from the organization involved in data processing (administrative staff, sales staff, system administrators, etc.). The designated individuals have been duly trained and instructed to carry out these tasks in compliance with current regulations.

In relation to the nature of the processing and the skills and technology required for the pursuit of the purposes, the Data Controller may make use of the support of external providers (such as third-party technical service providers, postal couriers, hosting providers, IT companies).

In order to ensure the adequate protection and safeguarding of data, the Data Controller uses only qualified suppliers who have been appointed as Data Processors for technical and organizational tasks instrumental to the pursuit of the purposes.

The External Data Processor, to the extent of his or her competence, is required by law and relevant appointment by the Controller, for himself or herself and for anyone acting under his or her authority, to implement the security measures provided for the regulations currently in force regarding the processing of personal data, by assisting the Controller in ensuring compliance therewith.

The Data Processor, taking into account the state of the art and costs of implementation, the nature, object, context and purposes of the processing, and the risks of different probability and severity for the rights and freedoms of natural persons, shall ensure that the security measures prepared and adopted by the reservation system are adequate to guarantee a level of security appropriate to the risk, in particular against: destruction, loss, modification, unauthorized disclosure or access, accidentally or illegally, to personal data transmitted, stored or otherwise processed, data processing that is not permitted or not in accordance with the purposes of the processing operations.

The Data Processor shall apply the security measures, mentioned above, in order to ensure, among others, the pseudonymization and encryption of personal data; the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of processing systems and services; and the ability to promptly restore the availability and access of personal data in the event of a physical or technical accident.

The optional, explicit and voluntary sending of messages to the contact addresses indicated in this website, private messages sent by users to institutional profiles/pages on social media (where this possibility is provided for), as well as the completion and submission of forms (cd forms), entail the acquisition of the sender's contact data, necessary to respond, as well as all personal data included in the communications.

The legal basis for the processing is found in Article 6 paragraph 1 letter a) "the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

COOKIES AND OTHER TRACKING SYSTEMS

A cookie is a short string of text that is sent to your browser and eventually, saved on your computer/smartphone/tablet (or any other tool you use to access the Internet); cookies are generally sent each time you visit a website. The Data Controller uses cookies for a variety of purposes in order to provide a fast and secure digital experience, for example, by allowing you to maintain an active connection to the secure area while navigating through the pages of the site.

Cookies stored on the user's terminal cannot be used to retrieve any data from the hard disk, transmit computer viruses or identify and use the e-mail address.

For more information on what cookies are and how they work, you can refer to the "All about cookies" website http://www.allaboutcookies.org. For more information, please refer to the cookie policy found at https://www.alponteantico.com/cookie-policy/

DURATION OF PROCESSING AND DATA RETENTION

The data provided will be processed and stored for the period strictly necessary for the pursuit of the purposes stated above. This is without prejudice to storage for a longer period in connection with requests from public authorities or in connection with needs related to the exercise of the right of defense in case of litigation.

Browsing data do not persist for more than seven days (except for any need for the investigation of crimes by the judicial authority).

MODALITIES, PROCESSING LOGIC, STORAGE TIME AND SECURITY MEASURES

Regarding data security, in the sections of the website set up for particular services, where personal data are requested from the navigating user, the data are encrypted using a security technology called Secure Sockets Layer, abbreviated to SSL.

SSL technology encrypts the information before it is exchanged over the Internet between the user's processor and remote servers, making it unintelligible to unauthorized parties and thus ensuring the confidentiality of the information transmitted; in addition, transactions made using electronic payment instruments are carried out using the Payment Service Provider (PSP) platform directly, and the Holder retains only the minimum set of information necessary to handle any disputes.

Precisely with reference to the aspects of personal data protection, the user/customer is invited, in compliance with Article 33 of the GDPR to report to the owner any circumstances or events from which a potential "personal data breach (data breach)" may arise in order to allow an immediate assessment and the adoption of any actions aimed at counteracting such an event by sending a communication to the above-mentioned contact details.

The measures taken by the Data Controller do not exempt the data subject from paying the necessary attention to the use, where required, of passwords/PINs of appropriate complexity, which he/she will have to update periodically, especially in case he/she fears they have been hacked/known by third parties, as well as carefully guard them and make them inaccessible to third parties, in order to avoid improper and unauthorized use.

AREAS OF COMMUNICATION AND DATA TRANSFER

In pursuit of the above purposes, the Controller may disclose and make processing, in Italy or in the EU, personal data of users/customers to third parties with whom we have relationships, where these third parties provide services at our request. We will only provide these third parties with the information necessary to perform the requested services taking all measures to protect your personal data.

Personal data may be communicated to the competent public subjects and authorities for the needs of compliance with regulatory obligations or for the ascertainment of responsibility in case of computer crimes to the detriment of the site as well as communicated to, or allocated at, third parties (as managers or, in the case of providers of electronic communication services, as autonomous holders), who provide computer and telematic services (e.g. hosting services, website management and development) and which Data Controller uses to carry out tasks and activities of technical and organizational nature also instrumental to the functioning of the website. The subjects belonging to the above categories operate as separate Data Controllers or as Managers appointed for this purpose by the Data Controller.

Personal data may, in addition, be known by employees/consultants of the Owner who are specially trained and appointed as Data Processors.

RIGHTS OF INTERESTED PARTIES

The person concerned may at any time exercise the rights granted to him or her by law, including:

- to access your personal data, obtaining evidence of the purposes pursued by the Data Controller, the categories of data involved, the recipients to whom the data may be disclosed, the applicable retention period, and the existence of automated decision-making processes;

- to obtain without delay the rectification of inaccurate personal data concerning you;

- to obtain, in the cases provided for, the cancellation of your data;

- to obtain restriction of processing or to object to processing when possible;

- to request the portability of the data you have provided to Data Controller, i.e., to receive it in a structured, commonly used, machine-readable format, including for the purpose of transmitting such data to another data controller, within the limits and constraints of Article 20 of the GDPR;

The user can always revoke consent and exercise the right to object to direct marketing where previously requested.

In addition, you may file a complaint with the Data Protection Authority under Article 77 of the GDPR.