Customer privacy policy statement

Pursuant to art.s 13 and 14 of Regulation (EU) no. 2016/679 (hereinafter “GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, Nimar Srl in its capacity as Data Controller, is obliged to provide you with complete information concerning the purposes for which your personal data are processed and the procedures used, the entities to which your data may be disclosed, and all your legal rights with regard to the processing of your personal data by the Data Controller.

You are therefore kindly requested to note the information provided here and to give your consent to the processing by signing this privacy policy statement.

  1. Who decides the purposes for which the data are processed and the procedures used?

The Data Controller.

The Data Controller is Nimar Srl with registered office at Via Gagini no. 75 – Palermo – Register of Companies and VAT no. 04111310829 and Regional Identification no.19082053A201169.

2.          Which personal data does the Data Controller process?

The Data Controller will collect and process your personal data, meaning any data which may identify you and which can be directly or indirectly traced to you, such as (but not limited to):

  1. Personal identifying data;
  2. Special categories of data;
  3. Data relating to your stay;
  4. Personal preferences;
  5. Identification papers;
  6. Autograph signature;
  7. Purchasing history;
  8. Credit card and/or bank data;
  9. Security camera images;
  10. Data relating to the electronic devices used to connect to the hotel’s Internet;
  11. Data relating to telephone calls;
  12. Data concerning access to and use of ICT

and all other data necessary to provide the activities covered by point 4. Special categories of data will also be processed, including:

  • Health

3.          How are personal data collected?

Personal data are contributed to the Data Controller directly by the data subject or collected through other entities such as:

  • OTA (Online Travel Agencies) such as, for example, com, Venere.com, Worldhotels.com, Trivago.com, Expedia.com, etc;
  • Traditional travel agencies;
  • Institutions, Associations, Organisations, Businesses or individuals who organise events or stays at the hotel;

4.          Why do you collect my data? Purposes of the processing

The personal data collected by the Data Controller will be processed for the

following purposes:

  1. Customer management;
  2. Signing and management of contracts;
  3. Administrative management;
  4. Management of disputes;
  5. Customer care;
  6. Public relations
  7. Promotion, marketing and advertising;
  8. Protecting people’s physical health;
  9. Internal security;
  10. Protecting and guaranteeing people’s security and safety;
  11. Protecting the company’s assets and property;
  12. Allowing the use and guaranteeing the safety of ICT

Legal basis of processing

Personal data will be processed in strict compliance with legal requirements, in accordance with principles of lawfulness and ethics and without breaching your right to privacy. Personal data will be processed for:

  • Issue of consent;
  • Contractual and pre‐contractual obligations;
  • Legal obligations;
  • Legitimate interest of the Data

5.             How will the data collected be     processed?

Data will be processed in automated and/or manual form, in accordance with

the provisions of art. 32 of GDPR 2016/679, and in particular:

  1. Through operations which will enable the collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, use, communication, erasure and destruction of data;
  2. Through the use of electronic or other automated tools allowing the storage, processing and transmission of data, always configured in order to guarantee the maximum privacy and the necessary
  3. Through the use of paper documents with the adoption of suitable storage measures which prevent them from coming to the knowledge of unauthorised

6.     Why should I contribute my data to the Data   Controller? Can I refuse?

Nature of the contribution of data and Refusal to contribute them

If the contribution of personal data is necessary for the fulfilment of a contract or a legal obligation, processing is essential, and in case of a refusal to contribute or allow the processing of the data covered by this privacy policy statement, the Data Controller will be unable to provide the activities covered by point 4 and in general will be unable to fulfil the obligations undertaken.

With regard to the purposes of the data processing for which your consent is requested, the refusal will not affect the obligations undertaken.

7.  Who will obtain knowledge of my data? Disclosure of data

Your data may be transferred to and processed by other entities, in the capacity

of authorised processors, data processors or independent data controllers, for the fulfilment of precontractual, contractual or statutory obligations, or on the grounds of legitimate interest.

Categories of recipients may therefore include:

  • People in charge of data processing;
  • Data Processors;
  • System administrators;
  • Accounting Consultants;
  • Legal Advisers;
  • Banks;
  • Insurance companies;
  • Auditing firms;
  • Hotel infrastructure maintenance service companies;
  • Internet and email service provider companies;
  • Institutions, Associations, Organisations, Businesses or individuals who organise events or stays at the hotel;
  • Public authorities;
  • Police forces;

The data contributed to and collected by the Data Controller are not publicly disseminated or used for profiling.

8.   May my data be transferred abroad?

Personal data may be transferred to European Union Countries, non‐European Union Countries or an international organisation if this is necessary to provide the activities covered by point 4 and in general will be unable to fulfil the obligations undertaken. As of the date of this document, the countries to which your data are transferred are:

  • Other EU states (apart from Italy);
  • United Kingdom;
  • Ireland;
  • Switzerland;
  • USA;

9.   For how long will my data be stored? Storage

Your data will be stored for the time strictly necessary for the performance of

the activities related to the purposes set out in this Statement. Specifically, the storage times will be:

  • 10 years (as envisaged by Italian Civil Law ‐ 2220 Civil Code);
  • no more than 3 months from the check‐out date for credit card data;
  • no more than 3 years after the last check‐out for personal data, special data, stay‐related data, personal preferences, identification papers, signature, purchasing record and marketing

 

 

 

data (Points 2.1 to 2.7), unless otherwise specified by the data subject;

  • no more than 5 days for security camera images;
  • 90 days from check‐out for telephone traffic data;
  • 1 year for data concerning access to and use of ICT

In all cases, longer storage periods will apply if required by specific legislation in the sector. In the event of disputes, personal data will be stored until the end of the expiration period envisaged by law for the protection of rights relating to the contractual relationship.

10. What can I do to restrict, prevent or object to the processing of my data by the Data Controller?

Rights of the data subject

Via a specific written communication, sent by certified email or registered letter with return receipt to the Data Controller’s address, you have:

Right of access to data (Art. 15, GDPR)

To obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and specific information detailed in art. 15 of the GDPR.

Right to rectification (Art. 16, GDPR)

To obtain from the Data Controller, without undue delay, the rectification of inaccurate personal data concerning you, depending on the purposes of the processing, you also have the right to the supplementation of incomplete personal data, also by providing an additional statement;

Right to erasure (Art. 17, GDPR)

To obtain from the controller the erasure of personal data concerning you without undue delay, and the controller has the obligation to erase your personal data without undue delay, unless there are grounds impeding the exercise of the above right.

Right to restriction of processing (Art. 18, GDPR)

To obtain the restriction of processing of your personal data when possible, or to withdraw consent given previously. The withdrawal of consent is without prejudice to the lawfulness of the processing prior to the withdrawal.

Right to the portability of the data (Art. 20, GDPR)

If the processing is based on consent or on a contract, and is undertaken by automated means, you have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine‐readable format and to transmit them to another data controller, or have them transferred by the controller itself, if technically feasible.

Right to object (Art. 21, GDPR)

The right to object, on grounds relating to your situation at any time to processing of personal data concerning you which is based on the legitimate interest of the data controller or your consent, including profiling, unless the controller demonstrates compelling legitimate grounds for the processing which override your rights.

Right to ensure that your data are not subject to an automated decision‐making process, including profiling (art. 22, GDPR)

Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

As stated in point 7, the Data Controller does not use automated decision‐ making processes.

The right to lodge a complaint with a supervisory authority (Art. 77, GDPR)

Without prejudice to any other administrative or judicial remedy, if you consider that the processing of personal data relating to you infringes these regulations, you may lodge a complaint with the Supervisory Authority, and exercise all your rights under current legislation in general.

11. How long will it take to receive a reply from the Data Controller?

If you request information concerning your data, the Data Controller will reply as soon as possible ‐ unless this is impossible or implies a disproportionate effort ‐ and in all cases not more than 30 days after the application. Any inability to reply or delays on the part of the data controller will be justified.

12. Validity and duration

This privacy policy statement also applies to positions opened before 25.05.2018