INFORMATION ON THE PROCESSING OF PERSONAL DATA

of users who visit the “Pellicano Hotels” websites pursuant to Article 13 of Regulation (EU) 2016/679.

This page describes the management methods of the website regarding the processing of personal data of users who consult it and their privacy. This notice is also provided pursuant to Art. 13 of the GDPR 679/2016 – European Regulation on the Protection of Personal Data for those who interact with the web services of Pellicano Hotels accessible electronically at:

https://www.pellicanohotels.com/

which corresponds to the homepage of the official Pellicano Hotels website.

"CONTROLLERS" OF THE DATA PROCESSING

Following consultation of this site, data relating to identified or identifiable individuals may be processed. The "Controllers" of any personal data processed as a result of visiting this site and any other data used to provide our services are:

  • Pellicano Hotels S.p.A. – Loc. Sbarcatello, Porto Ercole (GR)
    (Website: pellicanohotels.com)
  • Pellicano OpCo S.r.l. – Loc. Sbarcatello, Porto Ercole (GR)
    (Siti: https://www.pellicanohotels.com/en/hotels/hotel-il-pellicano/, https://www.pellicanohotels.com/en/hotels/la-posta-vecchia-hotel/, issimoissimo.com)
  • Mezzatorre Hotel S.r.l. – Piazza Venezia 11, Roma
    (Sito: https://www.pellicanohotels.com/en/hotels/mezzatorre-hotel-e-thermal-spa/)

The privacy policies can be found on the relevant links available on the above websites.

DATA PROCESSING LOCATION

The data processing related to the web services of this site [physically hosted by SiteGround Spain S.L. ("https://it.siteground.com") on a server located within the EU in Amsterdam (NL), sub-processor RELACTIONS S.R.L. (https://www.relactions.com), designated as a data processor] takes place at our headquarters and is handled only by technical staff responsible for processing, or by individuals responsible for occasional maintenance operations.

The personal data provided by users who submit hotel reservation requests or send informational material (information, newsletters, registrations, etc.) are used solely to perform the requested service and are not disclosed to third parties, except in the following cases:

  • Business partners of the Hotels or the representation chain Leading Hotels of the World Ltd (www.lhw.com), which uses Sabre GLBL Inc (www.sabrehospitality.com) in the USA for online bookings via the SynXis platform (be.synxis.com);
  • Individuals, companies, or professional firms that provide assistance and consultancy to the Data Controllers in accounting, administrative, legal, tax, and financial matters;
  • Subjects authorized by law or by orders from authorities;
  • Data may be shared with the “Pellicano” Group hotels within the EU.

TYPES OF DATA PROCESSED – LEGAL BASIS – NATURE OF PROCESSING

BROWSING DATA

The IT systems and software procedures responsible for the functioning of this website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.

This information is not collected to be associated with identified subjects, but by its nature, it could allow users to be identified through processing and association with data held by third parties.

This category of data includes IP addresses or domain names of the computers used by users connecting to the site, URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the server response (success, error, etc.), and other parameters related to the user's operating system and IT environment. These data, necessary for the use of web services, are also processed for the purpose of:

  • obtaining statistical information on the use of the services (most visited pages, number of visitors by time slot or daily, geographical areas of origin, etc.);
  • ensuring the proper functioning of the services offered.

The data could be used to determine responsibility in case of hypothetical computer crimes against the site.

Legal Basis: Processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject do not override these interests. The legitimate interest is based on the reasonable expectations of the data subject and the activities strictly necessary for the functioning of the website and navigation – (Recital 47 – Art. 6, para. 1, letter f of the GDPR).

Nature of Provision: The provision of data is necessary for website navigation.

DATA PROCESSED THROUGH SOCIAL MEDIA PLATFORMS

Regarding the processing of personal data carried out by the managers of social media platforms used by the Data Controller, please refer to the information provided by them through their respective privacy policies. The Data Controller processes personal data provided by users through the social media pages, to manage interactions with users (comments, public posts, etc.) in compliance with applicable law.

DATA VOLUNTARILY PROVIDED BY THE USER

The optional, explicit, and voluntary sending of messages to the contact addresses of the Data Controller, the private messages sent by users to the institutional profiles/pages on social media (if this is foreseen), and the filling out and submission of forms on the Data Controller's website involve the acquisition of the sender's contact data, necessary to respond, as well as all personal data included in the communications. The data will only be stored for the subscription to newsletters or special offers and will not be shared with anyone. No personal information is collected or used regarding website visitors. Visitors remain anonymous. The only exception concerns personal identification information necessary to fulfill booking obligations towards the user.

A. NEWSLETTER

Site visitors may register for our newsletter service. Upon registration, the user’s email address will automatically be added to a list of contacts to which periodic email messages may be sent, containing updates, commercial, and promotional information about initiatives, events, or promotions from the Data Controller. To subscribe to the Newsletter, users may use the registration forms on the site by entering their first name, last name, phone number, and email address. The data entered will only be used to send our newsletter via email and will not be shared with third parties. The newsletters are processed through the CRM platform provided by e.RATIO s.r.l. with servers at OVH (Strasbourg - SBG3) – FRANCE, acting as a data processor.

B. BOOKINGS

When booking the hotel services offered through this site, the user must provide their name, last name, email address, phone number, and, when required, payment information and credit card details. The Data Controller will use this information only to process the booking and send specific information relevant to the confirmation, such as the receipt, booking code, and conditions. The information provided will not be used for commercial purposes and will not be sold, transferred, licensed, or otherwise forwarded to third parties, except for our reservation service providers Leading Hotels of the World Ltd and Sabre GLBL Inc for hotel reservations. In the case of hotel bookings, the booking service provider ensures the adoption of strict procedures to protect navigation data and the use of particular care to protect the personal data provided, including those relating to the credit card provided during online reservations.

Legal Basis: Processing is necessary for the execution of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject; (Recital 44 and Art. 6 1 letter b GDPR).

Nature of Provision: Provision is necessary. Failure to provide the necessary data will make it impossible to complete the bookings.

C. MANAGEMENT OF PERSONAL DATA COLLECTED THROUGH CURRICULA VITAE

Pellicano OpCo Srl accepts personal CVs from potential candidates both in paper and electronic formats. The spontaneous and voluntary submission of the CV will be considered implicit consent, informed by this notice, granted by the data subject for the receipt and processing of the personal data contained therein solely for the purpose of selecting potential candidates. The data processed for candidate selection purposes are personal and useful for finding the specific profile required. In general, personal data is of a normal type, except in certain cases where sensitive data may be indicated as necessary to identify specific requirements provided for by current regulations, such as indicating particular protected categories, suitability for specific jobs, and/or mandatory placements, in compliance with the limits indicated by the General Provision of the Data Protection Authority of June 5, 2019, which amended the General Authorization of the Data Protection Authority No. 1 of December 15, 2016, regarding the processing of sensitive data in employment relationships.

General Rules for Sending the CV

Any CVs received spontaneously, in response to an advertisement, or at our request, will be stored directly by the designated data processing staff according to the personal data security guidelines adopted in compliance with the security measures referred to in Chapter IV, Section 2 of GDPR 679/2016. These will be printed only during an interview and meeting with the candidate. After the interview, if the candidate is not selected, the CV will be stored for one year and then deleted and/or destroyed. In all other cases, after the interviews have taken place and the probationary period has been completed, the CVs will be stored for 12 months and then deleted from the computer and, if already printed, destroyed.

For CV submissions, please use the following address: Human Resources Division – Pellicano OpCo Srl, Località Sbarcatello 58019 Porto Ercole (Grosseto) or use the email address: recruiting@pellicanohotels.com.

Legal Basis: The processing is based on consent to the processing of personal data (Recital 42 and 43 and Art. 6 para. 1 letter a) of the GDPR) and/or the processing is necessary for the execution of a contract to which the data subject is a party, for the implementation of pre-contractual measures taken at the request of the data subject, or for the fulfillment of specific legal obligations – (Recital 44 and Art. 6 para. 1 letter b) and c) GDPR).

Nature of Provision: The provision of data is necessary for the purpose of participating in the selection processes.

D. ADMINISTRATIVE AND ACCOUNTING MANAGEMENT

For organizational, administrative, financial activities and for accounting and customer/user data management, the data controller may process the relevant personal data.

Legal Basis: The processing is necessary for the performance of a contract to which the data subject is a party (Recital 44) or for compliance with a legal obligation (Recital 44 - Art. 6(1)(b) of the GDPR).

Nature of Provision: The provision of personal data is mandatory, as it is essential to fulfill legal obligations.

COOKIES AND TRACKING TECHNOLOGIES USED

This website uses cookie technologies for various purposes, including computer authentication, session monitoring, and storing specific technical information about users accessing the web server provider, in compliance with the Guidelines on cookies and other tracking tools adopted on websites (June 10, 2021) by the Privacy Authority and the European Data Protection Board (EDPB) Guidelines from May 2020. Further information on the cookies used is available in the Cookie Policy of this website.

However, if the user blocks or deletes a cookie, it may not be possible to restore preferences or previously specified custom settings, and our ability to personalize the user experience will be limited.

Legal Basis: For non-technical cookies and equivalent technologies, processing is based on consent for the processing of personal data (Art. 6(1)(a) and Recitals 42 and 43 of the GDPR). Consent is provided through the site's banner and cookie policy.

Nature of Provision: See the cookie policy in the site's footer.

DATA RETENTION PERIOD OR CRITERIA FOR DETERMINING THE PERIOD

In accordance with Article 5(1)(e) of Regulation EU 2016/679, the personal data collected will be stored in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

The retention times for personal data provided through the website depend on the purpose of the processing, in particular:

  • Purpose related to technical navigation data for the proper functioning of the website: Without prejudice to any liability findings, navigation data does not persist for more than seven days;
  • Purpose related to responding to requests for information/provision of requested services: A maximum of 12 months for contact requests; 10 years for any administrative/accounting/financial documentation related to the provision of a service;
  • Data collection for personnel selection: A maximum of 12 months. In principle, data collected during the hiring process will be deleted as soon as it is clear that no job offer will be made or that the candidate will not accept the offer;
  • Newsletter, marketing, or promotional communications via email: A maximum of 24 months – until consent is withdrawn;
  • Administrative and accounting management purposes: 10 years, as per legal requirements for the retention of administrative/accounting/financial documentation;
  • Purposes related to the management of cookies: See the cookie policy in the site's footer;
  • Purposes related to whistleblowing management: See the notice on the reporting portal.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Personal data is not transferred to non-EU countries, except in cases described above, where appropriate safeguards are provided in compliance with Chapter V of the GDPR.

In the case of transfers to the USA or other third countries, in the absence of an adequacy decision under Article 45(3), or appropriate safeguards under Article 46, it may take place:

  • Google Advertising Cookies - through the EU Commission's adequacy decision vs. the third country or an international organization (Art. 45 GDPR), in particular the decision on the adequacy of protection provided by the EU-U.S. Privacy Shield Framework of July 10, 2023. See also the Cookie Policy;
  • LHW Booking Data based on the necessity of the transfer for the performance of a contract concluded between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject under Art. 6(a) and Art. 49(1)(b) of the GDPR.

OPTIONAL NATURE OF DATA PROVISION

Apart from what is specified for navigation data, the user is free to provide personal data in the request forms to Pellicano OpCo Srl or otherwise indicated in contacts with the hotel to send CVs, make online reservations, request the sending of informational materials or other communications. Failure to provide such data may make it impossible to obtain what is requested.

PROCESSING METHODS AND DATA PROTECTION MEASURES

Personal data is also processed by automated means for the time strictly necessary to achieve the purposes for which it was collected, as indicated in this notice. The Data Controller and Data Processors ensure the adoption of appropriate organizational, technical, and physical measures to guarantee an adequate level of security to mitigate the risk, and that personal data is processed adequately and in compliance with the purposes for which it is managed, as per Art. 32 of GDPR 2016/679. Specific security measures are observed to prevent data loss, illegal or incorrect uses, and unauthorized access. No automated decision-making process is involved in data processing.

RIGHTS OF DATA SUBJECTS

The Data Controller is Pellicano Hotels S.p.A., Località Sbarcatello Porto Ercole 58019 (Grosseto), and the Data Protection Officer is Mr. Massimo Bruno. You may contact them at any time to exercise your rights under Chapter III of GDPR 679/2016, in particular, the right to request access to personal data and rectification or deletion (Right to be Forgotten) or the restriction of processing or to object to its processing, the right to obtain a copy of the personal data undergoing processing, and the right to data portability by submitting a specific request, including via email: privacy@pellicanohotels.com.

RIGHT TO LODGE A COMPLAINT

Data subjects who believe that the processing of personal data relating to them through this website violates the Regulation have the right to lodge a complaint with the supervisory authority, as provided for by Art. 77 of the Regulation, or to pursue the appropriate legal proceedings (Art. 79 of the Regulation).

CHANGES TO THIS PRIVACY POLICY

This Privacy Policy is subject to regular review. We reserve the right, at our discretion, to change, modify, add, or remove sections of this policy at any time. This privacy policy will be updated to reflect any changes (including when they will take effect) if required by applicable data protection laws.