Cabrera S.r.l., with registered office in Ragusa, Via Gen. S. La Rosa, 4 – 97100 and email firstname.lastname@example.org, is the Data Controller for the processing of Personal Data (hereinafter, the “Data Controller”).
Data subject to processing
The computer systems and software procedures used to operate this Website acquire, during normal operation, some personal data that is then transmitted implicitly in the use of internet communication protocols.
This is information which, by its very nature, could identify users/visitors (e.g. IP address, domain names of computers used by users/visitors connecting to the Website, etc.) through processing and association with data held by third parties.
This data is only used for statistical information and to monitor the proper functioning of the Website.
In any event, web contact data is not retained for more than seven days, except when it is necessary to monitor instances of criminal activities against the Website.
No data deriving from the web service is communicated or disclosed.
Data provided voluntarily by Users/Visitors
If users/visitors connecting to this Website submit their personal data in order to access certain services or to make requests through email, they are aware that this involves the Data Controller’s acquisition of the sender’s address and/or any other personal data which, in turn, will be processed exclusively to respond to the request or to provide a service to the sender.
The personal information provided by users/visitors will be disclosed to third parties only if such disclosure is necessary to comply with requests made by users/visitors themselves or to satisfy legal obligations or public authorities.
Data processing procedures
Data is processed via automated means (i.e. using electronic procedures and electronic devices) and/or manually (i.e. hard copies) for the time strictly necessary to achieve the purposes for which the data was collected, albeit in accordance with the legal provisions in force.
Purpose for processing
In addition to those indicated in the individual policies that precede the completion of the forms of the different sections of the Website, the purposes of the processing performed by the Data Controller must be understood as:
collection, storage and processing for the purposes of establishing the contractual relationship (availability check and online quote). Categories of data: general information and contact details, date of arrival and departure;
collection, storage and processing for requirements relating to the establishment and/or performance of the established contractual relationship and operational and administrative (accounting and tax) management of the contractual relationship (reservation). Categories of data: general information and contact details, tax code and/or VAT number, bank details, credit and debit card details provided as guarantee and/or balance, list of services and products requested and purchased, date of arrival and departure;
collection, storage and processing to perform statistical analysis in anonymous and/or aggregate form, market research, statistical and economic analysis. Categories of data: navigation data on the pages of the Website, place of residence, length of stay, period of stay, type of room, number of minors, booking method or request;
collection, storage and processing for the communication of sales information on future initiatives and new product or service announcements, including the sending of advertising and/or promotional material and for the execution of games with prizes and promotional initiatives in general. Categories of data: general information and contact details, date of arrival and departure
Legal basis for processing
The legal basis of the processing of the Website users/visitors’ data (the “Data Subjects”) performed by the Data Controller through the Website is constituted:
as to the collection, storage and processing for the purpose of establishing the contractual relationship (availability check and online quote), by pre-contractual measures adopted at the request of the Data Subject as set forth under art. 6 lett. b) Regulation 2016/679/EU;
with regard to the collection, storage and processing for requirements relating to the establishment and/or performance of the established contractual relationship and operational and administrative (accounting and tax) management of the contractual relationship (reservation), by the performance of a contract of which the Data Subject is a party as set forth under art. 6 lett. b) Regulation 2016/679/EU;
as for the collection, storage and processing to perform statistical analysis in anonymous and/or aggregate form, market research, statistical and economic analysis, by the pursuit of the legitimate interest of the Data Controller as set forth under art. 6 lett. f) Regulation 2016/679/EU;
regarding the collection, storage and processing for the communication of sales information on future initiatives and new product or service announcements, including the sending of advertising and/or promotional material and for the execution of games with prizes and promotional initiatives in general, by, alternatively: (i) the consent of the Data Subject as set forth under art. 6 lett. a) Regulation 2016/679/EU or, in the absence of this, (ii) the c.d. soft spam set forth under art. 130, paragraph 4, Legislative Decree 196/03. The Data Subject, on the occasion of sending each communication made, is informed of the possibility of opposing the processing at any time.
In some cases, in addition to the Data Controller, certain categories of managers and authorized parties involved in the business organization of the Website may have access to the data, including – by way of mere example – administration, sales, marketing, legal, system administrators (jointly referred to as the “Data Processors”). Furthermore, the Data Controller may use external parties (such as third-party technical service providers, carriers, hosting providers, cloud services, IT companies, communication agencies) who may be appointed as external Data Processors. The updated list of Data Processors can be requested to the Data Controller via the email indicated below.
Transfer to a non-EU country
For the services offered by the Website, the Data Controller uses servers located in Italy and thus, on the basis of Regulation 2016/679/EU, is to be considered as falling within the EU.
Data processed by the Data Controller will never be disclosed.
Data processing location
The processing related to the services of the Website takes place at the registered office of the Data Controller and is handled only by the technical staff in charge of processing
Timing of data retention
It is acknowledged that:
as for the processing for the purpose of establishing the contractual relationship (availability check and online quote), the data retention period is 3 months from the collection date;
as for the processing for requirements relating to the execution and/or performance of the established contractual relationship and the operational and administrative (accounting and tax) management of the contractual relationship (reservation), the data retention period is 10 years (and even beyond in the event of disputes or tax assessments) from the collection date;
with regard to the processing for anonymous and/or aggregate statistical analysis, market research, statistical and economic analysis, the data retention period is 12 months from the date of collection;
as to the collection, storage and processing for the communication of commercial information, the data retention period is 24 months from the date of collection.
Voluntary or mandatory submission of data
Without prejudice to what specified for navigational data that automatically acquires data, users/visitors are free to provide their personal data or otherwise. Failure to provide the data can merely render it impossible to obtain the requested service.
Rights of data subjects
Pursuant to Regulation 2016/679/EU, the Data Subjects whose personal data is collected have the right at any time to obtain confirmation of the existence of such data and to know its content and origin, verify its accuracy or request its integration, updating or correction.
In relation to the processing of the aforementioned data, the user/visitor has the right to obtain from the Data Controller:
confirmation of the existence or otherwise of Personal Data, its communication in intelligible form and knowledge of its origin, as well as the logic on which the processing is based;
the cancellation, within a reasonable period, of the data, its transformation into anonymous form or the blocking of data processed in violation of the law;
the updating of the data, its rectification or – whereby there is interest – its integration;
a guarantee that the operations referred to in points 2 and 3 above have been brought to the attention of those to whom such has been communicated, provided that this is not impossible or involves the use of disproportionate means;
the rectification or erasure of data concerning the Data Subject or the limitation of processing;
the revocation of consent relating to optional processing and not related to the execution of the contract signed with the Data Controller.
The subjects to whom the personal data refer also have the right to object for legitimate reasons to the processing of personal data concerning them, even if pertinent to the purpose of the collection, to request portability, exercise the right to be forgotten, as well as contact the Supervisory Authority responsible for the protection of personal data for any breach that the Data Subject believes to have suffered.
The Data Controller contact details are as follows: