INFORMATION ON THE PROCESSING OF PERSONAL DATA
Regolamento (UE) 2016/679

According to art. 13 of the Personal Protection Privacy Code2016/679, pleased be advised that after having consulted our website www.grandhotelcostabrada.it and the connected portal https://booking.ericsoft.com/BookingEngine/Book?idh=635A24ED5D8A7EEB, data referring to identified or identifiable people may be processed.
The information must not be considered valid for other websites that may be consulted through links on the domain owner’s internet sites, which are not to be considered in any way responsible for third party websites.
By visiting the above mentioned website, personal data may be processed.

Data Controller
Responsible for the data processing is Costa Brada S.r.l. (hereinafter also referred to as Data Controller or Company Controller) located in Via Lit. per Santa Maria di Leuca, km. 4 – 73014, Gallipoli (LE), VAT number.: IT04133370751, e-mail: privacy@grandhotelcostabrada.it; phone number +39 0833 202551, fax number: +39 0833 202555

Purpose of treatment, legal basis and nature of the provision.
For the purposes expressed in this information will be processed only personal data (no sensitive information).
The data will be processed in compliance with the conditions of lawfulness pursuant to art. 6 of the Regulation, in order to:

a. To browse this website and technical management of its connections.
The computer systems responsible for the operation of the websites acquire, during their normal operation and for the sole duration of the connection, some personal data whose transmission is implicit in the use of internet communication protocols.
This information is not collected to be associated with identified interested parties, but by their very nature could, through processing and association with data held by third parties, allow the identification of users.
This category of data includes, for example: IP addresses or computer names used by users who connect to websites, URI (Uniform Resource Identifier) addresses of the requested resources, the characteristics of the browser used for navigation, the screen resolution in which the browser is run on the device used, and other parameters related to the operating system and the computer environment of the user. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the sites and to check their correct functioning, and are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the sites.

Legal basis of the processing: the processing is necessary for the pursuit of the legitimate interest of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail, especially if the interested party is a minor (art. 6 paragraph 1, letter f of the GDPR).

The data required for the purposes indicated are necessary to allow navigation on the site.

b. to respond to requests for information or contact and other types of requests, made by customers/ users about the services offered by the Owner.
The voluntary sending of e-mail to the e-mail addresses indicated on the above mentioned website or the compilation of the specific contact form published, involves the subsequent acquisition of the e-mail address of the sender, the telephone number, name and other data necessary to respond to requests for information on the availability of the services of the structure, as well as any other personal data included voluntarily in the message. This also applies to the management of complaints forwarded by users and the feedback to them.

Legal basis of the processing: the processing is necessary for the execution of a contract in which the interested party is involved or for the execution of pre-contractual measures adopted on request of the same (art. 6 paragraph 1, letter b of the GDPR).

The provision of data is optional, considering that they are necessary to be able to respond to the requests of the interested party, Therefore an eventual lack would have as effect the impossibility to send and/or to receive and/or to supply answer to the demands of the interested one.

c. Booking and purchase of the services offered by the owner and made by customers/ users.
By voluntarily inserting personal data in the dedicated section of the portal https://booking.ericsoft.com/BookingEngine/Book?idh=635A24ED5D8A7EEB, reachable from the main site through the button BOOK NOW and, therefore registering at the same the user/ customer allows Costa Brada S.r.l. to use personal data to receive and manage reservations, process payments and send communications relating to bookings and provision of services requested.
The user/ customer can, subsequently, make access to their reserved area using their Facebook account or Google, or by entering the credentials communicated at the time of registration.

Legal basis of the processing : execution of a contract in which the interested party is involved or the execution of pre-contractual measures adopted on his request (art. 6 paragraph 1, letter b of the GDPR).

The provision of data is optional but necessary to be able to conclude and execute the contract requested by the interested party. Failure to provide data lead to the impossibility of concluding the booking/ purchase of products or services.

d. Newsletter and marketing
By voluntarily entering personal data in the specific section of subscription to the Newsletter, thus expressing consent to the processing for activities of newsletter/marketing, giving its specific consent at the bottom of the data collection forms on the site, the user accepts, separately, the sending by Costa Brada S.r.l. of newsletters or commercial offers, market research or other sample research and direct sales, informative material for the detection of the degree of satisfaction, promotional, commercial and advertising material or related to events and initiatives of the Owner. In the latter case, the sending can be made by automated means, e-mail, fax, messages of the type Mms or SMS or other type, as well as by telephone calls via operator or paper mail.

Legal basis of the processing : the interested party has given consent to the processing of his personal data for one or more specific purposes (art. 6 paragraph 1, letter a of the GDPR)

The data requested for the purposes indicated are necessary to send commercial communication and promotional material to the person involved. Failure to provide data has as its only effect the impossibility to send commercial communication and promotional material. The person involved has the right to revoke the consent given at any time, without prejudice to the lawfulness of the processing based on consent given before revocation (art. 7, subsection 3, del GDPR) simply through a request formulated by e-mail to the addresses of the Data Controller indicated above, or using the form I Rights of the Data Subject downloadable at the following link or available at the bottom of the website homepage.

Methods of data processing: The processing will be carried out with manual, IT and telematic tools in compliance with the rules in force and the principles of correctness, lawfulness, transparency, relevance, completeness, accuracy and logic of organization and processing strictly related to the purposes pursued and in any case in order to ensure the security, integrity and confidentiality of the data processed, in compliance with organizational measures, the physical and logical provisions in force.

Data retention period: In compliance with the provisions of art. 5 paragraph 1 lett. e) of Reg. EU 2016/679, the personal data collected will be stored in a form that allows the identification of data subjects for a period of time not exceeding the achievement of the purposes for which the personal data are processed. The storage of personal data provided depends on the purpose of the processing.

For data relating to the purpose a.: up to the duration of the browsing session and in any case not more than 7 days
For data relating to the purpose b.: maximum 1 year
For data relating to the purpose c.: according to tax and civil law
For data relating to the purpose d.: until revocation of consent and in any case no later than 2 years
After these terms, the data will be deleted or transformed into anonymous form, unless their further storage is necessary to fulfil the contractual obligations entered into, legal obligations or to comply with orders issued by Public Authorities and/or Supervisory Bodies.

Recipients of data or categories of recipients: For the pursuit of the purposes described, or in the event that this is indispensable or required by provisions of law or by authorities with the power to impose it, the Data Controller reserves the right to communicate the data to persons appropriately appointed Data Processors or acting as independent holders or joint holders, belonging to the following categories:
• professional studies or companies in the field of assistance and advice;
• persons providing services for the management and/or maintenance of the information system used by the Owner and telecommunications networks, including e-mail and website management;
• Authorities and Supervisory and Control Bodies and, in general, public or private entities, with functions of public importance (e.g.: Prefecture Police, Judicial Authorities, in any case only to the extent that the conditions established by the applicable legislation are met);

The data may also be known, in relation to the performance of the tasks assigned, by the staff of the Holder, including interns, temporary workers, all of which are specifically authorised for processing and under the control of the Data Controller or a designated Data Processor.

Data transfer abroad: your data will not be transferred to non-EU countries.

Dissemination of data: user data will not be disseminated.

Use of Social Networks: From the website you can connect to the company pages of Costa Brada S.r.l. on the Social Networks, through the respective icons (Facebook, Instagram, Linkedin), or to dedicated pages on third-party sites (e.g. Tripadvisor).

As is well known, the Social Networks autonomously regulate their privacy for those who browse, post and communicate through them, being in this case the main data controllers.

We therefore invite the user to visit, for more information, the following links:

https://www.facebook.com/privacy/explanation
https://policies.google.com/privacy?hl=it&gl=it
https://help.instagram.com/519522125107875
https://www.tripadvisor.it/pages/LSOInfo.html

However, when the user is in the social pages managed by Costa Brada S.r.l. and communicates, in various ways, their personal data (eg. through a private message or by commenting a post or leaving a review), or when the Social Networks provide some statistics on the use of pages in a non-anonymous way (and therefore reconnectable to the activity carried out on the page, by the specific person) is Costa Brada S.r.l. to become the Data Controller.

The processing of data is carried out exclusively for the ordinary management of the pages (e.g., if a comment is posted in which insults other users, Costa Brada S.r.l. may decide to remove it from the page as unlawful) and to answer the questions of the user (both public and private) about the characteristics of the services of Costa Brada S.r.l.

In this case, the legal basis of the processing is the legitimate interest of Costa Brada S.r.l. to explain to the user its products and their characteristics, as well as the need to provide answers to every question asked by the user.

The processing of personal data of the user will be done through the tools made available by the same Social Network.

In this phase of simple contact, Costa Brada S.r.l. will not transfer or communicate the personal data of the user to other subjects.

The user is always free to decide when to remove the like, delete a comment, a review, etc. , simply returning to the page of the relevant Social Network and providing direct elimination

As for any messages exchanged via social media, these are stored for a maximum of 12 months from the last contact, after which they are deleted.

The user is always free to provide his personal data. Failure to provide data may make it impossible to obtain what is requested.

Please note that the data provided may be processed for the protection of the Data Controller’s legitimate interests and defence in court. Also in this case the principle of no excess will be applied and the treatments and the times of conservation will be evaluated time by time.

Data subject’s rights
The artts. 15, 16, 17, 18, 19, 20, 21 of the GDPR confer on the interested party the exercise of specific rights that may be exercised against the Data Controller.
In particular, the user, under the conditions provided by the GDPR, may exercise the following rights:

• right of access: right to obtain confirmation that personal data concerning him or her are being processed and, if so, to obtain access to their personal data, including a copy thereof;

• right of rectification: right to obtain the rectification of inaccurate personal data concerning him and/or the integration of incomplete personal data;

• right to erasure (right to be forgotten): right to obtain the erasure of personal data concerning him, if they are no longer necessary for the purposes pursued by the Data Controller, in case of revocation of consent or its opposition to the processing, in case of unlawful processing, or where there is a legal obligation to delete. The right to cancellation does not apply to the extent that the processing is necessary for the fulfillment of a legal obligation or for the execution of a task carried out in the public interest or for the investigation, the exercise or defense of a right in court;

• right of restriction of processing: right to obtain limitation of processing, when: a) the data subject disputes the accuracy of personal data; b) the processing is unlawful and the data subject opposes the deletion of personal data and asks instead that it be limited to its use; c) the personal data are necessary to the interested party for the assessment, the exercise or the defense of a right in court;

• obligation to notify recipients: The controller shall communicate to each of the recipients to whom the personal data have been transmitted any corrections or cancellations or limitations of the processing carried out pursuant to Article 16, Article 17, paragraph 1, and Article 18 thereof, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of such recipients if the data subject so requests.

• right to data portability: right to receive, in a structured, commonly used and readable format from an automatic device, the personal data concerning him provided to the Owner and the right to transmit them to another holder without hindrance, where processing is based on consent and carried out by automated means;

• right to object: right to object, at any time, to the processing if the personal data are processed for purposes other than those for which the data subject has consented to the processing.

Pursuant to art. 77 of the Regulation, the interested party has the right to lodge a complaint with a supervisory authority, in particular in the Member State where he usually resides, works or in the place where the alleged infringement occurred, that in Italy corresponds to the Guarantor Authority for the Protection of Personal Data, whose references can be found on www.garanteprivacy.it.

The exercise of the rights of the interested party is free of charge pursuant to Article 12 GDPR. However, in the case of manifestly unfounded or excessive requests, also for their repetitiveness, the Holder may charge a reasonable fee, in the light of the administrative costs incurred to manage the request, or deny the satisfaction of the same.

The rights of the interested party can be exercised using the form ‘Rights of the interested party’, downloadable at the following link or at the bottom of the homepage of the site, which must be sent on paper to the address of the Owner, or by e-mail or fax to the addresses in this statement.

This Policy was updated on 04/05/2020, any updates will always be published on this page.