ADVISORY NOTE ON PROCESSING PERSONAL DATA
This advisory note on processing personal data (also for the sake of brevity, the “Privacy Advisory Note”), describes the information collected from Unibell clients. It specifies, moreover, the way in which the Controller uses this information to carry out its activities, for legitimate commercial aims and to better satisfy the needs of clients, current and potential.
The advisory note is provided pursuant to art.13 of EU Regulation 2016/679 on the “Protection of natural persons with regard to the processing of personal data and on the free movement of such data” (for brevity, the GDPR) and art.13 of Italian Legislative Decree 196/03 “Personal data protection code” (for brevity, the Privacy Code).
The data subject is invited to carefully read this document.
Table of contents
- What is meant by personal data?
- What personal data can be collected?
- Why is the data subject’s personal data acquired and stored?
- The legal basis for processing personal data
- The nature of providing data
- Communicating and disseminating data
- How is personal information protected?
- How long will the personal data be stored for?
- The data subject’s rights
- The Controller
1. What is meant by personal data?
The terms “personal data” and “personal information” mean any information relating to an identified or identifiable natural person. An identifiable natural person is someone who can be identified, directly or indirectly, specifically by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal information can include: name, address, email address, telephone number, IP address, location data, payment data, browsing information within websites, information regarding the user’s interests, bookings, purchases and preferences concerning products and services, data acquired in authentication and tracking logs and information collected by cookies and similar technologies.
2. What personal data can be collected?
Personal data collected by the Controller may be summarised into the following categories.
Information provided by the client or the potential client. The client or the potential client can provide information about him/herself by performing any of the following: completing a form to have a newsletter sent, sending a “request for information” or for reporting, for marketing purposes (that is, for the Company to send promotional material and/or commercial communications relating to its services).
This information may include: name, email address, invoice address, telephone number, the content of the email(s) sent and any other similar information. The user is not obliged to provide the aforementioned information, however, by not providing it, or by providing only part of it, Unibell may not be able to provide certain content, services or responses to any request for information.
Information regarding the user that is received from third-party sources. Third-party sources can include commercial information agencies as well as others.
3. Why is the data subject’s personal data acquired and stored?
The Controller will process the data subject’s personal data in full respect of current legislation and solely for the purposes listed below:
- to supply the service, product or information requested by the user;
- to respond to requests for information, observations, complaints and any other query;
- to manage financial transactions, including to check solvency and to recover debt;
- to comply with applicable legal provisions; for example, to supply the data requested by a police authority when such a request complies with the law;
- to carry out internal commercial analysis including data analysis, research, trend analysis, for statistical purposes and surveys;
- to create a client profile. For the purposes of offering personalised service and offers, this data is used for profiling purposes.
4. The legal basis for processing personal data
The legal basis for processing a data subject’s personal data for the purposes described above includes:
- to ensure the proper functioning of this site’s web pages and the site’s contents. The data acquired may, furthermore, be used to ascertain responsibility in the hypothetical case of a computer crime causing damage to the site;
- the processing necessary to fulfil UnibellS.r.l.’s legal obligations.
5. The nature of providing data
Providing personal data is necessary and, therefore, specific consent is not required, pursuant to art.7 of the GDPR and art.24 of the Privacy Code, to the extent that the data is used by UnibellS.r.l. to execute its contractual obligations.
Consent is also not required when the data is processed for the Controlle’s legitimate interests.
Outside of these cases, the data subject will be asked for his/her consent for UnibellS.r.l. to use his/her personal data. Personal data may also be used, without the need for prior consent, if the data comes from public records or registries, lists, acts or documents freely accessible to the public and, in any case, excluding the dissemination of data, when processing is carried out to assert or to defend UnibellS.r.l.’s rights in a court of law.
Refusing to provide personal data which is essential to providing a service (for example, first name, last name, company name, registered office, operating location, any secondary locations, share capital, telephone number(s), fax number(s), legal representative, tax code and VAT number, corporate purpose, bank references or details, etc.) may make it impossible to provide the service itself and, therefore, to establish or to maintain a contractual relationship.
In other cases, if consent is not granted, UnibellS.r.l. may not be able to offer its services nor personalise any offers.
6. Communicating and disseminating data
In some processing cases, the Controller will proceed to communicate the data in respect of applicable legislation and for the purposes described above. For example:
- to subsidiary companies, associated companies, and associated branches and offices;
- to external supplies and service providers in order to facilitate the website’s operation;
- to statistical analysis partners such as CRM companies and/or marketing and communication companies for statistical and analysis purposes;
- to advertising partners who send personalised advertising messages to a user’s device or similar publicity notices;
- subject to the data subject granting his/her consent, to marketing partners who contact the user by post (or mail), email, telephone, SMS or other means;
- to third-party service providers and consultants;
- to public authorities when such a request complies with the law.
Based on the current processing rules, data will not be disseminated except in an anonymous and aggregated form.
7. How is personal information protected?
UnibellS.r.l. employs technical and organisation processes aimed at protecting the privacy of users. However, nothing can guarantee absolute security. Non-authorised access or use, hardware or software errors and other factors could compromise the security of the user’s information.
Each Unibell location stores personal information in a secure place, be it in a database, a hotel management system, a marketing or research database or file. In addition, Unibell has adopted measured to guarantee that only authorised personnel have access to this information.
Information relating to credit cards is transmitted and stored in an encrypted form and is decrypted only when necessary to carry out payments or to guarantee future stays. Access to non-encrypted credit card data is limited to authorised personnel only.
8. How long will the personal data be stored for?
Personal data will be stored for the time reasonably necessary to carry out the purposes mentioned above or as required by applicable legislation. For more information on the storage times applicable to personal data, users are invited to contact the Controller.
To the extent that there is a legitimate and lawful interest, UnibellS.r.l. may store the data subject’s personal data in an anonymous form, or in a form no longer referable to the data subject, for statistical purposes and without any time limit.
9. The data subject’s rights
A user wishing to exercise one or more of his/her rights with respect to personal data is invited to send his/her request using the following means of communication: via email to email@example.com.
It is possible that the data subject may wish to know which personal information is held by the Controller, who will provide the utmost availability in assisting the data subject with his/her request. However, to protect the personal information, Unibell will require that the data subject prove his/her identify when submitting the aforementioned request, which may also be sent via email
Opposition to processing personal data, including automated processing and profiling
The user who, at any moment, wishes to delete his/her personal information from the guest database and systems, or who does not wish to be part of the profiling module, is invited to contact the Controller.
The user may request the rectification and/or integration of any inaccurate or incomplete personal data.
The data subject may, at any time, withdraw his/her consent to the processing of his/her personal data, as permitted by applicable legislation. Withdrawing of consent does not affect the legitimacy of processing based on the consent previously granted. The user who withdraws his/her consent to processing their personal data may find that he/she is no longer able to use certain services for which processing personal data is essential.
The data subject may request that his/her personal data be deleted. Such a request should be sent to the Controller who will proceed to fulfil the request, barring any legal impediment.
Portability of data
Under certain circumstances, the user may ask the Controller to supply the user’s personal data in a structured, widely-used format that can be read by a computer and to transfer this data to another supplier of identical or similar services. In this scenario, when the original Controller sends personal data to another supplier, it does not lead to the original Controller deleting the personal data it holds on the user. The original Controller who may still need to process this data for legitimate and lawful purposes.
10. The Controller
The Controller is UNIBELL S.r.l., with registered offices in Via Indipendenza no. 27, Calco, Italy.
The Controller has appointed Processors for its various business areas.
The Controller and the Processors may be contacted at firstname.lastname@example.org.