INFORMATION NOTICE PURSUANT TO ARTICLE 13 OF EUROPEAN REGULATION 679/2016 (GDPR)
DATA CONTROLLER AND DATA PROTECTION OFFICER
The data controller is Metropolitan Spa, with registered office in 30122 Venezia, Riva degli Schiavoni 4149 e-mail email@example.com. Metropolitan has not appointed a Data Protection Officer (D.P.O.).
TYPES OF INFORMATION COLLECTED
METROPOLE HOTEL’S CLIENTS can be requested to provide the following personal data: Arrival Date; Number of days of stay; Surname, Name, Sex; Date of birth; Place of birth (municipality and province if in Italy, state if born abroad); Nationality; Type of identity document; Number of identity document; Place of document’s issue (municipality and province if in Italy, state if issued abroad); Payment details.
For individual families only one spouse is required to provide all the foregoing data. For the other spouse and under-age children the following information is sufficient: Number of days of stay; Surname, Name, Sex; Date of birth; Place of birth (municipality and province if in Italy, state if born abroad); Nationality.
In addition, we collect the personal data of any client’s acquaintance who wants to leave a message for or get in contact with the client, or, when the client wish to contact any of his acquaintance.
At the client’s explicit request special categories of personal data may be collected (e.g. information that will indicate racial or ethnic origins, political opinions, religious faith or philosophic convictions, membership of trade unions, sexual life, health conditions or judicial data) in order to meet his/her specific requests or satisfy special requests (e.g. particular types of food, changing the furniture in the room for reasons of health, etc.).
SIMPLE VISITORS may be requested to provide common personal data, unless a specific service is requested for which additional personal data are needed.
MET RESTAURANT CLIENTS will be requested common personal data, in the event of booking, and payment details.
INTERNET SITE USERS will be requested common personal data when they request information on Metropolitan services, in addition to profiling data according to the specifications indicated in the special page “Cookies and online technologies”. All data are collected for the following purposes.
PURPOSES OF DATA PROCESSING
The personal data collected are processed for the following purposes: A) Providing the services requested; B) Complying with the obligations laid down for public security, especially Ministerial Decree 7 January 2013, regulations on communication to public security authorities on persons using accommodation facilities and any supplementary or amending regulations; C) Performing tax or accounting requirements; D) Allowing clients to receive and send messages from and to third persons; E) Satisfying the personal preferences of clients, such as requests for services or advice; F) Send information material on Metropolitan’s events or promotions. G) Metropolitan reserves the right to request permission to use clients’ personal data in order to send direct marketing messages and communications on Metropolitan’s services and products.
LEGAL BASIS FOR PROCESSING
The data collected for the purposes stated under points A), B) and C) permit Metropolitan to provide the service requested. Refusal to provide such data will make it impossible for Metropolitan to provide the service requested.
Personal data collected under points D), E) and F) will be processed by Metropolitan on the basis of a freely-given consent.
Clients’ personal data will be kept in a form that permits personal identification for a period of time strictly necessary to enable Metropolitan to pursue the purposes for which they were collected but in any case for no longer than ten (10) years, as required by public security regulations.
The period of storage may, however, be extended up to ten (10) years or even a longer period if required by Italian law on matters concerning tax data or the settlement of judicial disputes. The special categories of data, when disclosed by the client, are kept for no longer than five (5) years. The expiry date will be duly adjusted from the new stay of the client on. At the conclusion of the storage period the data will be anonymize in order to analyse trends and behaviours on an aggregate base.
Metropolitan communicates personal data online to public security authorities in compliance with the provisions of the Consolidated Public Security Law and Ministerial Decree 7 January 2013, or with their amendments or supplements.
In addition, personal data may be disclosed to:
1. Any Metropolitan worker who provides services for the purposes indicated under the foregoing points;
2. Subjects who process data in compliance with specific statutory obligations;
3. Other judicial or administrative authorities, whenever this may be necessary to comply with legal or statutory requirements or obligations descending from the application of current laws, a court order or a writ of summons.
4. Third companies and service providers who operate on Metropolitan’s behalf for purposes closely related to the performance of the services requested by clients.
5. Third companies or service providers in order to meet contractual obligations linked to the handling of bookings for stays or future events.
PROFILING AND DISCLOSING DATA
Personal data can be processed using both paper-based and IT procedures (including portable devices) and handled in ways strictly necessary to meet the foregoing purposes. With the exceptions indicated in the preceding paragraphs, Metropolitan will treat clients’ data with the maximum confidentiality.
In order to ensure an exclusive service, as far as possible tailored to a client’s specific requirements, Metropolitan may perform profiling activities, with reference, for example, to preceding stays.
THE DATA SUBJECT’S RIGHTS
For all legal purposes, the data subject will always be able to refer to the foregoing address to exercise his or her rights, including the right to:
request Metropolitan to give him/her access to personal data and information upon him/her; the rectification of inexact data or the supplementing of incomplete data; the erasure of personal data (in the event that one of the conditions indicated under article 17, paragraph 1, of the GDPR applies, and pursuant to the exceptions provided for under paragraph 3 of this article); limiting the processing of personal data (commencing from one of the circumstances indicated under article 18, paragraph 1 of the GDPR);
request and obtain his or her personal data from Metropolitan in a structured format, legible by an automated device, and also for the purpose of communicating such data to another data controller (the so-called right to personal data portability);
oppose the processing of personal data at any time when particular situations occur regarding the data subject;
revoke the consent at any time, limited to the cases in which the processing is based on consent for one or more specific purposes regarding common personal data (e.g. date and place of birth or place of residence), or special categories of data (e.g. data that reveal a racial origin, political opinions, religious convictions, state of health or sexual life). The treatment based on consent and carried out prior to the revocation of the same preserves, however, its lawfulness;
submit a complaint to the supervisory authority (the authority for the protection of personal data - www.garanteprivacy.it)