Dear Guest,
In compliance with the provisions of Article 13 of REGULATION (EU) 2016/679 (hereinafter referred to as "GDPR" or "Regulation"), we would like to notify you of both the use of your personal data and your rights, by informing you of the following.
The Data Controller is HOTEL LEON D'ORO S.R.L., with registered office at Viale Piave no. 5, postcode 37135, Verona (VR), Italy, tax code and VAT reg. number 04041100407.
To exercise the rights under the GDPR, or to request any clarification on the processing of your personal data, you may contact the Data Controller using the following contact details: telephone (+39) 0415321630, email privacy@hnh.it.
PURPOSE AND LEGAL BASIS
The data you provide will be processed in compliance with the principles set out in Article 5 of the GDPR and, in particular, with the principles of lawfulness, fairness, transparency, accuracy, purpose limitation, and data minimisation, for the following purposes:
1. PRIMARY PURPOSES
1.1. Management of bookings and stays
Description: Processing of data necessary to manage your booking, check-in, check-out and all activities related to your stay at our establishment, including the personalisation of services requested.
Legal basis: Performance of pre-contractual measures and the contract to which you are party (Art. 6, para. 1(b) GDPR).
Data processed: Personal data, contact details, IP address (for online bookings), dates of stay, room preferences, payment method.
1.2. Handling of enquiries via our website
Description: Processing of data provided via the contact forms on our website to respond to your requests for information, quotes or clarifications on our services.
Legal basis: Execution of pre-contractual measures taken at your request (Art. 6, para. 1(b) GDPR).
Data processed: First name, last name, email address, telephone number (if provided), message content, IP address.
1.3. Website operation
Description: Processing of the data necessary to ensure the correct operation of the website, cyber security and the prevention of fraudulent activities.
Legal basis: Legitimate interest of the Data Controller (Art. 6, para. 1(f) GDPR).
Data processed: IP address, log data, information on the browser and device used, date and time of access.
Note: For detailed information on the use of cookies and other tracking tools, please see our Cookie Policy.
1.4. Fulfilment of legal obligations
Description: Communication of data to public security authorities as required by the Consolidated Law on Public Security; tax, accounting and administrative fulfilments.
Legal basis: Fulfilment of a legal obligation to which the Controller is subject (Art. 6, para. 1(c) GDPR).
Data processed: Personal data, identity document, tax code, tax and accounting data.
1.5. Additional services required during the stay
Description: Provision of expressly requested additional services such as room service, restaurant bookings, transfers, excursions, wellness and spa services.
Data processed: Personal preferences, specific requests, preferred times.
It is possible that, before and during your stay, hotel employees may become aware of special data, such as, for example, information regarding your state of health or religious affiliation. In this regard, it is important to emphasise that we never request or solicit such particular data. These data are only processed if voluntarily provided by you and are not recorded in any database or permanent archive. Should you decide to provide us with such information, it will only be used to meet specific requests (such as allergies or dietary preferences, room configuration needs) and only for as long as is strictly necessary to fulfil such requests.
1.6. Verification of the quality of services
Description: Collection of feedback on the quality of services through questionnaires, checks and audits, also by sending satisfaction questionnaires by email after the stay.
Legal basis: Legitimate interest of the Controller in improving the quality of its services (Art. 6, para. 1(f) GDPR).
Data processed: Evaluations, comments, suggestions.
1.7. Protection of the Controller's rights
Description: Establishment, exercise or defence of a right in judicial and extrajudicial proceedings.
Legal basis: Legitimate interest of the Data Controller (Art. 6, para. 1(f) GDPR).
Data processed: Data concerning the stay, correspondence, payment data, any complaints.
1.8. Expediting registration procedures
Description: Data storage to simplify and expedite check-in procedures in case of subsequent stays at our establishment.
Legal basis: Legitimate interest of the Controller in providing a more efficient service to regular guests (Art. 6, para. 1(f) GDPR).
Data processed: Personal data, previous stay preferences, identity documents.
2. SENDING OF OFFERS TO CLIENTS
Description: Use of your contact data, in particular your email address, to send you offers for products or services similar to those you have already purchased.
Legal basis: Controller's legitimate interest in promoting similar products and services (Art. 6, para. 1(f) GDPR; Art. 130, section 4, Legislative Decree 196/03).
Data processed: Email address, first name, last name, purchase history.
Right to object: You always have the right to object to the sending of such communications at any time and free of charge.
3. NEWSLETTER
Description: We periodically send out newsletters containing information on our offers, news, events and promotions to those who voluntarily subscribe via the form on our website.
Legal basis: Consent of the data subject (Art. 6, para. 1(a) GDPR).
Data processed: Email address, name (if provided).
Method: Newsletters sent exclusively by email.
Note: Subscription to the newsletter is completely optional. You may unsubscribe at any time by clicking on the unsubscribe link in each newsletter or by contacting us using the details given in this notice.
PROVISION OF DATA AND CONSEQUENCES IN THE EVENT OF FAILURE TO CONSENT TO PROCESSING
The provision of your personal data may be compulsory or optional, depending on the different purposes for which they are processed. Below we outline the consequences of failure to provide data or to consent to processing:
Data required for primary purposes (items 1.1 to 1.8)
The provision of personal data necessary for the Primary Purposes set out in points 1.1 to 1.8 is mandatory, as such data are indispensable for:
• Managing your booking and your stay (1.1);
• Answering your requests for information via the website (1.2);
• Ensuring the operation and security of the website (1.3);
• Fulfilling legal obligations, including communications to public safety authorities (1.4);
• Providing the additional services you request during your stay (1.5);
• Verification of the quality of our services (1.6);
• Protecting your rights in the event of disputes (1.7);
• Expediting registration procedures for future stays (1.8).
Consequences of failure to provide these data: failure to provide these data will make it impossible for the Controller to provide the information and/or services requested, to conclude the contract with you and, in general, to fulfil the obligations undertaken. In particular, without providing the data requested in the online forms, we will not be able to process your request or complete your booking.
Data for sending offers to clients (point 2)
You always have the right to object to the sending of such communications, at any time and free of charge, without this affecting the possibility of using the services requested in any way.
Data for the purpose of sending the newsletter (point 3)
The provision of data for subscribing to the newsletter is always optional. Failure to provide data or to consent to their processing for this purpose will have no consequence on the possibility to use the requested hotel services and will only imply the impossibility of receiving the newsletter.
Any consent given by you may be freely withdrawn at any time, without affecting the lawfulness of the processing based on the consent given before withdrawal. Withdrawal of consent may be communicated via the contact details indicated in the 'Data Controller' section of this notice.
CATEGORIES OF RECIPIENTS OF PERSONAL DATA
Only persons authorised to process data and persons who, by processing data on behalf of the Data Controller, have been identified as Data Processors may access personal data. These persons are also bound to secrecy and confidentiality on the basis of specific internal regulations. In particular, the following will be able to access the data:
• Technological service providers (companies or consultants in charge of installing, maintaining, updating and, in general, managing hardware and software; Cloud and hosting service providers; Electronic mail and digital communication service providers; Booking engine providers, etc.);
• Providers of hotel services (consultants and/or other professionals with whom the Data Controller collaborates to provide the Hotel Services; External parties for the provision of additional services requested by the Data Subject such as transport services, restaurants, spas, excursions);
• Online Travel Agencies (OTA) and booking agencies (OTAs and traditional Travel Agencies; Global Booking Systems; Booking and price comparison portals);
• External consultants and professionals (Legal consultants; Tax consultants and accountants; Security and service quality consultants);
• Financial and payment institutions (Banks and credit institutions for payment management; Credit card issuing companies; Insurance companies);
• Public bodies (Public safety authorities, as provided for by the Consolidated Law on Public Safety; Judicial authorities, where required; Public bodies (e.g. Revenue Agency) for the fulfilment of fiscal and administrative obligations).
Data processed for the above-mentioned purposes will not be disseminated (i.e. will not be disclosed to unspecified persons) and will not be used for automated decision-making processes.
Any person who comes into possession of your personal data will be obliged to use it exclusively for the stated purposes and in compliance with the data protection regulations. An updated list of Data Processors may be requested from the Data Controller by means of communication to the addresses indicated in this notice.
The Data Controller undertakes to entrust your data only to parties with sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and guarantees the protection of your rights.
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Data processed for the above-mentioned purposes will not - as a rule - be transferred outside the European Economic Area.
In the event that this becomes necessary (e.g. for the use of cloud-based IT systems or for the transmission of data to international OTAs), the Controller guarantees that the transfer will take place in compliance with the conditions set out in Chapter V of the GDPR and in particular:
• Art. 45 GDPR: transfer on the basis of an adequacy decision adopted by the European Commission vis-à-vis the third country or international organisation. For example, Google LLC (provider of Google Analytics) adheres to the EU-US Data Privacy Framework, guaranteeing an adequate level of protection pursuant to Art. 45 of the GDPR.
• Art. 46 GDPR: transfer subject to appropriate safeguards, such as standard contractual clauses approved by the European Commission, binding corporate rules, codes of conduct or certification mechanisms;
• Art. 47 GDPR: transfer based on binding corporate rules approved by the competent supervisory authority;
• Art. 49 GDPR: transfer on the basis of exceptions in specific situations, such as the explicit consent of the data subject, the need to perform a contract or pre-contractual measures, the need to exercise or defend a right in court or the need to protect the vital interests of the data subject or other persons.
To obtain a copy of the guarantees adopted for the transfer of personal data outside the European Economic Area, or to know the place where they have been made available, a request can be made to the Data Controller via the contact details indicated in this notice.
DATA RETENTION CRITERIA
Personal data are processed for the time necessary to fulfil the purposes for which they were collected or for any other legitimate related purpose. Therefore, if personal data are processed for different purposes, they will be retained until the purpose with the longest retention period expires; however, they will no longer be processed for the purposes whose retention period has expired. Personal data that are no longer needed, or for which there is no longer a legal basis for their storage, will be irreversibly anonymised (or permanently deleted).
In particular, your personal data will be stored according to the following criteria:
1. Data processed for Primary Purposes (points 1.1 to 1.8)
Personal data acquired for primary purposes will be retained for 10 years from the date of the last stay or the last accounting entry, in accordance with obligations to keep accounting records and to ensure the protection of the Controller's rights in the event of disputes or litigation. Exceptions are:
• Credit card data, which will be kept only for the time strictly necessary to complete the transaction and in any case no longer than 3 months from check-out;
• Data collected through the website contact forms (point 1.2): retained for 6 months from receipt of the request, unless a booking is made, in which case the above terms will apply;
• Log data and IP addresses collected for the operation of the website (point 1.3): retained for a period not exceeding 6 months, unless required to be retained for the investigation of offences.
2. Data processed for sending offers to clients (point 2)
Data used to send offers for products or services similar to those already purchased will be retained until such time as the data subject objects.
3. Data processed for sending the Newsletter (point 3)
The data used for sending the newsletter will be retained until you request cancellation of the service.
Retention in case of litigation
If it is necessary to defend or enforce a right of the Data Controller in court, the personal data relevant for this purpose will be retained for as long as necessary for the settlement of the dispute, even beyond the ordinary limitation period, until the time limit for appeals is exhausted.
Appropriate deletion or anonymisation operations will be carried out on the data collected at the end of the established retention periods or upon the occurrence of other circumstances that render the processing no longer necessary or legitimate.
DATA SUBJECT’S RIGHTS
The Data Controller hereby informs you that the data subject has the right to request:
• access to personal data and information (Art. 15 of the GDPR);
• rectification or erasure of same (Articles 16 and 17 of the GDPR);
• the restriction of the processing of personal data (Art. 18 of the GDPR).
Finally, the data subject may:
• object to the processing of personal data under the conditions and within the limits set out in Article 21 of the GDPR;
• exercise the right to data portability (Art. 20 GDPR).
With regard to processing operations based on consent, please note that the data subject has the right to withdraw said consent at any time (without prejudice to the lawfulness of the processing based on the consent given before the withdrawal).
Finally, if the Data Subject considers that the processing of their data is in breach of the Regulation, they have the right to lodge a complaint with a supervisory authority (Data Protection Authority or any other competent authority) pursuant to Article 77 et seq. of the GDPR.