PRIVACY POLICY STATEMENT


pursuant to Art. 13 of EU Regulation 2016/679 (“RGPD”)

1. Data Controller and contacts
2. Purposes of the processing, legal bases, storage period

     2.a) Viewing and browsing the website
     2.b) Site analytics
     2.c) Marketing (newsletter)
     2.d) Management of user request form (contacts, stakeholders, accesses)
     2.e) Recruitment
     2.f) Verification, exercise, and/or defence of a right
3. Optional nature of the provision of data and consequences of a refusal to provide data
4. Recipients or categories of recipients
5. Transfer of data abroad
6. Rights of the data subject
7. Changes

1. DATA CONTROLLER AND CONTACTS

The Data Controller is the party who decides for what purposes the Data Subject’s data are to be processed, according to what legal basis, for how long, and to whom they can be transmitted. The Data Controller is Xenia Hôtellerie Solution S.p.A., with registered office in Guardiagrele (Chieti), Via Antonio Gramsci 79, VAT No. and Taxpayer Code 01691390692. For all matters concerning the processing of your personal data, you can contact the Data Controller by regular mail to the above address, or by sending an email to: info@xeniahs.com. The Data Controller does not have to name a DPO (Data Protection Officer), since the legal requirements making it obligatory do not apply.



2. PURPOSES OF THE PROCESSING, LEGAL BASES, STORAGE PERIOD

A purpose is a reason for which we process your personal data. Below is a list of our purposes. Each and every purpose has one or more legal bases.

2.a) Viewing and browsing the website

Purpose: to permit a flawless website browsing experience.
Legal basis: use of a service requested by the data subject, art. 6.1.b) RGPD.
Notes on the processing and storage period:

Viewing and browsing the website entail, for reasons intrinsic to the use of ICT protocols, an exchange of technical information between the Controller’s ICT system and yours. The information transmitted consists, for example, of the following: operating system used, browser and its version, time of the request, information flow size.

The data are immediately deleted at the end of the browsing session, unless they are necessary for the exercise or defence of rights (see below).



2.b) Site analytics

Purpose: statistical studies/analyses on aggregate or anonymous data that do not entail the processing of personal data.
Legal basis: these are data that are rendered anonymous, and thus not subject to the legislation on the protection of personal data.
Notes on the processing:

The Data Controller uses the Google Analytics service to collect aggregate data on the site’s performance. See the section on analytic cookies below for more information.


2.c) Marketing (newsletter)

Purpose: marketing.
Legal basis: consent, as per Art. 6.1.a) of the GDPR and Art. 13 of Dir. 2002/58/CE (and Art. 130.2 of Italian Legislative Decree 196/03).
Notes on the processing and storage period:

The newsletter contains only commercial information. You may withdraw your consent at any time, easily and free of charge, by writing to us or using the “Unsubscribe” button found in every newsletter. Your information will not be transmitted to third parties, with the sole exception of the processors chosen by the Controller for its industrial organization.

As expressly envisaged by the legislation (Art. 13.2 of Dir. 2002/58/CE and Art. 130.4 of Italian Legislative Decree 196/03), the Controller may send informational newsletters, even without their consent, to customers who have already purchased similar goods or services, without prejudice to their right to object to their receipt, easily and free of charge (typically by using the “Unsubscribe” link found in every newsletter). When you purchase one of our goods or services, you may refuse the newsletter from the outset, by writing to the Controller’s contact email address.


2.d) Management of user request form (contacts, stakeholders, accesses)

Purpose: acknowledgment/fulfilment of direct request from user.
Legal basis: contract, as per Art. 6.1.b) of the GDPR.
Notes on the processing and storage period:
At the present time, the site supports three types of direct requests:

Contacts through the contact form. We only collect the data that are strictly necessary for responding to the contact request.

Requests for documents by stakeholders. We only collect the data that are strictly necessary for responding to the stakeholder’s request.

Requests for access to the reserved area. We only collect the data that are strictly necessary for permitting the authentication of users in order to allow them access to the reserved area.

The personal data transmitted by filling in the above-said forms are used solely for the above-said purposes; they are not processed for marketing purposes, nor for profiling or any other purpose other than those indicated. They are not transmitted to third parties. For their processing, the Controller might rely on processors within its company organization. They are deleted once the customer’s request has been met. The authentication logs are deleted at the end of the session.

2.e) Recruitment

Purpose: establishment of employment or a consultancy relationship.
Legal basis: performance of precontract- and contract-related measures, as per Art. 6.1.b) of the GDPR.
Notes on the processing and storage period:

Any curricula vitae (CVs) transmitted are used solely for recruitment purposes. If the job applicant is not hired, they are held for six months.

If the applicant is hired, the CV will be kept for the entire period of employment for purposes of verification of the information indicated, as it contains elements of reference for drafting the employment contract. Also, the Controller uses quality certification systems that require keeping the CV of the persons hired.

The information on CVs is not transmitted to third parties. It could be processed by processors employed by the Controller in its company organization.

2.f) Verification, exercise, and/or defence of a right

Purpose: defence of rights.
Legal basis: legitimate interest, as per Art. 6.1.f) of the GDPR.
Notes on the processing and storage period:

The Controller’s legitimate interest is to exercise rights and defend itself both judicially (including pre-litigation) and extrajudicially with regard to third parties (including public authorities) and data subjects.

The personal data collected for this purpose are kept for 10 years, as envisaged by the ordinary limitation period (Art. 2946 of the Italian Civil Code), except in the case of interruption of the limitation period.

3. OPTIONAL NATURE OF THE PROVISION OF DATA AND CONSEQUENCES OF A REFUSAL TO PROVIDE DATA

The decision to provide your personal data is optional and voluntary. The only consequence if you refuse to provide your personal data will be the impossibility for you to browse the website or for us to provide you with the services you request.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS

We will transmit the personal data collected through the website to:
- hosting, housing, and cloud providers;
- providers of information communication platforms or channels;
- providers of remote payment services (where applicable);
- consultants and professionals who assist us (also in legal and commercial matters, if necessary);
- public and police authorities if it becomes necessary to involve them;
- judicial authorities in the exercise of their functions when deemed necessary or when required by law;
- persons authorized by the Controller to process the data who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (e.g. employees and consultants).

5. TRANSFER OF DATA ABROAD


We use back office services also located in other countries EU/EEA (Albania). This processing is carried out in compliance with the applicable legislation, through the recourse to legal guarantees, i.e. standard contractual clauses approved by the European Commission. You may obtain a copy of said clauses by contacting the Controller.

6. RIGHTS OF THE DATA SUBJECT

Rights: You may exercise the following rights: access, rectification, erasure (“right to be forgotten”), limitation, objection, and portability pursuant to Articles 15, 16, 17, 18, 20 and 21 of the GDPR.
Complaint: You also have the right to lodge a complaint with the competent supervisory authority (for Italy: Garante per la protezione dei dati personali: Personal Data Protection Authority) for any violation of the legislation on the processing of personal data (GDPR).
We do not engage in: automated decision-making or profiling activities.
Withdrawal of consent: Consent may be withdrawn at any time, without any formalities. For example, you may always withdraw your consent to the newsletter; see above.

7. CHANGES

This Privacy Policy Statement is in effect from 25 May 2018 and replaces the previous version. We reserve the right to change or simply update its contents. Any variations will be binding from the moment they are published on the website. We therefore recommend that you consult this section regularly so you can be informed of the most recent and updated version of the Statement, and therefore keep up to date on the data collected and how the Controller uses them.