PRIVACY INFORMATION ACCORDING TO REG. UE 679/2016, D.LGS. 196/2003 and D.lgs. 101/2018

Dear Guest,

SAR.TA. SRL, as Data Controller, wishes to inform you that, in compliance with art. 13 EU Reg. 679/2016 (GDPR) and Legislative Decree 196/2003 and subsequent amendments, your data will be processed in the manner and for the purposes set out below.

OWNER OF THE TREATMENT is SAR.TA. s.r.l., with headquarters in Largo Cesare Battisti 5, Gravedona ed Uniti (CO), 0039 0344 89450, mail info@rivadellario.it.

PROCESSED DATA, PURPOSE AND LEGAL BASIS OF THE PROCESSING

As part of the activity, personal identification data are processed, such as name and surname or company name, date of birth, place of birth, place of residence or headquarters, citizenship, CF / VAT number, unique code and / or pec, telephone number, email, identity document (identity card, passport, driving license, etc.), bank and / or payment data (e.g. credit card references).

It may happen that the customer provides particular categories of data (e.g. concerning health, allergies, etc.).

The data you provide will be processed for the following purposes:

1. fulfill the pre-contractual and contractual obligations connected to the requested service (for example, filling in the booking plan, also collected by Booking, communications both by paper and electronic means, accounting, tax, organizational purposes, bureaucratic obligations relating to the services requested);

2. fulfill the obligations established by laws or regulations, by European legislation, by requests from the judicial authorities (e.g. mandatory electronic communication to the Police Headquarters of the "housed tickets" and to the Province for ISTAT purposes, communications both by paper and electronic means , accounting, tax, organizational purposes, bureaucratic obligations relating to the services requested). For more information, visit the websites https://alloggiatiweb.poliziadistato.it/PortaleAlloggiati/InfoGen.aspxhttp://www.regione.lombardia.it/wps/portal/istituzionale/HP/DettaglioRedazionale/servizi-e-informazioni/enti-e-operatori/promozione-del-turismo/promozione-turistica/osservatorio-regionale-del-turismo;

3. exercise the rights of the owner, including e.g. the right to defence in court.

The legal basis that legitimizes the processing of the data referred to in point 1 is the execution of the contract of which the Customer is a party, or the performance of pre-contractual activities at the request of the Customer; for point 2 the legal basis is represented by the fulfilment of legal or regulatory obligations; for point 3 the legal basis is represented by the pursuit of the legitimate interest of the Data Controller.

NATURE OF THE CONFERMENT

The provision of personal data relating to the processing is optional. However, the partial or total failure to provide the data may result in the partial or total impossibility of establishing or continuing the relationship with the Customer, within the limits in which such data are necessary for the execution of the same.

RECIPIENTS OR POSSIBLE CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The processing of customer data is carried out by the owner (administrator of the company), by the partners of the company, by the data processors and by the subjects authorized to process data according to the instructions that are given in compliance with current legislation on privacy and security of data.

If this is necessary for the purposes listed above, the Customer's personal data may be processed by third parties appointed as Data Processors (pursuant to art. 28 GDPR) or independent Data Controller and precisely:

• by professionals (e.g. accountants, labour consultants, etc.), companies, associations or professional firms that provide the Owner with assistance or advice for administrative, accounting, tax, managerial-organizational, technical and operational purposes;

• by all the Public Institutes established by law and more generally by all the Bodies envisaged by the current accounting and tax legislation as recipients of mandatory communications;

• by judicial or administrative authorities, for the fulfilment of legal obligations;

• by insurance and banking institutions for collections and payments, as well as by any professionals, for the management of payments by credit cards or electronic payment instruments in general, postal couriers and for any debt collection;

• by suppliers of installation, assistance and maintenance services for IT and telematic systems and systems and all services functionally connected for the fulfilment of the services covered by the contract.

In any case, the customer's personal data are not subject to disclosure.

TRANSFER OF DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATIONS

As part of the contractual management, there is no transfer of customer data to non-EU third countries or to international organizations.

However, the Data Controller reserves the right to use the cloud services, in which case the service providers will be selected from among those who provide adequate guarantees pursuant to art. 46 GDPR.

DATA RETENTION PERIOD

For the aforementioned purposes, the Customer's personal data will be processed and stored by the Data Controller for the entire duration of the contractual relationship and, at the end of the same, for any reason, for the time provided for by the current accounting, tax and civil law legislation, and procedural, in any case for a maximum of 11 years.

TREATMENT METHOD: The treatment will be carried out in the following ways: manual and computerized.

RIGHTS OF THE INTERESTED PARTY

Pursuant to art. 13 and 15 to 21 GDPR, in your capacity as an interested party and in relation to the treatments described in this statement, the customer has the rights, which he can exercise at any time, referred to in articles 7, from 15 to 21 and 77 GDPR and in particular on:

· right of access to your personal data and information relating to them (art.15 GDPR): right to obtain confirmation that the processing of personal data concerning the customer is in progress and in this case obtain access to such personal data, including a copy thereof;

· right of rectification (art.16 GDPR): right to obtain the correction of inaccurate personal data and / or the integration of incomplete data without undue delay;

· right to erasure (right to be forgotten, art. 17 GDPR): right to obtain, without undue delay, the erasure of personal data concerning the customer;

· right to limit the processing of your personal data (if one of the hypotheses indicated in art.18, paragraph 1 of the GDPR occurs) when the interested party disputes the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of such data; the treatment is unlawful and the interested party opposes the cancellation of personal data and instead requests that their use be limited; personal data are necessary for the interested party to ascertain, exercise or defend a right in court; the interested party has opposed the treatment pursuant to art. 21 GDPR, in the waiting period of the verification regarding the possible prevalence of legitimate reasons of the Data Controller compared to those of the interested party;

· right to data portability (art.20 GDPR): right to receive, in a structured format commonly used and readable by an automatic device, the personal data concerning the Customer provided to the Owner and the right to transmit them to another Owner without impediments, if the treatment is based on consent and is carried out by automated means. Furthermore, the right to obtain that the customer's personal data are transmitted directly to another Data Controller if this is technically feasible;

· right of opposition (art.21 GDPR): right to object at any time, for reasons connected to your particular situation, to the processing of your personal data concerning the user based on his condition of lawfulness of the legitimate interest or of the execution a public interest task or the exercise of public powers, including profiling, unless there are legitimate reasons for the Data Controller to continue processing that prevails over the interests, rights and freedoms of the interested party, or for the assessment, the exercise or defence of a right in court. Furthermore, the right to object at any time to the processing if personal data are processed for direct marketing purposes, including profiling to the extent that it is connected to such direct marketing;

· right of withdrawal (art.7 GDPR): right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of the treatment based on consent before the revocation;

· right of complaint (art. 77 GDPR): the Customer has the right to lodge a complaint with the Guarantor Authority for the protection of personal data - www.garanteprivacy.it, Piazza Venezia 11, 00187 Rome.

The Customer may at any time exercise his rights by sending a registered letter with return receipt to SAR.TA. SRL, L.go C. Battisti 5, 22015 - Gravedona ed Uniti (CO) or an email to info@rivadellario.it

The exercise of rights by the Customer is free of charge pursuant to art. 12 GDPR. However, in the case of manifestly unfounded or excessive requests, also due to their repetitiveness, the Data Controller may charge the Customer a reasonable expense contribution, in light of the administrative costs incurred to manage his request or deny the satisfaction of his request.

If you decide to stay at the structure, you declare that you have received, carefully read and taken note of the content of the information provided by SAR.TA. SRL with reference to the processing for the following purposes:

1. fulfil the pre-contractual and contractual obligations connected to the requested service (for example, filling in the booking plan, also through Booking, communications both by paper and electronic means, accounting, tax, organizational purposes, bureaucratic obligations relating to the services requested);

2. fulfil the obligations established by laws or regulations, by European legislation, by requests from the judicial authorities (eg mandatory electronic communication to the Police Headquarters of the "housed tickets" and to the Province for ISTAT purposes, communications both by paper and electronic means, accounting, tax, organizational purposes, bureaucratic obligations relating to the services requested);

3. exercise the rights of the owner, including e.g. the right to defence in court.