Please be informed that, pursuant to art. 13 of the GDPR no. 2016/679 (hereafter, “GDPR”), any personal data collected from you shall be processed based on the principles of correctness, lawfulness, transparency and protecting your confidentiality and your rights;

a) Our organisation, as a legal entity, holds the dual role of data controller and data processor;

b) The data controller and data processor (see contact details on the last page), following an in-house assessment of the case in question, has not designated a data protection officer as there was no obligation to do so, pursuant to art. 37, paragraph 1 of the GDPR no. 2016/679.

Your data shall be processed:

c/i) pursuant to art. 6 paragraph b) and c) , for the purposes of performing a contract or implementing pre-contractual measures and fulfilling the legal obligations to which the data controller is subject; e.g. the data processing necessary to manage requests, quotes and

bookings, fulfil all contractual, accounting and tax obligations, manage payments also via

credit cards, POS devices and advanced online services offered by the respective credit institutions or agencies and to manage disputes; furthermore, for all legal obligations; e.g.
regulations, EU and local legislation or orders from authorities, registering and sending data to authorities and managing any disputes; in addition, to pursue the legitimate interest of the data controller or of third parties under the conditions provided for by the GDPR;

c/ii) pursuant to art. 7, with your freely-given consent, for other service and marketing purposes; e.g. the data processing necessary to send promotional offers regarding our services

and other events, updating prices, other quotes as well as sending birthday and Christmas wishes; to provide additional services such as sending data relating to your stay to third parties for the sole purpose of allowing goods, messages and telephone calls addressed to you to be
in order to process specific categories of personal data to offer a better standard of hospitality;

e.g. food intolerances, allergies or other specific data;
in order to process advanced online services; e.g. registering with our management programme so we may use your e-mail address to send the final balance, receipt or invoice, to
manage loyalty scheme points and other similar services;

c/iii) pursuant to art. 7, with your freely-given consent, for other purposes; e.g. the data

processing necessary to LOG-ON to our public WIFI/LAN network in order to surf the internet; as well as the processing of the data that are necessary to use our company website and that must be transmitted in order to use internet communication protocols. This data is not collected to be associated with specific individuals, but could, for its very nature, allow the users to be identified if processed and associated with data held by third parties; e.g. this

category of data includes the IP addresses or the domain names of the devices used by those visiting the website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to issue the request to the server, the size of the file received in response, the numerical code indicating the status of the reply given by the server and other parameters relating to the operating system and the user’s computing environment;
this data is used for the sole purpose of gathering anonymous statistical information on the use of the WIFI/LAN network and the company website; e.g. to check that our IT infrastructure is working correctly and to improve the service; likewise, data could be used by the competent authorities, e.g. to establish responsibility in the case of potential computer crimes or damages
to our WIFI/LAN network, our IT system and our company website.

d) pursuant to art. 6, paragraph 1, letter f), considering the reasonable expectations of the parties, for the purposes of the legitimate interests pursued by the data controller or by a third

party; e.g. data to prevent fraud (monitoring attendance, registering entries, biometric data, images from CCTV, etc.) and for direct marketing purposes.

Recipients and categories of recipients of your data are as follows:

e) natural or legal persons, public authorities, collaborators such as employees, professionals, service providers, bodies and associations.

Your personal data may be transferred to another country or to an international organisation

f) in view of the above, in addition to being processed in paper format in our organisation’s archives or on third-party premises, data are mainly processed and stored in electronic format on our mass storage devices inside our facilities or within the EU through hosting, server and cloud services. It is nonetheless understood that the data controller, if necessary, shall have


the right to move its hosting servers, servers and cloud services to countries outside of the EU; likewise, the data controller hereby guarantees that data shall only be transferred to countries outside of the EU in compliance with applicable legal provisions, subject to standard contract clauses being drawn up as provided for by the European Commission.
Your data shall be processed in a correct and transparent way, with the data being collected, registered, organised, stored, consulted, processed, modified, selected, extracted, compared, used, interlinked, blocked, disclosed, cancelled and destroyed, as necessary. Your personal data shall be subject to both paper and electronic and/or automated processing.

Data may be processed, only for the purposes referred to by the previous points c/i, c/ii, c/iii and d, also by employees and collaborators of the data controller or by other institutions based in Italy or in other European countries, by third-party companies or other bodies; e.g. by means

of example but not limited to: credit institutions, professional firms, insurance companies to provide insurance services, IT service companies and telephone operators or other

organisations providing services/products on behalf of the Data controller, in their role as external persons in charge of processing. In accordance with art. 14 of the GDPR, if personal data have not been obtained from the data subject, then the data controller must provide the specific information required within one month; in your case, on the other hand, reference should be made to this information notice.
As an interested party, by sending a registered letter or an email to the holder of the processing, you can assert your rights under the Articles 15, 16, 17, 18, 20 and 21 of the GDPR

c) right to withdraw consent, for the cases provided for by the GDPR, at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

e) How data is provided and the consequences of refusing to reply
Providing data for the purposes referred to by the previous point c/i, c/ii, c/iii it is considered implicit


Contact details of the Data controller (e-mail, address):

Gestala s.r.l.

Sede legale: via Priore Berengario n.5 – 090129 Cagliari(CA)

C.F. – R.I. – P.IVA. 03753900921