In accordance with Regulation (EU) 2016/679 (“GDPR”) articles 13 and 14
Information on the processing of personal data in the context of the Covid-19 epidemiological emergency
The purpose of this document (“Policy“) is to provide you with information regarding the processing of data provided by you to BORGO BRUFA SRL and is provided pursuant to EU Regulation no. 679/2016 (“GDPR“).
If you contact us directly, for example, through our websites, via e-mail or by telephone through our direct phone line with the intention of receiving information regarding our services.
If you purchase one of our services, for example, through our websites.
If you respond to our marketing campaigns, for example, by filling out a response form, or by entering personal data on one of our websites.
If your contact details are communicated to us by a third party with your consent.
If business partners legitimately transfer your personal data to us.
If you participate in an event organized by us.
If you provide personal data on behalf of someone else, it is your responsibility, before you do so, to ensure that you and the person in question have read this Privacy Statement. If the person is under 18, please do not provide us with any personal information.
Therefore, within the limits of the purposes and methods described in this Policy, information that may be considered “Common personal data“, including your personal details, contact details (such as, mobile phone number, e-mail address), and “Specific personal data” related to your physical health and defined in art. 9 of the GDPR may be processed.
For ease of reference, within the present Policy, the term “Personal Data” shall be understood as a reference to all your personal data, unless otherwise specified.
Personal Data collected will be processed for the purposes and on the basis of the following legal bases:
Legal basis for processing
|Categories a), b) (when relevant): for the management of your contractual relationship, that is, to execute pre-contractual measures (such as requests for information or estimates, services provided). In this case, you are free to provide your data; however, failure to provide it will not allow you to establish the aforementioned relationship to satisfy your request.||The treatment is necessary in relation to the execution of a contract of which you are a party|
|Category c): for communications required by public safety standards (PS communication). Failure to provide this data implies the inability to provide hospitality service in your favor.||The treatment is necessary due to a legal obligation|
|Categories d), e), f), g), h) and i) are subject to your specific consent for the personalization and improvement of service with specific reference to food and beverage, the wellness center and beauty treatments. The lack of data communication does not prevent the service, but it does prevent the personalization and improvement of such.||
|Categories d), e), f), g), h) are subject to your specific consent for the completion (and subsequent use) of surveys, as well as to contact you, via the contact details provided, in order to verify the quality of service rendered you and your degree of satisfaction. These activities will, however, be brief and limited, in the spirit of discretion of our facility (along with the “satisfaction verification”). Failure to give consent prevents us from knowing your degree of satisfaction.||
|Categories a), d), e) are subject to your specific consent, in order to send you reminders and promotional offers; communication relating to events organized by the title holder or his business partners (along with “marketing purposes”). These activities will, in any case, be brief and limited, within the spirit of discretion of our structure. Failure to give consent prevents us from being able to contact you about our initiatives.||
|Category j) Self-certification acknowledging situations at risk of COVID-19 infection||Purpose of public interest
The processing of personal data provided is legitimate in order to fulfil a task of public interest (Article 6 paragraph 1, letter e of the GDPR) and for reasons of public interest in the public health sector (Article 9, paragraph 2, letter i of the GDPR) as part of the implementation of anti-contagion safety protocols (“Shared protocol for regulating measures to combat and contain the spread of the Covid-19 virus in the workplace, dated 24 April 2020”)
|Category k) Images taken by video surveillance system||Pursuit of the legitimate interest of the Data Controller, aimed at safeguarding corporate assets (Article 6, paragraph 1, letter f of the GDPR (“…processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail”). In the event of a request to make the images available by the judicial or police authorities, the legal basis and Article 6, paragraph 1, letter c of the GDPR (“…processing is necessary to fulfill an obligation to which the data controller is subject”).|
Personal Data will be processed using manual, computerized or telematic tools, appropriate to guarantee security and confidentiality, and will be carried out by personnel duly trained in the compliancy rules of the applicable regulations.
In addition to cases in which it is necessary to contact you for requirements related to the management of your stay with us, where you give consent to the processing of your data for the purposes referred to in point 3, you may be contacted by e-mail, text message (or any equivalent electronic instrument), or postal service or you may be called by an operator at any of the contact details provided. If you prefer to be contacted via only one or some of these contacts, you may specify such in writing to the following e-mail address: email@example.com.
If you express your consent in relation to the purposes set out in point 3, your personal data will be made visible and stored in a Customer Relationship Management (CRM) database, and may also be stored in one or more designated company archives or databases.
Your personal data may be transferred to:
|Recipients of Personal Data||Purpose|
|Specifically trained and authorized internal personnel, pursuant to Art. 29 of the GDPR||Operational management of the activity|
|Third-party companies that provide support services to the company’s activities, or to professionals with whom specific agreements have been signed pursuant to the Art. 28 of the GDPR||Support in managing activities|
|Bodies and/or Authorities possibly established by law||Regulatory obligation|
|Health Authority||Prevention of COVID-19 contagion|
Your personal data may also be communicated whenever necessary in order to comply with requests made by Judicial Authority or Public Safety bodies. The collected data will, in no circumstances, be disseminated. Personal data is not transferred to areas outside the EU, not even for the use of cloud services.
The table below contains indications of the retention times (i.e. determination criteria) of Personal Data:
|Purpose||Period of retention|
|Categories a), b) (contract)||For the entire duration of the relationship and thereafter for 10 years (ordinary limitation period)|
|Categories c) (PS communications)||Period prescribed by law|
|Categories d), e), f), g), h), i), service improvement||Immediately after the end of the service or stay|
|Categories d), e), f), g), h), i), satisfaction verification||Four years from collection, due to the likeliness of other future client relations with you, with the condition that you can modify and/or revoke your consent of such data at your own free will and at any time.|
|Categoria d), e), f), g), h), i), marketing||Four years from your last client relation with us, due to the likeliness of other future client relations with you, with the condition that you can modify and/or revoke your consent of such data at your own free will and at any time.|
|Category j)||14 days|
|Category k)||72 hours|
In any event, the data are retained for the period prescribed by the mandatory rules and regulations, when provided for.
You have the right to:
Right to oppose treatment of data. You have the right to request the interruption of processing your personal information:
You have the right to limit the treatment of personal data:
If we proceed to limit the processing of your personal data, as per your request, we will inform you before involving you again in such processing.
Data portability requests: You have the right to request us to provide your personal data to you or a third party designated by you in a commonly used electronic format. However, we inform you that the data portability rights only apply to personal data that we have obtained directly from you and only if our processing is performed automatically, based on consent or execution of a contract.
Sending requests: to exercise your right, as laid out in articles 15 and 22 of the GDPR and for all matters pertaining to the processing of personal data, you can send an email to firstname.lastname@example.org.
We will respond to all such requests within 30 days of receipt of the request, unless there are mitigating circumstances, in which case it may take up to 60 days to receive a response. We will inform you, however, if we foresee that more than 30 days are necessary to respond to your request. Nevertheless, some personal information might be excluded, in compliance with the currently applied data protection laws. Furthermore, we will not respond to any request unless we can adequately verify the applicant’s identity. When provided for by the regulations, you may be charged a reasonable amount for the subsequent copies of the data you are requesting.
Right of withdrawal of consent: As per Art. 7, Par. 3 of the GDPR, you have the right to withdraw your consent to any processing that we conduct exclusively on the basis of your consent (such as sending direct marketing materials to your personal email address). You can revoke your consent to marketing activities by following the instructions given in any marketing e-mail or by contacting us at email@example.com. Withdrawal of consent, however, does not prejudice the lawfulness of the treatment based on the consent made before the revocation.
Right to lodge a complaint with the supervisory authority: If, at any time, you feel your rights have been violated, you have the right to lodge a complaint to the Guarantor Authority to protect your personal data following the indications on their website at www.garanteprivacy.it.
Profiling and dissemination of data
Personal data are not subject to dissemination nor any type of fully automated decision systems including profiling.
The present Policy may be subject to variations. It is therefore advised to periodically check our privacy section at the following link: www.borgobrufa.it.
Regenerate body and mind in the temple of relaxation in Umbria! 1 night...Read more
Treat yourself to a luxury Italian dream trip. We have designed a...Read more
Treat yourself to a luxury Italian dream trip. We have designed a...Read more
The best way to relax is... Borgobrufa SPA Resort. 1 night mid-week starting...Read more