Privacy Policy

   In accordance with Regulation (EU) 2016/679 (“GDPR”) articles 13 and 14  


Information on the processing of personal data in the context of the Covid-19 epidemiological emergency



The purpose of this document (“Policy“) is to provide you with information regarding the processing of data provided by you to BORGO BRUFA SRL and is provided pursuant to EU Regulation no. 679/2016 (“GDPR“).


  1. Who is the Data Controller and how can he/she be contacted? The data controller is: Borgo Brufa srl, legally represented by Andrea Sfascia, and with legal offices in Torgiano, via del Colle 38, 06089. Contact details are as follows: telephone 0759883; e-mail; certified e-mail


  1. How do we collect personal information?

If you contact us directly, for example, through our websites, via e-mail or by telephone through our direct phone line with the intention of receiving information regarding our services.

If you purchase one of our services, for example, through our websites.

If you respond to our marketing campaigns, for example, by filling out a response form, or by entering personal data on one of our websites.

If your contact details are communicated to us by a third party with your consent.

If business partners legitimately transfer your personal data to us.

If you participate in an event organized by us.

If you provide personal data on behalf of someone else, it is your responsibility, before you do so, to ensure that you and the person in question have read this Privacy Statement. If the person is under 18, please do not provide us with any personal information.


  1. What data categories of personal data do we collect?

The following categories of personal data concerning you may be collected through the various services and contact channels described in this Privacy Policy:


  1. Contact details – information regarding name, address, telephone number and email address.
  2. Payment details – Information related to your chosen payment method, such as credit card number, debit card, IBAN ID, etc.
  3. Complete identification data – information relating to your identity deriving from the identity documents required by law such as identity card, passport, driving license, etc.
  4. Interest and preferences – information that you provide us regarding your interests, including the type of hotel treatment you prefer (such as your telephone availability while at the facility, your preferred time for meals or beauty treatments, etc.) or the types of additional services you are interested in relating to the restaurant, the wellness center and the beauty treatments we provide.
  5. Other personal data – information that you provide us regarding your date of birth, education or professional profile for the sole purpose of personalizing the service.
  6. Use of Website – information relating to the way in which you use our website, read or forward our communications, including information collected through cookies and other tracking technologies.
  7. Your account details – information related to your account on our website.
  8. Images – images of you captured in photos taken and/or videos made at events organized by us at our venue.
  9. Data relating to your state of health or other data belonging to specific categories – information that you provide us regarding any physical conditions you might have (e.g. food allergies or other ailments) for the sole purpose of enabling you to better benefit from our services, such as personalized meals, or to have the opportunity of enjoying the services of the wellness center or beauty treatments in the most serene and safe manner possible.
  10. Self-certification acknowledging situations at risk of COVID-19 infection including data related to the state of health (body temperature\flu symptoms), stating that you have not come from a high risk areas, and that you have not been in contact with COVID-19 positive individuals over the past 14 days.
  11. Images taken by video surveillance system – images captured by our video surveillance system that might occasionally show you.


Therefore, within the limits of the purposes and methods described in this Policy, information that may be considered “Common personal data“, including your personal details, contact details (such as, mobile phone number, e-mail address), and “Specific personal data” related to your physical health and defined in art. 9 of the GDPR may be processed.

For ease of reference, within the present Policy, the term “Personal Data” shall be understood as a reference to all your personal data, unless otherwise specified.


  1. What are the purposes and legal requirements for processing your personal data (purposes and legal basis for processing)?


Personal Data collected will be processed for the purposes and on the basis of the following legal bases:






Legal basis for processing


Categories a), b) (when relevant): for the management of your contractual relationship, that is, to execute pre-contractual measures (such as requests for information or estimates, services provided). In this case, you are free to provide your data; however, failure to provide it will not allow you to establish the aforementioned relationship to satisfy your request. The treatment is necessary in relation to the execution of a contract of which you are a party
Category c): for communications required by public safety standards (PS communication). Failure to provide this data implies the inability to provide hospitality service in your favor. The treatment is necessary due to a legal obligation
Categories d), e), f), g), h) and i) are subject to your specific consent for the personalization and improvement of service with specific reference to food and beverage, the wellness center and beauty treatments. The lack of data communication does not prevent the service, but it does prevent the personalization and improvement of such.  

Your consent

Categories d), e), f), g), h) are subject to your specific consent for the completion (and subsequent use) of surveys, as well as to contact you, via the contact details provided, in order to verify the quality of service rendered  you and your degree of satisfaction. These activities will, however, be brief and limited, in the spirit of discretion of our facility (along with the “satisfaction verification”). Failure to give consent prevents us from knowing your degree of satisfaction.  

Your consent

Categories a), d), e) are subject to your specific consent, in order to send you reminders and promotional offers; communication relating to events organized by the title holder or his business partners (along with “marketing purposes”). These activities will, in any case, be brief and limited, within the spirit of discretion of our structure. Failure to give consent prevents us from being able to contact you about our initiatives.  

Your consent

Category j) Self-certification acknowledging situations at risk of COVID-19 infection Purpose of public interest

The processing of personal data provided is legitimate in order to fulfil a task of public interest (Article 6 paragraph 1, letter e of the GDPR) and for reasons of public interest in the public health sector (Article 9, paragraph 2, letter i of the GDPR) as part of the implementation of anti-contagion safety protocols (“Shared protocol for regulating measures to combat and contain the spread of the Covid-19 virus in the workplace, dated 24 April 2020”)

Category k) Images taken by video surveillance system Pursuit of the legitimate interest of the Data Controller, aimed at safeguarding corporate assets (Article 6, paragraph 1, letter f of the GDPR (“…processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail”). In the event of a request to make the images available by the judicial or police authorities, the legal basis and Article 6, paragraph 1, letter c of the GDPR (“…processing is necessary to fulfill an obligation to which the data controller is subject”).



  1. How is your personal data processed?

Personal Data will be processed using manual, computerized or telematic tools, appropriate to guarantee security and confidentiality, and will be carried out by personnel duly trained in the compliancy rules of the applicable regulations.

In addition to cases in which it is necessary to contact you for requirements related to the management of your stay with us, where you give consent to the processing of your data for the purposes referred to in point 3, you may be contacted by e-mail, text message (or any equivalent electronic instrument), or postal service or you may be called by an operator at any of the contact details provided. If you prefer to be contacted via only one or some of these contacts, you may specify such in writing to the following e-mail address:

If you express your consent in relation to the purposes set out in point 3, your personal data will be made visible and stored in a Customer Relationship Management (CRM) database, and may also be stored in one or more designated company archives or databases.


  1. To whom do we communicate your data?

Your personal data may be transferred to:


Recipients of Personal Data Purpose
Specifically trained and authorized internal personnel, pursuant to Art. 29 of the GDPR Operational management of the activity
Third-party companies that provide support services to the company’s activities, or to professionals with whom specific agreements have been signed pursuant to the Art. 28 of the GDPR Support in managing activities
Bodies and/or Authorities possibly established by law Regulatory obligation
Health Authority Prevention of COVID-19 contagion

Your personal data may also be communicated whenever necessary in order to comply with requests made by Judicial Authority or Public Safety bodies. The collected data will, in no circumstances, be disseminated. Personal data is not transferred to areas outside the EU, not even for the use of cloud services.


  1. Data retention period (determination criteria).

The table below contains indications of the retention times (i.e. determination criteria) of Personal Data:


Purpose Period of retention
Categories a), b) (contract) For the entire duration of the relationship and thereafter for 10 years (ordinary limitation period)
Categories c) (PS communications)  Period prescribed by law
Categories d), e), f), g), h), i), service improvement  Immediately after the end of the service or stay
Categories d), e), f), g), h), i), satisfaction verification Four years from collection, due to the likeliness of other future client relations with you, with the condition that you can modify and/or revoke your consent of such data at your own free will and at any time.
Categoria d), e), f), g), h), i), marketing Four years from your last client relation with us, due to the likeliness of other future client relations with you, with the condition that you can modify and/or revoke your consent of such data at your own free will and at any time.
Category j) 14 days
Category k) 72 hours


In any event, the data are retained for the period prescribed by the mandatory rules and regulations, when provided for.


  1. What are your rights?

You have the right to:

  • ask us to confirm if we are processing your personal data
  • receive information on how we process your data
  • obtain a copy of your personal data
  • request us to update or correct your personal data
  • ask us to delete personal data in certain circumstances


Right to oppose treatment of data. You have the right to request the interruption of processing your personal information:

  • for marketing activities
  • statistical purposes
  • where such processing is based on our legitimate business interests, unless we are able to demonstrate a legitimately grounded reason for such processing, or if the processing of your personal information is necessary to ascertain, exercise or defend a right in court.


You have the right to limit the treatment of personal data:

  • when evaluating or taking steps to respond to your request to update or correct your personal information
  • where such treatment is contrary to the law and you do not wish your data to be eliminated
  • if they are no longer requested or needed by us, but we wish to keep the data to ascertain, exercise or defend a right in court
  • if you have submitted an opposition to the processing on the basis of our legitimate business interests and are awaiting our response to this request.

If we proceed to limit the processing of your personal data, as per your request, we will inform you before involving you again in such processing.


Data portability requests: You have the right to request us to provide your personal data to you or a third party designated by you in a commonly used electronic format. However, we inform you that the data portability rights only apply to personal data that we have obtained directly from you and only if our processing is performed automatically, based on consent or execution of a contract.


Protection method

Sending requests: to exercise your right, as laid out in articles 15 and 22 of the GDPR and for all matters pertaining to the processing of personal data, you can send an email to
We will respond to all such requests within 30 days of receipt of the request, unless there are mitigating circumstances, in which case it may take up to 60 days to receive a response. We will inform you, however, if we foresee that more than 30 days are necessary to respond to your request. Nevertheless, some personal information might be excluded, in compliance with the currently applied data protection laws. Furthermore, we will not respond to any request unless we can adequately verify the applicant’s identity. When provided for by the regulations, you may be charged a reasonable amount for the subsequent copies of the data you are requesting.


Right of withdrawal of consent: As per Art. 7, Par. 3 of the GDPR, you have the right to withdraw your consent to any processing that we conduct exclusively on the basis of your consent (such as sending direct marketing materials to your personal email address). You can revoke your consent to marketing activities by following the instructions given in any marketing e-mail or by contacting us at Withdrawal of consent, however, does not prejudice the lawfulness of the treatment based on the consent made before the revocation.


Right to lodge a complaint with the supervisory authority: If, at any time, you feel your rights have been violated, you have the right to lodge a complaint to the Guarantor Authority to protect your personal data following the indications on their website at


Profiling and dissemination of data

Personal data are not subject to dissemination nor any type of fully automated decision systems including profiling.


The present Policy may be subject to variations. It is therefore advised to periodically check our privacy section at the following link:


Info & reservation

Make your reservation

Book your stay

Do you need more information?

Ask for information