INFORMATION NOTICE ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
I. Introduction
In conducting its business activities, Welcome Hotel places utmost importance on the protection and security of personal data belonging to all individuals who interact with it (hereinafter referred to as "Data Subject" and/or "User"). To this end, it implements every suitable, adequate, and necessary security measure and procedure.
Believing strongly in the principles of transparency and fairness, this information notice aims to provide all interested parties with a comprehensive description of the methods and purposes for processing personal data in connection with the delivery of services and/or sale of goods (hereinafter collectively referred to as "Services"), in compliance with Regulation (EU) No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR").
II. Data Controller and Data Processor
The data controller is Welcome Hotel, located at Strada di Fondo Valle 30, registered at the Chamber of Commerce of Dogana with VAT number COE SM30465. For the purposes of this notice, it may be contacted via email at
info@welcomehotel.sm or by phone at +39 0549878302 (hereinafter "Data Controller").
The processing of personal data provided to the Data Controller for the use of the Booking Engine Service (hereinafter "Web Booking") will be conducted, on behalf of the Data Controller, by Passepartout S.p.A., a San Marino-based company focused on software development and related services, located in Dogana (ZIP 47891), Via Consiglio dei Sessanta no. 99, registered at the Companies Registry under no. 6210 since August 6, 2010, with an Economic Operator Code SM03473 and a share capital of approximately €2,800,000, and reachable at
privacy@passepartout.sm or at +39 800 414243 (hereinafter also "Passepartout" and/or "Data Processor").
Passepartout S.p.A. has appointed (i) Paci Rappresentante Privacy Srl, registered with the Chamber of Commerce of Romagna with a share capital of €10,000 and located in Rimini, P.tta Gregorio da Rimini no. 1, as its EU representative in accordance with Article 27 of the GDPR, and reachable at
passepartout@pacirappresentanteprivacy.eu or at +39 0541 902128 (hereinafter "Representative"); and (ii) a data protection officer (DPO), reachable at
rpd.privacy@passepartout.sm or +39 800 414243.
III. Personal Data
Personal data refers to any information concerning an identified or identifiable natural person, including, for example, name, ID details, physical identity, physiological, genetic, economic, cultural, or social identity, as well as identification details regarding the person’s location.
The personal data described above are mainly processed when the Data Subject uses the Services and/or Web Booking.
Providing other types of personal data is optional but may be necessary for utilizing the Services and/or Web Booking, such as data required for making offers, purchasing, or selling, which are needed to complete a contractual transaction.
Personal data may be provided directly by the Data Subject and/or acquired automatically via devices when using the Services and/or Web Booking, submitting data through a web form on our sites, creating and/or updating an account, contacting us by any means, or providing explicit consent.
IV. Types and Categories of Data Processed
Among the personal data described above, and for the provision of Web Booking, the Data Controller (or, on its behalf, the Data Processor) collects only the following types:
a) Identification details: name, surname, date and place of birth, residence, tax code, VAT number, ISS code, phone number, email (including certified email), username, password, gender, or other data required or authorized by law to authenticate or identify the User, verify provided and collected information;
b) IP address and browsing data, as well as data regarding the User's interaction with the Services and/or Web Booking, such as page views, searches, account creation or login, and data concerning devices or computers used, including browser type, unique device code, language, operating system, referring webpage, visited pages, location, and cookie data;
c) Offer, purchase, or sale data related to pre-contractual negotiations and subsequent fulfillment, and any data provided in relation to these operations;
d) Billing data (and shipping if necessary) related to the Services and/or Web Booking;
e) Financial data, as some Services and/or Web Booking support payments and transactions with third parties. Identification data and payment method details, such as name, surname, credit/debit card number, and card expiration date, may be required. These details, if collected by the Data Processor, will be stored in encrypted form, and only the last four digits of the card may be retained for faster future transactions;
f) Geolocation data, especially when using mobile devices;
g) Cookies and similar technologies. Passepartout uses unique identifiers and similar technologies to collect data on visited pages and links and other actions, within advertising content or email, according to the terms, methods, and conditions set out in the applicable policy.
h) Processing of special categories of personal data (so-called sensitive data): No special categories of personal data are collected or processed, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or data concerning health or a person's sex life or sexual orientation.
V. Purposes and Methods of Data Processing
The personal data collected are processed solely for the following purposes:
a) Fulfilling contracts for the Services and/or Web Booking, including related activities, such as administration and accounting, tax compliance, payments, and invoicing;
b) Ensuring the security of both received personal data and adopted security systems;
c) Communicating with the Data Subject.
The data may be used to contact the User for purposes covered in this notice and required by law, via email (including certified), phone, SMS, regular mail, and push notifications on mobile devices;
d) Conducting marketing activities with the User's explicit consent. Personal information may be used to promote new products or services that may interest the User.
The data will be processed in compliance with GDPR, using manual or automated systems to store, manage, and transmit the data (both in paper and electronic format) solely for the purposes indicated here. Access to the collected personal data will be granted only to duly authorized personnel.
VI. Legal Basis for Data Processing
The legal bases for processing personal data may include:
1. The contracts established or to be established with the Data Subjects for the use of the Services;
2. The Data Subject’s consent, which may be revoked as outlined in paragraph X, letter a);
3. Our legitimate interests, such as fraud prevention, direct marketing, service improvement, and data protection.
VII. Data Processor
As mentioned in Section II, Passepartout will process only the personal data provided to the Data Controller for the use of Web Booking, in compliance with the GDPR guarantees (per Article 46) for data transfers to non-EU countries.
VIII. Information Sharing with Third Parties
Personal data may be shared with third parties in the following cases:
1. Data Subject's consent: The Data Subject may authorize us to share (or disclose) their data with third parties;
2. Processing by external entities: Personal data may be shared with affiliated entities, service providers, and business partners as per instructions given (e.g., customer support, IT services, payment and sales management, marketing, data analysis, research);
3. Justice, legal, or protective requirements. Data may be retained or disclosed as necessary to fulfill legal requirements.
IX. Data Retention Period
The retention period is determined by the purpose or legal basis for processing. Personal data for contract execution will be retained as needed to fulfill the contract and related obligations, with a maximum retention of ten years post-Web Booking termination. For marketing purposes, data is retained until consent is revoked.
X. Rights of the Data Subject
Under GDPR, Data Subjects can exercise the following rights:
a) Right of access, rectification, data erasure, restriction, and objection to data use, and right to withdraw consent.