Pursuant to article 13 of EU Regulation no. 2016/679 dated 27th April 2016 (GDPR), we hereby provide data subjects with information on the data processing that we carry out.
I – Data Controller
MDM S.r.l. is a company that has been working in the luxury hotel industry for years, guaranteeing excellent hospitality services and constantly pursuing top quality standards. When carrying out its activities, the company collects certain information about its guests and visitors who come into contact with the hotel.
The data controller is MDM S.r.l. (VAT no. 138903310051), in the person of its pro-tempore legal representative, with headquarters in Via di Santa Chiara, 4 – 00186 Rome.
II – Types of data collected
MDM S.r.l. collects your data in order to provide its services. Data is collected when you voluntarily disclose it upon arrival at the hotel, or through prior telephone/e-mail communications, or by navigating the hotel’s website and booking rooms, or through online platforms that offer booking services.
We collect different types of data, including all the information necessary to ensure you get the best level of service possible. To this end, we ask for our guests’ personal details, such as name, surname, address and postcode, as well as a copy of their identity document. We also collect your contact details, such as e-mail address, telephone and fax number, in order to be able to contact you and/or reply to any requests or requirements you may have, as well as data relating to your stay (duration, type of room, rate applied) and payment details (credit card number, expiry date and cardholder name). Depending on your specific needs, we may sometimes collect special categories of data, only if you voluntarily decide to provide said data (notifications of food allergies, or mobility problems, etc.). There are video cameras and surveillance systems in operation in our hotel, so you may be filmed by our system. Furthermore, any information that you voluntarily provide during your stay will also be collected (e.g. anniversaries and special occasions).
III – Recipients of personal data
MDM S.r.l. outsources certain services to external entities, meaning that your data may be sent to them. To guarantee that the information sent shall remain secure and confidential, these entities are appointed as Data Processors, pursuant to article 28 of the GDPR and shall be obliged to comply with the instructions issued by MDM S.r.l. with regard to the methods, purposes and security measures applicable to the data processing entrusted to them. Data processors manage bookings on behalf of MDM S.r.l., take care of the accounting of said bookings, offer web hosting services and archive company data in physical and cloud servers. With the exception of these cases, data shall not be disclosed nor handed over to anyone, unless we have explicit consent to share data with third parties, or if this is necessary to perform a service requested by the data subject or to respond to requests from judicial authorities or public security authorities.
You can ask the hotel’s management for the up-to-date list of external Data Processors.
IV – Purposes of the processing
The data we collect will be used for different purposes, first and foremost to fulfil the contractual obligation undertaken vis-à-vis our customers, and therefore to provide you with assistance before and after your booking or to reply to any questions you may ask, to process the payment relating to your stay and to send you the relative receipt, as well as to meet your particular needs and any requests to customise your stay. To guarantee security and surveillance of our hotel, video cameras have been installed, meaning that you may be filmed.
In order to comply with legal public security obligations, we send the identification data of the guests staying at our hotel to the Rome police headquarters. For tax and accounting purposes, we store details of the payment relative to your stay.
Only with your explicit consent to do so will we use the data collected to carry out promotional activities in line with the preferences that you have expressed, store your data in order to speed up the check-in process should you stay at our hotel in the future, or send you external communications.
In some cases, we may ask for your personal data in order to provide you with the services requested. If you do not provide us with the data requested, or you forbid us from collecting said information, then we may not be able to provide you with the services requested.
V – Legal basis for processing
Our data processing is justified by the fact that we are performing pre-contractual or contractual measures undertaken vis-à-vis our customers, as well as fulfilling the legally-required public security, law enforcement and tax obligations to which we are subject.
Should processing not fall under one of these categories, then it shall only be carried out if you voluntarily provide your data or provide your explicit consent to processing. In certain, limited cases, data may be processed based on the Data Controller’s legitimate interest (e.g. video surveillance or obtaining credit card details).
We may also process your data to ascertain, exercise or defend a right as part of judicial proceedings or whenever judicial authorities exercise their judicial functions.
VI – Processing methods
Your personal data shall be processed using paper and electronic tools and fully or partially automated methods. Specific security measures are respected in order to prevent the loss and unlawful or improper use of data and any unauthorised access. These refer to technical measures including, for example, back-up systems, anti-viruses and firewalls, and organisational measures which involve appointing MDM S.r.l. employees as individuals authorised to carry out data processing and disciplinary policies/job descriptions with which said individuals must comply. Regular checks are carried out into the effectiveness of the procedures and security protocols in place.
VII – Processing of sensitive data
Should you voluntarily provide “special” data (art. 9 of the GDPR), then said data will be processed in such a way as to guarantee the confidentiality, integrity, accuracy and security of the information contained therein.
VIII – Data retention period
We will only store your data for the amount of time that is necessary to provide the products and services requested, unless we have to store it for longer in order to comply with laws and regulations or to resolve disputes or judicial investigations. Should your data no longer be necessary for legal or regulatory requirements and the legal basis for processing is not based on consent, then MDM S.r.l. shall take reasonable measures to destroy said data or to convert it into permanently anonymous format.
Should the legal basis for processing be based on your consent or your voluntary provision of data, then the data in question will be stored until you withdraw your consent and, in any case, for no longer than three years.
Personal data from video surveillance will be stored for a maximum of 48 hours.
E-mails used for commercial purposes, with express prior consent, shall be sent until the data subject exercises their right to remove their name from the newsletter mailing list, which can be done directly from the e-mail received.
IX – Rights of the data subject
You may, at any time and using any means available, ask us for confirmation regarding the existence of data concerning you and, should said data exist, for its details; you may ask about the source of said data, how it is processed and for what purposes; you may ask for said data to be amended or eliminated and this request will be forwarded also to any third-parties who have received the data, and you also have the right to receive due notification in the cases referred to by art. 19 of the GDPR. Furthermore, you may exercise your right to restrict processing, to object to processing and to request data portability. For all data processing based on your consent, you may withdraw said consent at any time and without any formality. Should there be a data breach, we will notify you without undue delay. As data subjects, you also have the right to lodge a complaint with the supervisory authority.
For further information, observations or to exercise your rights, please contact us by writing to the address: firstname.lastname@example.org.
X – Transferring data to other countries
MDM S.r.l. ensures that personal data will only be transferred to other countries in accordance with the adequate guarantees provided for by the GDPR. Alternatively, data transfers will be based on a decision regarding adequacy or the Standard Model Clauses approved by the European Commission; should data be transferred to the USA, the Privacy Shield principles will be respected. Please contact the data controller for any further information or clarifications in this regard.