This page describes the personal data protection policies implemented by MDM S.r.l. for users who visit the website and, more in general, for data subjects who interact with The Pantheon Iconic Hotel for various reasons.
This information notice is provided pursuant to art. 13 of the EU General Data Protection Regulation no. 2016/679 (hereafter referred to as GDPR – General Data Protection Regulation), in particular for those who interact with the web services offered by Tridente group, accessible online through the following address: https://www.thepantheonhotel.com/
This information notice is based on Recommendation no. 2/2001 adopted on 17th May 2001 by the European personal data protection authorities, which met in the Group created by art. 29 of directive no. 95/46/EC. The purpose of this Recommendation was to identify a number of minimum requirements for the collection of personal data online and, in particular, the procedures, time frames and type of information that data controllers must provide to users when the latter visit webpages, regardless of why they visit them.
DATA CONTROLLER AND DATA PROCESSORS
When users-data subjects make a booking using The Pantheon Iconic Hotel website, the data that they insert shall belong to MDM. S.r.l.
MDM S.r.l. outsources a number of services to external service providers, meaning that your data may be sent to them. To guarantee that the information sent shall remain secure and confidential, these entities are appointed as Data Processors, pursuant to article 28 of the GDPR and shall be obliged to comply with the instructions issued by MDM S.r.l. For further information in this regard, please send an e-mail to: email@example.com
WHERE DATA IS PROCESSED
Data processing linked to the online services provided by this website is carried out at the headquarters of the data controller and of the data processors, by technical service personnel in charge of the processing.
Personal data provided by users who send requests for information shall only be used to provide the service requested, whereas certain data acquisition forms state that it may be possible for the data subject’s personal data to be sent to service providers in order to perform the contract and provide the services requested.
TYPES OF DATA PROCESSED
Data provided voluntarily by the user
As part of their standard operations, the IT systems and software procedures used to run this website acquire certain pieces of personal data, which must be transmitted in order to use internet communication protocols. This information is not collected to be associated with specific individuals, but could, for its very nature, allow the users to be identified if processed and associated with data held by third parties. This category of data includes the IP addresses or the domain names of the computers used by those visiting the website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to issue the request to the server, the size of the file received in response, the numerical code indicating the status of the reply given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s computing environment. This data is used for the sole purpose of gathering anonymous statistical information on the use of the website and to check that it is working properly, and is immediately cancelled after processing. Data could be used to establish responsibility in the case of potential computer crimes damaging the website: with the exception of this possibility, as things currently stand, web contact details are not kept for more than thirty days.
Cookies are small text files that websites may use to make the navigation experience more efficient for users. There are different types of cookies which, depending on their characteristics and functions, may remain on your device for a predefined amount of time (which may also last for years), defined as “persistent cookies”, or may be automatically cancelled when you close the browser, known as “session cookies”.
These cookies are technical and allow the website to work correctly. This category includes cookies that are essential for the website to work correctly and cookies that allow users to adjust their navigation experience based on their own choices (e.g. choice of language, etc.).
We also use technical cookies to keep track of the consent given by users regarding profiling cookies and third-party analytical cookies, in compliance with applicable legislation.
Use of permanent technical cookies or ‘session’ cookies (i.e. which are not stored on the user’s computer for longer than the browsing session and are eliminated when the browser is closed) is strictly limited to the technical provision of the service requested by the user and to sending session identification data (made up of random numbers generated by the server). This data is necessary to allow for safe and efficient browsing of the website and its applications.
The technical cookies used by this website avoid having to use other data processing technologies which may otherwise compromise the confidentiality of users’ navigation activities.
These cookies provide us with anonymous and aggregated data, helping us to understand how users interact with our website, as they give us information on the pages visited, the amount of time spent on the website, the type of platform used, the number of clicks made on a specific page, any malfunctions, etc.
Statistical cookies help website owners to understand how visitors interact with their websites by collecting and transferring information in anonymous format.
We use Google Analytics to collect and analyse anonymous information on how our website is used. We do this for statistical purposes without acquiring users’ personal details. Considering the way we use these cookies, they are similar to technical cookies for all intents and purposes, meaning that we do not require explicit consent from the data subject.
We do not use first-party or third-party profiling cookies.
|First-party technical cookies||FIRST-PARTY TECHNICAL COOKIES
First-party technical cookies are instrumental and essential for the website to work correctly.
In accordance with European legislation on cookies, we use a technical cookie to keep track of users’ consent regarding acceptance of third-party and profiling cookies.
|At the end of the navigation session||
|Google Analytics||THIRD-PARTY ANALYTICAL COOKIES
Google Analytics is an analysis tool provided by Google which helps website owners to understand how visitors interact with the content of their websites (pages visited, navigation times, etc.), providing useful statistics aimed at optimising and improving website navigation without personally identifying users.
This cookie is only used to collect information, in aggregated and anonymous format, on the number of users and how they visit the website.
We use this cookie in anonymous format, anonymising users’ IP addresses and not corresponding this information with third parties.
|_utma – 2 years_utmt – 10 minutes
_utmb – 30 minutes
_utmc – until the session is closed
_utmz – 6 months
_utmv – 2 years
Users may selectively disable the action of Google Analytics by installing the opt-out component provided by Google on their browser. To disable Google Analytics, please follow the link below:
|Google Tag Manager||THIRD-PARTY COOKIES
Tags are small portions of website code that allow us to analyse traffic and visitors’ behaviour, check the effectiveness of online advertising and social media, use remarketing and audience targeting and experiment with the website in order to optimise it.
|_dc_gtm_UA – At the end of the session||https://www.google.com/intl/it/tagmanager/|
Disabling cookies may lead to problems with website navigation or may stop you from using all the services available on the website (e.g. booking service, etc.). In order to remove cookies, we invite users to follow the instructions provided on the dedicated pages of the various browsers.
This website’s services are not destined for minors. We do not knowingly collect data, including personal data, belonging to minors. Should we become aware that we have collected the personal data of a minor, we will immediately eliminate it, unless we are legally obliged to retain said data. Users are kindly requested to contact us should they believe that the Hotel has mistakenly or involuntarily collected information relating to a minor.
Personal data is processed using automated tools for the time that is necessary to fulfil the purposes for which it has been collected. Specific security measures are respected in order to prevent the loss and unlawful or improper use of data and any unauthorised access.
PURPOSES AND LEGAL BASIS FOR PROCESSING AND NATURE OF DATA PROVISION
Personal data provided through the Website shall be processed by the data controller for the following purposes:
- purposes concerning the performance of a contract to which the data subject is party or to take the pre-contractual measures adopted at the data subject’s request (e.g. booking, signing-up to special offers, etc.). Consent not necessary;
- purposes linked to sending advertising and sales material via e-mail after the user has voluntarily signed-up to the Hotel’s newsletter. Requires the data subject’s explicit consent or the running of soft spam;
- research and statistical analysis purposes using anonymous, aggregated data, aimed at gauging how the website works, measuring traffic and assessing usability and levels of interest in order to make it more functional and improve performance; Consent not necessary as this does not constitute the processing of personal data
- purposes relating to compliance with laws and regulations; Consent not required
- Purposes necessary to ascertain, exercise or defend a right as part of judicial proceedings or whenever judicial authorities exercise their judicial functions. Consent not required
Data processed by us may include special categories of personal data, as defined by article 9 of the GDPR no. 2016/679, i.e. personal data regarding health conditions or religion (food allergies, services for disabled guests, menus ascribable to a specific religion, etc.) which you voluntarily provide in the Note section of the booking form.
This type of data will be processed guaranteeing suitable security measures, only for the data and operations that are necessary in order to fulfil pre-contractual obligations which the hotel undertakes in its sector of activity, in order to provide specific goods or services requested by the data subject.
Pursuant to article 9 of the GDPR no. 2016/679, we will nonetheless always ask for specific authorisation to process personal data, as we cannot know a priori if the data subject will voluntarily indicate data that falls under special categories of data on the personal data acquisition forms.
This information notice, drawn up in compliance with article 13 of EU Regulation no. 2016/679, may also be used by the data controller for any adverts published to search for personnel using websites or portals that the data controller does not manage directly. The Company shall process CVs received via e-mail or from third-party recruiters (publications on portals, etc.), in order to assess potential applications within the company or which may come up in the near future. Processing is carried out using electronic means, excluding any CVs received via normal post.
CVs considered “interesting” shall be stored at the headquarters and on the company’s database for no longer than eighteen months and shall be processed in full respect of the minimum security measures stated by article 32 of the GDPR no. 2016/679. CVs that are not considered relevant or those that have been stored for longer than eighteen months will be thrown away.
CVs will not be sent to unauthorised third-parties, excluding the hotels and companies belonging to the Tridente collection brand (www.tridentecollection.com). These CVs may be assessed by hotel employees or co-workers who have been appointed to be in charge of the processing (article 29 and 32, paragraph 4, of the GDPR no. 2016/679).
Candidates are nonetheless invited to respect the following rules when sending their CVs in electronic format:
- Complete your CV in the standard EU format;
- send your CV as a pdf file;
- avoid including special categories of personal data in your CV, as defined by article 9 of the GDPR no. 2016/679 (in particular, relating to your health or religious, philosophical or political beliefs), which do not concern the offer of employment in question;
- give your consent to the processing of sensitive data relating to the creation of an employment relationship (e.g. if you belong to a “protected category”).
The company reserves the right to discard any CVs that do not respect the aforementioned requirements.
The purpose of processing linked to the management of CVs only refers to activities that strictly refer to the assessment, recruitment or selection of personnel, with the objective of establishing contract work, fixed term or permanent employment, internships, or to allow the selected candidate to prepare their degree thesis at our offices.
TRANSFERRING PERSONAL DATA
Without prejudice to the provisions relating to cookies, under no circumstances will your personal data be transferred to other countries or international organisations. By using third-party cookies, data may also be processed outside of the EU by Google and companies that install third-party profiling cookies.
For further information and clarifications in this regard, please write to: firstname.lastname@example.org.
The data controller will only process data subjects’ personal data for the amount of time that is strictly necessary to fulfil the purposes indicated in this information notice.
By means of example but not limited to this case, the hotel will process personal data for the newsletter service until the data subject decides to cancel their name from said service, which they can do by simply clicking on the link provided in the e-mail received.
Without prejudice to the above, the data controller shall process your personal data for the amount of time permitted by Italian law to protect its own interests.
For further information on the retention period for personal data and the criteria used to calculate said period, please send a request to: email@example.com.
RIGHTS OF THE DATA SUBJECT
Data subjects have the right, at any time, to obtain confirmation regarding the existence of personal data concerning them and to be informed of its content and source, check its correctness or ask for it to be integrated or updated, or rectified (art. 15 – 22 GDPR no. 2016/679). Pursuant to the same articles, data subjects also have the right to ask for processed data to be cancelled or transformed into anonymous format, or for any data to be blocked that has been processed in violation of the law, as well as to object, in any case, on legitimate grounds, to its processing.
In compliance with Section III of the GDPR no. 2016/679, the data subject has the right to ask, at any time, to access his/her personal data, to rectify or cancel said data or to object to its processing or restrict processing, as well as to receive his/her data in a structured, commonly used and machine-readable format. The data subject also has the right to object to profiling and to lodge a complaint with the supervisory authority.
The data subject also has the right to withdraw consent, at any time, without affecting the lawfulness of processing based on consent before its withdrawal. For the complete and comprehensive list of data subjects’ rights, please refer to articles 15-22 of the GDPR no. 2016/679.
Any requests should be sent via e-mail to the address: firstname.lastname@example.org
UPDATES AND AMENDMENTS