This page describes how to manage the site with reference to the processing of personal data of users who consult it. This is an information that is also provided pursuant to art. 13 of EU Regulation 2016/679 applicable from 25 May 2018 – General Regulation for the Protection of Personal Data (hereinafter referred to as GDPR) to those who interact with the web services of the Relais Osteria dell’Orcia accessible electronically starting from address: http://www.osteriadellorcia.com

The information is provided only for the site http://www.osteriadellorcia.com and not for other websites that may be consulted by the user via links and complies with Recommendation no. 2/2001 relating to the minimum requirements for online data collection in the European Union, adopted on 17 May 2001 by the Article 29 Working Group.
The information is also based on Directive 2009/136 / EC of 25 November 2009 and the General Provision of the Guarantor for the Protection of Personal Data “Identification of simplified procedures for information and the acquisition of consent for the use of cookies” of 8 May 2014.

Privacy Policy
Holder of the treatment
Pursuant to art. 4 point 7 of the GDPR 2016/679, the Data Controller is the company ORCIA OSPITALITA ’S.r.l. based in Via Case Sparse – Pod. Osteria 15 – 53023 Castiglione D’Orcia (SI).

Responsible for the treatment
Pursuant to art. 28 of the GDPR 2016/679, the data processor for reservations through the website in question is the company ORCIA OSPITALITA ’S.r.l. based in Via Case Sparse Podere Osteria, 15 – 53023 Castiglione D’Orcia (SI).

Place of data processing
The treatments connected to the web services of this site take place at the headquarters of the owner and the data processor. No data deriving from the web service is communicated to third parties or disseminated.
Using third-party cookies, the treatments can also take place outside the European community by Google and the companies that install third-party cookies. In this regard, please refer to the relevant Cookie Policy reported in this document.

Types of data processed
Navigation data
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified interested parties, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s computer environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning and are deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site: except for this possibility, the data on web contacts do not currently persist for more than thirty days.
Data provided voluntarily by the user
The optional, explicit and voluntary sending of e-mails to the addresses indicated on this site entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the message.
The interested party is sent to view this privacy policy when completing the data acquisition forms on the site.

Processing methods
Personal data are processed with automated tools for the time necessary to achieve the purposes for which they were collected. Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.

Purpose, legal basis and nature of the provision
The Personal Data you provide through the Site will be processed by ORCIA OSPITALITA ’S.r.l. for the following purposes:
a) purposes related to the execution of a contract of which the interested party is a party or to the execution of pre-contractual measures adopted at his request by making a reservation. Consent Not required. The legal basis is based on Article 6 par. 1 letter b) of the GDPR 2016/679 or the processing is necessary for the execution of a contract of which the interested party is a party or for the execution of pre-contractual measures adopted at the request of the same;
b) purposes related to the execution of a contract of which the interested party is a party or to the execution of pre-contractual measures adopted at his request by making a request for information regarding the special offers presented on the site. Consent Not required. The legal basis is based on Article 6 par. 1 letter b) of the GDPR 2016/679 or the processing is necessary for the execution of a contract of which the interested party is a party or for the execution of pre-contractual measures adopted at the request of the same;
c) purposes related to sending promotional and commercial material via email after registering for the Relais newsletter. Consent Required. The legal basis is based on the explicit consent of the interested party pursuant to Article 6 paragraph 1 letter. a) of the GDPR 2016/679;
d) profiling purposes through third-party cookies; Consent required as per Cookie Policy. The legal basis is based on art. 6 par. 1 letter a) of the GDPR 2016/679 in compliance with directive 2009/136 / EC of 25 November 2009;

e) statistical research and analysis on anonymous aggregate data, aimed at measuring the functioning of the Site, measuring traffic and evaluating usability and interest to make it more functional and performing; Consent not necessary as the processing of personal data is not configured
f) purposes related to compliance with laws and regulations; Consent Not Required The legal basis is based on Article 6 par. 1 letter c) of the GDPR 2016/679;
g) purposes necessary to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their judicial functions. Consent Not Required The legal basis is based on Article 6 par. 1 letter f) of the GDPR 2016/679 or the processing is necessary for the pursuit of a legitimate interest of the owner;

Transfers of personal data to third countries or international organizations
Some of the personal data of the interested party are transferred to Recipients who are located outside the European Community. The Data Controller and the Data Processor ensure that the electronic and paper processing of your Personal Data by the Recipients takes place in compliance with the Applicable Law which has a legal scope of applicability outside the EU.
Otherwise, the transfers are based alternatively on an adequacy decision or on the Standard Model Clauses approved by the European Commission as well as in compliance with the principles of the Privacy Shield in case of transfers to the USA.

Areas of communication of personal data
The personal data acquired through the website in question may be disclosed to:
• persons authorized to process the company Orcia Ospitalità S.r.l .;
• Athena Solutions S.r.l. based in Via Rovereto, 6 – 00198 Rome for online booking activities as an external manager;
• to Public Bodies or Offices according to legal and / or contractual obligations;
• to credit recovery companies and banking institutions for the management of receipts and payments deriving from the execution of the stay;
• to any consultants and external companies specifically appointed to carry out tax and tax consultancy on our behalf;
• to collaborators or service providers when the communication is necessary for the use by the interested party of the hotel services;
• third-party companies that install profiling cookies.
From the data controller it is possible to request the updated list of external managers appointed pursuant to art. 28 of the GDPR 2016/679.

Data retention
ORCIA OSPITALITA ‘S.r.l. will process the user’s personal data for the time strictly necessary to achieve the purposes indicated in this statement and up to the time allowed by Italian law to protect their interests (Article 2947 (1) (3) of the Italian Civil Code).
The user will remain registered in the company’s newsletter until they exercise the right of cancellation which can be exercised simply with a simple click directly from the email received.

Automated treatments
ORCIA OSPITALITA ‘S.r.l. does not carry out treatments based on an automated decision-making process, including profiling that produce legal effects or that can significantly affect your person. For details of any profiling cookies used by the external manager of the online booking platform integrated into the Relais site and their interaction with the social tools, consult the third party’s Cookie Policy.

Rights of interested parties
The user can freely exercise the rights referred to in Articles 15 et seq of the GDPR 2016/679, namely:
• withdraw consent at any time. The User can revoke the consent to the processing of their Personal Data previously expressed;
• oppose the processing of their data. The user can oppose the processing of their data when it occurs on a legal basis other than consent;
• access their data. The user has the right to obtain information on the data processed by the owner, on certain aspects of the processing and to receive a copy of the data processed;
• verify and ask for rectification. The User can verify the correctness of their Data and request its updating or correction;
• obtain the treatment limitation. When certain conditions are met, the User may request the limitation of the processing of their Data. In this case the Data Controller will not process the Data for any other purpose other than their conservation;
• obtain the cancellation or removal of their Personal Data. When certain conditions are met, the User can request the cancellation of their data by the Owner;
• receive their data or have it transferred to another owner. The User has the right to receive his / her Data in a structured format, commonly used and readable by an automatic device and, where technically feasible, to obtain its unhindered transfer to another owner. This provision is applicable when the Data is processed with automated tools and the processing is based on the User’s consent, on a contract to which the User is a party or on contractual measures connected to it;
• propose a complaint. The User can lodge a complaint with the competent personal data protection supervisory authority or act in court.

How to exercise your rights
To exercise the above rights, the interested party can contact the data controller by writing to the email address: privacy@osteriadellorcia.com