Data Protection Policy

Personal data protection information Art. 13 of Reg. 679/2016/EU

Pursuant to Article 13 of Reg.679/2016/EU "General Data Protection Regulation" hereinafter referred to as the "Regulation", the SOCIETÀ ITALIANA TURISMO E ALBERGHI S.r.l. with registered office and operational headquarters at Hotel STENDHAL in via del Tritone, 113 - 00153 Rome, as Data Controller is required to provide certain information regarding the processing of personal data carried out within the domain https://www.hotelstendhalrome.com/it/

I. DEFINITIONS

For the purposes of this notice

1) "personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

2) "Processing" shall mean any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3) "restriction of processing" means the marking of personal data stored with the aim of limiting their processing in the future;

4) 'controller' shall mean the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to its designation may be established by Union or Member State law;

5) 'controller' means the natural or legal person, public authority, service or other body which processes personal data on behalf of the controller;

6) 'recipient' means the natural or legal person, public authority, agency or other body receiving communication of personal data, whether a third party or not. However, public authorities that may receive communication of personal data in the context of a specific investigation in accordance with Union or Member State law are not considered recipients; the processing of such data by those public authorities is in accordance with the applicable data protection rules according to the purposes of the processing;

7) "Consent of the data subject' shall mean any freely given, specific, informed and unambiguous indication of the data subject's wishes, whereby the data subject indicates his consent, by way of a statement or unambiguous affirmative action, to personal data relating to him being processed;

8) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed;

10) "Health-related data' means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about that person's state of health;

11) "processor": the natural person authorised to carry out processing operations by the controller or processor;

12) "Domain" means the domain, accessible via the world wide web service of the Internet, consisting of the data, applications, for the transmission and possible collection of information.

II. NATURE OF THE DATA PROCESSED

The following personal data may be processed: name, surname, place and date of birth, document number, telephone number, email address and any other data necessary for transit in our facility, in relation to which you will be asked for your consent to processing, where required by the Regulations. At any time you may express your rights as set out in Section XI

Depending on the service requested, the following data may be processed:

- Personal (formerly common): name, surname, date and place of birth, telephone number, email address, address, tax code and others that may be necessary for which you will be asked for your consent, if not already required by law;

- Particular (formerly sensitive): health-related data to meet your dietary needs. No green pass data will be retained (qr code and green pass expiry date).

III. PURPOSE OF PROCESSING

Personal and special data will be processed, no longer than necessary, for:

1) the management of the relationship with the Company: specifically, in order to design and deliver customised services, provided or envisaged;

2) purposes strictly connected and instrumental to the management of the aforementioned relationship (e.g. for the acquisition of pre-contractual information in order to design and correctly dimension the service provided and to execute services and operations, as contractually agreed);

3) purposes of analysing the information obtained with a view to proposing, by means of promotional information, including telematic information, goods and services considered to be of interest to you, always subject to your specific consent);

4) purposes relating to monitoring the performance of customer and supplier relations and services contractualised;

5) manage files and claims involving your guests or customers or patients and the like;

6) purposes connected with legal obligations and instructions from the authorities or supervisory bodies;

7) comply with what is required by law.

IV. DATA PROCESSING METHODS

In relation to the aforementioned purposes, the data you provide electronically by filling in the forms provided on our website will be subject to computer and paper processing and processed by special computer procedures in order to customise the services that the Company is able to offer you.

The data will be processed in such a way as to guarantee its logical and physical security and confidentiality, and may be processed by means of manual, computerised tools for storing, transmitting and sharing the data with our appointees.

The logic of the processing will be strictly related to the illustrated purposes, in particular, your data subject to all contractual processing will be stored and/or processed by means of special computer procedures:

- by the company units in charge of managing the activities referred to above, or authorised to carry out those necessary for the maintenance and/or execution and/or conclusion of the relationship established with you;

- by natural or legal persons who, under contract with the Company, provide specific processing services or carry out activities connected with, instrumental to or in support of those of the Company itself.

The data will be processed mainly by manual, electronic, computerised and telematic means with logic strictly related to the purposes indicated above and will be stored both on computerised and paper supports and on any other suitable support, in compliance with the security measures pursuant to Articles 32 and 35 of the Regulation.

V. DATA RETENTION TIME

Your data will be kept for the period prescribed by the regulations in force and, in any case, until the purposes indicated above are achieved, and then they will be deleted. With your explicit consent, your data may be kept for a maximum period of 5 years from your last visit for a more rapid reception at our facility. If you have not expressed your wish to be kept up-to-date on the activities of the facility, your data will be kept for the time strictly necessary for accounting balance checks.

VI. COMPULSORY OR OPTIONAL NATURE OF PROVIDING DATA

Some of your data must by law be communicated to third parties (e.g. Public Security) even without your express consent. Other of your data will or may be communicated, subject to your express consent in accordance with the law, to third parties. The provision of such data is not compulsory, but it is indispensable for the correct fulfilment of pre- contractual or contractual obligations, and in general to carry out all the fulfilments required by law. Any refusal to provide your personal data, or to give your consent to their processing or communication to subjects belonging to the aforementioned categories, will result in difficulties in the performance of any contractual relations between you and our Company, as well as in the use of the services connected thereto, and we may therefore be prevented from accepting you.

VII. COMMUNICATION OF DATA

Primarily, your data will be transmitted to:

1) Banks in charge of settling payments according to the agreed terms;

2) Insurance institutions for the settlement of any claims;

3) Authorised bodies or organisations for the fulfilment of the relevant obligations within the limits of the law;

4) Organisations that are part of the group to improve the quality of the services that the company is able to offer;

5) Natural or legal persons who, by virtue of a contract with the Company, provide specific processing services or carry out activities connected with, instrumental to or in support of those of the Company itself.

Our website contains hyperlinks constituting communication to other domains; however, the Company is not liable for any data protection violations carried out to your detriment by other sites that may have fraudulently cloned our website or fail to comply with the requirements of EU Regulation 2016/679.

VIII. RIGHTS OF THE DATA SUBJECT

Finally, we inform you of Rules 15 to 21, the text of which is reproduced in full in the annex, confer on the persons concerned the exercise of specific rights.

In particular, you may obtain from the Company confirmation of the existence or non-existence of your personal data and their provision

available in an intelligible form.

You may also request to know the origin of the data, as well as the logic and purposes on which the processing is based; you may also obtain modifications or cancellation of the processing.

IX. DATA CONTROLLER

The data controller is the SOCIETÀ ITALIANA TURISMO E ALBERGHI S.r.l. with registered office and operational headquarters at Hotel STENDHAL in via del Tritone, 113 - 00153 Roma. The list of External Companies responsible for particular processing operations will be kept updated and will be sent to you upon specific request. It will also be made available at the relevant offices of the Company.

X. SUBJECTS TO WHOM PERSONAL DATA MAY BE DISCLOSED

Personal data relating to the processing in question may be disclosed:

accounting companies, insurance companies; service companies including those for information technology for communication via the Internet; service companies including those for car rental, airline reservations, entertainment, etc. to enable the performance of services requested by the customer, for archiving procedures, for printing correspondence and for handling incoming and outgoing mail; companies in charge of fraud control, debt collection and the detection of credit and insolvency risks, to public administrations, in accordance with the law.

Without the data subject's consent to the communication of data to the aforementioned companies and to the related processing, the Company will only be able to carry out those operations and services that do not require consent because it is already implicit and authorised by law. No data will be transmitted either externally or to non-EU entities.

XI. CHANGES TO DATA PROCESSING

You are entitled at any time to revoke your consent to the processing of your data by activating the cancellation procedure or to change the processing. Obviously, cases of cancellation may result in the termination of the contract and services if they are in place.

If you wish the processing of your data to be changed, you can send an e-mail to privacy@hotelstendhal.com accompanied by a photocopy of your identity document, which will be immediately destroyed, with the following text: 'cancellation/limitation/rectification/opposition of consent to the processing of all (or say which) of my personal data'.

XII. DATA CONTROLLERS

The updated list of persons responsible for specific processing operations mentioned above is at your disposal at the relevant offices of the Company.

XIII. DATA PROTECTION OFFICER - RPD (DATA PROTECTION OFFICER - DPO)

The company has appointed Mr. Luca Lestingi as DPO/DPO (Data Protection Officer). Any report of a violation of the data subject's rights may be communicated in Italian or English to privacy@hotelstendhal.com.

XIV. CONTACTS

If you would like more information on the processing of your personal data, or if you would like to report a problem or lodge a complaint, you can send an email to privacy@hotelstendhal.com. You can also contact us at the same address or by telephone on +39 06 58611 for answers regarding the handling of information from

part of the Company. Before providing answers, we will need to verify your identity and answer a few questions. A reply from us will be provided as soon as possible.

Rome, 26.09.2022

Reg.679/2016/EU

Article 4 - Definitions

For the purposes of these regulations

1) "personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

2) "processing" means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; [ ... ]

(11) 'the data subject's consent' means any freely given specific, informed and unambiguous indication of his or her wishes by which the data subject indicates his or her agreement, by way of a statement or unambiguous affirmative action, that personal data relating to him or her should be processed; [ ... ]

Article 6 - Lawfulness of processing

1. Processing is lawful only if and to the extent that at least one of the following conditions is met:

a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre- contractual measures

adopted at its request;

c) processing is necessary to comply with a legal obligation to which the data controller is subject;

d) processing is necessary for the protection of the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of pursuing the legitimate interests of the controller or a third party, provided that the interests or the fundamental rights and freedoms of the data subject requiring the protection of personal data are not overridden, in particular where the data subject is a child. [ ... ]

Article 13 - Information to be provided when personal data are collected from the data subject

1. Where data relating to a data subject are collected from that data subject, the controller shall provide the data subject, at the time of

from which personal data are obtained, the following information:

a) the identity and contact details of the data controller and, where applicable, its representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended and the legal basis of the processing;

d) where the processing is based on Article 6(1)(f ), the legitimate interests pursued by the controller or by third parties;

e) the possible recipients or categories of recipients of the personal data;

(f ) where applicable, the intention of the data controller to transfer personal data to a third country or an international organisation and the existence or absence of an adequacy decision by the Commission or, in case of transfers pursuant to Article 46 or 47 or to the second paragraph of Article 49, the reference to appropriate or adequate safeguards and the means for obtaining a copy of those data or the place where they have been made available.

2. In addition to the information referred to in paragraph 1, at the time the personal data are obtained, the controller shall provides the data subject with the following additional information necessary to ensure fair and transparent processing:

a) the period of retention of personal data or, if this is not possible, the criteria used to determine that period;

b) the existence of the data subject's right to request from the data controller access to and rectification or erasure of personal data or restriction of processing concerning him or her or to object to the processing of personal data, as well as the right to data portability;

c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on consent given before the withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) whether the provision of personal data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract, and whether the data subject is under an obligation to provide the personal data, as well as the possible consequences of failure to provide such data;

f) the existence of an automated decision-making process, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic used, as well as the importance of such processing for the data subject and the envisaged consequences thereof.

3. Where the controller intends to further process personal data for a purpose other than that for which they were collected, it shall provide the data subject with information on that other purpose and any further relevant information referred to in paragraph 2 prior to such further processing.

4. Paragraphs 1, 2 and 3 do not apply if and to the extent that the information is already available to the person concerned.

Article 15 - The data subject's right of access

1. The data subject has the right to obtain from the controller confirmation as to whether or not personal data are being processed concerning him/her and, if so, to obtain access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data in question;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organisations;

d) where possible, the intended period of retention of personal data or, if this is not possible, the criteria used to determine that period;

e) the existence of the data subject's right to request from the controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to their processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the data are not collected from the data subject, all available information on their origin;

h) the existence of an automated decision-making process, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic used, as well as the importance of such processing for the data subject and the envisaged consequences thereof.

2. If personal data are transferred to a third country or international organisation, the data subject has the right to be informed of the existence of adequate safeguards within the meaning of Article 46 relating to the transfer.

3. The data controller provides a copy of the personal data being processed.

In case of further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, and unless otherwise specified by the data subject, the information shall be provided in a commonly used electronic format.

4. The right to obtain a copy referred to in paragraph 3 must not infringe the rights and freedoms of others.

Article 16 - Right of Rectification

The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him/her without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, also by providing a supplementary declaration.

Article 17 - Right to erasure ('right to be forgotten')

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him/her without undue delay, and the controller shall be obliged to erase the personal data without undue delay if one of the following grounds applies

a) personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9, paragraph 2(a) and if there is no other legal basis for the processing;

c) the data subject objects to the processing pursuant to Article 21(1) and there is no overriding legitimate reason to proceed with the processing, or objects to the processing pursuant to Article 21(2);

d) personal data have been unlawfully processed;

e) personal data must be deleted in order to comply with a legal obligation under Union or Member State law to which the data controller is subject;

f) personal data were collected in connection with the provision of information society services as referred to in Article 8(1).

2. Where the controller has made personal data public and is obliged, pursuant to paragraph 1, to erase them, the controller shall, taking into account the available technology and the costs of implementation, take reasonable steps, including technical measures, to inform the controllers

who are processing personal data of the data subject's request to delete any link, copy or reproduction of his or her personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that the processing is necessary:

a) for the exercise of the right to freedom of expression and information;

b) for compliance with a legal obligation to which the processing is subject under Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i), and of Article 9(3);

d) for archiving purposes in the public interest or for scientific or historical research or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously jeopardise the attainment of the objectives of such processing; or

e) for the establishment, exercise or defence of legal claims.