Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA OF USERS WHO VISIT THE DUPARCSUITES WEBSITE PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679

With this Privacy Policy, MONTEGLIO S.p.A. wishes to inform visitors to the website "www.duparcsuites.com" (hereinafter the "Website") of the policies adopted regarding the protection of personal data, and to underline its commitment and attention with regard to protecting the privacy of Website users. The Website may be browsed freely and requires no registration. This policy applies only to the Website, to the exclusion of any other websites accessed via external links. Monteglio cannot be held responsible for the personal data provided by users to external subjects or to any websites linked to this Website.

Pursuant to and for the purposes of Regulation (EU) 2016/679, Monteglio S.p.A. hereby provides the following information.

1. Data Controller

The Data Controller is MONTEGLIO S.p.A., with registered offices in Corso Massimo d’Azeglio 21 (Turin), Italy, VAT No. 05699940010, Ph. +39.011.012.00.00 – info@duparcsuites.com (hereinafter "Monteglio").

2. Categories of personal data processed

Monteglio collects and processes the following data of users who access and visit the Website:

2.1 Connection and browsing data

During normal operations, the computer systems and software procedures used to operate this Website acquire some personal data, the transmission of which is an inherent feature of Internet communication protocols. This information is not collected in order to be associated with identified data subjects, but, by its very nature, could be processed and matched with data held by third parties, thus leading to the identification of users. Data connected with accessing and browsing the Website (such as the URI-Uniform Resource Identifier addresses of requested resources, the time of request, the method used to submit the request to the server, the returned file size, the numerical code indicating the status of the response from the server (successful, error, etc.), and other parameters regarding the users' operating system and computer environment) are collected for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check its correct operation, and are deleted immediately after processing.

2.2 Personal data conferred directly by you

• Personal details, contact details and other personal data conferred by you when filling in the forms on our Website (for example, to book a stay, to register for our newsletter, to contact us through the contact form): please read the policies that Monteglio publishes at the bottom of its forms and that contain more detailed information about the processing of personal data carried in that specific context;
• Any contact with Monteglio through Customer Service or through the optional and spontaneous sending of emails or traditional messages to the addresses specified on the Website entails the subsequent acquisition of the email or traditional address of the sender or of his or her telephone number, in order to respond to requests, as well as of any other personal data included in the related communications;

3. Processing purposes

Personal data is collected and processed for the purposes and according to the conditions of lawfulness (the so-called legal bases) specified below:

a) to allow you to browse our Website and use the services offered therein

• To provide you with assistance, whenever requested, by means of our Customer Service and to respond to your requests by email, telephone or WhatsApp Business;
• To manage your contractual relationship with regard to the services requested, to execute pre-contractual measures (such as, for example, requests for information or quotes), to acquire and confirm your booking of accommodation and ancillary services, and to provide the services requested. Legal basis for processing: execution of pre-contractual or contractual services requested. For more information on the use of your personal data for this purpose, please read our specific Privacy Policy [https://www.duparcsuites.com/en/privacy-policy] relating to the booking of accommodation and ancillary services;

b) for administrative purposes, for the fulfilment of legal (accounting, tax) obligations, and for pursuing the demands of the judicial authorities. Legal basis for processing: compliance with legal obligations;

c) marketing and quality surveys

• With your specific consent, to email regular newsletters. Legal basis for processing: consent of the data subject;
• To send customers marketing communications for the direct sale of services identical or similar to those already purchased (soft-spam). Legal basis for processing: legitimate interest of the Data Controller;
• To send customers questionnaires to be filled out in relation to the stay and the services used. Legal basis for processing: consent of the data subject;

d) in the event of receiving spontaneous Curriculum Vitaes at the addresses specified on the Website, exclusively for recruitment purposes. Legal basis for processing: execution of pre-contractual measures adopted at the request of the data subject for recruitment purposes;

e) protection of rights and compliance with the conditions of use of the Website.
To ascertain responsibility in case of hypothetical computer crimes against the Website and to protect our rights in court. Legal basis for processing: the need to pursue our legitimate interests (protection of our rights in court);

f) to provide you with assistance, whenever requested, and to respond to your requests by phone, email, through the "Contacts" form on the Website or WhatsApp Business channel. Legal basis for processing: the execution of a contract and of pre-contractual measures (art. 6.1b of the GDPR) at your request.

4. Optional/mandatory conferral of personal data
Conferral of data as per point 2.1 is not mandatory; however browsing the Website involves the automatic acquisition of same.

Conferral of data as per point 3 a), marked with an asterisk in the aforementioned forms, is mandatory for the purposes of providing the services requested. Failure to provide such data or disclosing data that is either incomplete or untrue will make it impossible to execute the services requested. Conferral of personal data for purposes other than those indicated above is optional; however, any refusal to confer same will result in the impossibility, whether full or partial, to pursue the aforementioned purposes.

Conferral of data as per point 3 b) is mandatory for the purposes of the law, and therefore any refusal to confer data in order to comply with the obligations specified therein will result in the impossibility of executing the services requested.

Conferral of data as per point 3 c) is not mandatory; however the refusal to confer data for such purposes and any objection to same will result in our being unable to keep you up-to-date on our offers, promotions and events or to send you questionnaires on the quality of the services rendered.

Conferral of data as per points 3 d) and 3 f) is not mandatory and takes place on your own initiative. Failure to provide data for the purposes of point 3 f) will result in our being unable to satisfy your requests.

Finally, you can object to conferring data for the purposes of point 3 e), except in the event of the Data Controller demonstrating a legitimate interest that overrides your fundamental rights and freedoms (article 6.1 (f) of the GDPR).

5. Processing methods and data retention period

Data may be processed both electronically and in paper form. Monteglio guarantees the lawful and fair processing of the personal data conferred through the Website, in full compliance with current legislation, as well as the utmost confidentiality of the data provided.

With regard to the transferral of data, Monteglio will store your personal data on servers located mainly within the European Economic Area, for the time strictly required to achieve the purposes indicated above, in compliance with data retention obligations for statutory and fiscal purposes and the limits established by law. However, the Data Controller also reserves the right to make use of services located in non-EU countries (e.g. Website hosting, social plugins such as Facebook, Instagram, TripAdvisor, google+), in which case the service providers are selected among those who provide adequate guarantees pursuant to articles 45 et seq. of the GDPR. With specific reference to the USA, the transferral of data is authorised based on specific decisions of the European Union and of the Italian Data Protection Authority, in particular Decision 1250/2016 (Privacy Shield). Except as stated above, the user data collected will be processed and stored for the terms set forth in specific privacy policies.

6. Data recipients

Users’ personal data may be accessed, within our organisation, by internal and external personnel requiring access by virtue of their duties in relation to the processing purposes specified in this document. We make sure that these people meet all the necessary security and confidentiality requirements.

The Data Controller also shares personal data with the following external subjects/categories of subjects:

• TRAVELCLICK Inc., Via Augusta 117, 0806 Barcelona (Spain), to process personal data provided by customers for the purpose of making bookings via the Website through management of the booking engine. More precisely, upon making a booking via the Website, the user will be connected to the booking search engine managed by Travelclick - https://reservations.travelclick.com./ - which ensures encrypted and protected login.
• Marketing companies, to manage the forwarding of email communications, with which we have signed an agreement in compliance with applicable legislations and with Article 28 of the GDPR.
• Other external service providers to which Monteglio may turn for professional, technical and organisational services in order to manage the Website and related activities, such as ensuring the Website’s maintenance, updating and security.
• Companies entrusted with assessing the quality of stays.

For a list of Data Protection Officers, please contact the Data Controller using the contact details provided above. The Data Protection Officers are suitably bound by contract to implement adequate security measures in order to protect the security and confidentiality of personal data.

Finally, whenever strictly necessary for the fulfilment of the aforementioned purposes, your personal data may also be communicated to independent third-party data controllers, such as the competent Authorities, and used by the police and by the judicial authorities to ascertain liability in the event of hypothetical computer crimes against the Website.

7. Data retention period

Data connected with accessing and browsing the Website and other parameters relating to the user’s operating system and computer environment are deleted immediately after the browser is closed. For the retention period of cookies, please refer to the specific policy on the Website.

Data processed in order to fulfil our contractual obligation with you may be stored for the entire duration of the contract and for the following 10 years starting from the end of the fiscal year following the one in question, in order to deal with any tax assessment and/or dispute that may arise. In the event of having to defend ourselves or take legal action or even make claims against you or third parties as part of a dispute, we may keep the personal data that we consider to be reasonably necessary for such purposes, for the period of time in which such a claim can be pursued.

For more information on data retention, please see the privacy policies present in the specific areas of the Website that offer the possibility of registering for certain services.

8. Rights of data subjects

In accordance with current legislation (articles 15 to 22 of the Regulation), users, in their capacity as data subjects, have the right to obtain access to data concerning them (art.15), the right to its rectification or integration (art. 16), the right to its cancellation (the so-called “right to be forgotten”, art.17), the right to restriction of processing (art.18), the right to data portability (art.20), the right to object to the processing of data for particular reasons (art. 21) and the right not to be subject to a decision based solely on automated processing (art.22). Moreover, users are also reminded that they have the right, pursuant to art. 77 of the Regulation, to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it). To exercise these rights, please email privacy@duparcsuites.com, or use the other contact details provided in the "Contact & Location" section of the Website. Data subjects also have the right to revoke, at any time, in full or in part, any consent given for marketing activities such as the sending of promotional and advertising material. In this case, users shall no longer receive any type of communication, by any method, whether electronically or in paper form. If they so wish, users may revoke their consent solely with regard to the sending of email communications, and continue to receive commercial communications exclusively by post or telephone, where contemplated.

9. Review clause

Monteglio reserves the right to review this Privacy Policy at any time. The most recent version of the Privacy Policy is always available on the Website. The full text of Regulation (EU) 2016/679 is available for consultation on the website of the Italian Data Protection Authority www.garanteprivacy.it.

This policy is updated as at 12.02.2021

INFORMATION TO DATA SUBJECTS ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679

Dear Client, pursuant to the applicable legislation on the protection of personal data (Regulation (EU) No. 2016/679 and Italian Legislative Decree 196/2003, as amended and supplemented), we wish to inform you that your personal data will be processed by .Monteglio S.p.A., with registered offices in Corso Massimo d'Azeglio 21, (Turin), Italy, VAT No. 05699940010, Data Controller and owner of the Hotel “DUPARC Contemporary Suites”. Pursuant to art. 13 of Regulation (EU) 2016/679, Monteglio S.p.A. hereby provides you with the following information on the processing of personal data.

PROCESSING PURPOSES, LEGAL BASES FOR PROCESSING AND PERSONAL DATA RETENTION PERIOD

Your personal data will be processed for the following purposes and in accordance with the following legal bases and data retention periods:

1. To process and confirm - also on behalf of minors for whom you have parental responsibility - bookings for accommodation and ancillary services, and to provide the services requested. Since processing is required in order to define the contractual agreement and for its subsequent implementation, the legal basis for processing in this case is the fulfilment of a contract to which the data subject is a party and the execution of pre-contractual measures adopted at the request of same (art.6, paragraph 1 b) of the GDPR). Your consent, therefore, is not required, except in the case of your conferring special categories of personal data required for the booking/to make use of the services. In the event of refusing to confer your personal data, we will be unable to confirm the booking or to provide you with the services requested.

Processing will cease upon your departure, but some personal data may or will have to continue to be processed, for the purposes and in line with the procedures specified below.

2. To offer you services aimed at increasing customer satisfaction, carried out at your request, and concerning your particular needs and/or preferences (or those of your family and children). For this purpose, you may decide to confer “special categories of personal data” within the meaning of art. 9 of the GDPR, in order to indicate a particular need with regard to the accommodation or ancillary services requested (e.g. information concerning your health, such as allergies, diseases, food intolerances, or other medical conditions). Such categories of data may only be processed by the Data Controller with your explicit, unequivocal and free consent, expressed in writing at the bottom of this Privacy Policy, and will only be stored for the time strictly required to perform the services requested, unless you consent to our storing them for longer.

3. To fulfil the obligations laid down by the “Consolidated Public Safety Act” (article 109 of Italian Royal Decree no. 773 of 18.6.1931) which, for reasons of public safety, requires us to give the Police the personal details of clients who stay with us in accordance with the rules laid down by the Ministry of the Interior (Decree of 7 January 2013). The legal basis for processing in this case is the fulfilment of legal obligations (art.6 paragraph 1 c) of the GDPR). Conferral of data is mandatory and does not require your consent. Failure to provide data will result in our being unable to host you in our facility. We will not retain the data acquired for this purpose, unless you consent to its storage as provided for in point 5.

4. To fulfil existing administrative, accounting and tax obligations. The legal basis for processing in this case is the fulfilment of legal obligations (art.6 paragraph 1 c) of the GDPR), and processing does not require your prior consent. Data is processed internally, by us and by our Data Processors, and is only communicated externally in compliance with legal obligations. In the event of refusing to confer the personal data required to fulfil said obligations, we will be unable to provide you with the services requested. The data acquired for these purposes will be stored for the period of time prescribed by the respective standards (10 years from the date of last entry, except in the event or disputes or tax assessments, in which case the data will be stored until completion of the proceedings/disputes).

5. To speed up registration procedures in the event of subsequent stays at our facility. The legal basis for processing your data is your explicit, unambiguous and free consent (article 6, paragraph 1 a) of the GDPR), which may be revoked at any time. Your data will be used when you are once more our guest, for the purposes referred to above, and will be store for no more than two years from your last stay.

6. For the direct sale of services, provided by the Data Controller, identical or similar to those already purchased by you. The legal basis for processing in this case is our overriding legitimate interest (art.6 paragraph 1 f) of the GDPR). You can object to such processing any time, either immediately at the time of booking or subsequently, by clicking on the specific link that you will find at the bottom of the emails received (opt-out). For this purpose, your data will be stored until you object (opt-out), at which time it will instantly be erased.

7. To send you our newsletter containing updates on rates, on the events we organise, and on deals relating to our hotel services. The legal basis for processing your data is your explicit, unambiguous and free consent (article 6, paragraph 1 a) of the GDPR), which may be revoked at any time. Upon acquiring your consent, your data will be kept for at most 2 years and will not be communicated to third parties.

8. To protect people, property and company assets through a video surveillance system in certain areas of the facility, easily identifiable by the presence of special signs. Processing in this case does not require your consent, as the legal basis is our legitimate interest (art. 6, paragraph 1 f) of the GDPR) to protect people and assets from possible aggression, theft, robbery, damage and vandalism and for the purposes of fire prevention and safety in the workplace. Recorded images are deleted after 24 hours, except during holidays or other periods when the facility is closed, and in any case at most after one week. Recorded images are not disclosed to third parties, except when requested to help in the investigations of the judicial authorities or the judicial police.

9. To send questionnaires on the quality of the services rendered. The legal basis for processing your data in this case is your explicit, unambiguous and free consent (article 6, paragraph 1 a) of the GDPR), which may be revoked at any time. The personal data supplied for this purpose will be kept for up to two years and then erased or made anonymous.

CATEGORIES OF DATA RECIPIENTS

Your personal data may be shared, for the purposes specified above, with:

• Persons authorised by the Data Controller to process personal data in order to fulfil activities closely related to the provision of the accommodation and ancillary services booked by you, who duly comply with legal confidentiality obligations and who process personal data within their sphere of competence and in accordance with the instructions provided by the Data Controller;
• Companies providing assistance and maintenance for the ERP systems used by the Data Controller to manage hotel bookings and for accounting purposes;
• Companies providing the ancillary services (spa, food & beverage) included in the client’s booking;
• Companies entrusted with managing and processing data for marketing purposes on behalf of the Data Controller;
• Credit institutions and payments companies to manage payment services;
• Other parties carrying out activities on behalf of the Data Controller, such as: persons, companies or professional firms providing technical assistance and consultancy services to the Data Controller with regard to legal, accounting, tax and insurance matters;
• IT companies entrusted by the Data Controller with managing the maintenance, assistance, safety and technological upgrading of its IT and electronic systems and of the website www.duparcsuites.com;
• Companies, associations and professionals providing any ancillary services requested by the client;
• Public administrations, supervisory authorities and judicial authorities, in order to fulfil the obligations of laws, rules and relevant national or EU regulations or to defend the Data Controller in court.

The complete list of fully independent data controllers and Data Protection Officers, who operate on the instructions of the Data Controller, is constantly updated and can be obtained easily and free of charge from the Data Controller.

PROCESSING METHODS AND DATA TRANSFER

Your personal data may be processed either manually (in paper form) or electronically (in automated form) in a manner closely correlated to the purposes set out below and applying appropriate security measures such as to ensure compliance with the principles of lawfulness, fairness, transparency, storage limitation, data minimisation, accuracy, integrity and confidentiality, in accordance with the GDPR and applicable national regulations.

Monteglio stores personal data on servers located mainly within the European Economic Area, for the time strictly required to achieve the purposes indicated above, in compliance with data retention obligations for statutory and fiscal purposes and the limits established by law. However, the Data Controller also reserves the right to make use of services located in non-EU countries (e.g. the Travelclick online booking engine), in which case the service providers are selected among those who provide adequate guarantees pursuant to articles 45 et seq. of the GDPR. With specific reference to the USA, the transferral of data is authorised based on specific decisions of the European Union and of the Italian Data Protection Authority, in particular Decision 1250/2016 (Privacy Shield).

RIGHTS OF DATA SUBJECTS

Monteglio S.p.A. also wishes to inform you that, pursuant to the EU Regulation, data subjects have certain rights, such as:

Right of access. Data subjects may ask to obtain confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, to obtain access to their personal data and to information such as the processing purpose, the categories of data processed, and the existence of other exercisable rights as specified below. Data subjects may also ask to obtain a copy of their data.

Right to rectification. Data subjects have the right to obtain the rectification of inaccurate personal data concerning them and/or to have incomplete personal data completed.

Right to erasure. Data subjects have the right to obtain the erasure of personal data concerning them, without undue delay, if (i) the personal data is no longer necessary in relation to the purposes for which it was collected, (ii) the data subjects withdraw consent on which the processing is based (unless there are other legal grounds for the processing), (iii) the data subjects object to the processing (as indicated below) and there are no overriding legitimate grounds for the processing, or the data subjects object to the processing for marketing purposes, (iv) the personal data has been unlawfully processed, (v) the personal data has to be erased for compliance with a legal obligation.
This right does not apply if the data processing is necessary, inter alia:
-    for compliance with a legal obligation;
-    for the establishment, exercise or defence of legal claims.

Right to restriction of processing. Data subjects have the right to obtain from the controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subjects, for a period enabling the Data Controller (the Company) to verify the accuracy of the personal data;
- The processing is unlawful and the data subjects oppose the erasure of the personal data and request the restriction of their use instead;
- The personal data is required by the data subjects for the establishment, exercise or defence of legal claims;
-The data subjects have objected to processing, as indicated below, pending the verification whether the legitimate grounds of the Data Controller override those of the data subjects.

Right to data portability. Data subjects have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format and have the right to transmit said data to another data controller when the processing is based on consent or on a contract, and when the processing is carried out by automated means. Moreover, data subjects have the right to have their personal data transmitted directly from one controller to another, where technically feasible. This shall be without prejudice to the right to the erasure of data, as indicated above.

Right to object. Data subjects have the right to object, at any time, to the processing of personal data concerning them based on a legitimate interest of the Data Controller, unless the latter demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subjects or that the processing is necessary for the establishment, exercise or defence of legal claims.
Moreover, where processing is based on the data subjects’ explicit consent, the latter have the right to revoke their consent.

For further information, and to enforce your rights under the EU Regulation, please contact the Data Controller: Monteglio S.p.A. Corso Massimo d’Azeglio 21, (Turin), Italy, VAT No. 05699940010, email privacy@duparcsuites.com

Pursuant to art. 77 of the GDPR, data subjects also have the right to lodge a complaint with the competent supervisory authority (the Italian Data Protection Authority, http://www.garanteprivacy.it), whenever they consider that the processing of personal data relating to them infringes the applicable legislation.

The Data Controller reserves the right to amend this policy from time to time.

This policy is updated as at 25.10.2019

INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF SENDING NEWSLETTERS
pursuant to article 13 of Regulation (EU) 2016/679

1.PRIVACY POLICY
This Privacy Policy is distributed in compliance with art. 13 of Regulation 2016/679 (GDPR), and relates to the processing of your personal data for the purpose of sending the newsletters of MONTEGLIO S.p.A., in accordance with the procedures detailed below.

2. DATA CONTROLLER
The Data Controller is MONTEGLIO S.p.A., with registered offices in Corso Massimo d’Azeglio 21 (Turin), Italy, VAT No. 05699940010, email: privacy@duparcsuites.com (hereinafter also the "Data Controller").

3. DATA COLLECTED
Once a newsletter has been sent, the platform used makes it possible to detect when the message is opened and the clicks made within the newsletter itself, together with details of the IP and of the browser/device used.

 4. PROCESSING PURPOSES
The Data Controller will use your personal data exclusively for the purpose of sending you the Newsletter containing updates on rates, on the events we organise, and on deals relating to our accommodation and to the ancillary services offered both by us and by third parties within our facility.

5. PROCESSING METHODS
Your personal data will be processed in accordance with the principles of fairness, lawfulness and transparency, through the use of instruments and procedures guaranteeing the utmost security and confidentiality, and with the help of digital, IT and electronic tools. Specific security measures are observed in order to prevent the loss of data, its illicit or improper use, and any unauthorised access. We will not use your personal data for purposes other than those described in this policy, unless we have informed you beforehand and, if necessary, only after obtaining your consent.

6. LEGAL BASIS FOR PROCESSING AND CONSEQUENCES OF FAILING TO CONFER DATA
The legal basis for processing your data is your explicit, unambiguous and free consent (article 6, paragraph 1 a) of the GDPR), which may be revoked at any time. Conferring data for the purpose of sending our newsletter is optional, however the refusal to do so will result in our not being about to send you our newsletter and therefore keep you up-to-date on our rates and on any deals relating to our accommodation, our hotel services and the events organised by the Data Controller.

 7. UNSUBSCRIBING TO OUR NEWSLETTER
You can unsubscribe to the newsletter service at any time by clicking on the specific link that you will find at the bottom of the emails received (so-called “opt-out”) or by emailing your request to privacy@duparcsuites.com .

 Unsubscribing does not affect:
• the lawfulness of data processing performed before the revocation;
• further processing of the same data based on other legal bases.

8. DATA RECIPIENTS
The parties to whom your personal data may be disclosed, within the limits strictly required to fulfil the aforementioned purposes, are parties specifically authorised to process personal data by Monteglio S.p.A.

The Data Controller avails of external parties and/or companies to perform certain duties connected with managing the newsletter service and the website, and these therefore need to receive the relevant data.

These external parties and/or companies, in particular, are:
• Site hosting companies (in the event of sending CVs through the website);
• Advertising companies;
• Companies entrusted with the technological maintenance of the website.

For a complete list of Data Protection Officers, please email privacy@duparcsuites.com.

9. DATA TRANSFER
In the event of personal data being transferred outside the European Union, for technical and operational purposes and to ensure high levels of service continuity, the Data Controller ensures that the transfer is based on the Commission's decision on adequacy, so at to ensure that the level of protection of natural persons guaranteed by current legislation, and in particular by Regulation (EU) 2016/679, is not affected.

10. DATA RETENTION PERIOD
Upon acquiring your consent, your data will be kept until you unsubscribe (following the procedure described in paragraph 7). In any case, we will re-obtain consent every two years when there has been no interaction with the user (e.g. emails/communications).

11. RIGHTS OF THE DATA SUBJECT
Pursuant to the articles 15-22 of Regulation (EU) 2016/679 you, as a data subject, have the following rights:

• Right of access: pursuant to art. 15, data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, to obtain a copy thereof. Moreover, they have the right to obtain access to their personal data and to information such as the processing purpose, the categories of recipients, the data retention period and any exercisable rights.
• Right to rectification: pursuant to art. 16, data subjects have the right to obtain the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.
• Right to erasure: data subjects have the right to obtain the erasure of personal data concerning them, without undue delay, where one of the grounds provided for by art. 17 applies.
• Right to restriction of processing: data subjects have the right to obtain from the controller restriction of processing where one of the cases provided for by article 18 of Regulation 2016/679 applies.
• Right to data portability: data subjects have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format and have the right to transmit said data to another data controller without hindrance, in accordance with the provisions of art. 20 of Regulation 2016/679;
• Right to object: data subjects have the right to object to the processing of personal data concerning them as provided for by art. 21 of Regulation 2016/679.
• Right to lodge a complaint: data subjects also have the right to lodge a complaint with the competent supervisory authority, in this case the Italian Data Protection Authority. Requests to exercise the rights referred to in the previous points must be addressed in writing to the Data Controller.
The Data Controller will respond promptly to any requests to exercise the rights of data subjects, within the time limits established by current legislation.
For more information or clarifications, please write to the Data Controller using the contact details specified above.

12. UPDATES AND AMENDMENTS
The Data Controller reserves the right to amend, supplement or update this Policy on a regular basis, in line with the applicable legislation or the provisions adopted by the Italian Data Protection Authority. Such amendments or additions will be brought to the attention of the data subjects. We invite users to view the Privacy Policy regularly, in order to keep up-to-date with the latest version and decide whether or not to continue using the services offered.

This policy is updated as at 25.10.2019

FULL VIDEO-SURVEILLANCE PRIVACY POLICY
pursuant to art. 13 of Regulation (EU) 2016/679

Dear Visitor, In accordance with the provisions of the Italian Data Protection Authority and of current legislation on the processing of personal data, please note that the Hotels “DUPARC Contemporary Suites”, situated in Corso Massimo d’Azeglio 21, and “Belfiore Appartamenti”, situated in Via Belfiore 53, both in the city of Turin (Italy), have adopted an image-recording video surveillance system to protect corporate assets and personal safety. In accordance with Regulation (EU) 2016/679 (hereinafter the “EU Regulation), such processing of data is based on the principles of minimisation, purpose limitation, fairness, lawfulness and transparency, as well as on protecting your privacy and rights. Pursuant to art. 13 of the EU Regulation, therefore, we hereby provide you with the following information on the processing of personal data.

DATA CONTROLLER
With reference to the images processed as above, please note that the Data Controller is the company Monteglio S.p.a. with registered offices in Corso Massimo d'Azeglio 21, (Turin), Italy, VAT No. 05699940010.

PROCESSING PURPOSES
The company has installed a video surveillance system on its premises for the purpose of protecting its corporate assets. Recordings are made in compliance with current personal data protection rules and in particular with the EU Regulation, the video surveillance measures issued by the Italian Data Protection Authority, and the Workers’ Statute (Italian Law 300/1970). This system has been authorised by the Labour Inspectorate with Authorisations no. ITL_TO/0029004/dg and ITL_TO/0029005/dg dated 31 May 2019, available on request. The legal basis for processing is the legitimate interest of the Data Controller to protect the company’s assets (Art. 6(f) of the GDPR).

PROCESSING METHODS
The processing shall be conducted in compliance with the methods and data requirements laid down by art. 5 of the EU Regulation as well as with the provisions of the applicable measures issued by the Italian Data Protection Authority, and shall include all the operations or sets of operations required for the processing in question, including communication to the subjects referred to below (see “Communicating Data”). Processing shall occur through the use of an Interlogix DVR 15HD video recorder, and shall be managed by purposely authorised staff. The areas covered by the video cameras are: the entry gate and external perimeter areas, stairways and garages. The company has put in place special security procedures for accessing areas subject to video surveillance. Said areas are indicated by signs informing visitors of the presence of a video surveillance system. These signs are positioned in such a way as to inform visitors before being recorded and allow anyone not wishing to be recorded to act accordingly.

STORING IMAGES
Images are stored for 24 hours after being recorded, except during holiday periods and when the company is closed or when requested to help in the investigations of the judicial authorities.

COMMUNICATING DATA
The personal data relating to the processing in question, for the purposes indicated above, may be communicated to companies or professionals entrusted by the Data Controller to ensure the maintenance and security of the video surveillance system or to the judicial authorities and/or the law enforcement agencies when requested for the prevention/investigation of criminal offences. In such cases, access to images will be strictly limited to the execution of the task entrusted by us to the subjects specified above. In particular, the images may come to the attention of authorised parties operating under the direct authority of the Data Controller or Data Protection Officers in accordance with the instructions imparted. Moreover, the images may occasionally come to the attention of external companies and undertakings entrusted with the maintenance and repair of video equipment and cameras.

MANDATORY/OPTIONAL NATURE OF THE CONFERMENT OF DATA AND CONSEQUENCES OF FAILING TO CONFER SAME
The recording of images is not mandatory, however it is necessary for the purposes of security and to protect the company’s assets. Consequently, should you object to the recording, you will not be guaranteed entry to the Hotel.

RIGHTS OF DATA SUBJECTS
Monteglio S.p.A. also wishes to inform you that, pursuant to the EU Regulation, data subjects have certain rights, such as:

Right of access. Data subjects may ask to obtain confirmation as to whether or not images concerning them are being processed, and, where that is the case, to obtain access to such data and to information such as the processing purpose, the categories of data processed, and the existence of other exercisable rights as specified below.

Right to rectification. Data subjects have the right, where possible, to obtain the rectification of inaccurate personal data concerning them and/or to have incomplete personal data completed.

Right to erasure. Data subjects have the right to obtain the erasure of images concerning them, without undue delay, if (i) the images are no longer necessary in relation to the purposes for which they were collected, (ii) the data subjects object to the processing (as indicated below) and there are no overriding legitimate grounds for the processing, (iv) the images have been unlawfully processed, (v) the images have to be erased for compliance with a legal obligation.
This right does not apply if the processing is necessary, inter alia:
- for compliance with a legal obligation;
- for the establishment, exercise or defence of legal claims.

Right to restriction of processing. Data subjects have the right to obtain from the controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subjects, for a period enabling the Data Controller (the Company) to verify the accuracy of the personal data;
- The processing is unlawful and the data subjects oppose the erasure of the personal data and request the restriction of its use instead;
- The personal data is required by the data subjects for the establishment, exercise or defence of legal claims;
-The data subjects have objected to processing, as indicated below, pending verification whether the legitimate grounds of the Data Controller override those of the data subjects.

Right to object. Data subjects have the right to object, at any time, to the processing, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subjects or that the processing is necessary for the establishment, exercise or defence of legal claims.
For further information, and to enforce your rights under the EU Regulation and applicable Italian legislation, please contact the Data Controller either by email at privacy@duparcsuites.com or by writing to us at the address specified above.
Pursuant to art. 77 of the GDPR, data subjects also have the right to lodge a complaint with the competent supervisory authority (the Italian Data Protection Authority, http://www.garanteprivacy.it), whenever they consider that the processing of personal data relating to them infringes the applicable legislation.

Turin, 31 May 2019