Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA OF USERS WHO VISIT THE DUPARCSUITES WEBSITE PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679

With this Privacy Policy, MONTEGLIO S.p.A. wishes to inform visitors to the website "www.duparcsuites.com" (hereinafter the "Website") of the policies adopted regarding the protection of personal data, and to underline its commitment and attention with regard to protecting the privacy of Website users. The Website may be browsed freely and requires no registration. This policy applies only to the Website, to the exclusion of any other websites accessed via external links. Monteglio cannot be held responsible for the personal data provided by users to external subjects or to any websites linked to this Website.

Pursuant to and for the purposes of Regulation (EU) 2016/679, Monteglio S.p.A. hereby provides the following information.

1. Data Controller

The Data Controller is MONTEGLIO S.p.A., with registered offices in Corso Massimo d’Azeglio 21 (Turin), Italy, VAT No. 05699940010, Ph. +39.011.012.00.00 – info@duparcsuites.com (hereinafter "Monteglio").

2. Categories of personal data processed

Monteglio collects and processes the following data of users who access and visit the Website:

2.1 Connection and browsing data

During normal operations, the computer systems and software procedures used to operate this Website acquire some personal data, the transmission of which is an inherent feature of Internet communication protocols. This information is not collected in order to be associated with identified data subjects, but, by its very nature, could be processed and matched with data held by third parties, thus leading to the identification of users. Data connected with accessing and browsing the Website (such as the URI-Uniform Resource Identifier addresses of requested resources, the time of request, the method used to submit the request to the server, the returned file size, the numerical code indicating the status of the response from the server (successful, error, etc.), and other parameters regarding the users' operating system and computer environment) are collected for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check its correct operation, and are deleted immediately after processing.

2.2 Personal data conferred directly by you

• Personal details, contact details and other personal data conferred by you when filling in the forms on our Website (for example, to book a stay, to register for our newsletter, to contact us through the contact form): please read the policies that Monteglio publishes at the bottom of its forms and that contain more detailed information about the processing of personal data carried in that specific context;
• Any contact with Monteglio through Customer Service or through the optional and spontaneous sending of emails or traditional messages to the addresses specified on the Website entails the subsequent acquisition of the email or traditional address of the sender or of his or her telephone number, in order to respond to requests, as well as of any other personal data included in the related communications;

3. Processing purposes

Personal data is collected and processed for the purposes and according to the conditions of lawfulness (the so-called legal bases) specified below:

a) to allow you to browse our Website and use the services offered therein

• To provide you with assistance, whenever requested, by means of our Customer Service and to respond to your requests by email, telephone or WhatsApp Business;
• To manage your contractual relationship with regard to the services requested, to execute pre-contractual measures (such as, for example, requests for information or quotes), to acquire and confirm your booking of accommodation and ancillary services, and to provide the services requested. Legal basis for processing: execution of pre-contractual or contractual services requested. For more information on the use of your personal data for this purpose, please read our specific Privacy Policy [https://www.duparcsuites.com/en/privacy-policy] relating to the booking of accommodation and ancillary services;

b) for administrative purposes, for the fulfilment of legal (accounting, tax) obligations, and for pursuing the demands of the judicial authorities. Legal basis for processing: compliance with legal obligations;

c) marketing

• With your specific consent, to email regular newsletters. Legal basis for processing: consent of the data subject;
• To send customers marketing communications for the direct sale of services identical or similar to those already purchased (soft-spam). Legal basis for processing: legitimate interest of the Data Controller.

d) protection of rights and compliance with the conditions of use of the Website.
To ascertain responsibility in case of hypothetical computer crimes against the Website and to protect our rights in court. Legal basis for processing: the need to pursue our legitimate interests (protection of our rights in court);

e) to provide you with assistance, whenever requested, and to respond to your requests by phone, email, through the "Contacts" form on the Website or WhatsApp Business channel. Legal basis for processing: the execution of a contract and of pre-contractual measures (art. 6.1b of the GDPR) at your request.

4. Optional/mandatory conferral of personal data

Conferral of data as per point 2.1 is not mandatory; however browsing the Website involves the automatic acquisition of same.

Conferral of data as per point 3 a), marked with an asterisk in the aforementioned forms, is mandatory for the purposes of providing the services requested. Failure to provide such data or disclosing data that is either incomplete or untrue will make it impossible to execute the services requested. Conferral of personal data for purposes other than those indicated above is optional; however, any refusal to confer same will result in the impossibility, whether full or partial, to pursue the aforementioned purposes.

Conferral of data as per point 3 b) is mandatory for the purposes of the law, and therefore any refusal to confer data in order to comply with the obligations specified therein will result in the impossibility of executing the services requested.

Conferral of data as per point 3 c) is not mandatory; however the refusal to confer data for such purposes and any objection to same will result in our being unable to keep you up-to-date on our offers, promotions and events or to send you questionnaires on the quality of the services rendered.

Conferral of data as per points 3 e) is not mandatory and takes place on your own initiative. Failure to provide data for the purposes of point 3 e) will result in our being unable to satisfy your requests.

Finally, you can object to conferring data for the purposes of point 3 d), except in the event of the Data Controller demonstrating a legitimate interest that overrides your fundamental rights and freedoms (article 6.1 (e) of the GDPR).

5. Data processing methods

Data may be processed both electronically and in paper form. Monteglio guarantees the lawful and fair processing of the personal data conferred through the Website, in full compliance with current legislation, as well as the utmost confidentiality of the data provided.

With regard to the transferral of data, Monteglio will store your personal data on servers located mainly within the European Economic Area, for the time strictly required to achieve the purposes indicated above, in compliance with data retention obligations for statutory and fiscal purposes and the limits established by law. However, the Data Controller also reserves the right to make use of services located in non-EU countries (e.g. Website hosting, social plugins such as Facebook, Instagram, TripAdvisor, google+), in which case the service providers are selected among those who provide adequate guarantees pursuant to articles 45 et seq. of the GDPR.

6. Data recipients

Users’ personal data may be accessed, within our organisation, by internal and external personnel requiring access by virtue of their duties in relation to the processing purposes specified in this document. We make sure that these people meet all the necessary security and confidentiality requirements.

The Data Controller also shares personal data with the following external subjects/categories of subjects:

• TRAVELCLICK Inc., Via Augusta 117, 0806 Barcelona (Spain), to process personal data provided by customers for:
  • the purpose of making bookings via the Website through management of the booking engine. More precisely, upon making a booking via the Website, the user will be connected to the booking search engine managed by Travelclick which ensures encrypted and protected login.
  • the provision of professional, technical and organizational services functional to the management of the Site and the activities carried out therein, such as those dealing with the maintenance, updating and security of the Site.
• Marketing companies, to manage the forwarding of email communications, with which we have signed an agreement in compliance with applicable legislations and with Article 28 of the GDPR.

Finally, whenever strictly necessary for the fulfilment of the aforementioned purposes, your personal data may also be communicated to independent third-party data controllers, such as the competent Authorities, and used by the police and by the judicial authorities to ascertain liability in the event of hypothetical computer crimes against the Website.

7. Data retention period

Data connected with accessing and browsing the Website and other parameters relating to the user’s operating system and computer environment are deleted immediately after the browser is closed. For the retention period of cookies, please refer to the specific policy on the Website.

Data processed in order to fulfil our contractual obligation with you may be stored for the entire duration of the contract and for the following 10 years starting from the end of the fiscal year following the one in question, in order to deal with any tax assessment and/or dispute that may arise. In the event of having to defend ourselves or take legal action or even make claims against you or third parties as part of a dispute, we may keep the personal data that we consider to be reasonably necessary for such purposes, for the period of time in which such a claim can be pursued.

For more information on data retention, please see the privacy policies present in the specific areas of the Website that offer the possibility of registering for certain services and in any case until the pursuit of the purposes stated above.

As regards the subscription to the newsletter, your data will be kept until you unsubscribe and in any case requesting your consent again every 4 years.

8. Rights of data subjects

In accordance with current legislation (articles 15 to 22 of the Regulation), users, in their capacity as data subjects, have the right to obtain access to data concerning them (art.15), the right to its rectification or integration (art. 16), the right to its cancellation (the so-called “right to be forgotten”, art.17), the right to restriction of processing (art.18), the right to data portability (art.20), the right to object to the processing of data for particular reasons (art. 21) and the right not to be subject to a decision based solely on automated processing (art.22). Moreover, users are also reminded that they have the right, pursuant to art. 77 of the Regulation, to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it). To exercise these rights, please email privacy@duparcsuites.com, or use the other contact details provided in the "Contact & Location" section of the Website. Data subjects also have the right to revoke, at any time, in full or in part, any consent given for marketing activities such as the sending of promotional and advertising material. In this case, users shall no longer receive any type of communication, by any method, whether electronically or in paper form. If they so wish, users may revoke their consent solely with regard to the sending of email communications, and continue to receive commercial communications exclusively by post or telephone, where contemplated.

9. Review clause

Monteglio reserves the right to review this Privacy Policy at any time. The most recent version of the Privacy Policy is always available on the Website. The full text of Regulation (EU) 2016/679 is available for consultation on the website of the Italian Data Protection Authority www.garanteprivacy.it.

This policy is updated as at 12.02.2021

PRIVACY NOTICE PURSUANT TO ARTICLE 13 OF EU REGULATION 2016/679

Dear Guest, 
Pursuant to the current legislation on the protection of personal data (EU Regulation No. 2016/679 and Legislative Decree 196/2003 and subsequent amendments), we wish to inform you that your personal data is processed by Monteglio S.p.A., with registered office in Corso Massimo d’Azeglio 21, (Torino), Italy, VAT number 05699940010, data controller and owner of the Hotel “DUPARC Contemporary Suites”. In relation to the aforementioned processing, and in compliance with Article 13 of EU Regulation 2016/679, we inform you of the following.

PURPOSES, LEGAL BASIS, AND DATA RETENTION PERIODS

Your personal data is processed for the following purposes, based on the following legal grounds, and is retained for the following periods:

1. To acquire and confirm, even with respect to minors for whom you exercise parental authority, the booking of accommodation services and ancillary services and to provide the requested services. Since this processing is necessary for the definition of the contractual agreement and its subsequent implementation, the legal basis for such processing is the performance of a contract to which the data subject is party and the implementation of pre-contractual measures taken at the data subject's request (Article 6(1)(b) GDPR). Your consent is therefore not required, except in the case where you provide special categories of data necessary for booking/using the services. In case of refusal to provide personal data, we will not be able to confirm the booking or provide you with the requested services. Processing will cease upon your departure, but some of your personal data may or must continue to be processed for the purposes and in the manner indicated in the following points.

2.  To provide you with services aimed at customer satisfaction, carried out at your request, concerning your needs and/or preferences (or those of your family members and minors). For this purpose, you may decide to provide the Data Controller with "special categories of data" pursuant to Article 9 of the GDPR in order to report a particular need of yours in terms of accommodation or the provision of ancillary services (e.g., information concerning your health, such as allergies, pathologies, and/or food intolerances or of other nature). Such categories of data may be processed by the Data Controller only upon your explicit, unequivocal and freely given consent, expressed in writing at the bottom of this information notice, and will be stored exclusively for the time strictly necessary to perform the requested service, unless you give us your consent to keep them for a longer period.

3. To comply with the obligation provided for by the "Consolidated Law on Public Security" (Article 109 R.D. 18.6.1931 n. 773) which requires us to communicate to the Prefecture, for public security purposes, the personal details of guests as established by the Ministry of the Interior (Decree of 7 January 2013). The legal basis for this processing is the compliance with legal obligations (Article 6(1)(c) GDPR). The provision of data is mandatory and does not require your consent, and in case of refusal to provide them we will not be able to accommodate you in our facility. The data acquired for this purpose are not retained by us, unless you give us your consent to retention as provided for in point 5.

4. To comply with current administrative, accounting and tax obligations. The legal basis for this processing is the compliance with legal obligations (Article 6(1)(c) GDPR) and the processing is carried out without the need to obtain your consent. The data is processed by us and by our appointees, and is communicated externally only in compliance with legal obligations. In case of refusal to provide the data necessary for the above-mentioned fulfilments, we will not be able to provide you with the requested services. The data acquired for these purposes is retained by us for the time provided for by the respective regulations (10 years from the last registration, except in the case of disputes or tax audits, for which the data will be retained until the outcome of the proceedings/disputes).

5. To speed up the registration process in the event of your subsequent stays at our facility. The legal basis for this processing is your explicit, unequivocal and freely given consent (Article 6(1)(a) GDPR), which can be revoked at any time. Your data will be used when you are our guest again for the purposes referred to in the preceding points and will be retained for no more than two years from your last stay.

6. For the purpose of sending questionnaires on the quality of the stays enjoyed by customers. The legal basis for this processing is your explicit, unequivocal and freely given consent (Article 6(1)(a) GDPR), which can be revoked at any time. Your personal data provided for this purpose will be retained for a maximum of two years; at the end of this period, the data will be deleted or made anonymous.

7. For the purpose of direct marketing of services provided by the data controller that are equal to or similar to those you have already purchased. The legal basis for this processing is our legitimate prevailing interest (Article 6(1)(f) GDPR). You may object to this processing at any time, immediately at the time of booking the services or even later by clicking on the appropriate link at the bottom of the emails received (opt-out). For this purpose, your data will be retained until your eventual opposition (exercise of the opt-out) which will result in the immediate cancellation of the same.

8. To send you our newsletter containing updates on rates, offers on our hotel services, and events organized by us. The legal basis for this processing is your explicit, unequivocal and freely given consent (Article 6(1)(a) GDPR), which can be revoked at any time. Upon obtaining your consent, your data will be retained for a maximum of 2 years and will not be communicated to third parties.

9. For the purpose of protecting people, property and company assets through a video surveillance system in certain areas of the facility, identifiable by the presence of appropriate signs. For this processing, your consent is not required, as the legal basis is our legitimate interest (Article 6(1)(f) GDPR) to protect people and property against possible assaults, thefts, robberies, damage, acts of vandalism and for fire prevention and workplace safety purposes. The images recorded are deleted after 24 hours, except on holidays or other cases of closure of the business, and in any case no later than one week. They are not communicated to third parties, except in the case of a specific investigative request by the judicial authority or the judicial police.
 

CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Your personal data may be shared, for the purposes listed above, with:

• persons authorized by the Data Controller to process personal data for the performance of activities strictly related to the provision of accommodation services and ancillary services booked by you, who have an adequate legal obligation of confidentiality and who process personal data within the limits permitted to them and in accordance with the instructions given by the Data Controller;
• companies that assist and maintain management systems used by the data controller for the management of hotel bookings and for accounting;
• companies that provide ancillary services (SPA, catering) included in the stay booked by the customer or subsequently requested by the same;
• companies for data management and processing activities for marketing purposes on behalf of the data controller;
• credit institutions, payment companies for the management of payment services;
• other subjects who carry out activities on behalf of the Data Controller such as, for example: persons, companies or professional firms that provide assistance and consultancy to the Data Controller in legal, accounting, tax and insurance matters;
• IT companies appointed by the Data Controller for the maintenance, assistance, security and technological updating of the IT and telematic system and the website www.duparcsuites.com; 
• Companies, associations or professionals for the provision of ancillary services to the stay, if requested by the customer;
• public administrations, supervisory and judicial authorities in order to fulfil the obligations provided for by laws, regulations and national or European legislation or to allow the Data Controller to defend itself in court.

The complete list of subjects operating in total autonomy as Data Controllers and of the subjects in charge of the processing, who operate on instructions from the Data Controller, is constantly updated and can be easily and freely requested from the Data Controller.

METHODS OF PROCESSING AND TRANSFER OF PERSONAL DATA

Your personal data is processed through manual (paper-based) and automated (IT and telematic) means, using logic strictly related to the purposes indicated below, and applying security measures suitable to guarantee compliance with the principles of lawfulness, fairness, transparency, storage limitation, data minimization, accuracy, integrity, and confidentiality, in accordance with the GDPR and applicable national legislation. 
Monteglio stores personal data through servers primarily located within the European Economic Area for the time strictly necessary to achieve the purposes indicated above, in compliance with civil and tax obligations to retain data and the limits provided by law. However, the Data Controller reserves the right to use services located in non-EU countries (e.g., online booking engine of Travelclick), in which case the service providers are selected from among those who provide adequate guarantees pursuant to Articles 45 and following of the GDPR. With specific reference to the USA, the transfer of data is authorized based on specific decisions of the European Union and the Italian Data Protection Authority, in particular Decision 1250/2016 (Privacy Shield). 

DATA SUBJECT RIGHTS

We would also like to inform you that the European Regulation grants you the following rights:

1. Right of access. You may request confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to that personal data and specific information about the processing, such as the purposes, the categories of personal data concerned, and the existence of the other rights listed below. You may also request a copy of your personal data.
2. Right to rectification. You have the right to obtain rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data. 
3. Right to erasure. You may obtain the erasure of your personal data without undue delay where one of the following grounds applies: (i) the personal data is no longer necessary in relation to the purposes for which it was collected, (ii) you have withdrawn your consent on which the processing was based (except where there is another legal ground for the processing), (iii) you object to the processing and there are no overriding legitimate grounds for the processing or you object to the processing for direct marketing purposes, (iv) the personal data has been unlawfully processed, or (v) the personal data has to be erased for compliance with a legal obligation. This right does not apply where processing is necessary, for example: 
   • for compliance with a legal obligation;
   • for the establishment, exercise or defense of legal claims.
4. Right to restriction of processing. You have the right to obtain restriction of processing where one of the following applies: 
   • you contest the accuracy of the personal data for a period enabling the controller to verify the accuracy of the personal data;
   • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;  
   • you need the personal data for the establishment, exercise or defense of legal claims;
   • you have objected to processing, pending the verification whether the legitimate grounds of the controller override your own
5. Right to data portability. You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, in the cases where the processing is based on consent or on a contract and the processing is carried out by automated means. You also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This is without prejudice to the right to erasure.
6. Right to object. You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on legitimate interests of the controller, except where there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. 

If processing is based on consent, you have the right to withdraw your consent at any time.

For any further information, and to exercise your rights under the European Regulation, you may contact the Data Controller: Monteglio S.p.A., Corso Massimo d’Azeglio 21, (Torino), Italy, VAT number 05699940010, email privacy@duparcsuites.com. As a data subject, you also have the right, pursuant to Article 77 of the GDPR, to lodge a complaint with the supervisory authority, the Italian Data Protection Authority (Garante Privacy, http://www.garanteprivacy.it), if you consider that the processing of your personal data infringes this Regulation.

The Data Controller reserves the right to amend this policy from time to time.

This policy is updated as at December 17th, 2024

FULL VIDEO-SURVEILLANCE PRIVACY POLICY
pursuant to art. 13 of Regulation (EU) 2016/679

Dear Visitor, In accordance with the provisions of the Italian Data Protection Authority and of current legislation on the processing of personal data, please note that the Hotel “DUPARC Contemporary Suites”, situated in Corso Massimo d’Azeglio 21 in the city of Turin (Italy), haS adopted an image-recording video surveillance system to protect corporate assets and personal safety. In accordance with Regulation (EU) 2016/679 (hereinafter the “EU Regulation), such processing of data is based on the principles of minimisation, purpose limitation, fairness, lawfulness and transparency, as well as on protecting your privacy and rights. Pursuant to art. 13 of the EU Regulation, therefore, we hereby provide you with the following information on the processing of personal data.

DATA CONTROLLER
With reference to the images processed as above, please note that the Data Controller is the company Monteglio S.p.a. with registered offices in Corso Massimo d'Azeglio 21, (Turin), Italy, VAT No. 05699940010.

PROCESSING PURPOSES
The company has installed a video surveillance system on its premises for the purpose of protecting its corporate assets. Recordings are made in compliance with current personal data protection rules and in particular with the EU Regulation, the video surveillance measures issued by the Italian Data Protection Authority, and the Workers’ Statute (Italian Law 300/1970). This system has been authorised by the Labour Inspectorate with Authorisations no. ITL_TO/0029004/dg and ITL_TO/0029005/dg dated 31 May 2019, available on request. The legal basis for processing is the legitimate interest of the Data Controller to protect the company’s assets (Art. 6(f) of the GDPR).

PROCESSING METHODS
The processing shall be conducted in compliance with the methods and data requirements laid down by art. 5 of the EU Regulation as well as with the provisions of the applicable measures issued by the Italian Data Protection Authority, and shall include all the operations or sets of operations required for the processing in question, including communication to the subjects referred to below (see “Communicating Data”). Processing shall occur through the use of a video recorder, and shall be managed by purposely authorised staff. The areas covered by the video cameras are: the entry gate and external perimeter areas, stairways and garages. The company has put in place special security procedures for accessing areas subject to video surveillance. Said areas are indicated by signs informing visitors of the presence of a video surveillance system. These signs are positioned in such a way as to inform visitors before being recorded and allow anyone not wishing to be recorded to act accordingly.

STORING IMAGES
Images are stored for 24 hours after being recorded, except during holiday periods and when the company is closed or when requested to help in the investigations of the judicial authorities.

COMMUNICATING DATA
The personal data relating to the processing in question, for the purposes indicated above, may be communicated to companies or professionals entrusted by the Data Controller to ensure the maintenance and security of the video surveillance system or to the judicial authorities and/or the law enforcement agencies when requested for the prevention/investigation of criminal offences. In such cases, access to images will be strictly limited to the execution of the task entrusted by us to the subjects specified above. In particular, the images may come to the attention of authorised parties operating under the direct authority of the Data Controller or Data Protection Officers in accordance with the instructions imparted. Moreover, the images may occasionally come to the attention of external companies and undertakings entrusted with the maintenance and repair of video equipment and cameras.

MANDATORY/OPTIONAL NATURE OF THE CONFERMENT OF DATA AND CONSEQUENCES OF FAILING TO CONFER SAME
The recording of images is not mandatory, however it is necessary for the purposes of security and to protect the company’s assets. Consequently, should you object to the recording, you will not be guaranteed entry to the Hotel.

RIGHTS OF DATA SUBJECTS

1.    The data subject has the right to obtain confirmation of the existence or otherwise of their personal data, even if not yet registered, and their communication in an intelligible form.
2. The data subject has the right to be informed of:
a.    the origin of their personal data;
b.    the purposes and methods of processing;
c.    the logic applied in case of processing carried out with the aid of electronic instruments;
d.    the identification details of the controller, processors and the data protection officer appointed pursuant to Article 5, paragraph 2;
e.    the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of such data in a capacity as data protection officers in the territory of the State, processors or persons appointed to carry out processing.
3. The data subject has the right to obtain:
a.    the updating, rectification or, when interested, the integration of data;
b.    the deletion, transformation into anonymous form or blocking of data processed in violation of the law, including the retention of data not necessary in relation to the purposes for which the data were collected or subsequently processed;
c.    a statement that the operations referred to in letters a) and b) have been brought to the attention, also with regard to their content, to subjects to whom the data have been communicated or disseminated, except in the event that such obligation proves impossible or involves the use of means manifestly disproportionate to the protected right;
d.    data portability.
4. The data subject has the right to object wholly or in part:
a.    for legitimate reasons to the processing of personal data concerning them, even if pertinent to the purpose for which the data were collected;
b.    to the processing of personal data concerning them for the purpose of sending advertising material or direct sales or for carrying out market research or commercial communication.
5. The data subject has the right to request the restriction of processing.

You may exercise your rights by sending an email to privacy@duparcsuites.com or by sending a written request to the addresses specified above.

Pursuant to Article 77 of the GDPR, data subjects also have the right to lodge a complaint with the competent supervisory authority (the Italian Data Protection Authority) or to file a complaint pursuant to Article 144 of Italian Legislative Decree 101/201, whenever they consider that the processing of their personal data infringes applicable legislation. 

This policy is updated as at July 12th, 2023