+39 320 756 5530

sicily@kapuhala.com

Contrada Maccari snc – 96017 Noto, Siracusa – Italia.

KAPUHALA SICILY

  /  Privacy Policy

Privacy Policy

Tenimenti Kapuhala Srl, in its capacity as Data Controller (hereinafter referred to as “Data Controller” or “Hotel”), provides you with the following information pursuant to and for the purposes of Regulation EU No. 2016/679 (hereinafter, “GDPR”) regarding the processing of personal data collected during the room booking process and the purchase of its products and services.

1. Personal Data Processed and Data Source

In connection with room bookings and the purchase of the Hotel’s products and services, the Data Controller processes personal and contact data (e.g., name, surname, email address, mobile phone number, nationality, etc.) of prospective guests, payment and credit card data, as well as any other information included in the “Notes” field. All such data is provided directly by the individual making the booking.

Regarding the “Notes” field, the Data Controller requests that no special categories of personal data be included, such as information related to health status (e.g., details on motor disabilities, allergies, intolerances, etc.), religious beliefs, sexual orientation, political, or philosophical opinions.

2. Purposes, Legal Basis of Processing, and Nature of Data Provision

In the context of room bookings and the purchase of the Hotel’s products and services, your data will be processed for the following purposes:

a) Managing bookings and requests for related services and products, as well as responding to inquiries.

  • The legal basis for processing is the performance of contractual obligations under Article 6(1)(b) of the GDPR.
  • The provision of personal data is mandatory; failure to provide the requested data will make it impossible to finalize and execute the room booking or purchase of related services and products.

b) Compliance with legal obligations to which the Data Controller is subject.

  • This includes, but is not limited to, tax obligations related to contract execution, administrative/accounting requirements, and obligations under online payment regulations.
  • The legal basis for processing is the legal obligation under EU and national law, pursuant to Article 6(1)(c) of the GDPR and Article 2-ter of Legislative Decree No. 196/2003.
  • The provision of personal data is mandatory; failure to provide the requested data will make it impossible to finalize and execute the room booking or purchase of related services and products.

c) Defense of the Data Controller’s rights in legal or extrajudicial settings.

  • The legal basis for processing is the pursuit of legitimate interests under Article 6(1)(f) of the GDPR, consisting of the protection of the Hotel’s interests and rights.
  • The provision of personal data is mandatory; failure to provide the requested data will make it impossible to finalize and execute the room booking or purchase of related services and products. However, you may object to this processing at any time by submitting a reasoned request to the Data Controller under Article 21 of the GDPR. Your request will be reviewed and addressed by the Data Controller.

3. Data Recipients

Data may be disclosed, for the purposes outlined above, to third parties such as public authorities, law enforcement agencies, legal firms, accountants, etc., who will process the data as independent Data Controllers for their own purposes. Additionally, access to the data may be granted to:

  • The Data Controller’s personnel, explicitly authorized to process the data in compliance with the instructions provided, pursuant to Articles 29 and 32(4) of the GDPR and Article 2-quaterdecies of Legislative Decree No. 196/2003.
  • Service providers acting on behalf of the Data Controller, designated as Data Processors, including booking system providers, IT service providers, etc. The updated list of Data Processors is available from the Data Controller upon request.

Personal data will not be publicly disclosed.

4. Data Retention Period

The data processed will be retained only for as long as necessary to fulfill the activities/purposes described above, specifically for the period required by tax law (10 years) or the statute of limitations for possible legal actions.

5. Transfer of Data Outside the European Economic Area

Data is stored and processed within the European Economic Area (EEA). If data is transferred to third countries outside the EEA, the Data Controller ensures that such transfers comply with Articles 44 and following of the GDPR, such as by adopting Standard Contractual Clauses approved by the European Commission, selecting parties participating in international data transfer programs, or operating in countries deemed safe by the European Commission, in line with the European Data Protection Board’s Recommendations 01/2020 of November 10, 2020.

In some cases, transfers may be based on exceptions under Article 49 of the GDPR, such as the data subject’s informed consent, the execution of a contract between the data subject and the Data Controller, pre-contractual measures, significant public interest reasons, legal claims, or vital interests. Further details regarding transfers and associated safeguards are available from the Data Controller upon request.

6. Data Subject Rights

You may exercise your rights or request information on the processing of your personal data by contacting the Data Controller. Under the GDPR, you are entitled to:

a) Withdraw consent previously given, without affecting the lawfulness of processing based on consent prior to withdrawal.
b) Access your personal data and obtain a copy, as well as information about the purposes of processing, data categories, recipients, data retention periods, and other related details.
c) Rectify or update inaccurate or outdated data.
d) Erase data when no longer necessary for the purposes for which it was collected, when you withdraw consent, or when processing is unlawful.
e) Restrict processing if the accuracy of the data is contested, processing is unlawful, or you object to processing based on legitimate interest.
f) Data portability, meaning the right to receive your data in a structured, commonly used, and machine-readable format, and to transfer it to another Data Controller.
g) Object to processing based on the legitimate interest of the Data Controller, subject to evaluation.
h) Lodge a complaint with the relevant supervisory authority (for Italy, the Data Protection Authority at www.garanteprivacy.it).

7. Contact Information

The contact details of the Data Controller and, if appointed, the Data Protection Officer, are available in the privacy policy accessible from the footer of the Hotel’s website.

I confirm that I have read and understood the privacy notice regarding the processing of personal data.