This privacy policy sets out the provisions and policies regarding the collection, processing, use, and protection of personal data of guests who book at our facility. We are committed to ensuring the security and confidentiality of our guests' personal data and to complying with the applicable data protection laws.

The GDPR 679/2016 European Regulation on personal data protection in Articles 13 and 14, paragraphs 1, imposes the obligation to inform the data subject, in the case of direct and indirect collection of their data, on the fundamental elements of the processing. The undersigned company fully complies by informing you that:
La scrivente impresa vi adempie compiutamente informandoLa che:

DATA CONTROLLER
VACUNA SRLS, VAT IT08594621214, with registered office at Via Santa Maria 220, Quarto - 80010 (NA), Italy.
PEC: vacunasrls@pec.it
PHONE NUMBER: +39 08118086669
EMAIL: info@vacuna.it

PURPOSE OF DATA PROCESSING
Personal data will be processed, with consent where necessary, for the following purposes:
– to acquire and confirm your reservation for accommodation services and ancillary services and to provide the requested services;
– to comply with any obligations required by current laws, regulations, or community legislation, or to satisfy requests from authorities;
– to comply with the obligation provided by Art. 109 R.D. 18.6.1931 No. 773 "Consolidated Text of Public Safety Laws" which imposes the communication to the Police Headquarters, for public safety purposes, of the personal data of the accommodated clients – according to the procedures established by the Ministry of the Interior Legislative Decree 7. 1. 2013;
– to comply with the obligation of communication to the regional tourism observer to monitor the tourism sector through the acquisition, management, and dissemination of information and statistical data related to the flow between demand and supply of regional tourism;
– to comply with current administrative, accounting, and tax obligations;
– to speed up registration procedures in case of subsequent stays at our facility;
– to handle the reception of messages and phone calls addressed to you before, during, and after your stay;
– with prior consent, for marketing purposes (e.g., sending promotional messages and updates on rates and offers, newsletters).

PERSONAL DATA SUBJECT TO PROCESSING
The categories of personal data processed are:
– identifying and demographic data (e.g., name, surname, tax code, business name);
– demographic data (e.g., age, gender, country, and preferred language);
– contact information (e.g., address, phone, email);
– payment information (credit and debit card details provided for guarantee and/or balance);
– reservation data;
– health-related data (e.g., disabilities, food intolerances, allergies to fabrics);
– phone call data.

LEGAL BASIS FOR PROCESSING
The processing of data will be conducted in full compliance with current legal provisions, respecting the principles of lawfulness, correctness, and confidentiality. The processing of data will be based on:

• Pre-contractual and contractual obligations: Since these are necessary treatments for the definition of the contractual agreement and its subsequent implementation, the consent of the data subject is generally not required. However, if the data subject refuses to provide the requested personal data, this may result in the impossibility of confirming the reservation and/or providing the requested services.

• Legal obligations: The processing of data to comply with legal obligations is carried out without the need to obtain the consent of the data subject. However, if the data subject refuses to provide the data necessary to comply with these legal obligations, this may result in the impossibility of providing the requested services.

METHOD OF PROCESSING
The data processing will be carried out in accordance with Article 32 of GDPR 2016/679, both in an automated and manual manner, and will include the following operations: collection, registration, organization, storage, consultation, processing, extraction, use, communication, cancellation, and destruction of data.

The use of electronic tools or other automated technologies will be employed for data storage, management, and transmission, ensuring the appropriate configuration to guarantee the necessary confidentiality and protection.

In the event that data is present on paper support, appropriate custody measures will be adopted to prevent access by unauthorized persons.

Personal data may be provided directly by the data subject to the Data Controller or collected through third parties, such as OTAs (Online Travel Agencies), for example, Booking.com, Expedia.com, Airbnb, etc.

For reservations made online through the institutional website, the Data Controller company will use a third-party booking engine appointed as responsible pursuant to Article 28 of GDPR.

DATA COMMUNICATION
Personal data may be transferred and processed by third parties, acting as authorized, responsible, or data controllers, to fulfill pre-contractual, contractual, and legal obligations.
The possible categories of recipients include, but are not limited to:
– Authorized personnel
– System administrators
– Accounting consultants
– Legal consultants
– Banking and financial institutions
– Insurance entities
– Service companies for the maintenance of the hotel infrastructure
– Internet service and email provider companies
– Companies owning the booking system
– Police authorities (Police Headquarters)
– Business partners of VACUNA SRLS to whom it communicates data exclusively to handle and manage online reservations, such as Octorate S.r.l.

DATA RETENTION
The personal data of the data subject will be retained by the Data Controller for the period strictly necessary to carry out the activities related to the purposes described in this policy. In particular, the retention periods will be as follows:
– 10 years (as provided by civil obligations);
– A maximum of 3 months from the check-out date for credit card data;
– A maximum of 3 years from the date of the last check-out for specific personal data related to the stay for marketing purposes, unless otherwise indicated by the data subject.
Data sent to the Police Headquarters is deleted immediately after submission. However, digital submission receipts are retained for 5 years.

It should be noted that longer retention periods may be provided in accordance with specific sector regulations.

DATA SUBJECT'S RIGHTS
As a Data Subject and with respect to the processing described in this privacy policy, the client enjoys the rights specified in Articles 7, 15 to 21, and 77 of the General Data Protection Regulation (GDPR). These rights include:

– Right of access (Article 15 GDPR): The client has the right to obtain confirmation on whether or not personal data concerning them is being processed, as well as to access such personal data and obtain a copy of it.

– Right to rectification (Article 16 GDPR): The client has the right to request, without undue delay, the correction of inaccurate personal data concerning them or the completion of incomplete personal data.

– Right to erasure (right to be forgotten) (Article 17 GDPR): The client has the right to obtain the erasure of personal data concerning them, without undue delay.

– Right to restriction of processing (Article 18 GDPR): The client has the right to obtain the restriction of the processing of their personal data in the following circumstances: (a) contesting the accuracy of the personal data for the period necessary for the Data Controller to verify the accuracy; (b) unlawful processing of personal data and the data subject’s opposition to the erasure of personal data, requesting instead the restriction of its use; (c) necessity of the personal data for the establishment, exercise, or defense of a legal claim; (d) opposition to processing pursuant to Article 21 GDPR, pending verification of whether the legitimate grounds of the Data Controller prevail over those of the Data Subject.

– Right to data portability (Article 20 GDPR): The client has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, and machine-readable format. They also have the right to transmit such data to another Data Controller without hindrance, provided the processing is based on consent and is carried out by automated means. In addition, the right to have the client’s personal data transmitted directly to another Data Controller where technically feasible;

– Right to object (Article 21 GDPR): The client has the right to object, at any time, for reasons related to their particular situation, to the processing of personal data concerning them based on the lawful interest condition or the execution of a task of public interest or the exercise of public powers, including profiling, unless there are legitimate grounds for the Data Controller to continue processing that prevail over the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of a legal claim. Additionally, the right to object at any time to the processing of personal data for direct marketing purposes, including profiling, to the extent related to such direct marketing;

– Right to withdraw consent – pursuant to Article 7 of the General Data Protection Regulation (GDPR), the Client has the right to withdraw their consent at any time. Such withdrawal will not affect the lawfulness of the processing based on the consent given before the withdrawal.

– Right to lodge a complaint – pursuant to Article 77 of the GDPR, the Client has the right to lodge a complaint with the Data Protection Authority. To do so, they may send a registered letter with acknowledgment of receipt to the address: Piazza Venezia No. 11, 00187 ROME. Alternatively, they can send a certified email message to the address protocollo@pec.gpdp.it.

The Client may exercise their rights at any time by sending a registered letter with acknowledgment of receipt to: VACUNA SRLS, with registered office at Via Santa Maria 220, Quarto - 80010 (NA), Italy, or by sending a PEC to: vacunasrls@pec.it. vacunasrls@pec.it.

NATURE OF DATA PROVISION
The provision of personal data constitutes an essential requirement for the conclusion of the contract in question. Therefore, if you refuse to provide such information, it will be impossible to proceed with the contractual fulfillment.

Regarding the purposes for which your consent is required, your refusal will not affect the obligations assumed.

TRANSFER OF DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION
Some of our external service providers operate outside the European Economic Area (EEA), which entails the transfer of personal data outside this area. Whenever we carry out such transfers, the Data Controller guarantees an adequate level of protection by adopting at least one of the following measures:

• Use of specific contracts approved by the European Commission or the United Kingdom Information Commissioner, which ensure the same level of protection for personal data as required in Europe, where certain service providers are used.
• Transfer of data to suppliers based in the United States only if they participate in the “Privacy Shield,” which requires them to provide equivalent protection for personal data shared between Europe and the United States.

DISCLOSURE AND PROFILING OF DATA
The personal data of the data subject will not be subject to disclosure or automated decision-making processes, including profiling.

In the case of indirect data collection under Article 14 of the General Data Protection Regulation (GDPR), the Data Controller will provide the information specified in paragraphs 1 and 2:

• Within a reasonable time after the collection of personal data, but in any case no later than one month, duly considering the specific circumstances in which the personal data is processed.
• In the case that personal data is intended to communicate with the data subject, the information will be provided no later than the time of the first communication to the data subject.
• If the personal data is to be communicated to third parties, the information will be provided no later than the first communication of personal data.
  

Privacy Policy of www.vacuna.it
This application collects some Personal Data of its users.

Data Controller: VACUNA SRLS
VAT Number: IT08594621214
Data Controller's Email Address: info@vacuna.it