Privacy Notice – Data Processing

Information document pursuant to Article 13 of EU Regulation 2016/679 – GDPR

B&B Maestà di Cudino – VAT No. 02287240515 – Via Molin Bianco 15/6 52100 Arezzo Italy – Cell. 331 4227166 Sabrina – E-mail: info@maestacudinoarezzo.com, with registered and operational headquarters at Via Molin Bianco 15/6 52100 Arezzo Italy, Sabrina Beni, as the data controller, informs you pursuant to Article 13 of EU Regulation No. 2016/679 (hereinafter referred to as “GDPR”) that your data will be processed in the manner and for the purposes outlined below:

Purpose of Processing

The Data Controller processes personal data, such as identifiers (e.g., name, surname, company name, address, phone number, email, banking and payment details)—hereinafter, “personal data” or simply “data”—that you have provided for the purposes of entering into service agreements with the Data Controller.

Purpose of Processing

Data is collected and processed as follows:

Without your express consent [Article 6 letters b), e) GDPR], for the following Service Purposes:

  • Compliance with all operations required by regulatory, fiscal, and tax obligations arising from business activities.

  • Establishment and execution of ongoing contractual relationships.

  • Operations closely connected to and instrumental in starting the above relationships, including the acquisition of preliminary information for the conclusion of the Contract.

  • Compliance with legal requirements concerning administrative and management activities.

  • Providing the requested services and enabling efficient management of customer relationships to respond to information requests, assistance, and/or specific needs.

  • Measurement of customer satisfaction and the preparation of internal use statistics.

Only with your specific and separate consent (Article 7 GDPR), for the following Marketing Purposes:

  • Sending communications related to the services offered, newsletters, and personalized updates containing promotional material and initiatives about our activities and services, using traditional (calls with an operator) or automated methods (emails).

  • Sending commercial and/or promotional communications from third parties (e.g., business partners) via email, postal mail, and/or SMS and/or phone contacts.

  • Please note that if you are already our customer, we may send you commercial communications related to services similar to those you have already used, unless you object.

Processing Methods

The processing will be carried out automatically and/or manually, using methods and tools, in compliance with the security measures outlined in Article 32 of GDPR 2016/679, by persons specifically appointed in accordance with Article 29 GDPR 2016/679. Security measures will be used to ensure the confidentiality of personal data and to prevent unauthorized access by third parties or unauthorized personnel.

The data provided will be stored in our archives according to the following parameters:

  • For administration, accounting, order management, quotation management, production flow management, assistance and maintenance, shipping, invoicing, services, and litigation management activities: 10 years as established by law pursuant to Article 2220 of the Civil Code, unless late payments justify a longer period.

  • For the purposes outlined in paragraph 2.A points 2-3-4-5-6: until the expiration of the contract.

  • For marketing purposes (paragraph 2.B points 1-2): 24 months.

Data Access

Your data may be made accessible for the purposes outlined in paragraph 2.A:

  • To members, employees, and collaborators of the Data Controller, in their capacity as persons in charge of and/or internal managers of the processing and/or system administrators.

  • To companies/professional collaborators to whom B&B Maestà di Cudino entrusts certain activities.

  • To third-party companies or other entities that perform outsourced activities on behalf of the Data Controller, in their capacity as external data processors (e.g., software houses, law firms, certifying bodies, accounting/tax consultants, municipal entities, safety consultants and service companies for workplace safety).

For the sake of brevity, the detailed list of such figures is available at our office and is at your disposal.

Data Communication

Without the need for express consent (Article 6 letters b) and c) GDPR), the Data Controller may disclose your data for the purposes outlined in paragraph 2.A to supervisory bodies, judicial authorities, as well as to those persons to whom the communication is mandatory by law for the fulfillment of the said purposes. These entities will process the data in their capacity as independent data controllers. Your data will not be disclosed.

Data Transfer

Personal data is stored on servers located within the European Union in the offices of the legal headquarters. It is understood that the Data Controller, if necessary, may move servers even outside the EU, in compliance with applicable legal provisions and subject to the stipulation of the standard contractual clauses established by the European Commission.

Nature of Data Provision and Consequences of Refusal

The provision of data for the purposes outlined in paragraph 2.A is mandatory. Without it, we cannot guarantee you the services outlined in paragraph 2.A. The provision of data for the purposes outlined in paragraph 2.B is optional. You may decide not to provide any data or to later deny the processing of data already provided; in that case, you will not be able to receive newsletters, commercial communications, and advertising material related to the services offered by the Data Controller, but you will still be entitled to the services outlined in paragraph 2.A.

Rights of the Data Subject

Regarding the processing of personal data, each Data Subject may exercise the rights set forth in Articles 15 to 22 of the Regulation:

  1. Access to personal data (Article 15 GDPR);

  2. Rectification or erasure (right to be forgotten) or restriction of processing (Articles 16, 17, and 18 GDPR);

  3. Objection to processing (Article 21 GDPR);

  4. Data portability (Article 20 GDPR);

  5. Withdrawal of consent;

  6. Complaint to the supervisory authority (Privacy Authority – www.garanteprivacy.it).

Exercise of Rights

You may exercise your rights at any time by contacting:

B&B Maestà di Cudino, Via Molin Bianco 15/6 52100 Arezzo, Italy; Email: info@maestadicudinoarezzo.com.

Data Controller and Processors

The Data Controller is B&B Maestà di Cudino, Via Molin Bianco 15/6 52100 Arezzo. The updated list of the persons in charge of processing is kept at the Data Controller’s registered office.

Last Update: 03/05/2019

Cookies

This section describes how this website and third parties use cookies and similar technologies. Cookies are used in compliance with European legislation (Directive 2009/136/EC, which amended Directive 2002/58/EC “E-Privacy”) and national legislation (Decision of the Data Protection Authority of May 8, 2014, and subsequent clarifications, as well as the Guidelines on cookies and other tracking tools of June 10, 2021, No. 231).
For complete information regarding cookies, please refer to our cookie policy: www.maestacudinoarezzo.com.

Type of Data Processing

The processing of personal data is necessary for the pursuit of the legitimate interest of the Data Controller to provide information regarding Maestà di Cudino’s activity pursuant to Article 6, paragraph 1, letter f) of EU Regulation 2016/679, in compliance with the provisions of the same Regulation.

Log Files

This site uses log files in which information collected automatically during user visits is stored. The information collected may include the following:

  • Internet Protocol (IP) address;
  • Browser type and device parameters used to connect to the site;
  • Name of the Internet Service Provider (ISP);
  • Date and time of visit;
  • Web page of origin (referral) and exit page;
  • Number of clicks, if applicable.

This information is processed in an automated form and collected in an aggregated form solely to verify the correct functioning of the site and for security reasons. This information will be processed based on the legitimate interests of the Data Controller.

For security purposes (spam filters, firewalls, virus detection), automatically recorded data may also include personal data such as the IP address, which may be used, in compliance with applicable laws, to block attempts to damage the site itself or cause harm to other users, or otherwise harmful or criminal activities. These data are never used for the identification or profiling of the user but only for the purpose of protecting the site and its users. This information will be processed based on the legitimate interests of the Data Controller.

Type of Data Collected

Maestà di Cudino collects data from users directly from the site or from third parties. The data are necessary for the navigation of the site.

The data collected by Agriturismo Petriolo include:

  • Name and surname, address, email, company;
  • VAT number and tax code.

Data Provided by the User

If the site allows comments to be posted, or if specific services are requested by the user, the site automatically detects and records some user identification data, including the email address. These data are voluntarily provided by the user when requesting service delivery.

By posting a comment or other information, the user expressly accepts the privacy policy. The data received will be used exclusively for the provision of the requested service and only for the time necessary to provide the service.

The information that users of the site choose to make public through the services and tools provided to them is given by the user knowingly and voluntarily, exempting this site from any responsibility regarding possible violations of the law. It is the user’s responsibility to verify they have permission to enter personal data of third parties or content protected by national and international standards.

The voluntary and explicit sending of emails to the addresses indicated on this site entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the message.

Specific summary information will progressively be reported or displayed on site pages set up for particular services upon request.

Purpose of Data Processing

The data collected by the site during its operation are used for the purposes mentioned above and for the following purposes:

  • Requesting personal data for marketing purposes and/or sending newsletters and informational emails.

Data Retention

In accordance with Article 5.1(c) of the Regulation, the IT systems and software programs used by Maestà di Cudino are configured to minimize the use of personal and identification data; such data will be processed only to the extent necessary to achieve the purposes indicated in this Policy.

The data will be stored for the period of time strictly necessary to achieve the purposes being pursued and, in any case, the criterion used to determine the retention period is based on compliance with the terms allowed by applicable laws and principles of data minimization and retention limitation.

Data used for security purposes (blocking site damage attempts) are kept for the time strictly necessary to achieve the purpose previously indicated.

User Rights

This site also incorporates plugins and/or buttons for social networks, to facilitate content sharing on your favorite social networks. The user’s rights regarding personal data protection are guaranteed. In line with what is reiterated and affirmed by the GDPR, regarding the processing of their personal data, the user has the right to request from the Data Controller:

  • Access: the user may request confirmation of whether data processing concerning them is in progress, as well as further clarifications regarding the information provided in this notice;
  • Rectification: the user may request to correct or supplement the data they have provided if it is incorrect or incomplete;
  • Erasure: the user may request that their data be deleted if it is no longer necessary for our purposes, in case of consent withdrawal or opposition to processing, in case of unlawful processing, or if there is a legal obligation of deletion or it refers to individuals under the age of fourteen;
  • Restriction: the user may request that their data be processed only for storage purposes, excluding other treatments, for the period necessary to rectify their data, in case of unlawful processing for which they oppose deletion, if they need to exercise their rights in court, and the data held by the Controller may be useful, and, finally, in case of opposition to processing while verifying the prevalence of the Controller’s legitimate reasons over their own;
  • Objection: the user can object at any time to the processing of their data, except where there are legitimate reasons for the Controller to proceed with the processing that prevail over theirs, such as for the exercise or defense in legal proceedings;
  • Portability: the user can request to receive their data, or have it transmitted to another controller they indicate, in a structured, commonly used, and machine-readable format;
  • Withdrawal: the user may withdraw their consent to the use of cookies (Cookie Policy) at any time, as this constitutes the basis for processing. Consent withdrawal does not prejudice the lawfulness of processing based on consent performed before the withdrawal itself.

The user may exercise the above rights at any time by contacting Maestà di Cudino at the following email address: info@maestacudinoarezzo.com.

Moreover, the user has the right to lodge a complaint with the Italian supervisory authority, the “Garante per la Protezione dei Dati Personali”, if they believe their rights have been violated by Maestà di Cudino or if they are not satisfied with Maestà di Cudino’s response to their requests.

Data Security

This site processes user data in a lawful and correct manner, adopting appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of data. Processing is carried out using IT and/or telematic tools, with organizational methods and logics strictly related to the purposes indicated.

In addition to the Data Controller, in some cases, categories of personnel involved in the organization of the site (administrative, commercial, marketing, legal, and system administrators) or external parties (such as third-party technical service providers, postal couriers, hosting providers, IT companies, communication agencies) may have access to the data.

Changes to This Document
