Pursuant to article 13 of EU Reg. 2016/679 (later GDPR), we inform you that Gregorio's Holiday processes the identification data of customers, suppliers and subjects who have voluntarily communicated, during direct contact or indirectly by telephone, mail, fax, e-mail, website their personal data to our offices.

According to the principle of accountability, it guarantees that the processing of personal data takes place in compliance with fundamental rights and freedoms, as well as the dignity of the interested party, with particular reference to confidentiality, personal identity and the right to protection of personal data.

In relation to the processing of personal data carried out, the Data Controller provides, among other things, the following information:

• "personal data" (pursuant to Article 4.1 of the GDPR), means any information relating to an identified or identifiable natural person ("interested party"); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social;

• "processing" (pursuant to Article 4.2 GDPR), means any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, the organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.

Identity and contact details of the Data Controller

Company name: Gregorio's Holiday

registered office address: Via Gregorio VII, 80, Vaticano Prati, 00165 Rome

Email contact details: gregoriosrooms@gmail.com

Personal data collected

The personal data collected are essentially related to:

- Identification data (name and surname, e-mail address, telephone, etc.).

Type of data processed

Navigation data

The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user's IT environment.

This information is not collected to be associated with identified interested parties, as the data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning, but by their very nature could, through processing and associations with data held by third parties, allow users to be identified.

It should be noted that the data could be used by the competent authorities to ascertain responsibility in the event of hypothetical computer crimes.

Cookies

The site uses cookies to improve the user's browsing experience. For more information on the type of cookies used, the purposes and methods of disabling it is possible to consult the specific section.

Data provided voluntarily by the user

To access some services reserved for users, it is necessary to register and enter some personal data.

The provision of certain identification data is necessary in order to authenticate and verify the legitimacy of access, in the various levels of the reserved areas, to the subjects who access them. Under no circumstances will sensitive or judicial data be processed.

The optional, explicit and voluntary sending of e-mails to the addresses indicated on this site involves the subsequent acquisition of the sender's address, necessary to respond to requests, as well as any other personal data included in the message. Specific summary information will be progressively reported or displayed on the pages of the site set up for particular services on request.

Purpose

The data you provide may be processed for:

1) carrying out the operations strictly necessary in order to proceed with the provision of any services requested by you, including your navigation between the pages of the site;

2) the provision of technological services (mailing lists, newsletters, etc.), also by specifically authorized third parties;

3) activities imposed by laws, regulations or provisions for the execution of commercial orders;

4) statistical processing of aggregated data in relation to site performance;

5) assessments regarding the use of the site by users;

6) optimize the commercial offer also through focused and selected analyses;

7) send advertising and/or commercial proposals based on the profiling of your data, implemented to be able to highlight information and commercial proposals tuned to the interests you have expressed by accessing the pages and using the services available on this site.

In the pages of the site where your personal data are explicitly collected, you will find where necessary the additional specific privacy information, as well as the methods for acquiring your consent in cases where the owner resorts to this legal basis of treatment.

Legal basis

The processing of your personal data will be carried out on the basis of one or more of the following conditions. In particular, the treatments carried out for the purposes described above, which concern:

point 1 and point 2, have as their legal basis the need to execute your express requests to receive a service directly available through the site: it is therefore a question of providing data that is strictly necessary and connected to a pre-contractual and/or contractual or functional to respond to your specific request, as such the data collected from time to time are mandatory and, if you do not intend to provide them, it will not be possible to provide the service or respond to what you have requested;

point 3, will have as legal basis the need to comply with a legal obligation such as for example the obligation to implement security measures provided for by specific laws of the banking / financial sector applicable for certain services provided through the site and as such these data and related treatments are mandatory;

point 4, being anonymised data, i.e. data from which it is not possible to re-identify, even indirectly, a natural person, such data are no longer personal data, therefore the related treatments are removed from the application of the privacy legislation and are not necessary a particular legal basis

· points 5, 6 and 7, will have as legal basis your informed and free consent, which will be requested in specific pages of the site and preceded by our specific information or via cookies (see section dedicated to the cookie policy). In this case, the provision of data is absolutely free, and in the absence of your consent, the data will not be collected and used for these purposes in any way. If you have given your consent, you can revoke it at any time and starting from the revocation, the data will not be further processed for these purposes. For maximum clarity, we point out that the withdrawal of consent does not have retroactive effects on the data processed before the withdrawal itself.

Furthermore, if you are under the age of 16, for the processing of your data for these purposes it will be necessary to obtain the authorization from the holder of parental responsibility towards you.

Where the owner can make use of another legal basis (legitimate interest, public interest...), specific and specific information will be provided.

Processing methods, security measures and storage times

All data will be processed mainly in electronic format. Personal data as well as any other information that can be associated, directly or indirectly, with a specific user, are collected and processed by applying technical and organizational security measures such as to guarantee a level of security appropriate to the risk, taking into account the state of the art and of implementation costs, or, where envisaged, security measures prescribed by specific legislation such as, by way of non-exhaustive example: measures envisaged by applicable provisions issued by the Guarantor Authority for the protection of personal data or by specific laws and regulations for the banking sector /financial and will be accessible only to specifically authorized personnel.

Precisely with reference to the aspects of personal data protection, you are invited, pursuant to art. 33 of the GDPR to notify the owner of any circumstances or events from which a potential "violation of personal data (data breach)" may arise in order to allow an immediate assessment and the adoption of any actions aimed at countering this event, by sending a communication to databreach@iccrea.bcc.it . We remind you that personal data breach means "the breach of security which involves the accidental or unlawful destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed".

The measures adopted by the owner do not exempt the user/customer from paying the necessary attention to the use, where required, of passwords/PINs of adequate complexity, which must be updated periodically as well as carefully guarded and made inaccessible to others, in order to avoid improper and unauthorized use.

The personal data processed will be kept in a form that allows identification of the interested parties for a period of time not exceeding the achievement of the purposes for which they are processed, without prejudice to the need to keep them for a longer period following requests from the Competent authorities in the field of prevention and prosecution of crimes or, in any case, to assert or defend a right in court.

Categories of Recipients of personal data

Personal data will be processed by personnel specifically authorized by the owner as well as by third parties, also possibly established in foreign countries with respect to the European Union, only if this is necessary for operational and maintenance needs of the site and the services made available through the site itself, without prejudice to any obligations established by legal provisions (eg: inspections by the tax authority).

In no case will they be disclosed to the public.

As required by the GDPR, the holder appoints as personal data processing managers the third-party companies that carry out all or part of the activities in question exclusively on behalf of the holder. In the case of involvement of third parties established in foreign countries with respect to the European Union, the appropriate guarantees corresponding to the adequacy decisions issued by the European Commission and/or by the national Data Protection Authority are adopted for the relative transfer of data abroad. protection of personal data from time to time appropriate to the case. Further information regarding the cases of possible data transfers to foreign countries with respect to the European Union and the relative guarantees adopted, as well as information regarding the companies appointed as personal data processing managers, can be requested from the DPO.

The personal data provided by users who request dispatch of informative material (various documentation, reports, answers to questions, publications, etc.) are used only to perform the service or provision requested and are communicated to third parties only if where this is necessary for this purpose (example: publication delivery service).

Rights of the interested parties

In relation to the processing of your personal data carried out through this site, at any time, as an interested party, you can exercise the rights provided for by the GDPR. In particular it will be able to:

access your personal data, obtaining evidence of the purposes pursued by the owner, the categories of data involved, the recipients to whom the same may be communicated, the applicable retention period, the existence of automated decision-making processes, including profiling , and, at least in such cases, significant information on the logic used, as well as the importance and possible consequences for the interested party, where not already indicated in the text of this Information;

obtain without delay the rectification of inaccurate personal data concerning you;

· obtain, in the cases provided for by law, the cancellation of your data;

obtain the limitation of the treatment or to oppose it, when admitted on the basis of the provisions of the law applicable to the specific case;

in the cases provided for by law, request the portability of the data that you have provided to the owner, i.e. to receive them in a structured format, commonly used and readable by an automatic device, and also request the transmission of such data to another owner, if technically feasible;

· where it deems it appropriate, lodge a complaint with the supervisory authority.

For the processing of personal data for which the legal basis is consent, you can always revoke it and in particular exercise the right to object to direct marketing.

To exercise these rights, simply contact the DPO by referring to the contact details given at the beginning of this Policy.

For further information regarding your rights and privacy regulations in general, please visit the website of the Guarantor Authority for the protection of personal data, at the address http://www.garanteprivacy.it/

Information published on: 25 May 2018