Information pursuant to Articles 13 and 14 of EU Regulation 2016/679 of the European Parliament and of the Council
S.U. SERVICES SRL wishes to inform you that, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data or General Data Protection Regulation (hereinafter also referred to as the “GDPR”), it will process certain personal data collected automatically or provided by the user or third parties through navigation or use of the website https://shop.serenohotels.com/ (hereinafter referred to as the “Website”).
This Privacy Policy, therefore, refers exclusively to the Website and does not apply to other sites, pages or online services accessible through hyperlinks, even if published within it.
1. DATA CONTROLLER
The Data Controller is S.U. SERVICES SRL, VAT number 10171890964, registered in Milano, via Bartolomeo Eustachi n. 46 (hereinafter “Owner” of the treatment).
2. CONTACT PERSON FOR THE PROCESSING OF PERSONAL DATA
The Owner, considering the protection of personal data of primary importance, has appointed an internal contact person or “Designated Privacy” for the supervision of processing activities: this figure can be contacted by writing an e-mail to for each issue concerning the protection of personal data.
3. DEFINITION AND TYPE OF PERSONAL DATA PROCESSED
In order to allow the use of the Website and its services, the Data Controller needs to know, acquire and process some of your personal data. In particular, when you browse or purchase on the Website (hereinafter, collectively, “Services”), or interact with the initiatives and activities carried out by the Owner processes the following personal data:
- to purchase the products on the Website: e-mail address, name, surname, address of residence, domicile or destination of the goods (yours or third parties), telephone number, date of birth, billing address;
- to use the Customer Service support: personal data that will be communicated by the User and / or requested by our assistance to respond to the User;
4. PURPOSE OF THE PROCESSING AND ITS LEGAL BASIS
The personal data in the possession of the Data Controller are those provided when browsing the Website and during the use of its Services.
Personal data are processed for the following purposes.
- Negotiate, conclude and execute the contract for the purchase of goods offered through the Website. The provision of your personal data for this purpose is mandatory, as, in the event of failure to provide, the Owner would not be able to process your order and therefore you could not buy any product. It is possible that your personal data, in order to conclude an order that contains a gift, have been provided to the Owner by a third party: in this case, this information also applies to you as the data subject.
The legal basis on which the treatment is based is the need to execute a contract of which you are a party and the need to comply with legal obligations.
- Manage the requests sent to the Customer Service and / or through contact forms and / or through different channels. The provision of your personal data for this purpose is optional. However, in the absence of such consent, it will not be possible for the Owner to process the requests you decide to make to our Customer Service.
The legal basis on which the treatment is based is the exercise of the legitimate interest of the owner and / or the need to comply with legal obligations.
Personal data may be processed either by computer or on paper, where this is necessary in relation to the type of service requested.
5. PERIOD OF RETENTION OF PERSONAL DATA
The Data Controller shall keep the personal data for a period of time not exceeding that necessary to achieve the purposes for which they were collected and processed.
In this context, in compliance with current legislation, including accounting, the Owner will keep your personal data acquired through the sale of its products for a period not exceeding 10 years. Subsequently, we will provide for their cancellation, or their transformation into anonymous form in a permanent and non-reversible.
In any case, once the purposes for which they were collected and processed have been achieved, we will remove them from our systems and records and/or take appropriate measures to make them anonymous, so as to prevent you from being identified.
This is without prejudice to the case where we need to keep such data in order to comply with legal obligations, or to ascertain, exercise or defend our rights in court.
6. CATEGORIES OF RECIPIENTS OF THE DATA
The personal data processed will not be disclosed to third parties. Your personal data may, however, be disclosed in relation to the processing purposes set out above:
- the subjects who can access the data by virtue of the provisions of the law provided for by the law of the European Union or by that of the Member State to which the Data Controller is subject;
- the subjects who carry out, within the borders of the European Union, in total autonomy, as separate data controllers, or as data processors appointed for this purpose by the Owner, auxiliary purposes to the activities and services referred to in paragraph 4, or bank operators, internet providers, couriers and forwarders, companies that offer IT infrastructure and services of IT assistance and consultancy, as well as design and implementation of software and Internet sites, law firms, companies that offer services useful to customize and optimize our services, companies that offer services of analysis and development of data, service centers, companies or consultants responsible for providing additional services to the Data Controller, within the limits of the purposes for which they were collected;
- the issuer of the credit card used by you, the service providers for the anti-fraud control connected to the payment process and (where necessary) for the activation of the anti-fraud control procedure.
In addition, our employees may also be informed of your personal data, provided that they have previously been designated as a person acting under the authority of the Data Controller pursuant to Art. 29 GDPR or as a System Administrator.
Any communication of your personal data will take place in full compliance with the legal provisions of the GDPR and with the technical and organizational measures put in place by the Data Controller to ensure an adequate level of security.
In no case will the personal data of the Users be disclosed, unless explicit, free and prior consent has been obtained on the basis of specific information in accordance with current legislation.
7. RIGHTS OF THE INTERESTED PARTY
In relation to the processing of your personal data, according to the GDPR, the person concerned has the right to:
- revoke your consent to the processing of your personal data at any time. It should be noted, however, that the revocation of consent does not affect the lawfulness of the processing based on consent prior to revocation, as provided for in Art. 7, paragraph 3, GDPR;
- ask the Data Controller for access to personal data, as provided for in Art. 15 GDPR;
- obtain from the Data Controller the rectification and integration of personal data deemed inaccurate, even by providing a simple supplementary declaration, as required by Art. 16 GDPR;
- obtain from the Data Controller the deletion of personal data if there is even only one of the reasons provided for in Art. 17 GDPR;
- obtain from the Data Controller the limitation of the processing of personal data in the event of the occurrence of one of the hypotheses provided for in Art. 18 GDPR;
- receive from the data controller personal data concerning him in a structured format, commonly used and readable by automatic device, and has the right to transmit such data to another owner of the treatment without hindrance, as provided by art. 20 GDPR;
- object at any time, on grounds relating to your particular situation, to the processing of personal data carried out pursuant to Article 6(1)(e) or (f);
- to lodge a complaint with a supervisory authority (art. 77) or to bring the matter before the appropriate courts (art. 79), if it considers that the processing of your data violates the GDPR. The complaint may be lodged in the Member State in which you are habitually resident, working or in the place where the alleged infringement occurred.
To exercise each of your rights, you can contact the Data Controller by sending a communication to the address of the registered office indicated above, or you can contact the Designated Company Privacy by writing to the e-mail address, providing the following personal data:
– Name, surname;
– Details of the request;
Where necessary, in order to verify the identity of the interested party by the Data Controller, the following additional information may be requested:
– Purchase code;
– Other data relating to the transaction initiated or completed.
8. CONSENT OF MINORS IN RELATION TO INFORMATION SOCIETY SERVICES
Children under the age of sixteen (16) are expressly prohibited from using the services provided through the Website. In consideration of the technologies available and the services provided, the Owner has set up systems of personal verification to ensure that the consent to the processing of personal data of the child is given or authorized by the subject exercising parental authority. By registering or purchasing on the Website, you confirm that you have reached the age of majority envisaged by your country of residence.
9. VERSION AND VALIDITY OF THIS DOCUMENT
This notice may be updated from time to time and will be based on the latest version, so please check this page regularly.