Privacy Policy

Information document pursuant to and for the purposes of Article 13 of Regulation (EU) 2016/679 (GDPR)

WHY THIS INFORMATION?

Pursuant to Regulation (EU) 2016/679 (hereinafter “GDPR”), this page describes how personal data are processed. This notice is provided in accordance with Article 13 of the GDPR. This notice does not apply to other third-party websites that may be consulted through links on this website, for which no responsibility is assumed.

1. WHO IS THE DATA CONTROLLER?

The Data Controller is Palazzo Venezia S.r.l., with registered office at via Regina n. 40, 22012, Cernobbio (CO), Italy, represented by its pro tempore Legal Representative. For any information, the Data Controller may be contacted by email at: privacy.pve@palazzovenezia.com.

2. DEFINITIONS AND CATEGORIES OF PERSONAL DATA PROCESSED

Please note that the GDPR provides the following definition of personal data: any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

In particular, with reference to this Privacy Notice, the categories of personal data processed include:

  • Contractor/User data: identification, personal and contact data such as name, surname, email address, telephone number, and any additional data necessary and relevant for the provision of the service.  
  • Browsing data: the IT systems and software procedures used to operate this website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This category includes IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters relating to the user’s operating system and IT environment.
  • Data provided voluntarily: the optional, explicit, and voluntary sending of messages to the contact addresses indicated on this website and/or the completion of data collection forms entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the communication.

Information on the Processing of Personal Data through Social Media Platforms: regarding the processing of personal data carried out by the operators of the Social Media platforms used by the Data Controller, please refer to the information provided by such operators through their respective privacy policies. The Data Controller processes personal data provided by users through the dedicated pages on Social Media platforms to manage interactions with users (such as comments, public posts, etc.), in compliance with the applicable legislation.

Specific privacy notices: specific privacy notices may be available on certain pages of the Website in relation to particular services or specific data processing activities carried out through the website.

3. PURPOSE OF PROCESSING, LEGAL BASIS, DATA RETENTION PERIOD, AND NATURE OF DATA PROVISION

A. WEBSITE BROWSING

  • Purpose of the processing: the data necessary for the use of web services are also processed in order to obtain statistical information on the use of the services (such as the most visited pages, number of visitors by time slot or day, geographical areas of origin, etc.) and to monitor the proper functioning of the services offered.
  • Legal basis: the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by third parties, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, taking into account the reasonable expectations of the data subject and the activities strictly necessary for the functioning of the website and for browsing itself (Art. 6(1)(f) and Recital 47 of the GDPR).
  • Data retention period: browsing data are retained for the duration of the browsing session.
  • Nature of data provision: the provision of data is necessary in order to allow navigation on the website.

B. USE OF COOKIES AND SIMILAR TECHNOLOGIES

  • Purpose of the processing: please refer to the Cookie Policy available in the website footer.
  • Legal basis: please refer to the Cookie Policy available in the website footer.
  • Data retention period: please refer to the Cookie Policy available in the website footer.
  • Nature of data provision: please refer to the Cookie Policy available in the website footer.

C. CONTACTS

  • Purpose of the processing: to provide assistance and respond to requests for information regarding rooms, events, and any other related needs.
  • Legal basis: the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) and Recital 44 of the GDPR).
  • Data retention period: maximum 12 months.
  • Nature of data provision: the provision of data is necessary. Failure to provide the required data will make it impossible to be contacted and to receive the requested information.

D. DIRECT MARKETING

  • Purpose of the processing: to send advertising or direct marketing material, conduct market research, and send commercial and promotional communications, including newsletters, through automated means (such as email and SMS) and traditional means (such as telephone and postal mail). Communications may contain promotional activities and/or logos of third-party partners and companies belonging to the same group. In order to compare and possibly improve the results of automated communications, the Data Controller uses reporting systems. Through such reports, the Data Controller obtains information such as: the number of readers, openings, unique clickers and clicks; the devices and operating systems used to read the communication; details of individual user activity; and details of emails sent, delivered, not delivered, or forwarded. This data is used to analyse and improve the effectiveness of communications.
  • Legal basis: the processing is based on the data subject’s consent to the processing of personal data (Art. 6(1)(a) and Recitals 42–43 of the GDPR).
  • Data retention period: until withdrawal of consent (or opt-out).
  • Nature of data provision: the provision of data is optional. Failure to provide the required data will make it impossible to receive direct marketing communications.

E. NON-AUTOMATED PROFILING

  • Purpose of the processing: personal data will be entered into databases or CRM systems in order to carry out analyses and evaluations and to segment data subjects into homogeneous groups based on specific characteristics related to business activities, with the aim of improving service management and sending targeted promotional communications.
  • Legal basis: the processing is based on the data subject’s consent to the processing of personal data (Art. 6(1)(a) and Recitals 42–43 of the GDPR).
  • Data retention period: until withdrawal of consent and, in any case, for a maximum period of 12 months.
  • Nature of data provision: the provision of data is optional. Failure to provide the required data will make it impossible to carry out analyses and send targeted communications.

F. MANAGEMENT OF ACCOMMODATION AND FOOD & BEVERAGE RESERVATIONS

  • Purpose of the processing: personal data will be processed for the management of requests for information and reservations related to accommodation at the hotel and to restaurant/bar services, as well as for all organisational and operational activities necessary for booking management, preparation of quotations, confirmation of the requested services and their provision. In the context of managing the accommodation at our hotel or restaurant/bar services, we may also process special categories of personal data (Art. 9 GDPR) relating to health conditions (e.g. dietary requirements, disabilities, etc.) solely for the purpose of ensuring the proper and safe provision of the services offered. The provision of such data is optional.
  • Legal basis: the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) and Recital 44 of the GDPR).
  • Data retention period: maximum 12 months.
  • Nature of data provision: the provision of data is necessary. Failure to provide the required data will make it impossible to stay at our hotel.

G. COMPLIANCE WITH ADMINISTRATIVE, ACCOUNTING AND LEGAL OBLIGATIONS

  • Purpose of the processing: personal data will be processed in order to comply with administrative, accounting, tax and regulatory obligations connected with the establishment and management of the contractual relationship relating to accommodation and restaurant/bar services. Such activities include, by way of example: the management of invoicing and accounting records, the protection of the Data Controller’s credit positions, the management of possible civil liability insurance coverage, as well as compliance with specific legal obligations, such as the communication of guest data to the Police Headquarter (Questura) for public security purposes and to the Lombardy Region for statistical purposes (Ross 1000).
  • Legal basis: the processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Art. 6(1)(c) and Recital 45 of the GDPR).
  • Data retention period: accounting and tax documentation are retained for 10 years from the date of the last accounting record (Art. 2220 of the Italian Civil Code), without prejudice to any contractual or non-contractual disputes that may arise and to different legal retention obligations. The communication of data to the Police Headquarter and to the Lombardy Region is retained only for the time necessary to fulfil the relevant legal obligations (respectively, maximum of 24 hours and one month).
  • Nature of data provision: the provision of personal data is mandatory, as it is necessary in order to comply with legal obligations.

H. MANAGEMENT OF DATA SUBJECT REQUESTS

  • Purpose of the processing: management of data subject rights pursuant to Articles 15 et seq. of the GDPR.
  • Legal basis: the processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Art. 6(1)(c) and Recital 45 of the GDPR).
  • Data retention period: 5 years from the closure of the request, unless dispute arises.
  • Nature of data provision: the provision of personal data is mandatory, as it is necessary in order to comply with legal obligations.

I. MANAGEMENT OF DISPUTES

  • Purpose of the processing: personal data may be processed in order to manage information useful for the proper handling of disputes and situations that may arise during the relationship, including any out-of-court and/or judicial proceedings, as well as for the defence in legal actions.
  • Legal basis: the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by third parties, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Art. 6(1)(f) and Recitals 47–50 of the GDPR).
  • Data retention period: 10 years, unless an objection is raised and without prejudice to the time necessary for the defence in legal proceedings.
  • Nature of data provision: the provision of data is necessary. Failure to provide the data will prevent the achievement of the legitimate interest of the Data Controller indicated in the purposes of this section. Any refusal must be balanced against the legitimate interest of the Data Controller referred to in this section.

4. TO WHOM WILL PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS

Personal data may be disclosed to entities that process data as independent Data Controllers or as Data Processors (Art. 28 GDPR) and processed by natural persons (Art. 29 GDPR) acting under the authority of the Data Controller and the Data Processors on the basis of specific instructions provided regarding the purposes and methods of processing. Personal data may be disclosed to recipients belonging to the following categories:

  • Entities providing services for the website and communication networks, including email services, hosting services, and website management (including group companies, affiliates, and subsidiaries);
  • Bodies located in Italy that, under applicable accounting and tax legislation, are recipients of mandatory communications;
  • Banking institutions and similar financial entities;
  • Insurance companies in the event of civil liability or third-party liability;
  • Firms or companies providing tax consultancy services and administrative/accounting management support;
  • For direct marketing purposes, subject to consent, entities providing direct marketing services;
  • For profiling activities, subject to consent, entities providing profiling services;
  • Entities with which the Data Controller has entered into economic or commercial agreements;
  • Competent authorities for compliance with legal obligations and/or provisions issued by public authorities, upon request.

The list of Data Processors pursuant to Art. 28 GDPR is available upon request by writing to privacy.pve@palazzovenezia.com.

5. WILL THE DATA BE TRANSFERRED TO COUNTRIES OUTSIDE THE EEA?

Personal data will not be transferred to countries outside the European Economic Area (EEA). Should it become necessary to transfer data to countries outside the EEA, such transfer will take place in compliance with the limits and conditions set out in Articles 44 et seq. of the GDPR. In such cases, the data subject may obtain a copy of the safeguards adopted for the transfer by writing to privacy.pve@palazzovenezia.com.

6. IS THERE AN AUTOMATED DECISION-MAKING PROCESS?

Personal data will be processed through traditional manual methods as well as electronic and automated tools. It should be noted that no fully automated decision-making processes are carried out. About profiling activities, such activity will be carried out with human intervention: an operator will analyse and develop the data subject’s profile and examine the habits and consumption preferences in order to improve the Data Controller’s commercial offer and services (non-automated profiling).

7. COOKIES AND OTHER TRACKING SYSTEMS. WHAT ARE THEY? WHAT ARE THEY USED FOR?

For information regarding cookies and other tracking systems, please refer to the Cookie Policy available in the website footer or at the following link .

8. WHAT ARE YOUR RIGHTS? HOW CAN YOU EXERCISE THEM?

Data subjects may exercise the rights provided for in Articles 15 et seq. of the GDPR by contacting the Data Controller at the following email address privacy.pve@palazzovenezia.com.

  • The Data Controller guarantees data subjects the possibility to request, at any time, access to their personal data (Art. 15), rectification (Art. 16), erasure (Art. 17), and restriction of processing (Art. 18). The Data Controller shall communicate (Art. 19) any rectification, erasure, or restriction of processing carried out to each recipient to whom the personal data has been disclosed. The Data Controller shall also inform the data subjects of such recipients if requested.
  • The Data Controller guarantees the right to data portability (Art. 20) and will provide the data subjects with their data in a structured, commonly used, and machine-readable format.
  • Data subjects have the right to object (Art. 21), at any time, to the processing of personal data based on the legitimate interest of the Data Controller by sending a request to the above contact address with the subject line “objection”.
  • Data subjects have the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To stop receiving direct marketing communications, data subjects may send an email to privacy.pve@palazzovenezia.com with the subject line “marketing unsubscribe” or use the automatic unsubscribe systems available in marketing emails (opt-out).
  • At any time, data subjects are free to withdraw their consent to profiling (non-automated) by sending an email to privacy.pve@palazzovenezia.com with the subject line “no profiling”.

If data subjects believe that the processing of their personal data carried out by the Data Controller infringes Regulation (EU) 2016/679, they are entitled to lodge a complaint with a national Supervisory Authority, in particular in the Member State where they habitually reside, work, or where the alleged infringement of the GDPR occurred (Italian Data Protection Authority – www.garanteprivacy.it/web/garante-privacy-en/home_en), or to seek judicial remedies.

9. CHANGES TO THE PRIVACY NOTICE

The Data Controller may change, modify, add, or remove any part of this Privacy Notice. In order to facilitate the verification of any changes, this Privacy Notice will indicate the date of its latest update.

Last update: 10/05/2026