Privacy policy of FH55 Hotel Group

PERSONAL DATA PRIVACY NOTICE PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679

We hereby inform you, pursuant to Articles 13 and 14 of Regulation (EU) No. 2016/679 (hereinafter, the “GDPR”) and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018, that your personal data, as provided by you, may be processed in compliance with the aforementioned legislation and applicable confidentiality obligations, using the methods and for the purposes described below.

The recipients of this notice are Guests accessing the Facilities/premises and Services offered by the Data Controller.

1. DATA CONTROLLER

The Data Controller pursuant to Regulation (EU) No. 2016/679 is:

- Montecarlo SPA Immobiliare Registered Office in Florence, Lungarno del Tempio 44, Tax Code and VAT No. 00434210480, hr@fhhotelgroup.com, for all its operational offices and local units (hereinafter, the “Company” or the “Controller”).

2. SOURCE AND CATEGORIES OF DATA PROCESSED

The personal data that the Company may collect is typically provided directly by you and may include, for example:

• Identifying and personal information (e.g., first and last name, address, phone number, email, photo contained in ID documents, etc.);
• Financial and asset-related information, including banking and payment details;
• Your image, with your explicit consent, within the scope of the purposes outlined in Section 3 below;
• In exceptional cases, and solely to safeguard your access to the Facilities/premises and services offered by the Controller, information related to your physical condition or health (e.g., pregnancy status required for access to the SPA, or any intolerances/allergies).

Please note that data concerning minors may also be processed for the same purposes described in the following section.

3. PURPOSES AND LEGAL BASIS OF PROCESSING

Personal data will be collected and processed by the Company for the following purposes:

1. To allow you to access the Controller’s Facilities and premises, as well as the services and products offered;
2. To allow you to access the Wi-Fi Service;
3. To carry out all administrative, accounting, and tax-related activities connected to the purpose outlined in item (a) above;
4. To exercise the Controller’s rights, particularly with regard to the right to legal defense;
5. Marketing purposes, involving the sending—subject to your prior consent—of commercial and promotional communications through automated contact methods (e.g., email, SMS) regarding Montecarlo SPA Immobiliare’s products/services or events, as well as sending you surveys or questionnaires to assess your level of satisfaction with your stay, services, and activities organized by the Controller;
6. Profiling purposes, involving the analysis of your preferences, habits, behavior, interests, and products and services purchased during your stay, in order to improve the service provided and send personalized commercial communications, promotions, and services based on your needs and preferences, or to recommend other products aligned with your past purchases;

The processing of personal data, including special categories of data as defined under Article 9 of the GDPR (i.e., “sensitive data”), within the scope of the purposes indicated above, is carried out based on the following legal grounds:

• 6, sect. 1. Lett. B) of the GDPR, since, with regard to purposes a), b), and c) of the previous section, the processing is necessary for the fulfillment of the contract binding you to the Controller;
• 6, sect. 1. Lett. C) of the GDPR, considering that, in relation to the purpose outlined in letter c), the processing is also necessary for compliance with legal obligations to which the Controller is subject;
• 6, sect. 1. Lett. F) of the GDPR, since, within the scope of the purpose outlined in letter d) of section 3 above, the processing is necessary for the establishment, exercise, or defense of the Controller’s rights, whether in judicial or extrajudicial proceedings.

As a result, processing for the aforementioned purposes is mandatory. Failure to provide your data—or providing inaccurate or incomplete data—will make it impossible for you to access the Controller's Services and Facilities/premises.

• 6, sect. 1 Lett. A), insofar as, for the purposes described in letters e) and f), processing is permitted only with your consent.

4. NATURE OF DATA PROVISION AND CONSEQUENCES.

The provision of data for the purposes outlined in letters a), b), c), and d) of Section 3 above is necessary for fulfilling pre-contractual and contractual obligations, as well as for complying with legal obligations applicable to the Controller. Therefore, failure to provide such data will result in the Controller being unable to grant you access to its Facilities/premises, Activities, or Services.

On the other hand, providing data for the purposes outlined in letters e) and f) of Section 3 above is optional, and processing of such data requires your prior consent. If you choose not to provide consent, the Controller will not be able to process your data for those specific purposes.

5. DISCLOSURE, TRANSFER AND DISSEMINATION OF DATA

We inform you that your data will be stored at our headquarters, as well as at the Facility/Service where you are a guest, and will be disclosed exclusively to those entities responsible for carrying out the necessary services to ensure proper management of the relationship, ensuring full protection of your rights as a data subject. Your data will be processed, in particular, by the following categories of recipients:

• Third-party companies or other entities performing certain outsourced activities on behalf of the Controller, in their capacity as external data processors under a valid data processing agreement;
• Entities to whom disclosure is required by law;
• Joint data controllers with whom the Controller has entered into a Joint Controllership Agreement in accordance with Article 26 of the GDPR;
• Entities falling under the categories listed above will act either as Data Processors or Joint Controllers, depending on the case.

Employees and collaborators of the Controller may also become aware of your data, in their capacity as persons authorized to process personal data pursuant to Article 29 of the GDPR, as well as any individuals who, in general, have access to the company intranet and/or corporate social media profiles. Your personal data will be processed in Italy and stored in electronic archives located in countries that are part of the European Union.

Your data will not be transferred outside the European Union and will not be disseminated, meaning it will not be made available to unspecified parties in any form.

6. DATA PROCESSING METHODS

The data collected will be processed using electronic or otherwise automated, IT, and telematic tools, or through manual processing with procedures strictly related to the purposes for which the personal data was collected. In all cases, the processing will ensure the security and confidentiality of the data. Additionally, the Company uses information systems and software programs configured to minimize the use of personal data, excluding processing where the intended purposes can be achieved through the use of anonymous data and/or data that identifies the data subject only when strictly necessary.

7. DATA RETENTION

The data will be retained—in a form that allows identification of the data subject—for only as long as necessary to achieve the purposes for which the data was collected, and always in compliance with applicable laws and legal obligations. Specifically, unless an earlier request for deletion is made by the data subject (if applicable and legally permissible), the personal data collected will be retained by the Company for the entire duration of the contractual relationship and, generally, for 10 years following its termination, in order to fulfill specific legal or contractual obligations, including those set out under civil and tax laws. Retention of data is also permitted after the termination of the contractual relationship if necessary for the exercise of the Controller’s rights—particularly the right of defense in case of legal disputes—in compliance with statutory limitation periods set out by the law.

These retention periods may be subject to change if required by specific circumstances that prevent the intended purposes from being achieved within the timeframes indicated above.

8. RIGHTS OF THE DATA SUBJECT

At any time, you may exercise the rights set out in Articles 15–21 of the GDPR, and, therefore, may access your data, object to its processing, or request the deletion, correction, restriction of processing, or updating of any personal information collected by the Controller. You may also request the portability of the collected data and withdraw any consent you previously granted (only with respect to the processing purposes for which that consent was given). Lastly, we remind you that if you believe the processing of your personal data violates the provisions of the Regulation, you may always lodge a complaint with the Italian Data Protection Authority or with the supervisory authority of the country where you habitually reside, work, or where the alleged violation occurred. To exercise any of the rights mentioned above, you may send an email to: hr@fhhotelgroup.it, also using the dedicated form made available by the Data Protection Authority at www.garanteprivacy.it.