Learn about the group
menu
eng
ita
eng
fra
deu
esp
por
Reservations
  • Hotel
  • Arrival
  • Departure
  • Rooms
  • Adults
  • Children
  • Discount code
  • Change reservation
Purchase a service
Create a gift

Privacy

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA – ART. 13 OF REGULATION (EU) 2016/679

Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”) and Italian Legislative Decree 196/2003 as harmonised by Legislative Decree 101/2018, we inform you that the personal data concerning you and provided by you may be processed, in compliance with the above legislation and confidentiality obligations, in the manner and for the purposes set out below.
The recipients of this notice are Guests who access the facilities/premises and Services offered by the Data Controller.

1. DATA CONTROLLER
The Data Controller pursuant to Regulation (EU) 2016/679 is:
Montecarlo SPA Immobiliare – Registered office: Firenze, Lungarno del Tempio 44 – Tax code and VAT no. 00434210480 – hr@fhhotelgroup.com – for all operating sites and local units (hereinafter the “Company” or the “Controller”).
Email: dpo@fhhotelgroup.it
VAT: 00434210480

2. SOURCE AND CATEGORIES OF DATA PROCESSED
The personal data the Company may acquire are normally provided directly by you and include, by way of example:

  • identification and personal data (e.g., name and surname, address, telephone, email, image contained in an identity document, etc.);

  • economic and financial data, including bank and payment details;

  • your image, within the limits of the purposes under para. 3 below;

  • residually, and solely to protect you when accessing the facilities/premises and services offered by the Controller, data regarding your physical conditions or health (e.g., pregnancy status, mental or motor disabilities, intolerances/allergies).
    Data of minors may be processed for the same purposes indicated below.

3. PURPOSES AND LEGAL BASES OF PROCESSING
To comply with the obligation under Article 109 of the Consolidated Public Security Act (Royal Decree 18 June 1931, no. 773), which requires communication to the Police Headquarters (Questura) of the details of accommodated persons, in the manner established by the Ministry of the Interior (Decree of 7 January 2013). Legal basis: Art. 6(1)(c) GDPR (legal obligation).
Retention period: data are immediately transmitted to the Police Headquarters and are not stored on site; only the transmission receipt is kept for 5 years as provided by the Ministry of the Interior Circular of 24/03/2005.

Personal data will be collected and processed by the Company for the following purposes:
a) to allow you to access the Controller’s facilities and premises and the marketed services and products;
b) to allow you to access the Wi-Fi service;
c) to perform all administrative, accounting and tax activities related to the purpose under letter (a) above;
d) to exercise the Controller’s rights, in particular the right of defence in legal proceedings;
e) Marketing purposes: personal data, including contact details and email address, may be used to send promotional communications and newsletters relating to services offered by the Controller or affiliated facilities, via authorised platforms such as Guezzt by Serenissima Informatica. Processing will take place only with your explicit consent pursuant to Art. 6(1)(a) GDPR;
f) Profiling purposes, to analyse your preferences, habits, behaviours, interests, and products/services purchased during your stay in order to improve the service provided and to send personalised commercial communications, promotions and services based on your needs and preferences, or to recommend other products in line with your previous purchases.

Processing of personal data, including those referred to in Art. 9 GDPR (“special categories of data”) within the above limits, is based on the following legal bases:

  • Art. 6(1)(b) GDPR, insofar as, for purposes a), b), c) above, processing is necessary for the performance of the contract binding you to the Controller;

  • Art. 6(1)(c) GDPR, insofar as, for purpose c), processing is also necessary to comply with legal obligations to which the Controller is subject;

  • Art. 6(1)(f) GDPR, insofar as, within the limits of purpose d) above, processing is necessary for the establishment, exercise or defence of the Controller’s rights in judicial or extrajudicial proceedings.
    Accordingly, for the above purposes, processing is mandatory. Failure to provide, or inaccurate/incomplete provision of, data will make it impossible for you to access the Controller’s Services and facilities/premises.

  • Art. 6(1)(a) GDPR, insofar as, for purposes e) and f), processing is possible only where you give consent.

4. NATURE OF PROVISION AND CONSEQUENCES
Providing data for purposes a), b), c) and d) of paragraph 3 is necessary to fulfil pre-contractual and contractual obligations as well as legal obligations incumbent on the Controller; failure to provide such data will make it impossible for the Controller to allow you to access its facilities/premises, activities or Services.
Providing data for purposes e) and f) of paragraph 3 is optional and processing requires your prior consent; if consent is not given, the Controller will not process data for such purposes.

5. DISCLOSURE, TRANSFER AND DISSEMINATION OF DATA
Personal data are stored—in a form that permits identification—for the time strictly necessary to achieve the purposes for which they are collected and in compliance with applicable laws and obligations. In particular, data collected for contractual and statutory obligations will be retained for 10 years from termination of the relationship, even without explicit consent, pursuant to Art. 6(1)(c) and (f) GDPR. Data processed for optional purposes (e.g., marketing, profiling) will be retained until consent is withdrawn and in any case no longer than 24 months. Longer retention is permitted only where required by law or for the establishment, exercise or defence of legal claims, in accordance with limitation periods.
Personal details transmitted to the Police Headquarters are removed the day after communication.
Your data will be processed, in particular, by the following categories of recipients:

  • third-party companies or other entities that carry out certain activities on behalf of the Controller as external processors pursuant to a valid contract;

  • entities to whom communication is mandatory by law;

  • joint controllers with whom a Joint Controllership Agreement under Art. 26 GDPR exists;

  • the subjects in the above categories will act as data processors or as joint controllers, as applicable.
    Employees and collaborators of the Controller, as persons authorised to process under Art. 29 GDPR, as well as all subjects who have access to the company intranet and/or corporate social profiles, may also become aware of your data. Your personal data will be processed in Italy and stored on electronic archives located in EU Member States.
    They will not be transferred outside the EU and will never be disseminated, i.e., made available to unspecified parties, in any form.

6. EXTERNAL DATA PROCESSORS
Your personal data may also be communicated to third parties designated as external processors pursuant to Art. 28 GDPR, including:

  • Blastness S.r.l., provider of the online booking engine;

  • Serenissima Informatica S.p.A., for managing contact forms and newsletters via the Guezzt software;

  • Allibo (Zucchetti Group), for collecting applications via the “Work with us” area;

  • Whistlesblow.it (True Solutions S.r.l.), for managing the whistleblowing channel in compliance with Legislative Decree 24/2023;

  • Oscar WiFi (INWYA S.r.l.), for managing corporate Wi-Fi connections and customer satisfaction data collection;

  • Prenota-web – E-Group s.r.l. – IT partner for restaurants – Restaurant website https://www.ristoranteserrae.it;

  • Netparking provided by NetHome – Parking management software – Garage website https://garagemediterraneo.it.
    All the above parties operate on servers located within the European Union and are bound by specific contractual agreements to guarantee an adequate level of protection of the personal data processed on behalf of the Controller.

7. FURTHER PURPOSES
Subject to your consent, data may also be processed for:

  • sending promotional communications relating to similar services;

  • customer satisfaction surveys;

  • recognising and managing stated preferences (e.g., room type, dietary needs);

  • facilitating future check-ins and administrative operations in subsequent stays;

  • managing receipt of phone calls and messages addressed to you during your stay. This processing takes place exclusively with your consent and only for the duration of your stay;

  • storing specific preferences (e.g., room floor, pillow type, dietary needs) to personalise service during your stay, possibly using special category data (e.g., intolerances). Processing based on consent;

  • facilitating administrative procedures in the event of subsequent stays by re-using information already provided, only with your consent. Data will be retained for a maximum of 10 years, unless consent is withdrawn;

  • sending questionnaires to assess satisfaction and service quality. Legal basis: Controller’s legitimate interest. Retention: strictly necessary for overall assessment;

  • sending promotional communications relating to services similar to those already purchased or requested, even without your explicit consent, in compliance with Art. 130(4) of Legislative Decree 196/2003, without prejudice to your right to object at any time. Legal basis: Art. 6(1)(f) GDPR. Retention: 12 months from collection.

8. BROWSING DATA AND COOKIES
While browsing the company website, IT systems acquire certain personal data (e.g., IP addresses, URLs, time of the request) whose transmission is implicit in Internet communication protocols. Such data are used only for anonymous statistical purposes and to check the correct technical functioning of the site. For more details, please refer to the online Cookie Policy.

9. VIDEO SURVEILLANCE
Some areas of the hotel facilities may be video-surveilled to protect people and property, ensure corporate security and prevent fires. Images are kept for up to 72 hours, except during holidays or upon requests from Authorities. Information signs are posted in the areas subject to video surveillance in compliance with the Data Protection Authority’s Guidelines.

10. METHODS OF PROCESSING
Data collected will be processed by electronic or otherwise automated, IT and telematic means, or by manual processing with logics strictly related to the purposes for which the personal data were collected and, in any case, in such a way as to guarantee their security and confidentiality. The Company also uses IT systems and software configured to minimise use of personal data, excluding processing where purposes can be achieved through anonymous data and/or data enabling identification only when necessary.

11. DATA RETENTION
Personal data are stored—in a form that allows identification—for the time strictly necessary to achieve the purposes for which they are collected and in compliance with applicable laws and obligations. In particular, data collected for contractual and statutory obligations will be retained for 10 years from termination of the relationship, even without explicit consent, pursuant to Art. 6(1)(c) and (f) GDPR. Data processed for optional purposes (e.g., marketing, profiling) will be retained until consent is withdrawn and in any case no longer than 24 months. Longer retention is permitted only where required by law or for the establishment, exercise or defence of legal claims, in accordance with limitation periods. These timeframes may vary where special circumstances prevent achieving the purposes within the above terms.

12. RIGHTS OF THE DATA SUBJECT
At any time you may exercise the rights under Articles 15–21 GDPR, namely to access your data, object to processing or request erasure, rectification, restriction of processing or updating of all personal information collected by the Controller, as well as obtain data portability and withdraw consent given (only for those purposes based on consent). You may also lodge a complaint with the Italian Data Protection Authority or with the Authority of the country where you habitually reside, work or where the alleged infringement occurred.
To exercise the above rights you may email: hr@fhhotelgroup.it, also using the specific form made available by the Authority at www.garanteprivacy.it.

Offers and packages

Grand Hotel Mediterraneo
Bocelli at the Teatro del Silenzio - Lajatico 2026
Package with round-trip transfer to the Teatro del Silenzio included
Learn more
Grand Hotel Mediterraneo
City Break
With garage and dinner on arrival included
Learn more
Grand Hotel Mediterraneo
Firenze Marathon
Stay with dinner, breakfast from 6:30 am and late check-out included
Learn more
Grand Hotel Mediterraneo
Christmas Offer
Package with overnight stay, breakfast and Christmas lunch included
Learn more
Grand Hotel Mediterraneo
New Year's Eve Package with Dinner and Brunch
Package with Dec. 31 dinner and Jan. 1 brunch included
Learn more
Grand Hotel Mediterraneo
New Year's Eve Package with Dinner
Package with dinner on December 31 included
Learn more
Grand Hotel Mediterraneo
Family Promo - Free Cancellation
With dinner on the evening of arrival (drinks not included) and parking space in our garage
Learn more
Grand Hotel Mediterraneo
Dinner and Breakfast included - free cancellation
The Package includes: Bed and Breakfast and Dinner every day.
Learn more
©2022 FH55 Group | All rights reserved
WEBSITE BY BLASTNESS
Book now close
ita
eng
fra
deu
esp
por