Privacy Policy

PERSONAL DATA PROCESSING POLICY pursuant to Articles 13–14 of EU Regulation 2016/679 (the GDPR)

Last updated: July 21st, 2025

This Policy clearly and transparently describes how we process the personal data of the users who browse the huopenair.com website and all second-level domains and connected subdomains (*.huopenair.com). The Policy also applies to users of the myhu web app (web application dedicated to in-stay management) and the myhu profile (personal profile used to access the services provided by the sites), as well as all other digital services available within the websites indicated above. It therefore applies to all data collection and management activities that occur when the user accesses our pages, consults the information sections or interacts with the tools made available on the websites. This Policy does not concern any of the information collected through other methods and/or websites that can be accessed via the links on our portals, which are covered by specific policies. 

This Policy is amended, supplemented or updated periodically, including in consideration of any changes in the applicable legislation or provisions of the Data Protection Authority and/or the European Data Protection Board.

Changes and updates to the Policy will be brought to the attention of data subjects by updating the link to the Privacy Policy in the footer and/or in other specific sections of the website. Data subjects are therefore invited to regularly consult this Policy to understand the latest updated version, ensuring that they are always informed about the methods of collection and processing of their personal data. 

1. Data Controllers

The processing of personal data described in this privacy notice is carried out under a joint controllership arrangement, pursuant to Article 26 of Regulation (EU) 2016/679 (“GDPR”), by the following companies belonging to the Human Company Group (hereinafter, jointly, the “Companies” or “Human Company”):

  • hu Holding S.p.A. with its registered office at Via Generale C.A. dalla Chiesa, 13 – 50136 – Florence (Florence), Tax Code and VAT ID: 07377040485, which can be contacted at the following email address: [email protected].
    The Data Protection Officer (DPO) can be contacted at the following email address: [email protected].   

  • hu Openair S.r.l. with its registered office at Via Generale C. A. dalla Chiesa, 13 – 50136 – Florence (Florence), Tax Code: 02098970482 and VAT ID: 00282740976, which can be contacted at the following email address: [email protected].
    The Data Protection Officer (DPO) can be contacted at the following email address: [email protected].  

  • Roma Camping S.r.l. with its registered office at Via Aurelia 831 – 00165 – Rome (Rome), Tax Code: 01029610589 and VAT ID: 00954081006, which can be contacted at the following email address: [email protected].
    The Data Protection Officer (DPO) can be contacted at the following email address: [email protected].

  • Roma Gestioni S.r.l. with its registered office at Via Aurelia 831 – 00165 – Rome (Rome), Tax Code and VAT ID: 08219321000, which can be contacted at the following email address: [email protected].
    The Data Protection Officer (DPO) can be contacted at the following email address: [email protected].     

  • Camping International S.a. with its registered office at Um Birkelt n.1, Larochette, Luxembourg, VAT ID: LU13005324, which can be contacted at the following email address: [email protected].
    The Data Protection Officer (DPO) can be contacted at the following email address: [email protected]. 

  • Human Company S.r.l. with its registered office at Via Generale C. A. dalla Chiesa, 13 – 50136 – Florence (Florence), Tax Code and VAT ID: 06152400484, which can be contacted at the following email address: [email protected].
    The Data Protection Officer (DPO) can be contacted at the following email address: [email protected]. 

The Companies have jointly determined the purposes and means of the processing of personal data within the context of digital services, as well as commercial, administrative, and centralized management activities carried out through the Human Company Group’s websites, platforms, and applications.

Pursuant to Article 26 of the GDPR, the Companies have entered into a specific joint controllership agreement governing their respective responsibilities in relation to the processing of personal data and the exercise of data subjects’ rights.

2. Data Types

Below are the types of personal data processed within the limits of the purposes defined in this Policy:

  • Personal data provided by the user
    In the course of using the websites, the user may voluntarily provide the following personal data, which is necessary to access the available services and functions:

    • Personal and contact data, such as their first name, last name, date of birth and/or age group, gender, nationality, language, address, telephone numbers, email addresses and any other data provided by the user, for example, to make bookings and/or check in online, to register for a myhu profile, as well as to participate in other initiatives promoted by the Human Company Group Companies, such as prize competitions.
      It should also be noted that, within the scope of an online booking and/or check-in, the user may provide personal data relating to other people (for example, travelling companions and/or accompanying minors). In such cases, the user is required to inform the data subjects about the processing of their personal data, including the type of data collected, the purposes and retention times, and the parties who may access it, as well as the methods by which they can exercise the rights provided for by the GDPR, including by sharing this Privacy Policy;

    • Details of bookings made, such as the booking number, site, and arrival and departure date;

    • Purchase data, i.e. information relating to purchases made by the user on the websites, such as the list of bookings made and the dates and amounts of such purchases;

    • Tax data, such as the tax code or VAT ID;

    • Payment data, such as the credit/debit/bank card number (limited to the data necessary to identify/track the transaction, with the number partially obscured), including data relating to the means of payment (type of card) and the payment networks used;

    • Data necessary to execute the rules of a programme or competition that may be promoted by Human Company, such as accumulated points;

    • Demographic data and interests, such as geographical origin, family unit or group composition, preferred services/experiences/activities;

    • Data that Human Company receives from other sources to perform its services, such as booking services;

    • Audio recording of calls to the call centre, containing the user's voice;

    • Data contained within a message sent via support and help centre services;

    • Username and password;

    • ID and/or passport number, as well as the number plate required at check-in.

  • Browsing data

By browsing the website, certain technical information relating to the hardware and software used by users may be collected automatically by the computer systems that allow the website to function. The transmission of this information is implicit in Internet communication protocols. It may include, for example, the user's IP address, the domain name of the device used, the identifier of the requested resources (URI), the browser type and version, the presence of plug-ins, the identifier of the mobile device (such as the IDFA or Android ID), and further parameters relating to the operating system and the computing environment.      

  • Data collected using cookies

The websites use technical cookies necessary for their operation and, only with the user's consent, profiling cookies or third-party cookies. Information on the types of cookies used, their purposes, retention times, and how to revoke or modify consent can be found in the Cookie Policy, which can be consulted in full.  

3. Purposes and Legal Bases of Processing

The personal data collected via the website is processed exclusively for the purposes described in this section, in compliance with the legal bases provided for by the GDPR. 

  • Website browsing

During the simple consultation of the pages, some data is processed to ensure the proper functioning of the websites, monitor their traffic, identify any malfunctions and prevent abuse or illegal activities. These are essential activities to keep the platforms secure and to offer users a stable and reliable service.  

The legal basis for this processing is the legitimate interest of the Data Controller, as provided for by Article 6, paragraph 1, point f of the GDPR, consisting of the protection of data security, the proper functioning of the website, and the improvement of service standards.    

  • Statistical analysis on an aggregate basis

The information collected through cookies and similar technologies may be processed in an aggregate and anonymous manner for the sole purpose of improving the quality of the service and providing statistics concerning the use of the website. 

Within the scope of such activities, the Data Controller may also send to the data subject, by means of electronic mail, satisfaction questionnaires and customer satisfaction surveys relating to the services used, in order to collect feedback and improve the quality of the offering. 

The legal basis for the processing is the legitimate interest of the Data Controller in improving its services and carrying out commercial research, as well as in assessing customer satisfaction (Article 6(1)(f) GDPR).

  • Request management (via web, email or call centre)

The personal data acquired when the user uses the addresses indicated on the websites to send requests, fill in the contact or support forms, or contact the call centre, is processed by the Data Controller for the sole purpose of providing the requested information by way of an effective and comprehensive response.  The optional, explicit and voluntary sending of such communications involves the subsequent acquisition of the sender's address and any other personal data included in the message, which, unless otherwise duly communicated, will be stored for the time necessary to meet the requests.

When the user fills in the contact/support forms, they can, optionally, explicitly and voluntarily, enter any special requests in the free-text field. The Data Controller invites the user not to provide special data pursuant to Article 9 of the GDPR (for example: health information, such as the indication of diseases, allergies or food intolerances; requests related to reduced mobility or disability; membership of protected categories; religious beliefs associated with food preferences or service needs; data capable of revealing racial or ethnic origin, etc.); however, if the user decides to enter said data, such data will be processed exclusively to process the request and only if strictly necessary for the management of the request.

If the user decides to contact the Data Controller via the call centre, calls may be recorded with the consent of the data subject (Article 6, paragraph I, point a of the GDPR), in order to guarantee the protection and reproducibility of the verbal commitments made and allow, if necessary, the comparison with other data relating to the booking. If the call is recorded, the user will be informed at the beginning of the conversation. The data subject is also informed that the call centre service may use automated systems, including tools based on artificial intelligence technology, used exclusively to facilitate call management. These systems may process personal data such as the voice and information provided during the call, exclusively to route users' calls, recognise the type of requests and improve the efficiency of the support service. The use of these tools does not involve automated decision-making processes that produce legal effects or that significantly affect the data subject in a similar way pursuant to Article 22 of the GDPR, since every request or interaction is always managed operationally by human staff, i.e. the only party authorised to make relevant decisions regarding the data subject.

This processing is necessary to follow up on requests of a pre-contractual nature, pursuant to Article 6, paragraph 1, point b of the GDPR, as well as to satisfy the Data Controller’s legitimate interest in correctly managing the communications received, as provided for by Article 6, paragraph 1, point f of the GDPR. With regard to any special categories of data referred to above, the legal basis of processing is the consent of the data subject (Article 9, paragraph II, point a of the GDPR).

  • Online booking service

The data subject’s personal data collected at the time of booking will be processed by the Data Controller to allow the user to book at the sites, pay, and follow up on booking requests, in addition to enabling the communication of service notices relating to the booking.

Within the scope of the booking, the user can, optionally, explicitly and voluntarily, enter any special requests relating to their stay in the "notes" field. The Data Controller invites the user not to provide special data pursuant to Article 9 of the GDPR (for example: health information, such as the indication of diseases, allergies or food intolerances; requests related to reduced mobility or disability; membership of protected categories; data capable of revealing racial or ethnic origin; religious beliefs associated with food preferences or service needs, etc.); however, if the user decides to enter said data, such data will be processed exclusively to process the request and only if strictly necessary for the management of the booking.

The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR) and, with regard to any special categories of data referred to above, the consent of the data subject (Article 9, paragraph II, point a of the GDPR). The provision of data is mandatory, as it is necessary to follow up on booking requests, and failure to provide data may make it impossible to meet these requests.

  • Online Check-In Service

The personal, contact and booking data, including the identity document number and car number plate, will be processed by the Data Controller to allow the data subject to use the online Check-In service and to carry out all the activities necessary for the provision of the requested service.

The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR). The provision of data is mandatory, as it is necessary to follow up on the activities related to the online Check-In service, and failure to provide data may make it impossible to meet these requests. The data subject will still be able to check in at the site reception via the staff in charge of this procedure, according to the traditional methods.

  • Registration, booking and participation in experiences and events

The user’s contact details and, where payment is required, payment details may be used to allow them to register and/or book, including via third-party platforms, and to participate in experiences at the sites and other events organised by Human Company Group Companies.

Within the scope of the booking, the user can, optionally, explicitly and voluntarily, enter any special requests relating to their stay in the "notes" field. The Data Controller invites the user not to provide special data pursuant to Article 9 of the GDPR (for example: health information, such as the indication of diseases, allergies or food intolerances; requests related to reduced mobility or disability; membership of protected categories; data capable of revealing racial or ethnic origin; religious beliefs associated with food preferences or service needs, etc.); however, if the user decides to enter said data, such data will be processed exclusively to process the request and only if strictly necessary for the management of the booking.

The legal basis is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR) and, with regard to any special categories of data referred to above, the consent of the data subject (Article 9, paragraph II, point a of the GDPR). The provision of data is mandatory, as it is necessary for registration and participation in experiences and/or events, and failure to provide data may make it impossible to participate in such initiatives.

If the user has booked an experience or an event online that takes place within the campsite but is not staying at the site, and therefore accesses it as an "external visitor", the staff in charge may request that the data subject presents a valid identity document. This verification is necessary to ensure the correspondence between the booking and the person accessing the site, and to ensure the safety and protection of guests present at the campsite. The data relating to document checks will be processed exclusively for the purposes indicated above and will not be used for further purposes.

  • Registration, access to and management of the myhu personal account

The data subject’s personal and contact data (first name, last name, email address, date of birth and nationality), as well as the username and password provided during registration, will be processed to allow the user to complete the registration procedure for their myhu profile, access their personal area, and manage their account (for example, to use the features reserved for registered users only).
The legal basis of the processing is the execution of pre-contractual/contractual measures pursuant to Article 6, paragraph I, point b of the GDPR. The provision of contact data is optional; however, failure to provide it will make it impossible to complete the registration procedure and to use the services reserved for registered users.

  • Fulfilment of purchase orders made via the "SKIP THE LINE" service and the activities related to order management

The data of the data subject, provided to register for a myhu profile, will be processed by the Data Controller for all purposes related to the processing of their purchases made through the online "Skip the Line" service and for the management of related orders, such as, for example, the receipt of any requests for information regarding the products purchased and/or reports, payment management, sending order status communications, collection at the agreed point of sale, and providing assistance to the consumer.

Within the scope of the order booking, the user can, optionally, explicitly and voluntarily, enter any special requests in the "notes" field. The Data Controller invites the user not to provide special data pursuant to Article 9 of the GDPR (for example: health information, such as the indication of diseases, allergies or food intolerances; requests related to reduced mobility or disability; membership of protected categories; data capable of revealing racial or ethnic origin; religious beliefs associated with food preferences or service needs, etc.); however, if the user decides to enter said data, such data will be processed exclusively to process the request and only if strictly necessary for the management of the booking.

The legal basis of the processing is the execution of pre-contractual/contractual measures pursuant to Article 6, paragraph I, point b of the GDPR and, with regard to any special categories of data referred to above, the consent of the data subject (Article 9, paragraph II, point a of the GDPR). The provision of the data subject’s data is mandatory, as it is necessary for the processing and management of orders, and failure to provide the data may make it impossible to proceed with the order.

  • Management of external visitor bookings at catering sites

The Data Controller processes the personal data of users (first name, last name, telephone number and/or email address), as provided through the dedicated sections of the website, in order to allow the management of bookings at the catering sites present within the campsites.

The legal basis of the processing is the execution of pre-contractual/contractual measures related to the service requested pursuant to Article 6, paragraph I, point b of the GDPR.

When the external visitor accesses the site to use the booked service, the staff in charge may request that the data subject presents a valid identity document. This verification is necessary to ensure the correspondence between the booking and the person accessing the site, and to ensure the safety and protection of guests present at the campsite. This data will be processed exclusively for the purposes indicated above and will not be used for further purposes.

  • Sending of informative and promotional communications relating to purchased products/services via email (so-called soft spam)

The data subject’s contact details (e-mail address) may be processed by the Data Controller in order to ensure that the data subject receives communications relating to services and products similar to those already purchased, pursuant to Article 130(4) of Italian Legislative Decree No. 196/2003. 

This provision allows the Data Controller to carry out such processing without the data subject’s consent, without prejudice to the data subject’s right to object to the processing at any time. To this end, the data subject may request not to receive further such communications by clicking on the unsubscribe link included in each communication sent. 

Such request shall not affect the sending of any communications for marketing purposes to which the data subject has expressly consented. 

  • Profiling activities

Subject to specific and express consent from the data subject, the data provided by the user may be used by Human Company to offer the user personalised products and/or services in line with their preferences, interests and/or behaviour, and to send personalised commercial communications.

The legal basis for this processing is the consent of the data subject (Article 6, paragraph I, point a of the GDPR). Any consent given may be freely withdrawn at any time, without prejudice to the lawfulness of the processing carried out before the withdrawal. The withdrawal of consent may be communicated in the manner described in Section 9, "Rights of data subjects", of this Policy.

  • Marketing activities

Subject to the specific and express consent of the data subject, the data concerning them may be processed by the Data Controller for the purpose of sending advertising, promotional and/or direct sales material, or for carrying out market research or other forms of commercial communication (including personalised communications, if the user has consented to profiling).

The legal basis for this processing is the consent of the data subject (Article 6, paragraph I, point a of the GDPR). Any consent given may be freely withdrawn at any time, without prejudice to the lawfulness of the processing carried out before the withdrawal. The withdrawal of consent may be communicated in the manner described in Section 9, "Rights of data subjects", of this Policy.

If the user does not also consent to the processing of their data for profiling purposes, pursuant to the previous point, the communications sent for marketing purposes may be merely partitioned (for example, on a geographical basis, if the user has indicated a reference site, or on the basis of their chosen language, including through the indication of their nationality), without making predictions or drawing conclusions about personal aspects of the user, such as their purchasing preferences, interests, tastes and habits, online behaviour, etc.

  • Prize events and/or competitions

The data of the data subject will be processed to comply with the rules of the prize events and/or competitions that may be promoted by the Companies of the Human Company Group, to send all functional communications for participation in the aforementioned events (for example, wins, non-wins, etc.), as well as for the possible allocation and delivery of prizes, and to respond to their requests.

The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR). The provision of data is mandatory to allow the user to participate in the events and for the possible assignment and delivery of any prizes, and failure to provide data may make it impossible to proceed with participation in the events as well as to assign and deliver any prizes.

  • Company/service communications

The user's contact data will be processed for company/service communication purposes, for example, to report the updating of contractual conditions, rules relating to loyalty cards/prize events/competitions, or website and/or app conditions, or for information purposes.

The legal basis is the execution of pre-contractual/contractual measures pursuant to Article 6, paragraph I, point b of the GDPR.

  • Loyalty programmes

The user’s data (for example, contact data, data relating to bookings made, accumulated points, etc.) will be processed by the Data Controller for the management and execution of loyalty programmes organised by the Group Companies, for adherence to the agreements stipulated between Human Company and the different entities, to allow the data subject to benefit from the prizes and discounts associated with these programmes, and to proceed with the issuance and management of the Huniverse Card necessary to take advantage of the related benefits.

The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR). The provision of such data is mandatory, as it is necessary for the management and execution of loyalty programmes and/or agreements; in the absence of such provision, it will not be possible for the data subject to participate in such programmes and/or benefit from such agreements.

  • Purposes related to the protection of rights, including those of the data subject.

Personal data will be processed by the Company to protect its rights, including with respect to any requests, or to take legal action, including with regard to claims made against it or third parties, as well as to prove that it has provided a response to any requests for the exercise of one or more of the data subject's rights.

The legal basis of the processing is the Company’s legitimate interest in the protection of its rights (Article 6, paragraph I, point f of the GDPR).

  • Compliance with legally binding requests to comply with legal obligations, regulations or provisions/requests from the competent authorities, including supervisory authorities.

The personal data of the data subject may be processed to comply with a legal obligation and/or provisions/requests from the competent authorities, including supervisory authorities.

In this case, the legal basis is the fulfilment of legal obligations to which the Company is subject (Article 6, paragraph I, point c of the GDPR).

4. Data retention period

Personal data is stored for different periods of time depending on the specific purpose for which it was collected. The retention periods are established in compliance with the principles of limitation and minimisation provided for by the GDPR, and the data is deleted or anonymised once the period associated with its processing purpose has expired. 

Below are the retention periods for the different purposes listed above:

  • Website browsing: Browsing data is stored for a maximum period of 30 days, unless longer times are necessary for system security needs or for the detection of any cybercrime.

  • Aggregate analysis and improvement of products/services: The data processed for the pursuit of this purpose is processed in aggregate and anonymous form.

  • Request management (via web, email or call centre): The data collected when the user uses the various channels is stored for the time strictly necessary to manage and respond to the user’s request, after which it is deleted or anonymised.

  • Online booking and check-in services: The data processed for the pursuit of these purposes will be stored for a period of time not exceeding 10 years from the booking or check-in date.

  • Registration, booking and participation in experiences and events: The data processed for the pursuit of this purpose will be stored for a period of time not exceeding 10 years from the date of the experience and/or event, or in any case, the use of the service. 

  • Registration, access to and management of the myhu personal account: The data processed for the pursuit of this purpose will be stored for the period necessary to finalise registration for the myhu profile and for the entire duration of said profile.

  • Fulfilment of purchase orders made via the "SKIP THE LINE" service and the activities related to order management: The data processed for the pursuit of this purpose will be stored for a period of time not exceeding 10 years from the date of purchase.

  • Management of external visitor bookings at catering sites: The data processed for the pursuit of this purpose will be stored for a period of time not exceeding 1 year from the booking date.

  • Sending of informative and promotional communications relating to purchased products/services via email: The data processed for this purpose shall be retained for a period not exceeding two years from the date of purchase or check-out by the data subject, without prejudice to cases in which such processing is also necessary for other purposes.

  • Profiling activities: The data processed for the pursuit of the profiling purpose will be stored for a period of time not exceeding 12 months from its registration, without prejudice to the possibility to withdraw consent and the right to object.

  • Marketing activities: The data processed for the pursuit of these purposes will be stored for a period of time not exceeding 24 months from its registration, without prejudice to the possibility to withdraw consent and the right to object.

  • Prize events and/or competitions: The data processed for the pursuit of this purpose will be stored for the entire duration of the individual events (or other initiatives associated with prizes) and, subsequently, for a period of time not exceeding ten years from the conclusion of said events.

  • Company/service communications: The data processed for the pursuit of this purpose will be stored for a period of time not exceeding 1 year from the sending of each individual communication, unless the processing of such data is also necessary for the pursuit of other purposes described in this Policy, without prejudice to the right to object.

  • Loyalty programmes: The data processed for the pursuit of this purpose will be stored for the entire duration of the individual programmes and, subsequently, for a period of time not exceeding 10 years from the date of full enjoyment of the individual programmes.

  • Purposes related to the protection of rights, including those of the data subject: The data processed for the pursuit of this purpose will be stored for the entire duration of the related proceedings, and, in any case, for the time deemed reasonably necessary by the Company for the protection of its rights, including in relation to the related limitation periods.

  • Fulfilment of legally binding requests to comply with legal obligations, regulations or provisions/requests from the competent authorities, including supervisory authorities: The data processed for the pursuit of this purpose will be stored for the entire duration of the proceedings before the competent authorities, in addition to the relevant limitation periods.

5. Processing methods and security measures

The processing is carried out using IT and/or telematic tools, with organisational methods and logic strictly related to the purposes indicated, always in full compliance with the principles of lawfulness, fairness, transparency, minimisation, integrity, confidentiality and security provided for by the GDPR. 

The processing is carried out in a suitable manner in order to guarantee data protection at every stage, from collection to storage, through to any deletion. The Data Controller adopts the appropriate security measures in order to prevent unauthorised access, disclosure, modification or destruction of personal data. 

6. Data communication

Only parties duly authorised and instructed by the Company may have access to the data. In particular, for the performance of certain processing activities, the Data Controller may communicate the data to the following categories of external parties, who will process such data, depending on the role they play in relation to the processing, as independent data controllers or as data processors pursuant to Article 28 of the GDPR, if and within the limits of what is strictly necessary for the pursuit of the purposes described in this Policy:  

  • other companies in the Human Company Group; 

  • other consultants and external suppliers who carry out activities auxiliary to the purposes stated above, such as cloud, IT or hosting service providers; postal couriers; communication agencies; and third-party companies that, by virtue of agreements with the Data Controller, provide support in the management of competitions, initiatives and prize events;

  • professional firms, especially where necessary for the protection of the Company's rights; 

  • banks and credit institutions, insurance companies; 

  • third-party companies, Human Company partners, including those working to promote products and/or offer services. With particular reference to payment services, Human Company relies on Stripe Payments Europe, Ltd (C/O A&L Goodbody, Ifsc, North Wall Quay, Dublin 1), which has been fully entrusted with the management of payment transactions. On the other hand, the management of booking services for events is entrusted to the Company OBD SRL (Via Romolo Gessi 48, 20146 – VAT and Tax Code: 12830740960).

  • companies responsible for sending commercial and/or promotional communications in the context of marketing campaigns;

  • parties who may access the data by virtue of a provision of law, regulation or EU legislation, within the limits established by these rules. 

The updated list of data recipients is available on request by writing to the Data Controller’s email address.

In any case, the data will never be transferred to third parties for the pursuit of marketing purposes unrelated to those described in this policy.

7. Data transfers

The Data Controller does not transfer personal data to countries outside the European Economic Area (EEA). If necessary, the data subjects will be informed in advance, and guarantee measures will be adopted for the transfer to the recipients, which, depending on the case, may entail: verification of the existence of adequacy decisions for the recipient country by the European Commission, signing of standard contractual clauses, and verification of the adoption of any additional measures in implementation of the EDPB Recommendations 01/2020.   

8. Disclosure of data

Personal data collected via the website is not publicly disclosed.       

9. Rights of data subjects 

Regulation (EU) 2016/679 (GDPR) grants data subjects specific rights. In particular, in relation to the processing of their personal data covered by this Policy, the data subject may exercise the following rights with respect to the Data Controller:

  • the right of access: the data subject may request confirmation that data concerning them is being processed, as well as further clarification about the information referred to in this Policy (Article 15 of the GDPR); 

  • the right to rectification: the data subject may request to rectify or supplement the data provided, if it is inaccurate or incomplete (Article 16 of the GDPR);  

  • the right to erasure: the data subject may request that their data be erased if it is no longer necessary for the aforementioned purposes, in the event of withdrawal of consent or objection to processing, in the event of unlawful processing, or in case of a legal obligation to erase (Article 17 of the GDPR);   

  • the right to restriction: the data subject may request that the processing of their personal data be restricted in the event that they dispute its accuracy, for the time necessary to verify it; in the event of unlawful processing for which they oppose the deletion of their personal data; in the event that their personal data is necessary for the ascertainment, exercise or defence of a right in court; and finally, in the event of objection to the processing, pending verification that the legitimate reasons of the Data Controller Company take precedence over their own (Article 18 of the GDPR);

  • the right to portability: the data subject may request to receive their data, or to have it transmitted to another Data Controller indicated by the former, in a structured, commonly used and machine-readable format (Article 20 of the GDPR);

  • the right to object: the data subject may object at any time to the processing of their data, unless there are legitimate reasons to proceed with the processing that take precedence over their own, for example, the defence in court or exercise of rights of the Data Controller Company (Article 21 of the GDPR). 

To simplify interactions with data subjects, hu Holding S.p.A. has been designated as the single point of contact for the exercise of the rights set forth in Articles 15 et seq. of the GDPR and for any requests relating to the processing of personal data. It can be contacted at the following email address: [email protected].

The following contact details of the Data Protection Officers (DPOs) of the individual Companies remain, however, available:

Company | Email
hu Holding S.p.A. | [email protected]
hu Openair S.r.l. | [email protected]
Roma Camping S.r.l. | [email protected]
Roma Gestioni S.r.l. | [email protected]
Camping International S.a. | [email protected]
Human Company S.r.l. | [email protected]

It is understood that the data subject may exercise their rights with respect to each Joint Controller pursuant to Article 26 of the GDPR.

To ensure the correct handling of the request and data protection, the Company will verify the identity of the applicant before proceeding. Once the identity has been verified, the Data Controller will respond within 30 days of receipt of the request, except in complex cases that may require an extension, within the time limits provided for by law.  

Users also have the right to lodge a complaint with the Data Protection Authority if they believe that the processing of their data violates current legislation. The Italian Data Protection Authority can be contacted via the telephone switchboard at +39 (0)6 696771, via email at [email protected] or via certified email at [email protected].  

Last updated: 08/06/2026