Guest information
Last updated: April 21st, 2026
This policy clearly and transparently explains how we process the personal data of guests and, more generally, of all those who visit or use the services offered by our sites.
This Policy is amended, supplemented or updated periodically, including in consideration of any changes in the applicable legislation or provisions of the Data Protection Authority and/or the European Data Protection Board. Data subjects are therefore invited to regularly consult this Policy, available on our websites and/or at the reception of our sites, to understand the latest updated version, ensuring that they are always informed about the methods of collection and processing of their personal data.
hu Openair S.r.l. with its registered office at Via Generale C. A. dalla Chiesa, 13 – 50136 – Florence (Florence), Tax Code: 02098970482 and VAT ID: 00282740976, which can be contacted at the following email address: [email protected].
The Data Protection Officer (DPO) can be contacted at the following email address: [email protected].
Roma Camping S.r.l. with its registered office at Via Aurelia 831 – 00165 – Rome (Rome), Tax Code: 01029610589 and VAT ID: 00954081006, which can be contacted at the following email address: [email protected].
The Data Protection Officer (DPO) can be contacted at the following email address: [email protected].
Roma Gestioni S.r.l. with its registered office at Via Aurelia 831 – 00165 – Rome (Rome), Tax Code and VAT ID: 08219321000, which can be contacted at the following email address: [email protected].
The Data Protection Officer (DPO) can be contacted at the following email address: [email protected].
ECV Shops S.r.l. with its registered office at Via Generale C. A. dalla Chiesa, 13 – 50136 – Florence (Florence), Tax Code and VAT ID: 06441810485, which can be contacted at the following email address: [email protected].
The Data Protection Officer (DPO) can be contacted at the following email address: [email protected].
Personal data provided by the data subject
During the stay/visit, the data subject may voluntarily provide the following personal data necessary to access the services offered at the sites:
Personal and contact data, such as their first name, last name, date of birth, nationality, address, telephone numbers, email addresses and any other data provided, for example, to make bookings and/or check in, to register for the Wi-Fi service, and to participate in other initiatives or events organised at the sites.
It should also be noted that, within the scope of the booking and/or check-in, the data subject may provide personal data relating to other persons (for example, travelling companions and accompanying minors, as well as the data of the parents/guardians of such minors, from whom the data subject has obtained specific written authorisation). In such cases, they are required to inform the data subjects about the processing of their personal data, including the type of data collected, the purposes and retention times, and the parties who may access it, as well as the methods by which they can exercise the rights provided for by the GDPR, including by sharing this Privacy Policy;
Data relating to bookings made, such as the booking number, the reference site, the occupied accommodation, the arrival and departure date, as well as data relating to the services/experiences/activities requested during the stay at the sites;
Purchase data, i.e. information relating to purchases made, such as the list of bookings made and the dates and amounts of such purchases.
Payment data, such as the credit/debit/bank card number (limited to the data necessary to identify/track the transaction, with the number partially obscured), including data relating to the means of payment (type of card) and the payment networks used;
Demographic data, such as the composition of the family unit or group.
Data that Human Company receives from other sources to perform its services, such as booking services
ID and/or passport number as well as the number plate required at check-in
Browsing data
In the event that the data subject uses the Wi-Fi Internet access service available at the sites, certain technical information relating to the hardware and software used by users may be automatically collected by the computer systems that allow the service to operate. The transmission of this information is implicit in Internet communication protocols. It may include, for example, the IP address, the domain name of the device used, the identifier of the requested resources (URI), the browser type and version, the presence of plug-ins, the identifier of the mobile device (such as the IDFA or Android ID), and further parameters relating to the operating system and the computing environment.
Management of the booking and related services
The personal data of the data subject collected at the time of booking will be processed to allow the Data Controller to manage the booking at the sites and follow up on all associated requests, including those related to the ancillary and complementary services offered during the stay. This data is also used to send service alerts related to the booking and, more generally, to guarantee the guest the full use of the services during the entire period of stay on our site.
During the stay, the data subject may indicate any specific requests related to their desired services. The Data Controller invites the data subject not to communicate data belonging to special categories pursuant to Article 9 of the GDPR (for example: health information, such as the indication of diseases, allergies or food intolerances; requests related to reduced mobility or disability; membership of protected categories; religious beliefs associated with food preferences or service needs; data capable of revealing racial or ethnic origin; etc.); however, if they decide to provide said data, such data will be processed exclusively to process the request and only if strictly necessary for the management of the booking.
The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR) and, with regard to any special categories of data referred to above, the consent of the data subject (Article 9, paragraph II, point a of the GDPR). The provision of data is mandatory, as it is necessary to follow up on requests related to the booking, and failure to provide data could make it impossible to fully manage the booking and the requested services.
Check-In Service
The personal, contact and booking data, including the data contained in the passport or other identity document and number plate, will be processed by the Data Controller to allow the data subject to complete check-in at the site. This data will also be processed to verify the identity of the person who will be staying and to carry out all the activities necessary to provide the requested service.
In particular, the personal data contained in the passport or other identification documents will be shared with the competent public security authorities, limited to the information necessary for the Data Controller to fulfil the obligations referred to in Article 109 of Royal Decree no. 773 of 18 June 1931 (act consolidating the public safety laws, TULPS), in the manner established by the relevant decrees.
It should be noted that, in the case of minors accompanied by persons other than their parents/guardians, Human Company may request the presentation of written authorisation and a copy of the parent/guardian’s identity document. This copy will only be viewed in order to verify the veracity of the authorisation and will not be acquired or stored by the sites.
The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR) and the fulfilment of legal obligations (Article 6, paragraph 1, point c of the GDPR).
The provision of data is mandatory, as it is necessary to follow up on the activities related to the check-in service, and failure to provide data may make it impossible to satisfy the booking request at our sites.
Purchase of products or services at the sites
The contact data and payment data of the data subject will be processed by the Data Controller for all purposes related to the processing of purchases made at the sites and for the management of related orders, such as, for example, the receipt of any requests for information regarding the products and services purchased and/or reports, payment management, sending order status communications, collection at the agreed point of sale, and providing assistance to the consumer.
At the time of purchase, the data subject may, on an optional, explicit and voluntary basis, indicate any special requests. The Data Controller invites the data subject not to provide special data pursuant to Article 9 of the GDPR (for example: health information, such as the indication of diseases, allergies or food intolerances; requests related to reduced mobility or disability; membership of protected categories; religious beliefs associated with food preferences or service needs; data capable of revealing racial or ethnic origin; etc.); however, if they decide to provide said data, such data will be processed exclusively to process the request.
The legal basis of the processing is the execution of pre-contractual/contractual measures pursuant to Article 6, paragraph I, point b of the GDPR and, with regard to any special categories of data referred to above, the consent of the data subject (Article 9, paragraph II, point a of the GDPR). The provision of the data subject’s data is mandatory, as it is necessary for the processing and management of orders, and failure to provide the data may make it impossible to proceed with the purchase order.
Registration, booking and participation in experiences and events
The contact data, any categories of special data pursuant to Article 9 GDPR (for example: health-related information, such as the indication of diseases; requests related to reduced mobility or disability; membership of protected categories) and, where required, payment data of the data subject may be used to allow them to register and/or book and participate in experiences at the sites and other events organised by the Companies of the Human Company Group.
The legal basis is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR) and, with regard to any special categories of data referred to above, the consent of the data subject (Article 9, paragraph II, point a of the GDPR). The provision of data is mandatory, as it is necessary for registration and participation in experiences and/or events, and failure to provide data may make it impossible to participate in such initiatives.
If the data subject has booked an experience or an event that takes place within the campsite but is not staying at the site, and therefore accesses it as an "external visitor", the staff in charge may request that the data subject presents a valid identity document. This verification is necessary to ensure the correspondence between the booking and the person accessing the site, and to fulfil guest safety and protection obligations. The data relating to document checks will be processed exclusively for the purposes indicated above and will not be used for further purposes. This identity document will only be viewed in order to verify the actual correspondence between the booking and the person accessing the site, and will not be acquired or stored by the sites.
Data subjects are also informed that during the events organised at the sites, photos or video recordings may be made for promotional purposes, company communications or documentation of the activities carried out, as well as to enhance the image of the sites and services offered through publication on the website and on official social media channels.
When taking the images and video recordings, care will be taken not to directly capture the data subjects and to avoid, as far as possible, the recording of identified or identifiable subjects. The photos and videos will therefore be focused on environments, general contexts and details that do not allow for the identification of the people present. If, due to the nature of the proposed event or activity, it is necessary to record or photograph participants in a recognisable way, the Human Company Group Companies will request the signing of a specific release in advance from the data subjects, through which they give consent to the processing of their image, in compliance with the GDPR and applicable legislation on image rights. In the absence of consent, the data subject will not be able to be filmed or, if this is not technically possible, the images will be obscured or rendered unidentifiable. In any case, the data subject may withdraw any consent given at any time, without prejudice to the lawfulness of the processing carried out before the withdrawal.
Use of the Wi-Fi service
The contact data of the data subject, together with the browsing data, will be processed by the Data Controller for all the purposes necessary to register for, access and use the Wi-Fi service available at the sites, as well as to guarantee the security of the network, i.e. for control and maintenance activities, if necessary.
The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR), as well as the legitimate interest of the Data Controller in ensuring the proper functioning and security of the Wi-Fi network, including with a view to improving the service (Article 6, paragraph 1, point f of the GDPR).
Video surveillance
The data subject’s personal data will be processed through the video surveillance system installed at the sites exclusively for the following purposes: to protect the safety of personnel, property, assets and persons within the sites; to prevent unlawful acts of any kind; and to facilitate the Data Controller’s right of defence in the event of any unlawful acts. The video recordings produced by the system may also be used to comply with orders issued by the judicial authority and/or the judicial police; to assert or defend a right, including by a third party; and, possibly, to complete the documentation accompanying claims forwarded to insurance companies.
The images are automatically captured when passing through or entering the premises subject to video surveillance, and the presence of cameras is indicated within the site by special signs placed near the cameras.
The video surveillance systems have been installed in compliance with current regulations (including Article 4 of Law no. 300/1970) and the indications provided by the Italian Data Protection Authority (General provision on video surveillance of 8 April 2010).
The legal basis of the processing is the legitimate interest of the Data Controller in guaranteeing security within the sites and preventing illegal acts of any kind, as well as to ascertain, defend and exercise the rights of the Data Controller or third parties (Article 6, paragraph 1, point f of the GDPR).
Purposes related to the protection of rights, including those of the data subject
Personal data will be processed by the Company to protect its rights, including with respect to any requests, or to take legal action, including with regard to claims made against it or third parties, as well as to prove that it has provided a response to any requests for the exercise of one or more of the data subject's rights.
The legal basis of the processing is the Company’s legitimate interest in the protection of its rights (Article 6, paragraph I, point f of the GDPR).
Compliance with legally binding requests to comply with legal obligations, regulations or provisions/requests from the competent authorities, including supervisory authorities.
The personal data of the data subject may be processed to comply with a legal obligation and/or provisions/requests from the competent authorities, including supervisory authorities.
In this case, the legal basis is the fulfilment of legal obligations to which the Company is subject (Article 6, paragraph I, point c of the GDPR).
Managing the booking and check-in service: The data processed for the pursuit of these purposes will be stored for a period of time not exceeding 10 years from the booking or check-in date. In particular, the data relating to the passport or other identity document and the information contained therein, as collected in order to allow the Data Controller to fulfil its legal obligations, will be stored exclusively for the time strictly necessary for the fulfilment of the obligation relating to the communication of guests to the public safety authorities provided for by Article 109 of Royal Decree no. 773 of 18 June 1931 and subsequent amendments.
Purchase of products or services at the sites: The data processed for the pursuit of this purpose will be stored for a period of time not exceeding 10 years from the date of purchase.
Registration, booking and participation in experiences and events: The data processed for the pursuit of this purpose will be stored for a period of time not exceeding 10 years from the date of the experience and/or event, or in any case, the use of the service.
Use of the Wi-Fi service: Browsing data is stored for a maximum of 6 months from the last use.
Video surveillance: The images from the video surveillance system are stored by the Data Controller for a maximum period of 48 hours, after which the images will be automatically deleted. For the hu I Pini village and hu Roma camping in town sites – managed by the company Roma Camping S.r.l. – the retention period of the images is 24 hours.
Purposes related to the protection of rights, including those of the data subject: The data processed for the pursuit of this purpose will be stored for the entire duration of the related proceedings, and, in any case, for the time deemed reasonably necessary by the Company for the protection of its rights, including in relation to the related limitation periods.
Fulfilment of legally binding requests to comply with legal obligations, regulations or provisions/requests from the competent authorities, including supervisory authorities: The data processed for the pursuit of this purpose will be stored for the entire duration of the proceedings before the competent authorities, in addition to the relevant limitation periods.
To exercise these rights, data subjects may contact the Data Controller Company at any time by sending a request to the email address shown in the table.
| Company | Email address |
|---|---|
| hu Openair S.r.l. | [email protected] |
| Roma Camping S.r.l. | [email protected] |
| Roma Gestioni S.r.l. | [email protected] |
| ECV Shops S.r.l. | [email protected] |