Guest information

Disclosure provided to GUESTS on the processing of their personal data (Art 13-14, Reg. EU 679/16)

Ultimo aggiornamento: October 28th, 2024


Dear Guest, confidentiality has always been an essential component of our working philosophy.
That being said, it is not only to comply with the obligations imposed by personal data protection legislation that we have made available this document and specific notices, but also to allow guests to appreciate the transparency of our policies. Guests are invited to examine them at reception and whenever they are delivered or made available.

1. DATA CONTROLLER

The data controllers are:
- Figline Agriturismo S.r.l. (Via Spadini 31 – Prato - VAT number 01681640973) for hu Norcenni Sunflower Village And Palagina la dimora
- Elite Firenze Gestioni S.r.l. (Via Norcenni 7 - Figline Incisa V.no (FI) VAT number 05813700480) for Plus Florence, hu Florence Camping in Town And Florence Certosa camping
- Roma Camping S.r.l. (Via Aurelia 831-Rome - VAT number 00954081006) for hu I Pini Village And hu Rome Camping in Town
- Elite Livorno Gestioni S.r.l. - (Via Norcenni 7 - Figline Incisa V.no (FI) - VAT number 05813780482) for hu Park Albatros village and hu Motescudaio village
- Delta S.r.l. (Via G.Leopardi 31 - Montevarchi (AR) - VAT number 01954310510) for hu Venice Camping in Town
- Società Agricola Le Driadi S.r.l. (Via Norcenni 21 - Figline Incisa V.no VAT number 05627800484) for Palagina la cascina
- Plus Prague S.r.o. (Privozni 1562/1 - Prague - VAT number CZ699003294) for Plus Prague
- Plus Berlin G.m.b.h. (Warschauer Platz 6\8 - Berlin - VAT number DE270699817) for Plus Berlin
- Elite Veneto Gestioni S.r.l. - Via Norcenni 7 - Figline Incisa V.no (FI) VAT number 05813690483) for hu Altomincio village
- Roma Gestioni S.r.l. (Via Aurelia 831 – Rome - VAT number 08219321000) for Fabulous village
- Camping International S.A. [VAT number: LU13005324] for the hu Birkelt village – Luxembourg
- Elite Vacanze Gestioni S.r.l and all companies controlled by it and listed above for the purpose of communication and marketing and promotion of hu Holding
- Adakitalia S.r.l. (Via Norcenni 7 - Figline Incisa V.no (FI) VAT number 04719560486) for Norcenni Tour, hu at Pra' delle Torri Camping Village, hu at Union Lido Camping Village, hu at Bella Italia Camping Village, hu at Cisano Camping Village.
This disclosure is drawn up by hu Holding S.r.l. as the entity to which the Data Controllers have delegated functions related to the coordination of the privacy management system, ICT service management and communication and marketing.
hu Holding has appointed a Data Protection Manager, who is responsible for supervising, completely independently and in the absence of any conflicts of interest, its compliance with the legislation on the protection of personal data. The Data Protection Manager can be contacted at the following email address: [email protected]

2. RIGHTS OF THE DATA SUBJECT

The data subject has the right:
- to ask the Data Controller to access their personal data and correct or delete it or to limit the processing of personal data concerning them and to object to its processing;
- if the processing is carried out by automated (computerised) means and on the basis of their consent, to receive in a structured, commonly used and machine-readable format personal data concerning them and/or to have it transmitted to another data controller, if technically feasible;
- to withdraw their consent at any time (without affecting the lawfulness of the processing carried out based on their consent before the withdrawal), which is obviously the case for processing carried out on that basis;
- to lodge a complaint with the Italian Data Protection Authority: Piazza Venezia 11, IT-00187, Rome - Telephone number: (+39) 06.696771 - Email address: [email protected] - certified email address [email protected]
To exercise their rights, Guests can contact [email protected] or the Director of the accommodation facility where they are staying or have stayed, who can be contacted at reception or using the contact details already known to the data subjects, bearing in mind that it will not be possible to respond to requests where the identity of the applicant is uncertain.

THE FOLLOWING DATA MAY BE PROCESSED

- Data provided by the guest or by a third party acting on their behalf, including through the entity (travel agency, company, association, other) that organised the guest's stay at our facilities or offered them the opportunity to stay there (e.g.: personal details, details of an identity document, personal details of companions, particular requests to satisfy special needs of the guest or of a companion);
- data relating to the guest's stay in our facilities (period and times of stay, room/villa/facility occupied or reserved, reservations);
- data relating to the services requested or used (phone calls made, minibar, alarm clock, additional services provided by associated companies or other suppliers, etc.);
- data that originate during the course of the stay in our facilities (guest's special needs dealt with by staff responsible for meeting them, requests and bookings made at or through reception, etc.);
- in certain cases known to the data subject, data relating to the entity (travel agency, company, association, other) that organised the stay at our facilities or offered them the opportunity to stay there;
- data that may have been acquired on satisfaction questionnaires or during telephone interviews, again aimed at assessing satisfaction levels;
- if the wifi Internet access service is used: browsing times, data volume, IP address from which browsing has taken place, potentially data relating to sites visited and online activities associated with the IP address used by the guest (browsing log). More specifically:
- the aforementioned data will be stored for 6 months and will remain available to the Police Authorities to whom they may be communicated in connection with activities related to the prevention or prosecution of offences;
- may be associated with the guest exclusively through specific procedures that will be activated only upon request of the competent Authority;
- in the event of payment by credit card or cheque, a photocopy of the identity document may be requested and obtained to ensure the Customer is correctly identified, and unless otherwise required it will be retained until payment has been successfully made and the time limit to lodge any disputes has passed.
It should be remembered that the legislation establishes specific protections for “special categories of data” [article 9(1) of Regulation (EU) 2016/679 includes in special categories “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”]. Normally, the systematic processing of such categories of data is not foreseen, however this could be necessary in the context of some services requested by the data subject regarding which the latter spontaneously communicates such data; in relation to this point, special care is taken to acquire data only and to carry out only those processing operations that are necessary to meet legitimate requests from the data subjects and only if relevant and necessary in relation to the purposes laid forth below.

4. SOURCE OF DATA

Data collection and updating are mainly carried out by the data subject or by individuals acting on their behalf (e.g. companions, family members, travel agencies, tour operators, associations, etc.) or by sources freely accessible to anyone, except for data relating to services requested/used, which originate during the stay.

5. WHY DATA IS PROCESSED

The necessary processing only will be carried out in relation to the purposes listed below, for each of which the “legal basis” that makes it possible is indicated in brackets [the “legal bases” are the conditions that make a purpose lawful according to the provisions of Regulation (EU) 2016/679, and are listed in article 6(1) and for special categories of data in article 9(c) 2]:
a) fulfil obligations arising from community laws, rules and regulations, including the obligation to communicate information on guests to the Public Security Authorities provided for by article 109 of Royal Decree no. 773 of 18 June 1931 and subsequent amendments [legal basis: legal compliance – article 6(1)(c), Regulation (EU) 2016/679];
b) fulfil contractual, accounting and tax obligations; carry out services requested by the data subject or by third parties on behalf of the data subject [legal basis: fulfilling contractual and legal obligations – article 6(1)(b-c-f), article 9 (2)(c) Regulation (EU) 2016/679 and, for some data of a particular nature, the data subject's consent – article 9(2)(a) Regulation (EU) 2016/679];
c) satisfy any requests from the data subjects [depending on the case and the nature of the request, the legal bases may be identified as: legitimate interest of the data subject corresponding to the object of the request – article 6(1), contractual fulfilment – article 6(1)(b) and protection of a vital interest article 6(c)(d) – article (9)(2)(c), Regulation (EU) 2016/679]; ensure the Guest receives attentive and personalised services throughout their stay within our facility including, for example: secretarial service, receiving messages, delivering mail and packages, transferring telephone calls to their room, booking external services, communications relating to special offers or events; [legal basis: contractual fulfilment – article (6)(1)(b), Regulation (EU) 2016/679 and, for any data of a particular nature, the data subject's consent – article 9(2)(a)];
d) data storage in order to recognise the guest and always ensure the same personalised services are provided even during new stays [legal basis: the data subject's consent - articles 6(1) and 9(2)(a), Regulation (EU) 2016/679] at all hu Holding facilities (indicated in the previous paragraph 1);
e) regarding any reports:
- ensure an unequivocal and timely response to Guest reports, facilitating the creation of an effective communication channel with the customer Guest
- maintain the customer knowledge acquisition system, necessary for checks and improving a service that is increasingly adapted to demand and environmental constraints
- maintain the system of recording and systematically analysing service non-conformities to correct defects
[legal basis: legitimate interest consisting in the efficient organisation of activities and improvement of services – article 6 (1)(f), for some data of a particular nature the data subject's consent – article 9(2)(a), Regulation (EU) 2016/679];
f) monitoring compliance with the rules and regulations in force at the facility communicated at check-in and/or highlighted on notices and signs displayed within the facility [legal basis: the purpose responds to a legitimate interest involving the protection of assets and the efficient organisation of activities – article 6(1)(f)];
g) access control and security of the venue and guests [legal basis: the purpose responds to a legitimate interest involving the protection of assets and the efficient organisation of activities – article 6 (1)(f)];.
h) possibly ascertaining, asserting or defending a right [legal basis: coinciding with the purpose of article. 6(1)(f) – article 9(2)(f), Regulation (EU). 2016/679].

5.1 Public relations, informazione, marketing, attività promozionali, comunicazioni di cortesia
- Unless otherwise indicated by the Customer/Guest, the email addresses provided when the booking is made and/or during check-in may be used by hu Holding to send courtesy communications and/or information material/offers relating to services similar to those which are covered by the established business relationship. It is understood that the Customer/Guest has the right to object to the aforementioned processing at any time. In this regard, it is noted that paragraph 4 of article 130 of Legislative Decree no. 196/2003 allows the email address provided by the data subject to be used for this purpose when purchasing products or services, provided that the data subject does not refuse such use [legal basis: legitimate interest involving processing personal data for direct marketing purposes, always taking into account the data subject's reasonable expectations based on their relationship with the Data Controller [article 6(1)(f)] - Legislative Decree no. 196/2003, article 130(4)].
- With the consent of the data subject, other contact details provided by the data subject may also be used for the same purposes.

6. HOW DATA IS PROCESSED AND HOW LONG IT IS STORED

The processing of personal data may take place using paper and/or computerised tools chosen in accordance with functionality, safety, effectiveness and speed criteria in the ongoing search to provide the best standard of service and protection for Guests, always guaranteeing the utmost confidentiality, relevance and limitation (collectively: data minimisation) with respect to the purposes described above. Except as provided for by the rules on the storage of administrative documentation, data shall be stored for the periods permitted/imposed by the current legislation that applies to the specific purpose for which the data is processed.
In particular:
- The administrative data processed for the purposes referred to in letters a, b of the previous point 5, unless further information is provided, will be stored in accordance with the provisions of articles 2220 and 2946 of the Italian civil code (10 years); the other data acquired or originating during a guest's stay at the facilities will be stored in confidential form, until payment has been made and the deadline within which any disputes may be received has passed, in any case no longer than 6 months;
- The data processed for the purposes referred to in letter c will be stored only if necessary in relation to the other purposes indicated in the previous point 5 related to the data subject's request;
- data processed for the purpose referred to in letter d will be stored, with the data subject's consent, for no longer than three years following their last stay in the facility for the sole purpose of recognising the guest and always ensuring the same personalised services are provided at all HU facilities;
- The data processed for the purposes referred to in letter e will be stored only if necessary in relation to the other purposes indicated in the previous point 5 related to the data subject's report;
- The data processed for the purposes referred to in letters f and g of the previous point 5 will be stored, unless further information is provided, within the time frame necessary to detect any breaches (maximum 7 days); data relating to breaches detected will be stored until the possible consequences of the breach have exhausted all their possible effects;
- The data processed for the purposes referred to in letter h will be stored until the circumstances or event from which the need for protection arises have exhausted all their possible effects;
- The data processed for the purposes referred to in the previous paragraph 5.1 will be stored for up to 12 months following the last communication or contact made with the data subject.

7. PERMITTED DATA PROCESSORS (OFFICERS AND APPOINTEES)

For the same purposes, data may be processed, always and only to the extent actually necessary to carry out its functions, by the following categories of appointees and/or managers: Company management; administration staff, reception staff responsible for managing the guest's stay, staff responsible for maintaining the systems or cleaning the facilities; resources responsible for the management/maintenance of the IT systems, and finally Parent/controlled/associated companies or other individuals (companies/professionals), appointed as Officers for this purpose, who need to access certain data for purposes ancillary to what is reported in the previous point 3, always to the extent strictly necessary to carry out the tasks delegated to them.

8. DATA RECIPIENTS

Personal data related to guests may be disclosed:
- to the individuals indicated by the guest or by a person acting on their behalf, upon acceptance or while staying in our facilities;
- to the Public Security Authority or to Public Bodies in compliance with the law;
- limited to accounting and tax data to banks, credit institutions, data processing companies and credit card issuing companies, for activities strictly connected to the execution and administrative management of the contract;
- to insurance institutions, public bodies and organisations for the purposes of fulfilling legal obligations;
- only at the guest's request, to foreign embassies/consulates indicated by the guest;
- to Companies (travel agencies, tour operators, etc.) in the form of confirmation, who have direct relationships with the guest and who have had responsibility for organising the stay;
- the only data on stays made at our facilities, possibly with reference to the room number, may be reported:
> with the guest's permission, to anyone who needs to contact them from outside the facility, e.g. by telephone;
> in the form of a list of names, to the companies that manage certain internal services of the facility where the guest is staying, such as:
- entertainment and mini club
- bar and restaurant management
- beach management
- excursion and trip services
- vehicle rental (bicycles, scooters, etc.)
- (where applicable) who retain ownership of all personal data processing necessary for them to manage their activities and who will, where necessary, independently fulfil legal obligations regarding privacy;
- to other subjects who need to access certain data for purposes ancillary to those reported in the previous point 3, always within the limits strictly necessary to carry out the tasks delegated to them such as: tax compliance, accounting, welfare, insurance, information systems management, financial services.
Naturally, all the communications described above are limited only to the data necessary for the recipient body/office (which will remain the independent owner for all consequent processing) for the performance of their duties and/or for the achievement of the purposes related to the communication itself.
NB: EXCEPT FOR THE CASES INDICATED ABOVE, hu Holding WILL NOT EXTERNALLY COMMUNICATE DATA RELATING TO STAYS MADE AT ITS OWN FACILITIES BY GUESTS UNLESS IT IS STRICTLY NECESSARY TO PROTECT THE HEALTH AND SAFETY OF THE DATA SUBJECT.

9. TRANSFERS TO NON-EU COUNTRIES

Personal data may also be transferred to entities located outside the European Union where this is necessary in relation to the purposes mentioned above; in particular to country/countries:
- of origin or destination of the guest and limited to the data strictly necessary, in relation to the guest's specific requests;
- where the data subject resides or is located;
- where the entity (agency, company, association, other) that offered the data subject access to the event is located.
The transfer will always be carried out in full compliance with the legislation and exclusively for the purposes mentioned above:
- in the event of one of the conditions established in article 49 of Regulation (EU) 2016/679:
a) the data subject has explicitly consented to the transfer;
b) transfer necessary for the performance of a contract concluded between the data subject and the data controller or for the performance of pre-contractual measures adopted at the data subject's request;
c) transfer necessary for the conclusion or performance of a contract stipulated between the data controller and another natural or legal person in favour of the data subject;
e) transfer necessary to ascertain, exercise or defend a right in court;
- and/or towards subjects required to guarantee an adequate level of protection also through the signing of standard contractual conditions indicated at European level (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) or adopt and document other forms of adequate guarantee as provided for in article 46 Regulation (EU) 2016/679.

10. DISCLOSURE

The data in question will not be disclosed. However, it is important to remember that the facility has many common areas where guests or visitors take video or photo shoots in which other guests or visitors may appear; these are intended for publication, for example, on social media channels or websites.

11. USE OF IMAGES

With the consent of the data subjects (obtained during the promoted initiatives and/or directly during check-in) photographs and/or films may be taken portraying and reproducing the face and/or person and/or voice of guests. Such recordings, mainly photographic, may be:
- reproduced in any known and future technical and/or multimedia application;
- modified without distorting their context/meaning, while always protecting the subjects' dignity and reputation, in order to adapt them to their intended purpose and format;
- published in magazines, brochures, catalogues, websites and within Hu Holding information/advertising/promotional material for an unlimited period of time, by any means, for the purpose of completing the company presentation or publishing images relating to events/initiatives sponsored or organised by Hu Holding;
- published on hu Holding's social channels.
IN NO EVENT will the images and recordings be used in contexts that jeopardise the personal dignity and reputation of the subjects

12. WHEN IS IT MANDATORY TO COMMUNICATE YOUR DATA

The communication of your data is:
- mandatory to the extent necessary for the processing referred to in letters a) and b) of the previous point 3 and any failure to provide them shall render it impossible to execute the contract;
- obviously optional in reference to the other items in the previous point 3, and in the absence of such data there will be no consequences except the impossibility of serving the guest in the best possible way.
It is important to specify that most of the treatments carried out are not subject to the obligation to obtain consent, except in the cases already mentioned or in the case of data processing details, also carried out at the guest's request.

13. VIDEO SURVEILLANCE

The possible presence of a video surveillance system is duly signalled by specific notices displayed in the monitored areas, which also indicate whether a video recording system is present. The images can be viewed in real time by reception and security staff in order to guarantee the necessary assistance and promptly identify any risk situations for the safety of guests; more specifically, the systems can be installed for the following purposes:
> supporting staff in security and access control activities
> preventing possible damage, theft or unauthorised removal of goods
> ensuring the safety of staff and guests by enabling the detection of particularly dangerous situations, incidents or accidents
> identifying the most suitable form of intervention, allowing it to be measured in the event of particularly dangerous situations, incidents or accidents
> allowing the dynamics of significant events to be reconstructed for the purposes of protecting personal safety or in the event of illicit acts committed against Guests and/or the facility and its staff.
In addition to the above, any video recordings produced by the system which are periodically deleted in full compliance with the legislation on privacy protection, may be used:
> to comply with instructions issued by the Judicial Authority and/or the Judicial Police;
> to assert or defend a right, even on behalf of a third party;
> possibly to complete documentation accompanying accident reports forwarded to insurance companies.
The legal basis for this processing is the legitimate interest of the Data Controller corresponding to the declared purposes.

This document has been drawn up by CIS S.r.l. - Florence, Via Circondaria 56/2 - email address: [email protected], for use by hu Holding Srl and its associated companies that adhere to the privacy management system managed by it. Copying, reproduction and any form of use, even partial, by persons not authorised by the author are prohibited. In any case, reproduction is only permitted if complete with this box.
Hu Holding Srl - Via Generale Dalla Chiesa 13 - 50136 - FLORENCE (FI) - VAT number: 07377040485