Privacy policy for the processing of personal data 
Information note pursuant to and by effect of article 13 of the GDPR 679/2016

In compliance with the provisions of GDPR 679/2016, we inform you about the processing of personal data concerning you and those of your family members, including minors, acquired by us as a result of contractual relationships and to enable us to properly carry out our activity  and in accordance with the provisions of the law in force. The methods of data processing, using both paper and IT means, meet the security guarantees required by the new regulations.

1.     CONTACTS OF THE DATA CONTROLLER AND THE DATA PROTECTION OFFICER (DPO)

The Data Controller is G.B.THERMAE HOTELS s.r.l., with registered office in Abano Terme (PD), via Valerio Flacco, 99, tax code, VAT number and registration number, at the Companies Register of Padua, 00220810287, e-mail: amm@gbhotelsabano.it, certified email address:  amm.gbthermaehotels@pec.it.

The Data Controller, pursuant to art. 37 of the European Regulation 679/2016, appointed a Data Protection Officer, which can be contacted by email at the following address: dpo@gbhotelsabano.it for all issues concerning the processing of personal data and the exercise of rights concerning it.

The identity of the DPO and further contact details are available on the website www.gbhotelsabano.it  in the “Privacy” section.

2.     PROCESSING PURPOSES AND LEGAL BASIS

The data will be processed by us for the performance of the following activities:

• Acquisition of pre-contractual/contractual information and fulfillment of obligations deriving from the residence contract and the ancillary agreements connected to it;
• Fulfillment of the obligations to communicate guest data to the Police Authorities in order to fulfill the obligation required by  the "Consolidated Law on Public Security" (article 109 of Royal Decree   No. 773, dated 18.06,1931);
• Direct marketing by sending newsletters and/or material and/or advertising and promotional communications concerning the products, services or events related to the activity of our Company
• Profiling of guests in order to ensure maximum satisfaction during their stay in the facilities and facilitate their registration in subsequent stays. 
• Implementation of a video surveillance system expressly marked as present in the concerned areas by special signs in order to protect people and property from the occurrence of possible offenses.
• The administrative and accounting management of clients, in particular: management of health documentation in agreement with the Local Health Authorities, management of contractual relationships, invoicing and tax obligations.

The provision of personal data even if it is not mandatory, is necessary to pursue the above mentioned purposes. Failure to provide the data makes it impossible to carry out the contractual relationship at the basis of the processing.

3.     SCOPE OF COMMUNICATION AND RECIPIENTS OF THE PROCESSING

Your data may be communicated by us exclusively to the third parties indicated below, and to the Police authorities if it is required by law:

• Accounting, tax, and legal consultants and management software managers.
• Public health authorities, courts and financial authorities and other institutions, if required by laws, regulations and EU directives.
• Company responsible for the surveillance of the premises. 
• Emergency Medical Service and occupational doctor and hotel health management team. 

The aforementioned parties act as external Data Protection Officers for the personal data provided.

The treating doctors are co-data controllers of the processing of the specific data entrusted to them for the implementation of the health service provision.

4.     STORAGE TIME OF THE DATA COLLECTED

Except for the legal obligations, the data collected will be stored for the entire period of the contractual relationship as well as for a further 5 years after the end of the relationship, in relation to the direct marketing and profiling purposes.

If the data are provided only during the pre-contractual stage, they will be stored for a 12-month period. 

In the event of a dispute, the data will be processed and stored until the dispute is settled.

After the storage period, as described above, the data  provided by you will be erased in full.

5.     RIGHTS OF THE CONCERNED PARTY

European Regulation No. 679/2016 recognizes to the concerned party special rights, which can be exercised only by contacting the Data Controller:

• Right of access to the data collected and processed - Art. 15
• Right to obtain the data correction - Art. 16
• Right to obtain the data erasure and the right to be forgotten - Art. 17
• Right to limit the data processing - Art. 18
• Right to portability of the data to another data controller - Art. 20
• Right to refuse processing - Art. 21
• Right not to be subjected to automatic processing - Art. 22
• Right to lodge a complaint at the Data Protection Authority - Art. 77;
• Right to lodge an appeal against the Data Protection Authority (Art. 78) and against the Data Controller and/or the Data Protection Officer  (Article 79);
• Right to revoke consent at any time, without prejudice to the lawfulness of the processing based on consent provided prior to the revocation.

6.     COMPLAINT TO THE DATA PROTECTION AUTHORITY

The concerned party has the right to lodge a complaint at the Data Protection Authority in the event that the requests for information, or requests to exercise the rights specified in the previous paragraph 5, did not obtain the expected response.
The Authority of reference is the Data Protection Authortiy

http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524

Privacy policy for the processing of special categories of personal data 
Information note pursuant to and by effect of article 13 of the GDPR 679/2016

In compliance with the provisions of GDPR 679/2016, we inform you about the processing of personal data concerning you and those of your family members, including minors, acquired by us as a result of contractual relationships and to enable us to properly carry out our activity  and in accordance with the provisions of the law in force.  The methods of data processing, using both paper and IT means, meet the security guarantees required by the new regulations. 

1.    CONTACTS OF THE DATA CONTROLLER AND THE DATA PROTECTION OFFICER (DPO)

The Data Controller is G.B.  THERMAE HOTELS s.r.l., with registered office in Abano Terme (PD), via Valerio Flacco, 99, tax code, VAT number and registration number, at the Companies Register of Padua, 00220810287, e-mail:  amm@gbhotelsabano.it, pec:  amm.gbthermaehotels@pec.it.

The Data Controller, pursuant to art. 37 of the European Regulation 679/2016, appointed a Data Protection Officer, which can be contacted by email at the following address:  dpo@gbhotelsabano.it for all issues concerning the processing of personal data and the exercise of rights concerning it.

The identity of the DPO and further contact details are available on the website www.gbhotelsabano.it  in the “Privacy” section.

2.    PROCESSING PURPOSES AND LEGAL BASIS

The data will be processed by us for the performance of the following activities:

• acquisition of information for the purpose of providing medical, therapeutic and/or aesthetic services on the basis of the medical information provided by the interested party or acquired following a specific medical examination.

The communication of categories of personal data by the interested party, even if it is not mandatory, is necessary to pursue the above mentioned purposes.  Failure to provide the data makes it impossible to carry out the contractual relationship at the basis of the processing.

3.    SCOPE OF COMMUNICATION AND RECIPIENTS OF THE PROCESSING

Your data may be communicated by us exclusively to the third parties indicated below, and to the Police authorities if it is required by law: 

4.    STORAGE TIME OF THE DATA COLLECTED.

The data collected will be processed for the entire period of the medical-healing treatments provided. Guests’ clinical records will be stored for the terms established by the law according to the agreements undertaken between the co-data controllers.

The data collected for the provision of aesthetic treatments will be processed for the entire period in which treatments are provided as well as for additional 5 years after the end of the relationship to allow adequate service provision to guests during subsequent stays. In the event of a dispute, the data will be processed and stored until the dispute is settled.

After the storage period, as described above, the data  provided by you will be erased in full.

5.    RIGHTS OF THE CONCERNED PARTY

European Regulation No. 679/2016 recognizes to the concerned party special rights, which can be exercised only by contacting the Data Controller:

• Right of access to the data collected and processed - Art. 15
• Right to obtain the data correction - Art. 16
• Right to obtain the data erasure and the right to be forgotten - Art. 17
• Right to limit the data processing - Art. 18
• Right to portability of the data to another data controller - Art. 20
• Right to refuse processing - Art. 21
• Right not to be subjected to automatic processing - Art. 22 
• Right to lodge a complaint at the Data Protection Authority - Art. 77;
• Right to lodge an appeal against the Data Protection Authority (Art. 78) and against the Data Controller and/or the Data Protection Officer  (Article 79);
• Right to revoke consent at any time, without prejudice to the lawfulness of the processing based on consent provided prior to the revocation.

6.    COMPLAINT TO THE DATA PROTECTION AUTHORITY

The concerned party has the right to lodge a complaint at the Data Protection Authority in the event that the requests for information, or requests to exercise the rights specified in the previous paragraph 6, did not obtain the expected response.
The Authority of reference is the Data Protection Authortiy
http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524