Privacy Policy

The protection of our website Users’ privacy is a top priority for us. CA.PRI S.R.L., in accordance with Articles 13 and 14 of EU Regulation 2016/679 (the “GDPR” – General Data Protection Regulation), hereby wishes to inform you, pursuant to Art. 13 of EU Regulation 2016/679 (hereinafter “GDPR” or “Regulation”) and Legislative Decree 196/2003 (Privacy Code), as amended by Legislative Decree 101/2018 and subsequent amendments, regarding the purposes and methods of processing the personal data (hereinafter “Data”) of users who consult the following websites:

https://laquacollection.it
https://laquacountryside.it
https://laquabythesea.it
https://laquabythelake.it
https://villacrespi.it
https://cannavacciuologroup.it

Please Note: This privacy information is provided solely for the aforementioned websites and not for any other websites that may be accessed by the user via links. By connecting to the site and, where applicable, providing their data or expressing consent to its processing (when requested for specific purposes), the User declares to be over 16 years of age.

A) PARTIES INVOLVED IN DATA PROCESSING

Data Controller: CA.PRI S.R.L., Tax Code: 01938520036, with registered office at VIA GIUSEPPE FAVA 18, 28016 – Orta San Giulio (NO), Italy. Tel: +39 0322 911902 | Email: info@villacrespi.it | PEC: caprisrlorta@legalmail.it.

Data Protection Officer (DPO): The Data Controller has appointed Studio Bagaini e Rillo – Viale Marazza 4, 28021 Borgomanero (NO), VAT no. 01699250039, and the company New Sistem s.r.l. – Viale Marazza 4, 28021 Borgomanero (NO), VAT no. 01622410031, in the person of Ms. Maria Silvana Rillo, Tax Code: RLLMSL61C46H632Y, as the Data Protection Officer (DPO) for CA.PRI S.R.L.

Joint Data Controller: Cannavacciuolo Consulting s.r.l. Unipersonale, with registered office at Viale Marazza 4, 28021 Borgomanero (NO). PEC: cannavacciuoloconsultingsrl@legalmail.it

The complete and updated list of Data Processors is available at the Controller’s registered office. For information and the exercise of rights, the data subject may also write to: privacy@cannavacciuologroup.it

B) PERSONAL DATA SUBJECT TO PROCESSING

Through our website, the Controller (and any Processors) may collect and process the following personal data of Users:

· Common Personal Data: Identification data required for the provision of requested services/products: name and surname, email address, telephone number, tax data (where invoicing is required), and additional identifying data whose transmission to the competent Police Headquarters (Questura) is mandatory pursuant to Art. 109 R.D. no. 773/1931 (Consolidated Law on Public Safety) and Art. 2 of the Technical Annex to Ministerial Decree 07.01.2013, as well as any further personal data voluntarily provided by the User for assistance and information.

· Payment Data: Data relating to the method of payment will not be processed by the Controller but only by the authorized provider through specific secure protocols (see the selected provider’s privacy policy).

· Special Categories of Data: For booking purposes, “special” data may be collected: health-related data concerning allergies or food intolerances, as well as further data related to specific dietary regimes followed by the User.

C) PURPOSES, LEGAL BASIS, AND NATURE OF PROCESSING

The purposes for which the aforementioned data are processed by the Controller are as follows:

1. Management of reservation requests for the Restaurant;

2. Management of reservation requests for the Hotel;

3. Compliance with obligations imposed by current legislation (accounting, tax, etc.);

4. Compliance with obligations regarding the identification of guests in accommodation facilities and the notification of names to the competent local Police Headquarters (Questura) pursuant to Art. 109 R.D. no. 773/1931 and related regulations;

5. Sending newsletters containing commercial proposals relating to the Controller’s activities;

6. Management of website statistics based on non-anonymized data.

Legal Bases:

· For purposes 1 and 2: The legal basis is the performance of a contract to which the User is party or the execution of pre-contractual measures taken at the User’s request (Art. 6(1)(b) GDPR). For these same purposes, the legal basis for processing any special categories of data is the User’s free, specific, informed, and unambiguous consent (Art. 6(1)(a) GDPR).

· For purposes 3 and 4: The legal basis is the fulfillment of a legal obligation to which the Controller is subject (Art. 6(1)(c) GDPR).

· For purposes 5 and 6: The legal basis is the free, specific, informed, and unambiguous consent expressed by the User (Art. 6(1)(a) GDPR).

Nature of Provision:

· For purposes 1 and 2: Providing data is a contractual obligation; failing to provide it will prevent the Controller from entering into or performing the contract.

· For purposes 3 and 4: Providing data is a legal obligation; without it, the Controller cannot fulfill legal requirements, and the User cannot utilize the requested service.

· For purposes 5 and 6: Providing data is optional; without it, the User will not receive newsletters or be included in non-anonymized statistics.

D) RECIPIENTS

Data processed through this site, exclusively for the purposes stated above, may be communicated to parties external to the Controller (external collaborators, suppliers, etc.) appointed as Data Processors. For purpose no. 4, data are also communicated to the entities identified by current law (Competent local Police Headquarters and the Ministry of the Interior – Department of Public Security).

E) TRANSFERS

Data will never be transferred to third countries that do not comply with the conditions set out in Articles 45 et seq. – and in particular Article 46 – of the GDPR.

F) DATA RETENTION

Personal data will be processed in compliance with the principles of Art. 5 GDPR (lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability) using paper or electronic methods.

Retention Periods:

· Purposes 1 and 2: For the time necessary to perform the contract and—based on the Controller’s legitimate interest in legal defense—until the expiry of the statute of limitations for any actions based on the contract.

· Purposes 3 and 4: For the period required by law (e.g., accounting records, invoices, and correspondence must be kept for 10 years pursuant to Art. 2220 of the Italian Civil Code).

· Purposes 5 and 6: Until the specific purpose is achieved or until the User withdraws consent.

Once the retention period has expired, data will be deleted or irreversibly anonymized.

G) YOUR RIGHTS

The Controller informs the User of their rights under Articles 13(2)(b) and (d), 15, 16, 17, 18, 19, and 21 of the GDPR:

· Right of access (Art. 15);

· Right to rectification (Art. 16);

· Right to erasure / Right to be forgotten (Art. 17);

· Right to restriction of processing (Art. 18);

· Right to data portability (Art. 20);

· Right to object (Art. 21);

· Right to withdraw consent at any time (Art. 13(2)(c)).

Requests may be addressed to the parties listed in Section A by sending a registered letter with return receipt to the registered office of the Data Controller (or the Joint Controller/DPO) or via email to: privacy@cannavacciuologroup.it