Privacy Policy

Dear Customer,

In compliance with article 13 of REGULATION (EU) 2016/679 (hereinafter referred to as “GDPR” or “Regulation”) we would like to inform you about the use of your personal data as well as your rights, informing you of the following.

The Data Controller Eagle S.R.L., EAGLE S.R.L., with registered office in Trento (TN), Piazza Dante no. 20, Zip Code 38122, Tax code and VAT registration number 02814800229.

In order to exercise the rights recognised by the REGULATION (EU) 2016/679 (hereinafter “GDPR” or “Regulation”) or to ask for any further information regarding the processing of personal data, you may contact the Data Controller at the following: telephone no.: +39 0415321630 or by email at: privacy@hnh.it.

PURPOSE AND LEGAL BASIS

The data you provide will be processed in accordance with the principles set out in art. 5 of the GDPR and, specifically, the principles of lawfulness, fairness, transparency, relevance, non-excessiveness and proportionality for the following purposes:

1. PRIMARY AIMS

1.1. Management of reservation and stay

Description: Processing of the data necessary to manage your reservation, check-in, check-out and all activities related to your stay at our establishment, including the customisation of services requested.

Legal basis: Execution of pre-contractual measures and the contract to which you are party (art. 6, para. 1 (b) GDPR).

Data processed: Personal data, contact details, IP address (for online bookings), dates of stay, room preferences, payment method.

1.2. Handling of website enquiries

Description: Processing of the data provided via the contact forms on our website to respond to your requests for information, quotes or clarifications on our services.

Legal basis: Execution of pre-contractual measures taken at your request (art. 6, para. 1 (b) GDPR).

Data processed: First name, last name, e-mail address, telephone number (if provided), message content, IP address.

1.3. Operation of the website

Description: Processing of data necessary to ensure the proper functioning of the website, cybersecurity and the prevention of fraudulent activities.

Legal basis: Legitimate interest of the Data Controller (art. 6, par. 1 (f) GDPR).

Data processed: IP address, log data, information on the browser and device used, date and time of access.

Note: For detailed information on the use of cookies and other tracking tools, please see our Cookie Policy.

1.4. Fulfilment of legal obligations

Description: Communication of data to public security authorities as required by the Consolidated Law on Public Security; tax obligations, accounting and administrative fulfilments.

Legal basis: Fulfilment of a legal obligation to which the Controller is subject (art. 6, para. 1(c) GDPR).

Data processed: Personal data, identity document, tax code, tax and accounting data.

1.5. Additional services required during the stay

Description: Provision of expressly requested additional services such as room service, restaurant reservations, transfers, excursions, wellness and spa services.

Legal basis: Execution of the contract to which you are party (art. 6, para. 1 (b) GDPR).

Data processed: Personal preferences, specific requests, preferred times.

It is possible that, before and during your stay, hotel employees may become aware of special data, for example, information regarding your state of health or religious affiliation. In this regard, it is important to emphasise that we never request or solicit data of this nature. These data are only processed if voluntarily provided by you and are not recorded in any database or permanent archive. Should you decide to provide us with such information, it will only be used to fulfil specific requests (such as allergies or dietary preferences, room configuration needs), and only for as long as is strictly necessary to fulfil such requests.

1.6. Checking the quality of services

Description: Collection of feedback on the quality of services by means of questionnaires, checks, controls and audits, also by sending satisfaction questionnaires by e-mail after the stay.

Legal basis: Legitimate interest of the Controller in improving the quality of its services (art. 6, par. 1 (f) GDPR).

Data processed: Evaluations, comments, suggestions.

1.7. Protection of the Controller’s Rights

Description: Establishment, exercise or defence of a right in judicial and extra-judicial proceedings.

Legal basis: Legitimate interest of the Data Controller (art. 6, par. 1 (f) GDPR).

Data processed: Data pertaining to your stay, correspondence, payment data, and any complaints.

1.8. Speeding up registration procedures

Description: Data storage to simplify and speed up check-in procedures in case of subsequent stays at our establishment.

Legal basis: Legitimate interest of the Controller in providing a more efficient service to regular customers (art. 6, par. 1 (f) GDPR).

Data processed: Personal data, previous stay preferences, identity documents.

2. SENDING OFFERS TO CUSTOMERS

Description: Use of your contact data, in particular your email address, to send you offers for products or services similar to those you have already purchased.

Legal basis: Legitimate interest of the Data Controller in promoting similar products and services (art. 6, par. 1(f) GDPR; art. 130(4) Lgs. Decree 196/03).

Data processed: Email address, first name, last name, purchase history.

Right to Object to Processing: You have the right to object to the sending of such communications at any time and free of charge.

3. NEWSLETTER

Description: We regularly send out newsletters containing information on our offers, news, events and promotions to those who voluntarily subscribe via the form on our website.

Legal basis: Consent of the data subject (art. 6, para. 1 (a) GDPR).

Data processed: Email address, name (if provided).

Method: Newsletters sent exclusively by email.

Note: Subscription to the newsletter is completely optional. You may unsubscribe at any time by clicking on the unsubscribe link in each newsletter or by contacting us at the contact details given in this notice.

PROVISION OF DATA AND CONSEQUENCES IN THE EVENT OF FAILURE TO CONSENT TO PROCESSING

The provision of your personal data may be compulsory or optional, depending on the different purposes for which they are processed. The consequences of failure to provide or consent to processing are outlined below:

Data required for Primary Purposes (items 1.1 to 1.8)

The provision of personal data required for the Primary Purposes set out in points 1.1 to 1.8 is mandatory, as such data are indispensable for Managing your booking and your stay (1.1); Responding to your requests for information via the website (1.2); Ensuring the operation and security of the website (1.3); Fulfilling legal obligations, including communications to public safety authorities (1.4); Providing the additional services you request during your stay (1.5); Checking the quality of our services (1.6); Protecting your rights in the event of disputes (1.7); Expediting registration procedures for future stays (1.8).

Consequences of failure to provide data: failure to provide these data will make it impossible for the Controller to provide the information and/or services requested, to conclude the contract with you and, in general, to fulfil its obligations. In particular, without providing the data requested in the online forms, we will not be able to process your request or complete your booking.

Data for sending offers to customers (point 2)

You always have the right to object at any time and free of charge to the sending of such communications, without this affecting the possibility to use the services requested in any way.

Data for the purpose of sending the newsletter (point 3)

The provision of data for subscribing to the newsletter is always optional. Failure to provide data or consent to their processing for this purpose will have no consequence on the possibility to use the requested hotel services and will only involve the impossibility of receiving the newsletter.

Any consent given by you may be freely revoked at any time, without affecting the lawfulness of the processing based on the consent given before revocation. Withdrawal of consent may be communicated through the contact details indicated in the “Data Controller” section of this notice.

CATEGORIES OF PERSONAL DATA RECIPIENTS

Only persons authorised for processing and subjects who, processing data on behalf of the Controller and who have been identified as Data Processors will be able to access personal data. These subjects are bound by the obligation of confidentiality, including on the basis of specific internal regulations. In particular, the following will be able to access data: Technology service providers (Companies or consultants in charge of the installation, maintenance, updating and, in general, the management of hardware and software; Cloud and hosting service providers; Email and digital communication service providers; Booking engine providers; etc.); Hotel service providers (Consultants and/or other professionals with whom the Data Controller collaborates to provide the Hotel Services; External parties for the provision of additional services requested by the Data Subject such as transport services, restaurants, spas, excursions); Online Travel Agencies (OTA) and booking intermediaries (OTAs and traditional Travel agencies; Global reservation systems; Booking and price comparison portals); External consultants and professionals (Legal consultants; Tax consultants and accountants; Security and service quality consultants); Financial and payment institutions (Payment processing banks and credit institutions; Credit card issuers; Insurance companies); Public bodies (Public Security Authorities, as provided for by the Consolidated Text of Public Security Laws; Judicial Authorities, where required; Public bodies (e.g. Revenue Agency) for the fulfilment of fiscal and administrative obligations).

Data processed for the above-mentioned purposes will not be disseminated (i.e., they will not be disclosed to unspecified persons) and will not be used for automated decision-making processes.

Any person who comes into possession of your personal data will be obliged to use it exclusively for the stated purposes and in compliance with the data protection regulations. An updated list of Data Processors may be requested from the Data Controller by means of the addresses indicated in this notice.

The Data Controller undertakes to entrust your data only to parties with sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and guarantees the protection of your rights.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Data processed for the above-mentioned purposes will not – as a rule – be transferred outside the European Economic Area.

Should this be necessary (e.g. for the use of cloud-based IT systems or for the transmission of data to international OTAs), the Controller guarantees that this transfer will take place in compliance with the conditions set out in Chapter V of the GDPR and in particular:

• art. 45 GDPR: transfer on the basis of an adequacy decision adopted by the European Commission vis-à-vis the third country or international organisation. By way of example, Google LLC (provider of Google Analytics) adheres to the EU-U.S. Data Privacy Framework, guaranteeing an adequate level of protection within the meaning of art. 45 GDPR;
• art. 46 GDPR: transfer subject to appropriate safeguards, such as standard contractual clauses approved by the European Commission, binding corporate rules, codes of conduct or certification mechanisms;
• art. 47 GDPR: transfer based on binding corporate rules approved by the competent supervisory authority;
• Art. 49 GDPR: transfer on the basis of exceptions in specific situations, such as the explicit consent of the data subject, the need to perform a contract or pre-contractual measures, the need to exercise or defend a right in court or the need to protect the vital interests of the data subject or of other persons.

In order to obtain a copy of the guarantees adopted for the transfer of personal data outside the European Economic Area, or to know the place where they have been made available, a request can be made to the Data Controller via the contact details indicated in this notice.

DATA RETENTION CRITERIA

Personal data are processed for the time necessary to fulfil the purposes for which they were collected or for any other legitimate related purpose. Therefore, if personal data are processed for other purposes, they will be retained until the purpose with the longest retention period expires; however, they will no longer be processed for the purposes for which the retention period has expired. Personal data that are no longer needed, or for which there is no longer a legal basis for retention, will be irreversibly anonymised (or permanently deleted).

In particular, your personal data will be stored according to the following criteria:

1. Data processed for Primary Purposes (items 1.1 to 1.8)

Personal data acquired for primary purposes will be retained for 10 years from the date of the last stay or the last accounting entry, in accordance with obligations to keep accounting records and to ensure the protection of the Controller’s rights in the event of disputes or litigation. Exceptions to this are: Credit card data, which will be kept only for the time strictly necessary to complete the transaction and in any case no longer than 3 months after check-out; Data collected through the website contact forms (point 1.2): retained for 6 months from receipt of the request, unless a booking is made, in which case the above terms shall apply; Log data and IP addresses collected for the operation of the website (point 1.3): retained for a period not exceeding 6 months, unless required to be retained for the investigation of criminal offences.

2. Data processed for sending offers to Guests (point 2)

Data used to send offers for products or services similar to those already purchased will be retained until the data subject objects.

3. Data processed for sending the Newsletter (point 3)

The data used for sending the newsletter will be stored until you request cancellation from the service.

Retention in case of litigation

If it is necessary to defend or enforce a right of the Data Controller in court, the personal data relevant for this purpose will be retained for as long as necessary for the settlement of the dispute, even beyond the ordinary limitation period, until the time limit for appeals is exhausted.

Appropriate deletion or anonymisation operations will be carried out on the data collected at the end of the established retention periods or upon the occurrence of other circumstances that render the processing no longer necessary or legitimate.

DATA SUBJECT’S RIGHTS

The Data Controller informs you that the data subject has the right to ask for:

• access to personal data and information (art. 15 of the GDPR);
• correction or deletion of same (articles 16 and 17 of the GDPR);
• limits to processing personal data (art. 18 of the GDPR).

Finally, the data subject may:

• oppose the processing of their personal data under the conditions and within the limits as per art. 21 of the GDPR;
• exercise the right to data portability (art. 20 GDPR).

As far as concerns the processing operations based on consent, we inform you that the data subject has the right to revoke this consent at any time (without prejudice to the lawfulness of processing based on the consent given before revocation of same).

Please note that the data subject, if they believe processing to be in breach of the Regulations, has the right to submit a complaint to a control authority (Privacy Authority) or another competent authority pursuant to article 77 et seq. of the GDPR.