Hotel Eden di Dottarelli Luigi e C. S.A.S., located at Via Cassia 114.200, 46 – 01023 Bolsena (VT), Tax Code and VAT No. 01200860565 (hereinafter referred to as the “Controller”), in its capacity as data controller, informs you pursuant to Article 13 of Legislative Decree No. 196 of June 30, 2003 (hereinafter referred to as the “Privacy Code”) and Article 13 of EU Regulation No. 2016/679 (hereinafter referred to as the “GDPR”) that your data will be processed in the following ways and for the following purposes:

1. Object of Processing
The Controller processes personal, identifying, and non-sensitive data (in particular, name, surname, tax code, VAT number, email, and phone number – hereinafter referred to as “personal data” or simply “data”) provided by you during the registration phase on the Controller’s website and/or when subscribing to the newsletter service offered by the Controller or when filling out the contact form or requesting a quote.

2. Purpose of Processing
Your personal data are processed:
A) without your express consent (pursuant to Article 24 letters a, b, c of the Privacy Code and Article 6 letters b, e of the GDPR), for the following Service Purposes:
– to allow you to register on the website;
– to manage and maintain the website;
– to allow you to subscribe to the newsletter service provided by the Controller and any additional services you may request;
– to fulfill pre-contractual, contractual, and fiscal obligations arising from our relationship with you;
– to comply with legal obligations, regulations, EU legislation, or orders from authorities;
– to prevent or detect fraudulent activities or abuses harmful to the website;
– to exercise the Controller’s rights, such as the right to legal defense.
B) Only with your specific and separate consent (pursuant to Articles 23 and 130 of the Privacy Code and Article 7 of the GDPR), for the following Marketing Purposes:
– to send you newsletters, commercial communications, and/or advertising material via email regarding products or services offered by the Controller.
Please note that if you are already our customer, we may send you commercial communications regarding services and products similar to those you have already used, unless you object (Article 130 paragraph 4 of the Privacy Code).
3. Methods of Processing
The processing of your personal data is carried out through the operations listed in Article 4 of the Privacy Code and Article 4(2) of the GDPR, specifically: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction of data. Your personal data are processed both in paper format and electronically and/or in an automated manner.
The Controller will process personal data for the time necessary to fulfill the purposes mentioned above and, in any case, for no longer than **10 years** after the end of the relationship for Service Purposes and no longer than **2 years** from the collection of data for Marketing Purposes.

4. Access to Data
Your data may be made accessible for the purposes referred to in Articles 2.A) and 2.B):
– to employees and collaborators of the Controller, in their capacity as authorized personnel and/or internal data processors and/or system administrators;
– to third parties (e.g., providers for website management and maintenance, suppliers, credit institutions, professional firms, etc.) who perform outsourced activities on behalf of the Controller, in their capacity as external data processors.
5. Data Disclosure
Without your express consent (pursuant to Article 24 letters a), b), d) of the Privacy Code and Article 6 letters b) and c) of the GDPR), the Controller may disclose your data for the purposes referred to in Article 2.A) to supervisory bodies, judicial authorities, as well as to all other parties to whom communication is mandatory by law for the fulfillment of the aforementioned purposes. Your data will not be disseminated.

6. Data Transfer
The management and storage of personal data will take place on servers located within the European Union, owned by the Controller and/or third-party companies appointed and duly designated as Data Processors. Currently, the servers are located in Europe. Data will not be transferred outside the European Union.
However, it is understood that the Controller, if necessary, will have the right to move the server location to Italy and/or within the European Union and/or non-EU countries. In such cases, the Controller hereby ensures that any transfer of data outside the EU will be carried out in compliance with applicable legal provisions, entering into agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission, if necessary.
7. Nature of Data Provision and Consequences of Refusal to Provide Data
The provision of data for the purposes referred to in Article 2.A) is mandatory. Without it, we will not be able to guarantee your registration on the website or the Services referred to in Article 2.A).
The provision of data for the purposes referred to in Article 2.B) is optional. You may therefore choose not to provide any data or subsequently deny the processing of data already provided: in this case, you will not receive newsletters, commercial communications, and advertising material related to the Services offered by the Controller. In any case, you will still be entitled to the Services referred to in Article 2.A).

8. Rights of the Data Subject
As a data subject, you have the rights set forth in Article 7 of the Privacy Code and Article 15 of the GDPR, specifically the right to:
i. obtain confirmation as to whether or not personal data concerning you exist, even if not yet recorded, and their communication in an intelligible form;
ii. obtain the following information:
a) the origin of the personal data;
b) the purposes and methods of processing;
c) the logic applied in the event of processing carried out with the aid of electronic tools; d) the identification details of the controller, processors, and the designated representative pursuant to Article 5. d) the identification details of the controller, processors, and the designated representative pursuant to Article 5, paragraph 2 of the Privacy Code and Article 3, paragraph 1 of the GDPR; e) the subjects or categories of subjects to whom personal data may be communicated or who may become aware of them in their capacity as designated representatives in the State’s territory, data processors, or authorized personnel;
iii. iii. obtain: a) the updating, rectification, or, when interested, integration of the data; b) the erasure, transformation into anonymous form, or blocking of data processed in violation of the law, including those for which retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) the certification that the operations referred to in letters a) e b) have been made known, including as regards their content, to those to whom the data have been communicated or disseminated, except in cases where this obligation proves impossible or involves a manifestly disproportionate effort compared to the right being protected;
iv. object, in whole or in part: a) for legitimate reasons, to the processing of personal data concerning you, even if relevant to the purpose of the collection; b) to the processing of personal data concerning you for the purpose of sending advertising materials, direct sales, carrying out market research, or commercial communications, through the use of automated call systems without operator intervention, via email and/or through traditional marketing methods using telephone and/or postal mail. It should be noted that the data subject’s right to object, as stated in the previous point, b), for direct marketing purposes using automated methods, also extends to traditional methods. However, the data subject retains the right to exercise the right to object even partially. Therefore, the data subject may choose to receive communications only through traditional methods, only through automated methods, or neither type of communication.
Where applicable, you also have the rights referred to in Articles 16-21 of the GDPR (right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the Supervisory Authority.

9. Methods of Exercising Your Rights
You may exercise your rights at any time by sending:
– a registered letter with return receipt to *Hotel Eden di Dottarelli Luigi e C. S.A.S.*, located at Via Cassia 114.200, 46 – 01023 Bolsena (VT);
– an email to *info@hoteledenbolsena.it*.

10. Minors
This Website and the Controller’s Services are not intended for individuals under 18 years of age, and the Controller does not knowingly collect personal information related to minors. In the event that information regarding minors is unintentionally recorded, the Controller will promptly delete it upon user request.

11. Data Controller, Processors, and Authorized Personnel
The Data Controller is *Hotel Eden di Dottarelli Luigi e C. S.A.S.*
The updated list of data processors and authorized personnel is kept at the Controller’s registered office.

12. Changes to This Privacy Policy
This Privacy Policy may be subject to changes. It is therefore recommended to regularly check this Privacy Policy and refer to the most updated version.