Dear User,
on this page you will find information on how we handle your personal data through our website. We are providing this information not only to comply with our legal obligations regarding the protection of personal data as set out in Regulation (EU) 2016/679 or the "Regulation", but also because we believe that the protection of personal data is a fundamental value of our business activity and we want to provide you with any information that may help you to protect your privacy and to control the use that is made of your data in relation to your browsing experience on our site.
1. DATA CONTROLLER AND CONTACTS
The Data Controller is the person who makes the decisions on the methods and purposes of processing.
The Data Controller is Xenia Hotellerie Solution S.p.A. Società Benefit with registered office in Guardiagrele (CH), via Antonio Gramsci, n. 79, VAT No. and Taxpayer Code 01691390692. For any question concerning the processing of your personal data, you may contact the Data Controller by ordinary mail at the above addresses or by writing to the email address privacy@xeniahs.com.
Xenia S.p.A. SB has not appointed a DPO (Data Protection Officer).
2. PURPOSE OF PROCESSING, DATA PROCESSED, LEGAL BASIS, MANDATORY PROVISION OF DATA, STORAGE PERIOD
A purpose is a reason for which we process your personal data. Below is a list of our purposes. Each and every purpose has one or more legal bases.
a) Viewing and browsing the website
Purpose: to allow correct navigation on the website and, in the event of computer crime, to ascertain possible liability.
Data processed: IP addresses, domain names, URIs and navigation data. These data are acquired by the computer systems responsible for the operation of this website.
Legal basis: data are processed on the basis of the need to provide users with the necessary tools to visit the website and access the functions made available. The legal basis is that provided for in Article 6, par. 2, lett. f of the GDPR: the legitimate interest of the Data Controller (consisting in ensuring the proper functioning of the IT systems and in investigating possible offences - possibly also on the basis of the existence of a legal obligation).
Obligatory nature of the provision of data: the provision of data is left to your will, but it is indispensable in order to visit the website and access its various functions.
Notes on processing and storage time:
displaying the website and navigating within it involve, for reasons inherent to the use of computer protocols, an exchange of technical information between the Data Controller's computer system and that of the user. The information transmitted is, for example, the following: operating system used, browser and its version, time of the request, size of the information flow.
b) Site Analytics
Purpose: statistical research/analysis on aggregated or anonymous data aimed at measuring the proper functioning of this website.
Legal basis: this is anonymised data to which the legislation on the protection of personal data does not apply (they do not allow the user to be traced and identified or made identifiable).
Obligatory nature of the provision of data: the provision of data is left to your will, but it is indispensable in order to visit the site and access its various functions.
Notes on processing:
The Data Controller uses the Google Analytics service to collect aggregate data on site performance. See the analytics cookies section for more information.
c) Management of user request form (contacts, stakeholders, accesses)
Purpose: acknowledgment/fulfilment of direct request from user (for example with the spontaneous sending of messages, electronic mail to the addresses of Xenia S.p.A. SB indicated on the site that involve the subsequent acquisition of their name and surname and other personal data that may be included in the relative communication).
Data processed: identification data (such as, for example, name, surname, etc.) and contact data (such as, for example, email address, telephone number, etc.) or other data provided by the user in requests.
Legal basis: performance of a contract to which the data subject is party or performance of pre-contractual measures taken at the data subject's request, Art. 6, par. 1, lett. b) of the GDPR.
Obligatory nature of the provision of data: the provision of data is left to your will, but it is indispensable in order to comply with your requests.
Notes on processing and storage time: Currently, the website supports three types of direct requests:
• Contact via the contact form. We only collect the data strictly necessary to respond to the contact request.
• Stakeholder requests for documents. We only collect the data strictly necessary to answer the stakeholder's request.
• Request for access to the reserved area. We only collect the data strictly necessary to enable user authentication in order to allow access to the reserved area.
The personal data transmitted by filling in the above-mentioned forms are exclusively used for the above-mentioned purpose, and are not processed for marketing or profiling purposes or for any other purpose other than those indicated. They are not transmitted to third parties. They are deleted once the customer's request has been fulfilled. Authentication logs are deleted when the session is closed.
d) Recruitment
Purpose: management of applications received and selection of personnel for possible establishment of a work relationship or collaboration.
Data processed: identification data (such as, for example, name, surname, tax code, etc.), contact data (such as, for example, email address, telephone number, address of residence and/or domicile, etc.), data relating to work experience and course of study.
Legal basis: performance of a contract to which the data subject is party or performance of pre-contractual measures taken at the data subject's request, Art. 6, par. 1, lett. b) of the GDPR.
Obligatory nature of providing data: the provision of data is left to your will, but is indispensable for the evaluation of your application by Xenia S.p.A. SB.
Notes on processing and storage time:
The CVs transmitted are used exclusively for recruitment purposes. In case of non-recruitment they are kept for a period of 6 months.
In the event of recruitment, the CV will be retained for the entire duration of the employment relationship for the purpose of verifying the information provided, as it is an element of the employment contract. Furthermore, the Owner adheres to quality certification systems that require the retention of the CVs of those hired.
CV data are not passed on to third parties. They may be processed by data processors that the Controller uses in its business organisation.
e) Verification, exercise, and/or defence of a right
Purpose: defence of rights.
Legal basis: legitimate interest, art. 6, par. 1, lett. f) of the GDPR.
Notes on processing and storage time:
The legitimate interest of the Data Controller is to exercise rights and defend itself both judicially (including pre-litigation) and extra-judicially against third parties (including public entities) and against data subjects.
Personal data collected for this purpose are retained for 10 years, as provided for by the ordinary limitation period (Art. 2946 of the Civil Code), unless the limitation period is interrupted.
3. RECIPIENTS OF DATA
Data are processed by authorised personnel (pursuant to art. 29 of the Regulations) by Xenia S.p.A. SB or by suppliers specifically appointed as Data Processors (pursuant to art. 28 of the Regulations) who act on the instructions of the Data Controller.
The complete and updated list of data processors can be requested from the Data Controller at the addresses indicated above.
4. TRANSFER OF DATA ABROAD
We also use back office services located outside the EU/EEA (Albania). This processing is carried out in accordance with the applicable legislation, through the use of legal guarantees, in particular standard contractual clauses approved by the European Commission. You may obtain a copy of these by making a request to the Controller.
5. RIGHTS OF THE DATA SUBJECT
You can exercise your rights under the GDPR regarding your personal data by writing to privacy@xeniahs.com. We will endeavour to respond to your request as soon as possible and in any event no later than thirty days from receipt of your report. In certain cases, we will ask you for a copy of an identification document if, in connection with your request, it is necessary to verify your identity. In particular, you may exercise the following rights:
• Right of access, i.e. the right to know whether personal data concerning you is being processed and, if confirmed, to obtain a copy of such data and to be informed about: the source of the data, the categories of personal data processed, the recipients of the data, the purposes of the processing, the existence of automated decision making (including profiling), the data retention period, the rights under the GDPR;
• Right to have your data corrected or supplemented;
• Right to obtain the deletion of personal data if such data are no longer necessary for the purposes for which they were collected, or if we are no longer authorised to process them;
• Right to obtain restriction of the processing of personal data in the following cases: i) you have contested the accuracy of the personal data. You may request a restriction of the processing for the period necessary to verify the accuracy of the data; ii) we are no longer authorised to process the data, and instead of deleting it, you may ask us to restrict its use; iii) if the personal data in our possession, although no longer necessary for the purposes for which it was collected, is necessary for you to establish, exercise or defend a right in court;
• Right to data portability, i.e. the right to receive in a structured, commonly used and machine-readable format the personal data concerning you, as well as the right to request that such data be transmitted to another Controller;
• Right to withdraw consent, for processing based on it;
• Right to object at any time to the processing of your personal data based on our legitimate interest. You also have the right to lodge a complaint with the competent data protection supervisory authority if you consider that the processing of your data is contrary to the provisions of the GDPR.
We reserve the right to update the content of this page from time to time. We encourage you to consult this policy regularly in order to keep up to date with any changes that have occurred since your last consultation.
From this link you can download REQUEST FORM FOR THE EXERCISE OF PERSONAL DATA PROTECTION RIGHTS.