Guest Policy
GDPR EU REGULATION 2016/679, Legislative Decree 101/2018, Amended Legislative Decree 196/2003 CUSTOMER NOTICE
Whereas:
- The Data Controller determines the purposes and means of processing personal data;
- The Data Controller promotes, offers, and provides catering and entertainment services to its Customers;
- In the context of providing services, the Data Controller processes the Customer's personal data the following information is provided:
- DATA CONTROLLER - The Data Controller of personal data ("Controller") is MEDEX S.R.L., VAT No. 07251260969, located at Viale Costa Smeralda 27 – 07021 ARZACHENA (SS), Tel. 0789955012, e-mail: amministrazione@phibeach.com, certified e-mail (PEC): medex@legalmail.it
- PURPOSES OF PROCESSING - All operations of personal data processing are performed for the purposes of: collecting reservations, directly or through online platforms; providing entertainment and catering services; commercial communications in which the Controller promotes its products and services; collecting reviews on service quality; 3) publishing events on social platforms and the Controller's website
- LEGAL BASIS FOR PROCESSING - The legal basis justifying the processing of personal data consists of: • legitimate interest on the part of the Controller to process such personal data.
- PERSONAL DATA PROCESSED - The personal data subject to processing are: contact details, photographs, and videos not suitable for uniquely identifying and/or authenticating an individual.
- PROVISION OF PERSONAL DATA - The provision of personal data is necessary for the pursuit of the purposes indicated in point 2). Therefore, any refusal to provide them would prevent the Controller from establishing or executing the relationship with the Client. Specifically referring to Recital 51 of the GDPR, it is noted that "photographs should not systematically constitute processing of special categories of personal data, as they fall within the definition of biometric data only when processed through a specific technical device that allows the unique identification or authentication of a physical person". Therefore, it is observed that photography and/or video image may fall under the category of special data when they are suitable for uniquely identifying and/or authenticating a physical person. Given the nature and context of the services provided by the Controller, this case is excluded. Moreover, Article 97 of the Copyright Law indicates that "the consent of the person depicted is not required when the reproduction of the image is justified by the notoriety or by the public office covered, by necessity of justice or police, by scientific, educational or cultural purposes, or when the reproduction is connected to facts, events, ceremonies of public interest or held in public". In this specific case, it concerns events, catering, and entertainment held in public.
- METHODS AND ACTIVITIES OF PROCESSING PERSONAL DATA - The processing of personal data, for the purposes set out in point 2), takes place both through automated means (digitization and computerized processing) and non-automated means (paper support) in compliance with the confidentiality and security rules provided by law, respecting the Controller's provisions. Processing activities include: acquisition, recording, access, consultation, storage, communication. No automated decision-making process, including profiling, will be conducted.
- LOCATION OF PERSONAL DATA PROCESSING - Personal data are processed at the operational headquarters of MEDEX S.R.L., "Phibeach" Forte Cappellini- Loc. Baja Sardinia – 07021 ARZACHENA (SS); they may also be processed on behalf of the Controller by external companies and/or professionals within the limits necessary for the performance of the services entrusted to them.
- COMMUNICATION OF PERSONAL DATA - The processed personal data may be communicated to internal appointees authorized by the Controller and to external parties, within the limits necessary for the performance of the entrusted services, respecting the confidentiality and security rules established by the Controller in accordance with the regulations.
- TRANSFER OF PERSONAL DATA ABROAD - The processed personal data are not currently transferred abroad; should this need arise, the Controller will request specific consent by specifying the destination country and the guarantees adopted to make the transfer secure and in compliance with the regulations.
- RETENTION PERIOD OF PERSONAL DATA - The provided data may be stored: • for the entire duration of the service relationship established and compatibly with the times of the purposes indicated • for the period of conducting commercial communications through which the Controller promotes the products and/or services provided; the Customer has the right to express at any time their refusal (so-called opt-out) to processing operations for direct marketing purposes.
- CUSTOMER RIGHTS – The Customer may exercise the right to access personal data concerning them and to their portability; they may request