According to Article 4, paragraph 7, and 26 of the GDPR, the Co-Controllers of personal data processing are: Uvet Hotel Company S.r.l. and Uvet Dyoniso S.r.l. (jointly also “Uvet Hotels” or the “Co-Controllers”), both with legal headquarters at Bastioni di Porta Volta 10, 20121 Milan, Italy.
The Co-Controllers have jointly determined the purposes and means of processing and have transparently defined, through an internal agreement, their respective responsibilities regarding compliance with the obligations under the GDPR, the content of which is communicated to the data subjects as follows.

Purpose of the processing

Uvet Hotels informs that the processing of personal data collected directly from the website is aimed at:

1. Satisfying the specific request made by the User, through sending a message via the Contact form. This may involve the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the message.

2. Registering the User, with their consent, for the Uvet Hotels program Newsletter, so they can receive information, promotions, and special offers related to Uvet Hotels’ properties and initiatives.

3. Managing internal control and management activities, by transmitting the relevant data within the Uvet Group, of which the Co-Controllers are part.

4. With prior consent, using the email address to send commercial communications, publicize events, and promote activities and projects related to travel and tourism, promoted by other companies in the Uvet Group, of which the Co-Controllers are part.

Legal Basis for Processing and Provision of Data

According to Article 6 of the Regulation (EU), processing is lawful as it is necessary for the correct and complete execution of the request made, or as it is necessary for the correct and complete execution of the contractual or pre-contractual obligations assumed towards the data subject and as such, does not require consent for data processing. Providing the data is necessary to execute the request promoted by the data subject.
According to Article 6, paragraph 1, letter f) of the Regulation (EU), processing related to purpose 3 is based on the legitimate interest of the Controller, who, in accordance with Recital 47 of the Regulation (EU), has carefully evaluated the balance between its interests and the fundamental rights and freedoms of the data subjects, considering the relationship between the data subject and the Co-Controllers. In particular, the processing is also conducted in accordance with Recital 48 of the Regulation (EU), relating to the Controller’s membership in a business group.

Regarding the purposes of points 2 and 4, pursuant to Article 6, paragraph 1, letter a) of the Regulation (EU), processing is based on the consent of the data subject. The provision of data for marketing purposes is optional, and refusal has no consequences, except for the inability to receive promotional communications. Consent can be revoked at any time for promotional purposes.

Types of Personal Data Collected

The personal data collected through the website specifically include identification data (first and last name), contact data (email address and telephone number, optionally provided by the User), and any other personal data entered in the “Message” field, provided by the User through the Contact form.
In addition to the data provided directly and intentionally by the User, the computer systems and software procedures used to operate this website acquire, during their normal operation, certain navigation data whose transmission is implicit in the use of internet communication protocols.
This information is not collected for the purpose of associating it with the identity of the data subject, but which, by its nature, could allow identification of the users through processing and association with data held by third parties. This category of data includes IP addresses or domain names of the computers used by users who connect to the site and other parameters related to the user’s operating system and IT environment. These data are used solely to obtain anonymous statistical information about website use and to check its correct functioning. Data may be used to ascertain responsibility in case of hypothetical computer crimes against the site.
For more information, please refer to the dedicated Cookie Policy.
The Co-Controllers do not deliberately collect any sensitive data through this website.

Processing Methods

Personal data processing refers to their collection, recording, organization, storage, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, cancellation, and destruction, or the combination of two or more of these operations, even through automated tools used to store, manage, and transmit data, using methods that ensure security and confidentiality.
Regarding security, we inform you that the database is accessible only by personnel specifically authorized by the Controller, as well as the operations described above, and that the processing of your data will be carried out with methods and tools designed to ensure confidentiality. The processing may be conducted through electronic or automated means, as well as non-automated means (paper archives), both of which have adequate security measures, as provided for by Regulation (EU) 2016/679 on Personal Data Protection, to prevent data loss, illegal or incorrect use, and unauthorized access.

Data Recipients

Entities that may become aware of personal data, to the extent strictly necessary to fulfill the purposes outlined above, are authorized personnel for processing personal data by Uvet Hotels.
For the execution of the above purposes, as well as for the fulfillment of certain functions related to corporate management, the Co-Controllers rely on external subjects and/or companies to which they transmit the necessary data, including:

• Third-party companies managing the ICT infrastructure of the Controller.
• Hotel structures, as requested within the contact request by the User.
• Uvet Group companies for activities related to the control of the organizational management system or the technological infrastructure.
  A list of the external Data Processors can be consulted at the Controller’s headquarters.

Transfer of Personal Data to Third Countries or International Organizations

The Co-Controllers do not transfer personal data to third countries or international organizations. However, Uvet Hotels ensures compliance with the appropriate guarantees provided, such as: transferring data to countries deemed adequate by the EU Commission; signing standard contractual clauses for the transfer of data outside the EU, as defined by the European Commission, to ensure secure and lawful data transfer and processing outside the EU; or another international transfer mechanism approved under applicable laws.

Links to Third-Party Websites and Use of Social Media

We invite Users to consider that the site may provide links to other sites not covered by this privacy notice, or to social media platforms leading to servers installed by individuals or organizations over which the Co-Controllers have no control. The Co-Controllers make no representation and assume no responsibility regarding the accuracy or any other aspect of the information available on these sites. A link to a third-party site should not be interpreted as validation by the Controller or by the third party of the products and services offered by others. Uvet Hotels makes no statements or warranties regarding the use or storage of user data on third-party websites.
Users are encouraged to carefully review the privacy policy governing third-party websites linked to our website to fully understand how their personal data may be used.

Data Retention

Personal data provided through this website will be retained for the period necessary to fulfill the request. Data provided for promotional purposes will be retained for a period consistent with the purpose, not exceeding 5 years from the date of the last interaction with Uvet Hotels, without prejudice to the right of the data subject to withdraw consent at any time.

Rights of the Data Subjects

Under the European Regulation, data subjects have the right to request the Controller access to their personal data (Article 15), rectification (Article 16), deletion or erasure (Article 17), limitation of processing (Article 18), data portability (Article 20), or to object to their processing (Article 21), in addition to the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant impacts on them (Article 22). If processing is based on the data subject’s consent, pursuant to Article 7, paragraph 3 of the Regulation, the data subject has the right to withdraw consent at any time.
The data subject also has the right to lodge a complaint with the supervisory authority (Article 77 of the Regulation) if they believe that the processing of their data by the Controller is not in compliance.
Requests can be made to the Controller through the following methods:

• Sending a registered letter to: Bastioni di Porta Volta 10, 20121 Milan.
• Email to: privacy@uvet.com
• Contacting the Data Protection Officer.

Data Protection Officer

Address: Bastioni di Porta Volta 10, 20121 Milan, Italy.
Phone: +39 02 818381
Email: dpo@uvet.com

Changes to This Policy

Uvet Hotels reserves the right to modify this notice as necessary.
We encourage Users to periodically check this page to stay updated on any changes.