+39 373 852408
Legal

Privacy Policy

Pursuant to articles 13 and 14 of EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003, as amended.

1. Introduction

This notice describes how Le 5 Terre La Spezia di RO.VI. S.R.L. (the "Controller") collects and processes the personal data of users who visit the le5terrelaspezia.it website, book a stay or request information. It applies to all data collected via the website, contact forms and the communication channels operated by the Controller.

2. Data Controller

Le 5 Terre La Spezia di RO.VI. S.R.L.
Registered office: Via Sabotino, 10 — 19121 La Spezia (SP), Italy
Email: info@le5terrelaspezia.it
Phone: +39 373 852408

The Controller is not required to appoint a Data Protection Officer under Article 37 GDPR. For any privacy enquiry please write to the email address above.

3. Categories of personal data processed

Depending on how the user interacts with the website, the Controller may process the following categories of data:

  • Contact data: name, surname, email address, phone number, voluntarily provided through contact forms or booking enquiries.
  • Stay-related data: arrival and departure dates, number of guests, preferences, special requirements.
  • Payment data: handled directly by the external booking engine (Octorate) or by the banking circuit; the Controller does not store credit-card details.
  • Browsing data: IP address, browser and operating system, pages visited, date and time of access, referrer, automatically collected by IT systems and cookies (see Cookie Policy).
  • Communication data: content of messages sent via email, telephone or WhatsApp.

4. Purposes and legal bases

  • Handling enquiries and bookings — legal basis: performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR).
  • Accounting, tax and administrative obligations — legal basis: legal obligation (Art. 6(1)(c) GDPR).
  • Site security and prevention of abuse — legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Technical and functional cookies — legal basis: legitimate interest of the Controller in the operation of the site (Art. 6(1)(f) GDPR).
  • Statistics, marketing cookies and any promotional communications — legal basis: the data subject's consent (Art. 6(1)(a) GDPR), freely revocable at any time.

5. Processing methods

Data is processed by electronic means and, to a limited extent, manually, in compliance with the principles of lawfulness, fairness, relevance and minimisation (Art. 5 GDPR). Adequate technical and organisational measures are adopted to safeguard the data and to prevent loss, unauthorised access or unlawful use, including encrypted communications (HTTPS/TLS), access controls and backup procedures.

6. Data retention

Personal data is kept for the time strictly necessary to fulfil the purposes for which it was collected:

  • Booking and enquiry data: for the entire duration of the relationship and for the following 10 years to comply with tax obligations (Art. 2220 of the Italian Civil Code).
  • General contact data: for the time strictly required to handle the enquiry and up to 24 months thereafter, unless otherwise consented.
  • Browsing data and statistical cookies: as described in the Cookie Policy.
  • Marketing communications: until consent is withdrawn.

7. Recipients of the data

Data may be disclosed to the following recipients, strictly within the limits required by the purposes above:

  • Authorised staff of the Controller (front office, administration), specifically instructed.
  • External technical service providers appointed as Processors under Article 28 GDPR (hosting, maintenance, hotel management software).
  • Octorate — external booking engine (independent controller for the technical management of the transaction).
  • Google Ireland Limited — Google Tag Manager, Google Maps and Google Fonts services; further Google services may be activated only after consent.
  • Judicial, public-security and other public authorities, in the cases provided for by law.

Data is not disseminated nor sold to third parties for autonomous marketing purposes without the explicit consent of the data subject.

8. Transfers outside the EU

Some third-party services integrated in the site (in particular Google services) may involve the transfer of personal data to non-EU countries, primarily the United States of America. Such transfers take place on the basis of the EU-U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023) or, alternatively, of Standard Contractual Clauses (SCC) adopted by the European Commission pursuant to Article 46 GDPR.

9. Data subject rights

The data subject may exercise at any time the rights provided for by Articles 15-22 GDPR:

  • Access to personal data (Art. 15);
  • Rectification of inaccurate or incomplete data (Art. 16);
  • Erasure ("right to be forgotten", Art. 17);
  • Restriction of processing (Art. 18);
  • Data portability (Art. 20);
  • Objection to processing (Art. 21), in particular for direct-marketing purposes;
  • Withdrawal of consent at any time (Art. 7(3)), without affecting the lawfulness of processing carried out before withdrawal;
  • The right not to be subject to automated decisions, including profiling, producing significant legal effects (Art. 22).

Requests must be sent in writing to info@le5terrelaspezia.it. The Controller will respond within 30 days of receipt of the request (extendable by a further 60 days where particularly complex, Art. 12(3) GDPR).

10. Complaints to the supervisory authority

Any data subject who believes that the processing of their data does not comply with the GDPR has the right to lodge a complaint with the Italian Garante per la Protezione dei Dati Personali (Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it) or with the supervisory authority of their EU country of residence, pursuant to Article 77 GDPR.

11. Provision of data and consequences of refusal

Providing the data requested in the website forms is optional but necessary to receive the requested services (e.g. response to an enquiry or management of a booking). Failure to provide it makes it impossible to fulfil the user's request.

12. Automated decision-making and profiling

The Controller does not carry out any automated decision-making, including profiling, that produces legal or significant effects on the data subject within the meaning of Article 22 GDPR.

13. Changes to this notice

This notice may be updated at any time to reflect regulatory, technical or organisational changes. The current version is always published on this page with the latest update date.

Last updated: