Updated: May 24th, 2024

The “Company”, as defined below, in its capacity as personal data controller (the “Controller”), wishes to inform you, pursuant to the applicable personal data protection laws and regulations (the “Privacy Laws"), also including Regulation (EU) 2016/679 (“GDPR”), that your data shall be processed for the purposes and in the manners detailed below.

Firstly, we inform you that, for the purposes of this Privacy Policy, the term “Company” or “Controller” shall mean Sardegna Resorts S.r.l.- società unipersonale - owner of Hotel Pitrizza (the “Hotel”), with registered office address at Arzachena, località Porto Cervo, Casa Il Ginepro, 1/a; and the term “Group” shall mean the group of holding, subsidiary, and related companies of the Company (in Italy and abroad), which, based on express intra-group agreements, are involved in the processing of data relating to the performance of fiscal, accounting, social assistance, financial, organisational, and training activities.

We assure you that the personal data under this Privacy Notice shall be processed in compliance with GDPR provisions. Your personal data shall be processed (and thus, by way of example and not limitation, collected, recorded, processed, disclosed, erased, etc.) in line with the principles of fairness, necessity, transparency, relevance, and lawfulness, and exclusively for the purposes set forth below. Your Personal Data shall be processed using methods that ensure the protection of your privacy and your rights, and the privacy of your family members where processing operations also involve their personal data.

1. Personal Data Processed, Purposes of Processing, Legal Basis, and Consequences of Denying Consent

Within the scope of the hotel accommodation contract between the guest and the Company (the “Contract”), the Company shall process the following personal data concerning you:

a) general personal data, including, name, surname, date and place of birth, residence, nationality, sex, form of ID and relative ID number for guest identification; ID place of issuance; information on the length of stay in the hotel; written signature; Taxpayer Identification Code; bank details and credit card/debit card details; contact details including e-mail address and/or phone number;; data concerning the devices used to connect to the Hotel’s wi-fi network and smart TVs, vehicle registration plates.

The processing of the above data is necessary for

• purposes related and/or instrumental to the Company's compliance with the obligation to record and convey to the Police authorities the personal details of the Hotel's guests. The legal basis for processing is compliance with a legal obligation to which the Company is subject (Article 6 (1)(c) of the GDPR) and performance of the contract between the Company and the guest and/or taking steps prior to entering into a contract (art. 6 (1)(b) of the GDPR).
• purposes related and/or instrumental to the Company's compliance with administrative, accounting, and tax obligations The legal basis for processing is compliance with the legal obligation to which the Company is subject (Article 6 (1)(c) of the GDPR).
• purposes related and/or instrumental to the proper formalisation and performance of the Contract. The legal basis for processing is the Company’s performance of the contract in place with you or taking steps prior to entering into a contract (Article 6 (1)(b) of the GDPR).
• purposes related and/or instrumental to the handling of litigation, insurance documentation in the event of claims, and the exercise of the Company's or third-party rights in legal proceedings. The legal basis for processing is the legitimate interest of the Company (Article 6 (1)(f) of the GDPR).

• marketing purposes. Some of the data we collect, and namely name and surname, residence address and other contact details may also be processed to send information and/or promotional material regarding the services offered by the Company, including giveaways and birthday wishes. The legal basis for processing is your freely-given consent (Article 6 (1)(a) of the GDPR). Your refusal to give consent for the above purposes will not preclude the provision of the services requested.

b) the data as per letter a) and the data concerning your preferences, in connection to your utilisation of the services within the Hotel may be retained by the Company in order to offer you a personalised experience in the event you should use the services provided within the Hotel in the future. The legal basis for processing is your freely-given consent (Article 6 (1)(a) of the GDPR). Should you choose not to provide your data or refuse your consent to their retention for the above purposes, this will not preclude you from staying in the Hotel; however, it may prevent you from using some of the services or benefits connected to the performance of the Contract.

c) CCTV images. Our CCTV automatically captures the images of anyone who is present in the areas subject to video surveillance - as expressly identified by the signs and window decals placed in all relevant areas.

The above data shall be processed without your consent on the basis of the legitimate interest of the Company (Article 6 (1)(f) of Regulation EU  2016/6796) to ensure (i) the safety of the individuals who are present within the perimeter of the business, and (ii) the safety and surveillance of the Company's and of third-party assets. More information is available at the Hotel reception.

d) special categories of data. Generally, the Company does not ask its guests to provide any special categories of data. However, in connection to specific requests and/or activities or for the purpose of taking special care of your needs or preferences, it may be necessary for the Company to process some of your data which may be liable of revealing information concerning your health and/or the health of your family members (data regarding allergies or food intolerances, etc.). The legal basis for processing is your freely-given consent (Article 6 (1)(a) of the GDPR). Should you choose not to provide your data or refuse your consent for the above purposes, this will not preclude you from staying in the Hotel; however, it may prevent you from using some of the services or benefits connected to the performance of the Contract.

2. Communication of Personal Data to Third Parties

Where you expressly give your consent, the data as per paragraph 1 shall be communicated by the Controller to LVMH (as defined below in article 5), with registered office address at 24-32 rue Jean Goujon, 75008 Paris, who, in its capacity as independent data controller, shall process the above data for its own purposes, with the aim of providing you with personalised services in the event that you should use the services offered by other Cheval Blanc hotels in the future  (“LVMH Purposes “). For more details on the LVMH Purposes and the manners in which LVMH shall process your personal data in its capacity as independent data controller, please see LVMH's Privacy Policy, available at: https://www.chevalblanc.com/en/privacy-policy/.

The above data will be communicated to LVMH exclusively with your express consent. The provision of personal data required for the pursuit of the above purposes is optional, and your refusal to give such consent shall not preclude you from using the services you may request from the Company.

3. Data Sources

Generally, the Company collects the above personal data directly from its guests. However, your personal data may also be collected from other sources, including:

• OTA (Online Travel Agency) such as booking.com, expedia.com, trivago.com, etc;
• Traditional travel agencies or tour operators;
• Entities, businesses, or private parties who organise events or stay in the Hotel.

4. Method Used for Data Processing

Personal Data shall be processed by using manual, computer, and telecommunication tools that apply criteria that are closely related to the above indicated purposes, and in any case in such a way as to ensure the security and confidentiality of the data.

In the performance of processing activities, the Company undertakes to

• ensure the accuracy and updating of the data processed, and promptly rectify and/or complete incomplete data as requested by the data subject concerned;
• notify the data subject concerned, within the time-frames and in the cases set out under mandatory laws or regulations, of any personal data breaches;
• ensure that processing operations comply with the applicable provisions of law.
• the Company furthermore processes the personal data it acquires in full compliance with the principles of fairness, lawfulness, and transparency. In compliance with GDPR provisions, the Company configures, or in any case undertakes to configure, its computer systems and computer programmes so as to reduce the use of personal data to a minimum, by using, respectively, anonymous data or appropriate methods that allow for the identification of data subjects exclusively when strictly necessary.

VI. Will your data be transferred outside the European Economic Area?

The persons to whom we transfer your data may be located in a foreign country, including outside the European Economic Area. Any of your data transferred to countries outside the European Economic Area are transferred subject to appropriate safeguards, including contractual safeguards and our Binding Corporate Rules (BCR) in relation to job applicants’ personal data, in accordance with applicable data protection regulations.

You may obtain a copy of the appropriate safeguards by contacting LVMH HM by post at 24- 32 Rue Jean Goujon, 75008 Paris, France or by e-mail at: dataprivacy@chevalblanc.com.

5. Categories of Parties to whom the Data may be Communicated

Without prejudice to the communication of data carried out in compliance with legal obligations and under the Contract, your personal data may be made accessible to

• members of staff of the Company who carry out, under the authority of the Company, operational tasks (including reception and greeting, floor or room services, restaurant services, etc.), or administration and technical tasks (including legal advisory, IT assistance, administrative services), and business support and supervisory tasks.
• third-parties and companies (including, for example, suppliers of goods or services) who carry out on behalf of the Company specific operations entailing the processing of your Personal Data.
• we also inform you that, at present, the Company has an agreement in place with LVMH Hotel Management SAS (hereinafter, “LVMH”), under which agreement LVMH is tasked with the supervision of Hotel Pitrizza’s management.  In performance of said agreement and within the scope of the tasks entrusted to LVMH, LVMH may have access to your personal Data as the Company’s data processor.

In the performance of its activities, the Company also uses the services of, and communicates your personal data (excluding special categories of data) to the following parties, who act in the capacity as independent data controllers:

• public entities including law enforcement authorities (i.e. relevant police headquarters), or revenues Agency;
• carriers and/or suppliers of goods and services, external to the Company, and requested by you;
• banking and credit institutions;
• insurance companies with whom the Company has entered into insurance policies, in the event of accidents within the Company's premises;
• tour operators and travel agencies.

6. Transfer of Data Abroad

It is understood that any transfer of data to third parties shall be exclusively for the purposes indicated in this Privacy Policy, and that, should any transfer of data become necessary on account of newly arising requirements, any transfer of data to Countries outside the European Economic Area may take place exclusively under the terms and guarantees set out under Articles 44-49 of the GDPR.

7. Data Retention Policy

Your personal data shall be retained and processed by the Company, based on the specific purposes of processing, for a period not exceeding (“Retention Period”) 

• 10 (ten) years (i.e. standard retention period), as to the personal data required to comply any legal and tax obligations in connection to or arising from the conclusion of the contract to which the data subject is a party;
• 24 (twenty-four) months, as to consumer preferences.

At the end of the Retention Period, your Personal Data shall be erased or anonymised, unless there are additional legitimate interests of the Company and/or obligations of law requiring, subject to minimisation, the retention of said data.

8. Rights of Data Subjects

Please note that you may, at any time, exercise the rights under Articles 15-23 of the GDPR, including:

a) Right of access: the right to obtain from the Controller confirmation that the processing of personal data is taking place, and in such case obtain access to the personal data and to additional data regarding the origin, purposes, and categories of the data processed, on the recipients of data disclosures and/or data transfers, etc.

b) Right to rectification: the right to obtain from the Controller the rectification of any inaccurate personal data regarding them, without undue delay, and to have incomplete data completed, including by means of providing a supplementary statement.

c) Right of erasure: the right to obtain from the Controller the erasure of personal data without unjustified delay in the event in which

• the personal data are no longer necessary for the purposes of the processing;
• the consent on which the processing is based is withdrawn and there is no other legal basis for their processing;
• the personal data have been unlawfully processed;
• the personal data must be erased to comply with a legal obligation.

d) Right to object processing: the right to object, at any time, to the processing of personal data which legal basis for processing is the legitimate interest of the Controller.

e) Right to restrict processing: the right to obtain from the Controller the restriction of processing in the cases in which the accuracy of personal data is contested (for the period necessary to the controller to verify the correctness of said personal data), if the processing is unlawful and/or if the data subject has objected to processing.

f)  Right to data portability: the right to receive the personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, only in the cases when processing is based on consent and only when the processing is carried out by automated means.

g) Right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her is in violation of GDPR provisions.

Where processing is based on consent, you shall also have the right to withdraw your consent at any time, it being understood that such withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to said withdrawal.

9. Data Protection Officer (DPO)

The Data Protection Officer is Data Protection Advisory S.r.l. (VAT Number 09722709962), with address for service at the registered office of the Company, and may be contacted via email to dpo@dp-advisory.eu.

Please Note: You may withdraw your consent to the processing of your personal data at any time, by sending an email to such effect to privacy@smeraldaholding.com

However, withdrawal of any previously given consent shall not affect the lawfulness of processing based on consent before its withdrawal.