Strada Provinciale 53 Bis 91, 71019 Vieste, Italia
  • +39 0884 707266
  • info@hotelsciali.it
cropped-ll.webp
Book Now

Privacy Policy

1. Data controller

The controller of personal data is:

VIESTEHOTEL S.R.L.
Address: Località Scialara – 71019 Vieste (FG)
VAT Number / Tax Code: 04006990719
European VAT: IT04006990719
RE: 292561
PEC viestehotel@pec.it

2. Categories of personal data processed

The Data Controller processes the following categories of personal data:

2.1 Data provided voluntarily by the data subject

  • Personal and identification data: first name, last name, date of birth, nationality, identity document (required by law for the guest card)
  • Contact details: email address, phone number, postal address
  • Reservation data: arrival and departure dates, room type, number of guests, special requests, any dietary preferences or accessibility needs
  • Payment data: credit card number, IBAN (managed through PCI-DSS certified payment processors; the Holder does not store complete card data)
  • Communications: content of emails, WhatsApp messages, or other direct contacts with the facility

2.2 Automatically Collected Data

  • Website navigation data: IP address, browser used, operating system, pages visited, visit duration, traffic source
  • Cookies and tracking technologies: please refer to the dedicated Cookie Policy available on the website's dedicated page.

2.3 Data Collected from Third Parties

  • Booking data transmitted by OTA platforms (e.g., Booking.com, Expedia, Airbnb) or travel agencies
  • Review data published on public platforms (e.g., TripAdvisor, Google)

3. Purpose of processing and legal basis

The Data Controller processes personal data for the following purposes, each based on an adequate legal basis pursuant to Art. 6 GDPR:

3.1 Reservation and Stay Management

Legal basis: performance of a contract (Article 6(1)(b) GDPR).

Processing the reservation, managing check-in and check-out, providing the requested services, and fulfilling obligations related to the stay require processing your data.

3.2 Legal requirements and regulatory obligations

Legal basis: Legal obligation (Article 6(1)(c) GDPR).

The Data Controller is required to communicate guest data to Public Security Authorities (lodging card pursuant to art. 109 TULPS), to the Revenue Agency (tax obligations), and to other competent public bodies. They are also obligated to collect the tourist tax on behalf of the Municipality of Vieste.

3.3 Payment Management

Legal basis: performance of a contract (Article 6(1)(b) GDPR).

The data necessary for processing payments is handled by certified payment processors. The Data Controller does not store complete credit card details.

3.4 Marketing communications and newsletters

Legal basis: consent of the data subject (Art. 6(1)(a) GDPR).

With prior explicit consent, the Data Controller may send promotional communications, special offers, and newsletters related to its services. Consent can be freely revoked at any time.

3.5 Structural Safety

Legal basis: Legitimate interest of the Data Controller (Art. 6(1)(f) GDPR).

The facility can be equipped with video surveillance systems in common areas for security purposes and to prevent illegal acts. Individuals are informed of the presence of cameras through appropriate signage.

3.6 Service Improvement and Statistical Analysis

Legal basis: Legitimate interest of the Data Controller (Art. 6(1)(f) GDPR).

Navigation data and aggregated information are used to improve the quality of the website and the services offered. The data are processed in aggregated and, where possible, anonymized form.

4. Data retention period

Personal data is stored for the time strictly necessary for the purposes for which it was collected, in accordance with the following criteria:

  • Data of bookings and stays: 10 years from the end of stay date (tax and accounting obligations pursuant to Presidential Decree 600/1973)
  • Lodging slips (data transmitted to the Police Headquarters): retention according to the terms provided by current public safety regulations
  • Given for marketing purposes (newsletter): until consent is revoked, and in any case no longer than 3 years from the last contact or from the date of collection
  • Video surveillance data: no longer than 30 days from recording, unless necessary for retention due to specific events (e.g., reporting to authorities).
  • Navigation data and analytics cookies: as indicated in the Cookie Policy

Once the retention period has elapsed, the data is irrevocably deleted or anonymized.

5. Recipients and categories of recipients

Personal data may be communicated or made accessible to the following categories of subjects, to the extent strictly necessary for the pursuit of the indicated purposes:

5.1 Public Authorities

  • Public Security (Police Headquarters/Precinct): for the purpose of the lodger form (legal obligation)
  • Tax Agency and other tax authorities: for tax compliance
  • Municipality of Vieste: for the tourist tax
  • Other competent authorities upon request of law

5.2 Service providers (Data processors pursuant to Article 28 GDPR)

  • Computer systems and management software providers (PMS, CRM, booking engine)
  • Payment Processors (PCI-DSS Certified Operators)
  • Online Travel Agencies (OTAs) and Channel Management Systems (Booking.com, Expedia, etc.)
  • Email marketing and newsletter service providers
  • Web analytics services (e.g., Google Analytics – with IP anonymization features where applicable)
  • Hosting and cloud service providers

All suppliers processing data on behalf of the Data Controller are bound by specific data processing agreements and guarantee adequate security measures.

5.3 Transfer to Third Countries

Some service providers (e.g., cloud platforms, international OTAs) may process data in countries outside the European Economic Area (EEA). In such cases, the transfer takes place in compliance with Articles 44-49 GDPR, through:

  • European Commission Adequacy Decisions
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other appropriate guarantees provided by applicable legislation

6. Data Subject Rights

As a data subject, you have the right to exercise, at any time, the following rights pursuant to Articles 15-22 of the GDPR:

  • Right of access (Art. 15): obtain confirmation as to whether or not personal data concerning you are being processed and, if so, obtain a copy of the personal data being processed
  • Right of rectification (Art. 16): obtain the rectification of inaccurate or incomplete personal data concerning you
  • Right to erasure / right to be forgotten (Art. 17): obtain the erasure of your personal data, unless processing is necessary to comply with legal obligations or for other legitimate reasons
  • Right to Restriction of Processing (Art. 18): Obtain restriction of processing of data in certain cases provided for by the regulations
  • Right to data portability (Art. 20): to receive personal data provided to the Controller in a structured, commonly used and automatically readable format, and transmit it to another controller, where technically feasible
  • Right to object (Art. 21): object at any time to the processing of data for direct marketing purposes or for reasons connected to your particular situation, where the processing is based on legitimate interest
  • Right to withdraw consent (Art. 7, para. 3): withdraw consent at any time, without prejudice to the lawfulness of processing based on consent prior to withdrawal
  • Right to lodge a complaint (Art. 77): lodge a complaint with the Personal Data Protection Authority (www.garanteprivacy.it) or with the supervisory authority of the EU Member State of habitual residence

To exercise their rights, the data subject may contact the Data Controller via:

  • PEC: viestehotel@pec.it
  • Contact form available on the website www.hotelsciali.it
  • Standard mail: Viestehotel S.r.l., Località Scialara – 71019 Vieste (FG)

The Data Controller will respond to requests within 30 days of receipt, extendable by an additional 60 days in cases of particular complexity.

7. Safety Measures

The Data Controller adopts technical and organizational measures appropriate to guarantee a level of security appropriate to the risk, pursuant to Article 32 of the GDPR. Among the measures adopted:

  • Access to data limited to authorized and trained personnel
  • Data transmission via HTTPS protocol (SSL/TLS encryption)
  • Periodic backup procedures and disaster recovery plans
  • Data processing agreements with all third-party vendors

Despite the measures taken, no system is impenetrable. In the event of a personal data breach that presents risks to the rights and freedoms of data subjects, the Data Controller will notify the Supervisory Authority of the incident within 72 hours and, where necessary, will directly inform the data subjects involved.

8. Cookies and Tracking Technologies

The website www.hotelsciali.it uses cookies and tracking technologies for its proper functioning and to improve user experience.

For detailed information on the types of cookies used, their purposes, the third parties involved, and how to manage and disable them, please refer to the Cookie Policy available in the dedicated section of the website.

9. Minors' Data

The website www.hotelsciali.it is not intended for individuals under 16 years of age, and the Data Controller does not knowingly collect personal data from minors through the website. Accommodation services can be booked by parents or guardians for themselves and their minor children. In such cases, the provision of minors' data is necessary to comply with legal obligations (lodging forms) and to manage the stay.

10. Changes to this Privacy Policy

The Data Controller reserves the right to modify, update, or supplement this Privacy Policy at any time, also as a result of changes in laws or jurisprudence. The modifications will be published on the website www.hotelsciali.it with an indication of the update date. Therefore, you are invited to consult this page periodically.

In the event of substantial changes affecting the rights of data subjects, the Data Controller will provide appropriate notice.

11. Contact

For any information regarding the processing of personal data or to exercise your rights as per the previous Article 6, you can contact the Data Controller:

Viestehotel S.r.l.

Scialara Area – 71019 Vieste (FG), Italy

Tel.: +39 0884 707266

PEC viestehotel@pec.it

Site www.hotelsciali.it