Date: May 2018
1. Names and contact details of the controller and the company’s data protection officer
The controller for the processing of your data on the website https://www.mgallery-hotel-florence.com (“website”) is
FC Operations Hotel SRL
Via de’ Cerretani, 10
T: +39 055 064 3811
F: +39 055 238 1312
For more information on the controller, please refer to the legal notice.
You can contact our data protection officer at the following address:
Crusader Investments B.V.
Data Protection Officer
or by sending an email to: email@example.com.
2. Data processed when our website is visited
When our website is used for information purposes only, thus when you do not register or otherwise provide us with information, we process only the personal data that your browser transmits to our server. When you visit our website, we collect the following data that are technically necessary to display our website to you and to ensure the site’s stability and security (the legal basis is Article 6 (1) f) GDPR):
• IP address
• Date and time of visit
• Time zone difference to Greenwich Mean Time (GMT)
• Content of request (specific site)
• Access status/HTTP status code
• The amount of data transferred in each case
• Website from which the request is made
• Operating system and its interface
• Language and version of browser software
We store this information, but without your IP address, in log files and erase it after 338 days for security reasons. The data in the log files are stored separately from your other data. The data are stored for a longer period only in individual cases (e.g. in the event of a suspicion of misuse or fraud). In such cases, the respective log files are stored until the matter has been investigated and any subsequent necessary measures have been completed.
4. Use of web analytics services/tracking
When you visit our website, we collect and process data automatically in order to understand the behaviour of visitors to our website so that we are able to optimise our website and tailor it to the visitors’ interests. The legal basis for the processing of your data is Article 6 (1) f) GDPR. We have a legitimate interest in carrying out web analyses on a pseudonymous basis in order to better understand our users, to optimise our website and to determine whether our internet advertising achieves the desired results.
A detailed description of the services we use and on how your personal data are processed can be found in the following relevant descriptions of the services. You can object to the use of these services by way of an opt-out. Please note, however, that you may then not be able to use all of the functions of our website.
We use the following web analysis services on our website:
5. Use of marketing services/targeting
We collect and process data on our website so that we can display suitable advertising on this website and other websites (re-marketing/re-targeting) to you and measure the success of our advertising activities. In doing this, we cooperate with other providers that help us, in particular, to track whether the users find their way to us via certain advertising measures (conversion tracking). In this context, pseudonymous user profiles are also produced. Your consent is obtained in order to allow us to collect and process your data in such way. You may withdraw your consent given in this way at any time with effect for the future. Please note, however, that if you refuse or withdraw your consent you may not be able to use all of the functions of our website. You can object to the use of these services by way of an opt-out. Please note, however, that you may then not be able to use all of the functions of our website.
Facebook Custom Audience
6. Information on the use of social plug-ins
We use “social plug-ins” from different social networks (“plug-in providers”) on our website. A social network is a social meeting place on the Internet that enables users to communicate with one another and to interact in cyberspace. The legal basis for the processing of your data is Article 6 (1) f) GDPR. We have an interest in making it possible to provide you with the most convenient and best optimised offer on our website by way of the incorporation of social plug-ins and the possible analyses that these make possible and to operate this website commercially. The social plug-ins on our website are usually deactivated on our website to the extent this is technically possible. The social plug-ins therefore do not transmit any data to the respective social plug-in provider without any action on your part. You cannot use the social plug-ins until you activate them by clicking on the buttons. After they are activated, a direct connection is established via your internet browser to the system of the respective social plug-in. The content of the social plug-in is then transmitted directly to your browser and incorporated directly in our website. At the same time, the social plug-in transfers to the respective social plug-in provider the information that you have called up the relevant page of our website. This applies regardless of whether you have a profile with the social plug-in provider or have logged in or subsequently use a social plug-in actively (e.g. by clicking on the “Like” button or by posting a comment). When a social plug-in is used actively, the relevant information is transmitted from your internet browser directly to the respective social plug-in provider and stored there. If you are at the same time logged in at one of the social plug-in providers, that provider can link your visit to our website to your account there. In exceptional cases, a direct connection is established to the systems of the social plug-in provider when you call up a page of our website that contains such a social plug-in. The content of the social plug-in is then transmitted by the respective social plug-in provider directly to your internet browser and integrated directly into our website. At the same time, the social plug-ins transfer to the respective social plug-in provider the information that you have called up the relevant page of our website. This applies regardless of whether you have a profile with the social plug-in provider or have logged in at the social plug-in provider or have used a social plug-in actively (e.g. by clicking on the “Like” button or by posting a comment). When a social plug-in is used actively, the relevant information is transmitted from your internet browser directly to the respective social plug-in provider and stored there. If you are at the same time logged in at one of the social plug-in providers, this provider can link your visit to our website to your account there. We have no influence on the type and scope of the collected and transmitted data. You can find details regarding the scope and purpose of the collection, processing and use of data in the data privacy notices provided by the social plug-in providers. Your rights and settings options regarding the protection of you privacy are also detailed there.
If you do not want the social plug-in providers to link the data collected about your visit to our website to your account, please log out from the social plug-in provider before visiting our website.
We have no influence on the type and scope of the collected and transmitted data. You can find details regarding the scope and purpose of the collection, processing and use of data in the data privacy notices provided by the social plug-in providers. Your rights and settings options regarding the protection of you privacy are also detailed there. If you do not want a social plug-in provider to link the data collected about your visit to our website to your account, please log out from the respective social plug-in provider before activating the social plug-in. If you do not want the social plug-in provider to receive, store and use any data at all, please do not use or click on the respective social plug-in.
We use the following social plug-ins:
The social plug-ins of the social network Facebook are operated by Facebook Inc., 1601 S. California Ave., Palo Alto, CA 94304, USA (www.facebook.com), and Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland (www.facebook.de) (“Facebook”). You can find an overview of Facebook’s plug-ins here: http://developers.facebook.com/docs/plugins; you can find information on data protection at Facebook here: https://www.facebook.com/policy.php. If data are processed outside the EEA where the level of data protection does not correspond to the European level of data protection, the processing is based on the EU-US Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC. If you wish to object to data collection by Facebook in the future, you can do so here: https://www.facebook.com/settings?tab=ads.
The social plug-ins of Twitter are operated by Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA (“Twitter”). You can find an overview of Twitter’s plug-ins here: https://twitter.com/about/resources/buttons; you can find information on data protection at Twitter here: https://twitter.com/privacy. If data are processed outside the EEA where the level of data protection does not correspond to the European level of data protection, the processing is based on the EU-US Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO. If you wish to object to data collection by Twitter in the future, you can set an “opt-out cookie” here: https://twitter.com/personalization.
7. Integration of third-party content
8. Google reCAPTCHA
We use Google’s reCAPTCHA service, which protects our website against spam and misuse. The service prevents automatic software (also known as bots) from carrying out abusive activities on our website, meaning that it checks whether the input provided is in fact typed in by a human being. In doing this, Google collects the following data:
• Referrer (the address of the page on which the captcha is used)
• The user’s IP address
• Google account (if the user is logged in to his Google account, this is recognised and linked)
• The user’s input behaviour (e.g. speed with which the user fills in the boxes of the form, order in which the user selects the text boxes) is used to improve Google’s recognition of patterns.
• Browser, browser size and resolution, browser plug-ins, date, language settings
• The website’s document presentation instructions (CSS) and scripts (Java script)
• Mouse and touch events on the website
9. Email and contact form
The personal data relating to general enquires sent to us by email or via the contact form are stored only for the purpose of the relevant correspondence. The data we receive are stored only for the period of time required for the relevant correspondence. The legal basis for the processing of your data in connection with general enquiries is Article 6 (1) f) GDPR. We have a legitimate interest in processing your data in order to ensure that you can contact us quickly and that your enquiry is processed in accordance with your interests. If you send us specific enquires regarding your booking or our offers by email or via the contact form, the relevant personal data are processed only for the purpose of initiating the contract or implementing your booking. The legal basis for this processing is Article 6 (1) b) GDPR.
If you book a room through us, we will collect the following personal data:
• selected hotel
• period booked
• number of rooms
• number of persons (adults and children)
• selected additional package
• selected rate / selected special offer
• first and last names
• email address
• telephone number
• credit card details
• arrival information
• room and bed type and/or other preferences
We will use this data to process your booking and to conclude and fulfill the contract with you. This includes confirming your identity, receiving a payment guarantee and/or payment information and sending marketing messages or notices concerning your stay.
We take the protection of your personal data very seriously and therefore reduced the number of required fields to a minimum.
We will save this personal data for 10 years in accordance with legal storage obligations. If you make a booking through our website, you will automatically be forwarded to our reservation service provider during the booking process. This is where your personal data will be processed for contract performance purposes. The legal basis for processing your reservation data is Art. 6(1) Letters b & f of the General Data Protection Regulation. We have a legitimate interest in binding our customers and in improving customer satisfaction.
10. Data processing for advertising purposes
Sending out newsletters
We use your email address for advertising and marketing purposes in the context of our newsletter if you have consented to this. Your consent is obtained in accordance with statutory provisions exclusively via the double opt-in procedure. Therefore, you will not receive our newsletter before clicking on the confirmation link that is sent to you by email at your request. You may withdraw your consent given in this way at any time with effect for the future. Clicking on the unsubscribe link is sufficient for this.
We will send you emails including product recommendations. You will receive these product recommendations regardless of whether you have subscribed to a newsletter if you consent to receiving product recommendations by ticking the relevant check box during the booking process. You may withdraw your consent given in this way at any time with effect for the future. Clicking on the unsubscribe link is sufficient for this.
11. Data transfer to third parties and across international borders
We are a part of EVENT Hotels. As a worldwide operating group of companies, EVENT Hotels intends to provide services in Sweden, for example, that are as excellent as the services provided in Paris. In order to achieve this goal, we have established a global network of branches, data processing centres, trustworthy marketing partners, service providers, customer service centres and highly qualified employees across the world. Your data, including your personal data, are therefore forwarded in compliance with statutory requirements to other group companies, branches, sites, data processing centres or service providers that may not be based in your home country. For this purpose, either we conclude corresponding agreements regarding the processing of data on behalf of the controller pursuant to Article 28 GDPR or the data are processed for the purpose of performing or initiating the contract (the legal basis for this is Article 6 (1) b) GDPR).
As a member of EVENT Hotels, our company is committed to the high standards of EVENT Hotels. In particular, we implement the technical and organisational measures required pursuant to Article 32 GDPR in order to protect your personal data administered by us against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. Our security measures are continually improved in accordance with technological developments. Only few authorised persons and persons subject to special data protection obligations who generally deal with data in technical or editorial terms have administrative access to the data. Otherwise, data protection for employees in our company is strictly separated according to the respective functional areas.
13. Your rights
Withdrawal of consent
You may withdraw your consent to the processing of your data at any time with effect for the future. This does not affect the legitimacy of the processing of your personal data prior to the date of withdrawal.
Right to object
Your other rights
You have the following rights with respect to your personal data:
• Right of access (Articles 15 (1) and 15 (2) GDPR)
• Right to rectification (Article 16 (1) GDPR)
• Right to erasure (Article 17 GDPR)
• Right to restriction of processing (Article 18 GDPR)
• Right to object to the processing (Article 21 GDPR)
• Right to data portability (Article 20 GDPR)
To assert your rights, please contact our data protection officer at the address provided above.
14. Right to lodge a complaint with the supervisory authority
You also have the right to lodge a complaint with the supervisory authority regarding our processing of your personal data.