Adults

Rooms

Children

Privacy policy

PRIVACY POLICY
Information notices pursuant to Art. 13 of the Regulation (EU) 2016/679 (“GDPR”)

WHY THIS INFORMATION
Pursuant to Regulation (EU) 2016/679 (hereinafter “GDPR”), this page describes the methods for processing personal data. This is an information notice that is provided pursuant to art. 13 GDPR. The information notice is not to be considered valid for other third party websites, possibly accessible through links on this website, for which no responsibility is assumed by the Data Controller.

Processed personal data

Personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (C26, C27, C30 GDPR). 

Data of contractors / users.

Browsing data: during their ordinary course of operation, the IT systems and software procedures required to run this website acquire certain personal data, whose transmission is implicit in the use of Internet communication protocols. This data category includes IP addresses or domain names of computers used by the users who visit the site, as well as the URI addresses (Uniform Resource Identifier) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file received in reply, the numerical code indicating the status of the reply from the server (done, error, etc.) and other parameters related to the operating system and the IT environment of the user. 

Data provided voluntarily by the user: the optional, explicit and voluntary sending of messages to the contact addresses indicated on this website and / or the compilation of data collection forms entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data inserted.

Information about the processing of personal data carried out through Social Media platforms

Regarding the processing of personal data carried out by the managers of the Social Media platforms used by the Data Controller, please refer to the information notice provided by them through their respective privacy policies. The Data Controller processes the personal data provided by users through the pages of the dedicated Social Media platforms, to manage interactions with users (comments, public posts, etc.) and in compliance with current legislation.

Specific information notice

Specific information notice may be present on the websites pages in relation to particular services or processing of the data provided.

Cookies and other tracking systems. What are? What are they for?

For Cookies and other tracking systems, please see the cookie policy in the footer of the website.

1. WHO IS THE DATA CONTROLLER? HOW TO CONTACT?
The Data Controller is Villa d’Este S.p.A., with registered office in Via Regina 40, 22012 Cernobbio (CO), in the person of its Legal Representative, who you can contact for any information by phone +39 0313481, e-mail privacy@villadeste.it.

2. PURPOSES, LEGAL BASIS, DATA RETENTION, NATURE OF DATA PROVISION
PURPOSES:
Browsing the website.

The data necessary for the use of web services are also processed in order to:
obtain statistical information on the use of services (most visited pages, number of visitors by time or day, geographical areas of origin, etc.);
check the correct functioning of the services offered.
The data will be used to ascertain responsibility in the event of hypothetical IT crimes against the site.

LEGAL BASIS:
The processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject who require the protection of personal data do not prevail, taking into account the reasonable expectations of the interested party and the activities strictly necessary for the functioning of the site and navigation itself.
(Art. 6, par. 1, lett. f) and C47 of the GDPR)

DATA RETENTION:
The retention of the browsing data will be up to the duration of the navigation session and, in any case, they will not persist for more than seven days (except for any need to ascertain crimes by the judicial authorities).

NATURE OF DATA PROVISION:
The provision of data is necessary for browsing the website.

PURPOSES:
Use of cookies and similar technologies.
See the cookie policy in the website footer.

LEGAL BASIS:
For the non-technical cookies and similar technologies, the processing is based on the consent to the processing of personal data (Art. 6, par. 1, lett. a) and C42, C43 of the GDPR).
The consent is given through the banner and the cookie policy of the website.

DATA RETENTION:
See the cookie policy in the website footer.

NATURE OF DATA PROVISION:
See the cookie policy in the website footer.

In addition to browsing, personal data will be processed for:

PURPOSES:
A) CONTACTS, sending contact requests, information.

LEGAL BASIS:;
The processing is necessary for the execution of a contract of which the data subject is a party or for the execution of pre-contractual measures adopted at the request of the same.
(Art. 6, par. 1, lett. b) and C44 of the GDPR)

DATA RETENTION:
Maximum 12 months.

NATURE OF DATA PROVISION:
The data provision is necessary.
Failure to provide the necessary data will make it impossible to be contacted and receive information.

PURPOSES:
B) DIRECT MARKETING, for sending advertising or direct sales material or for carrying out market research, satisfaction or commercial and promotional communication, newsletters, by automated means (e-mail, SMS) and traditional means (telephone and paper mail).
The Data Controller to compare and possibly improve the results of automated communications, uses systems with reports. Thanks to the reports, the Data Controller will be able to know, for example: the number of readers, openings, unique “clickers” and “clicks”; the devices and operating systems used to read the communication; details of the activity of individual users; the details of the e-mails sent, e-mails delivered and not, of those forwarded; All these data are used for the purpose of comparing, and possibly improving, the results of communications.

LEGL BASIS:
The processing is based on consent to the processing of personal data (C42, C43)
(art. 6 par. 1 letter a) of the GDPR

DATA RETENTION:
Until consent is revoked
(or opt-out)

NATURE OF DATA PROVISION:
The data provision is optional.
Failure to provide the necessary data will make it impossible to receive direct marketing communications

PURPOSES:
C) COMMUNICATION OF YOUR DATA TO “THE LEADING HOTELS OF THE WORLD” for marketing purposes in order to be able to send you satisfaction questionnaires

LEGAL BASIS:
The processing is based on consent to the processing of personal data; (C42, C43) art. 6 par. 1 letter a) of the GDPR

DATA RETENTION:
Until consent is revoked.Please also refer to the information for the processing of personal data of third party Independent data controllers

NATURE OF DATA PROVISION:
The data provision is optional.
Failure to provide the necessary data will make it impossible to communicate the data to third parties for their purposes

PURPOSES:
D) MANAGEMENT OF YOUR REQUESTS and requests from other data subject, pursuant to art. 15 ss of the GDPR (rights of the data subject).

LEGAL BASIS:
The processing is necessary to fulfill a legal obligation to which the data controller is subject.
(Art. 6, par. 1, lett. c) and C45 of the GDPR)

DATA RETENTION:
5 years from the closing of the request, except for disputes.

NATURE OF DATA PROVISION:
The data provision is mandatory, as it is essential to execute legal obligations.

PURPOSES:
E) SELECTION OF STAFF IN THE “CANDIDATES” AREA to apply for personnel selection, carrying out the research and selection of personnel for the purpose of the possible establishment of an employment relationship, also for any positions different from those for which the interested party has applied spontaneously; retention of personal data also for future selections; management of applications in response to job vacancies published on our website; interviews and any video-interviews (data processing including image / audio).
See specific information in the dedicated area.

LEGAL BASIS:
The processing is necessary for the execution of a contract of which the data subject is a party or for the execution of pre-contractual measures adopted at the request of the same.
(Art. 6, par. 1, lett. b) and C44 of the GDPR)

DATA RETENTION:
Maximum 24 months.
In principle, the data collected during the recruitment process will be deleted as soon as it becomes apparent that no job offer will be made or that the offer will not be accepted by the candidate.

NATURE OF DATA PROVISION:
The data provision is necessary.
Failure to provide the necessary data will make it impossible to apply.

PURPOSES:
F) ORGANIZATIONAL, ADMINISTRATIVE, FINANCIAL AND ACCOUNTING ACTIVITIES AND CUSTOMER / USER DATA MANAGEMENT.

LEGAL BASIS:
The processing is necessary for the execution of a contract of which the interested party is a party (C44) or for the fulfillment of legal obligations (C45).   art. 6 par. 1 lett. b) and c) of the GDPR

DATA RETENTION:
10 years or different legal obligation

NATURE OF DATA PROVISION:
The provision of personal data is mandatory, as it is essential to be able to execute legal obligations.

3. WHO WILL THE PERSONAL DATA BE DISCLOSED? PERSONAL DATA RECIPIENTS
The personal data provided, also based on the purposes envisaged in specific areas, will be communicated to recipients, who will process the data as processors (Article 28 of the GDPR), as persons acting under the authority of the Controller and Processor (Article 29 of the GDPR) or autonomous Data Controllers, for the purposes listed above. Precisely, the data will be communicated to:

subjects that provide services for the management of the information system and telecommunications networks used by the Data Controller (including e-mail, the web platform, sending newsletters);
studies or companies in the context of assistance and consultancy relationships;
competent authorities for the fulfillment of legal obligations and / or provisions of public bodies, upon request;
by “candidates” area, to subjects for the management of selection activities;

The list of Data Processors is available by writing to privacy@villadeste.it or at the other addresses indicated above.

4. WILL THE DATA BE TRANSFERRED TO NON-EEA COUNTRIES?
Personal data will not be transferred to non-EEA countries.

5. IS THERE AN AUTOMATED PROCESS?
Personal data will be processed in a traditional manual, electronic and automated manner. Fully automated decision-making processes are not carried out.

6. WHAT ARE YOUR DATA SUBJECT’S RIGHTS?
You may exercise your rights pursuant to article 15 et seq. of the GDPR, contacting the Data Controller at privacy@villadeste.it.In particular, you have the right, at any time, to request the Data Controller to access your personal data (art. 15), to amend (art. 16), to delete your data (art. 17) or limit their processing (art. 18). The Data Controller informs (art. 19) each of the recipients to whom the personal data have been transmitted any corrections or cancellations or limitations of the processing carried out. The Data Controller informs the Data Subject of these recipients under request. In the cases provided for, you have the right to the portability of your data (art. 20) and in this case they will be provided to you in a structured format, commonly used and readable, by an automatic device. You have the right to object (art.21), at any time, to the processing of data based on legitimate interest, and in cases where the legal basis is consent, you have the right to revoke the consent given without prejudice to the lawfulness of the processing based on consent before revocation.

To stop receiving automated direct marketing communications (e-mail, SMS messages, instant messaging) please write an e-mail to privacy@villadeste.it with the subject “unsubscribe from automated” or use our automatic cancellation systems provided for e-mails only (opt-out).

To stop receiving traditional direct marketing communications (telephone calls with operator and paper mail) write an e-mail to the privacy@villadeste.it address with the subject “cancellation from traditional”.  

To stop receiving any marketing communications, write an e-mail to privacy@villadeste.it with the subject “marketing cancellation”.  

You can revoke your consent to profiling (not automated) by writing an e-mail to privacy@villadeste.it with the subject “no profiling”.

In the event that you believe that the processing of personal data carried out by the Data Controller is in violation of the provisions of Regulation (EU) 2016/679, you have the right to lodge a complaint to the Supervisory Authority or to appeal the judge, in particular in the Member State in which you usually reside or work or in the place where the alleged violation of the regulation occurred (Privacy Authority https://www.garanteprivacy.it/), or to take the appropriate judicial bodies.

7. CHANGES TO THIS PRIVACY POLICY
The Data Controller reserves the right to amend, update, supplement or remove parts of this Privacy Policy. For your convenience, when we post changes, we will revise the “last update” date of the Privacy Policy.

Last Update: 19/04/2023

Everything you were looking for

Easter at Villa La Massa

Experience the authentic Tuscan hospitality and the traditional Easter celebrations with our Easter luncheon.

Early Bird

Book our Early Bird promotion to secure a 15% discount!

Stay for Longer

Unwind at the beautiful Villa La Massa and enjoy an extra night of indulgence on us.

VILLA LA MASSA EXCELLENCE

“Villa La Massa Excellence” is a prestigious three-day event dedicated to vintage car enthusiasts.

Suite Retreat

A romantic 2-night getaway in the “cradle of the Renaissance”!