Privacy Notice

 

Art. 13 of EU Regulation 2016/679

 

Pursuant to Article 13 of EU Regulation 2016/679, the “General Data Protection Regulation” (hereinafter “Regulation” or “GDPR”), IBH RIPA S.r.l. (hereinafter “Company”), with registered office and operating headquarters at Via degli Orti di Trastevere, 3 – 00156 Rome, at Hotel Ripa Roma, as Data Controller, is required to provide information regarding the processing of personal data carried out both within the domain https://www.hotelriparoma.com and through electronic means or at the hotel premises.

The definitions of the terms used and the data subject’s rights are set out in full at the end of this notice.

 

Why this Privacy Notice is provided

 

Providing information on data processing is both a legal obligation and an act of transparency. Specifically:

  1. Legal compliance: It is required by the GDPR and other applicable laws. This ensures that personal data is collected, used, and stored lawfully and fairly.
  2. Transparency: The notice explains clearly which data is collected (e.g., name, contact details, ID documents for check-in) and why (e.g., booking management, invoicing, legal obligations).
  3. Customer protection: It guarantees that clients’ data will be safeguarded, avoiding misuse such as unauthorized marketing or sharing with third parties without consent.
  4. Guest rights: It informs clients of their rights, such as accessing, correcting, or deleting their data, and how to exercise them.
  5. Trust: Demonstrating attention to data protection increases guest confidence and enhances the hotel’s reputation.

 

What data is processed

 

In order to stay at our facility, you must provide the following mandatory data: name, surname, place and date of birth, ID number, residence or domicile address, and contact details.

Should you wish to remain in contact with our organization, receive external messages in your room, access additional services offered by our staff, request a special diet, or any other specific needs, we will ask for your explicit consent for each additional processing activity.

At any time, you may exercise your rights as indicated in the section “Definitions.”

 

Data processing methods

 

For the purposes described above, the data you provide, either in person or electronically, will be processed both digitally and on paper, using specific procedures aimed at personalizing the services the Company offers.

Processing will be carried out to ensure confidentiality and the highest level of IT and physical security. Manual and electronic tools may be used to store and transmit data to our authorized personnel.

Processing will be strictly connected to the indicated purposes, and in particular, your data may be:

  • processed by the company departments responsible for the activities mentioned, or authorized to carry out those necessary for maintaining and/or executing and/or concluding the relationship established with you;
  • processed by third parties (natural or legal persons) who, under contract with the Company, provide specific services or perform connected, instrumental, or support activities.

 

Data retention period

 

Your data will be retained for the period required by applicable laws and, in any case, until the purposes described above are fulfilled, after which it will be deleted. With your explicit consent, your data may be kept for up to 5 years after your last stay to ensure quicker service upon your return.

If you do not express your wish to stay updated on the Hotel’s activities, your data will only be retained for the time strictly necessary to complete financial settlement checks.

 

Disclosure to third parties

 

Your data may be disclosed, with your consent and in compliance with the law, to third parties such as:

  1. Banks responsible for managing payments under agreed terms;
  2. Insurance companies for handling potential damage claims;
  3. Authorized entities or organizations for compliance with legal obligations;
  4. Organizations within the ITI group to improve the quality of services offered by the Company;
  5. Natural or legal persons who, under contract with the Company, provide specific processing services or perform connected, instrumental, or support activities.

 

Our website may contain hyperlinks leading to other domains. The Company is not responsible for any data protection violations suffered by users on other websites that may have fraudulently cloned our web page or fail to comply with EU Regulation 2016/679.

The list of external Data Processors is available at our offices.

 

Data Controller and Data Protection Officer (DPO)

 

The Data Controller is IBH RIPA S.r.l., with registered office and operating headquarters at Via degli Orti di Trastevere, 3 – 00156 Rome, at Hotel Ripa Roma.

You may withdraw your consent to data processing or request modification of processing activities at any time. Please note that withdrawal of consent may result in the termination of any ongoing contracts or services.

The Company has appointed Dr. Eng. Luca Lestingi as the Data Protection Officer (DPO). Any reports of alleged rights violations may be submitted to info@progettosavi.eu.

 

Contacts

 

For further information on the processing of your personal data, to report an issue, file a complaint, or request modification or deletion of data, please contact us at privacy@hotelriparoma.com.

You may also reach us by phone at +39 06 58611 for questions regarding how the Company manages personal information. Before responding, we may need to verify your identity and ask certain questions. We will provide a reply as soon as possible.

I. DEFINITIONS

 

For the purposes of this Privacy Notice:

  1. “Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
  2. “Processing”: any operation or set of operations performed on personal data, with or without automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
  3. “Restriction of processing”: marking stored personal data with the aim of limiting their processing in the future.
  4. “Data Controller”: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
  5. “Processor”: the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
  6. “Recipient”: the natural or legal person, public authority, agency, or another body, to which personal data are disclosed. Public authorities which may receive personal data in the framework of a particular inquiry under Union or Member State law shall not be regarded as recipients.
  7. “Third party”: a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons authorized to process personal data under their direct authority.
  8. “Consent of the data subject”: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them, by a statement or by a clear affirmative action.
  9. “Personal data breach”: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
  10. “Health data”: personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about their health status.
  11. “Authorized person”: a natural person authorized to process data by the Controller or Processor.
  12. “Domain”: the domain accessible through the World Wide Web service of the internet, consisting of data and applications for transmitting and possibly collecting information.
  13. “Lawfulness of processing”: Processing is lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party, or to take pre-contractual steps at the request of the data subject;

c) processing is necessary for compliance with a legal obligation to which the Controller is subject;

d) processing is necessary to protect the vital interests of the data subject or another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;

f) processing is necessary for the legitimate interests pursued by the Controller or by a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject, in particular if the data subject is a minor.

II. DATA SUBJECT RIGHTS

 

In relation to the processing of personal data, the data subject has the following rights under the Regulation:

 

a) The right to receive information under Art. 13.

b) The right to obtain from the Controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and related information (Art. 15).

c) The right to obtain without undue delay the rectification of inaccurate personal data and to have incomplete personal data completed (Art. 16).

d) The right to obtain the erasure of personal data without undue delay where applicable (Art. 17).

e) The right to obtain restriction of processing (Art. 18).

f) The right to be informed of recipients to whom personal data have been disclosed (Art. 19).

g) The right to receive the personal data in a structured, commonly used, and machine-readable format and transmit them to another Controller (Art. 20).

h) The right to object at any time, on grounds relating to their particular situation, to processing of personal data concerning them under Art. 6(1)(e) or (f), including profiling based on those provisions (Art. 21).

i) The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (Art. 22).

 

For the full text of EU Regulation 2016/679, please consult the Italian Data Protection Authority’s website:

https://www.garanteprivacy.it/il-testo-del-regolamento