Information pursuant to article 13 of Regulation (EU) 2016/679 and article 3.1 of the Measure of the Data protection authority dated 8 April 2010


Pursuant to article 13 of Regulation (EU) 2016/679 (the "Regulation") and article 3.1 of the Measure of the Data protection authority dated 8 April 2010, CIESSE SRL LIMITED LIABILITY COMPANY WITH ONLY SHAREHOLDER, as the Data controller,



that a closed-circuit surveillance system operates at our hotels in accordance with the Measure of the Data protection authority dated 8 April 2010.


Purposes of the processing
The personal data of the data subjects, comprised, specifically, of their images obtained during recording, are collected solely for the following purposes:
a) Safety: protecting the safety of the company's workers and/or collaborators, and of third parties;
b) Protecting company assets: preventing thefts, robberies, damage, assaults and acts of vandalism.

Data are lawfully processed also without the explicit consent of the concerned parties, pursuant to article of the above Measure.


Means of processing
Data are processed electronically in accordance with adequate data security and protection measures and for the above-mentioned purposes.
Specifically, when processing data, the company declares that it complies with the following principles:
- Lawfulness of data processing: data processing through video-surveillance systems is carried out correctly and for specific and legitimate purposes (safety and protection of assets). The systems were installed and are used in accordance with article 4 of Legislative decree no. 300/1970.
- Necessity of data processing: the company undertakes not to use the systems excessively and unnecessarily.
- Proportionality of data processing: the data collected are those strictly necessary to achieve the above-mentioned purposes.

Data dissemination and Communication to third parties
The data in question will not be disseminated and will not be communicated unless specifically requested by the police or the court.


Minimum information
The data subjects are properly informed using panels (simplified information) located in the areas and the premises subject to videosurveillance. These panels provide all the information required by article 3 of the Measure.


Image retention period
Images are recorded and stored in accordance with the authorisation measure issued by the competent DTL (territorial labour office).
Specifically, the data obtained will be stored for up to 24 hours or, in some cases, within seven days. After this time limit, the data will always be deleted by means of overwriting, except as provided in the DTL's authorisation measure when requested by the police or the court or, however, as a result of criminal events, damage to company assets, unauthorised access to the premises by personnel and/or third parties or thefts of company materials and products.


Data controller

Appointment of the Data processor and the person in charge of data processing
The Data controller appointed in writing the Data processor and the person in charge of data processing authorised to access the premises where the control points are located and to use the systems and, where necessary for the purposes to be achieved, to view the images and/or obtain copy thereof in accordance with article 3.3.2 the Measure.

Rights of the data subject
The data subjects have the right, at all times, to obtain confirmation of the existence or non-existence of the data and information on the content and origin, to verify the correctness of the data or to request data integration, erasure or rectification (articles 15 and following of Regulation (EU)).
Furthermore, they have the right to request the correction of any inaccurate personal data or the erasure, the restriction of processing and the portability of the data and to lodge a complaint with a supervisory authority and, in any case, to object such processing, for legitimate reasons (articles 17 and following of the Regulation).


Requests are to be sent to the Data controller.