Privacy Policy

Privacy Policy

Pursuant to EU Regulation 2016/679 (GDPR) on the Processing of Personal Data

The processing of personal data refers to any operation performed on information that directly or indirectly identifies a natural person. Such operations may occur with or without the use of automated means and include, but are not limited to: collection, recording, organization, storage, processing, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, comparison, interconnection, restriction, erasure, and destruction—even if the data are not stored in structured databases.
Personal data voluntarily provided by the user to BLG SRL through the website www.ortodeimedici.it (hereinafter, the "Website") or by other means related to the use of the services offered, will be processed in accordance with Legislative Decree 196/2003 (“Privacy Code”) and EU Regulation 679/2016 (“GDPR”), in compliance with Article 13 of the GDPR.

Principles of Data Processing
BLG SRL ensures that the processing of personal data will be conducted in accordance with the principles of lawfulness, fairness, and transparency, while safeguarding the user’s privacy and rights. Data will be collected and managed solely to the extent strictly necessary to achieve the purposes for which they were obtained, in full respect of the principles of data minimization and purpose limitation.
To this end, appropriate measures will be adopted to ensure that personal data are kept accurate and up to date in relation to the purposes of processing. Integrity and confidentiality will also be ensured through the use of suitable technological and organizational procedures capable of protecting the data from unauthorized or unlawful processing, as well as from accidental loss, destruction, or damage. Finally, BLG SRL undertakes to comply with the accountability principle established under the GDPR, assuming full responsibility for implementing and maintaining appropriate security and compliance measures.

1. Purposes of Data Processing
The personal data provided by the user will be lawfully and fairly processed for the following purposes:

A. Mandatory Purposes (do not require consent)
(pursuant to Art. 24 letters a, b, c of the Privacy Code and Art. 6 letters b, c, f of the GDPR)
Certain personal data processing operations are strictly necessary to enable the provision of the services requested by the user and do not require explicit consent. Specifically, data are used to activate and correctly manage the services provided through the Website, to comply with legal obligations—including accounting and tax requirements—and to fulfill legal provisions governing the hospitality sector, such as Article 109 of the Royal Decree of June 18, 1931, No. 773, which requires the registration and reporting of guest identification data to the local police. Processing is also legitimized by the legitimate interest of BLG SRL in ensuring the efficient organization and security of its services.

B. Marketing (with explicit consent)
(pursuant to Arts. 23 and 130 of the Privacy Code and Art. 7 of the GDPR)
With the user’s consent, the email and/or postal address may be used to send informational materials, promotional communications, commercial offers, and newsletters related to the Website and the services offered.

C. Profiling (with explicit consent)
(pursuant to Arts. 23 and 130 of the Privacy Code and Art. 7 of the GDPR)
The email and/or postal address may be used for analytics, market research, and customer satisfaction surveys, with the aim of customizing commercial offers.

D. Use of Images (with explicit consent)
(pursuant to Arts. 23 and 130 of the Privacy Code and Art. 7 of the GDPR)
Photographs taken within the property by the data controller may be published on the official Facebook page of Hotel Orto de’ Medici.

E. Communication to Third Parties During Stay (with explicit consent)
(pursuant to Arts. 23 and 130 of the Privacy Code and Art. 7 of the GDPR)
With the data subject’s consent, personal data may be disclosed to third parties for the purpose of managing phone calls or messages received during the stay.
The user may withdraw consent at any time with respect to the above-mentioned purposes (B, C, D, E) by sending a request to hotel@ortodeimedici.it. Refusal or withdrawal of consent will not affect the use of services provided by BLG SRL.

F. Video Surveillance (no consent required)
(pursuant to Art. 24 letters a, b, c of the Privacy Code and Art. 6 letter f of the GDPR)
A video surveillance system is in operation for security reasons. Data collected through this system will be processed in accordance with applicable laws. Surveillance cameras are clearly marked with appropriate signage.

2. Methods of Processing
Data processing will be carried out by manual and/or electronic means, using methods strictly related to the purposes outlined above. The data controller commits to implementing appropriate security measures to prevent unauthorized access, alteration, disclosure, or unlawful deletion of data.

In addition to the data controller, data may be accessible to employees and internal collaborators (e.g., administrative, commercial, marketing, legal, and IT personnel), as well as qualified external parties (e.g., technology service providers, communication agencies, hosting providers, postal couriers), formally designated as data processors. An up-to-date list of data processors is available upon request.

3. Legal Basis for Processing
The legal basis for data processing includes the user’s consent, the performance of a contract, compliance with legal obligations, and the pursuit of a legitimate interest (Art. 6(1)(a), (b), (c), (f)).

4. Location of Data Processing
Data are processed at the data controller’s registered office, located at Via San Gallo 30, Florence, as well as at the offices of any external processors appointed under Article 28 of the GDPR, selected for their reliability and competence.

5. Data Retention Period
Data will be retained for the time strictly necessary to fulfill the purposes outlined above and, in any case, no longer than five years, unless longer retention is required by law. In the event of legal disputes, data may be retained for an additional period. The user may request cessation of processing or deletion of their data at any time.

6. Website Registration and Newsletter Subscription
By subscribing to the mailing list, newsletter, or by creating an account on the Website, the provided email address will be added to a list used to send informational and promotional communications. Even after the conclusion of a contract, data may be added to this list.
Data processed: name and email address.

7. Data Controller
The Data Controller is:
BLG SRL
Registered Office: Via San Gallo 30, Florence
Email: hotel@ortodeimedici.it

8. Data Subject Rights
As a data subject, the user has the right to exercise, at any time, the rights established under the Privacy Code and the GDPR, including the right to:

• Know whether personal data concerning them are being processed and obtain a copy thereof;
• Receive information regarding the purposes, methods, and parties involved in the processing;
• Request the updating, rectification, or integration of data;
• Request the deletion, anonymization, or blocking of data processed unlawfully;
• Receive confirmation that any requested changes have been communicated to third parties involved;
• Object, in whole or in part, on legitimate grounds, to the processing of their personal data, including for direct marketing purposes through automated or traditional means;
• Exercise the right to data portability where applicable;
• Withdraw previously given consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal;
• Lodge a complaint with the Data Protection Authority.

To exercise these rights or to receive further information, users may contact the data controller at hotel@ortodeimedici.it.