PRIVACY POLICY
on the processing of personal data while browsing the website
(According to European Regulation 2016/679 and the Italian Privacy Code as amended)
LVGH S.r.l. (“LVGH”), with registered office at Piazzale Flaminio 9, 00196 Rome (RM), VAT No. 15335861009;
LGC S.r.l. (“LGC”), with registered office at Piazzale Flaminio 9, 00196 Rome (RM), VAT No. 16871481004;
in their capacity as independent Data Controllers, hereby inform you, pursuant to Article 13 of EU Regulation 2016/679 (“GDPR”) and Legislative Decree No. 196/2003 (“Privacy Code”), as amended, that the processing of personal data of users who visit the website www.legraal.com/legraalcortina will be carried out as described below.
The Controllers can be contacted at the following email addresses: privacy@legraalcortina.com and privacy@legraal.com.
The Controllers have appointed a DPO, who may be contacted at: dpo@legraal.com.
This privacy policy applies exclusively to the website www.legraal.com/legraalcortina and not to other websites that may be consulted by the user via links. Visiting this website may result in the processing of personal data relating to identified or identifiable natural persons.
The purpose of this privacy policy is to provide maximum transparency regarding the information collected by the website and how it is used.
1. Object of the processing
Visiting this website may involve the processing of personal data of identified or identifiable natural persons. Personal data are processed during browsing of the website www.legraal.com/legraalcortina, through (i) the dedicated contact form, (ii) the newsletter subscription process, or (iii) the booking process.
2. Purposes of the processing
Personal data of users visiting the website are processed for different purposes depending on the category of data processed:
- Browsing data: processed automatically to obtain anonymous statistical information on the use of the website and to ensure its correct functioning; such data are stored in the server provider’s database.
- Data voluntarily provided by the user, by third parties, or collected, within the limits allowed by law, from public sources are processed for the following purposes:
A. Legal obligations: this includes compliance with obligations arising from laws, regulations, EU provisions, or orders issued by competent authorities or supervisory bodies (in such cases, consent is not required). This includes tax regulations and anti-money laundering registers.
B. Contractual and administrative–accounting purposes: this includes fulfilling obligations arising from contracts to which the data subject is a party or responding to specific requests made prior to entering a contract. No consent is required, as the processing is necessary for the contractual relationship.
C. Protection of rights in judicial proceedings: this includes protecting the Controllers’ interests in legal disputes or initiating proceedings before competent authorities.
D. Marketing and promotional purposes: this includes sending newsletters, commercial information, promotional material, and advertising about the Controllers’ products, services, or initiatives. Consent is optional and does not affect the relationship with the Controller.
E. Profiling: this includes creating profiles based on user preferences, behaviour, and personal attitudes, in order to optimise commercial offers, send targeted communications, and conduct statistical analyses. Consent is optional and does not affect the relationship with the Controller.
3. Legal basis of the processing
The legal basis for processing browsing data is the Controller’s legitimate interest in ensuring efficient and secure navigation, as per Article 6, par. 1, lett. f) GDPR.
Regarding data voluntarily provided by the user, the legal basis is:
- compliance with a legal obligation (Article 6, par. 1, lett. c) GDPR) for the purposes listed under point A above;
- performance of contractual obligations or responding to pre-contractual requests (Article 6, par. 1, lett. b) GDPR) for the purposes listed under point B above;
- the legitimate interest of the Controllers to defend their rights in legal proceedings (Article 6, par. 1, lett. f) GDPR) for the purposes listed under point C above;
- the explicit consent of the data subject (Article 6, par. 1, lett. a) GDPR) for the purposes listed under points D and E above.
Providing consent is optional. However, refusal may make it impossible to provide the requested services.
Users may unsubscribe from the newsletter at any time through the “unsubscribe” option in the newsletter footer.
4. Categories of data processed and retention periods
Browsing data
The IT systems and software used to operate this website collect certain personal and non‑personal data during normal operation, the transmission of which is implicit in Internet communication protocols (log files). These data may allow identification through processing and association with third‑party data.
Such data include IP addresses, domain names, URI identifiers, request times, pages viewed, average time spent, the method used to submit requests, size of response files, server response codes, and device/system parameters.
These data are used solely to obtain anonymous statistics and check proper functioning. They are deleted once these purposes are achieved. Except in cases of investigations related to cybercrimes, browsing data are not retained for more than seven days.
Data voluntarily provided by the user, by third parties, or collected from public sources
The optional, explicit and voluntary provision of the user’s personal data through the dedicated contact form and for the purpose of subscribing to the newsletter entails the subsequent acquisition of the data subject’s first name, last name, email address, country/region and preferred language.
For the purpose of completing a booking, the following personal data will be processed: first name, last name, email address, telephone number, credit card details, as well as any additional information voluntarily entered by the user in the “Notes/Comments” field.
“Special categories of data,” also referred to as “sensitive data,” are personal data that may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade‑union membership, genetic data, biometric data intended to uniquely identify a natural person, or data concerning health, sex life or sexual orientation (Article 9 GDPR).
Such data may be processed only with the data subject’s explicit consent, or where one of the conditions set out under Article 9(2) GDPR applies.
Consent is optional; however, refusal may make it impossible to perform one or more activities requested from the Controller where such activities specifically require the processing of these categories of data.
Through the “Notes/Comments” field, or during the booking of certain services, it may occur that health‑related personal data of the data subject are processed (for example: particular health conditions, allergies or other relevant information).
Personal Data collected during the booking process are retained for a period necessary to ensure the regular performance of the contract (or of the pre‑contractual measures adopted), and for an additional period of 10 years, for the purpose of complying with administrative, fiscal and accounting obligations.
Personal Data collected in connection with requests submitted through the contact form are retained for the time strictly necessary to handle and fulfil the request.
Once this purpose has been achieved, the data are anonymised. Retention for a longer period may occur where required by law in relation to administrative, fiscal or accounting obligations.
Personal Data collected for marketing purposes are processed for a period not exceeding 24 months, without prejudice to the data subject’s right to withdraw consent at any time.
Personal Data collected for profiling purposes are processed for a period not exceeding 12 months, without prejudice to the data subject’s right to withdraw consent at any time.
5. Methods of Processing
The processing of personal data, regardless of the specific purpose, is carried out in accordance with Article 4, par. 1, n. 2 GDPR, and therefore includes: the collection, recording, organisation, storage, consultation, processing, alteration, use, restriction, communication, erasure and dissemination of data.
Personal data are processed using automated tools and for the time strictly necessary to achieve the purposes for which they were collected. For further information, the data subject may contact the Controller.
The collection and processing of personal data do not involve any form of automated decision‑making.
Specific technical and organisational security measures are implemented in order to prevent data loss, unlawful or improper use, and unauthorised access (data breaches).
6. Access to Personal Data
For the purposes described above, personal data may be accessed by the Controller’s employees, who are designated as Authorised Persons pursuant to Article 29 GDPR, and by the Controller’s consultants and third‑party companies performing outsourced activities on behalf of the Controller in their capacity as Data Processors, pursuant to Article 28 GDPR.
A list of the third parties to whom personal data are disclosed may be requested from the Controller.
In particular, in compliance with Article 28 GDPR, the Data Processor responsible for managing personal data relating to bookings carried out through this website, via the platform https://be.synxis.com, is The Leading Hotels of the World, Ltd., headquartered at 485 Lexington Avenue, Suite 401, New York, NY 10017.
7. Transfer of Data Abroad
Personal data may be transferred outside the European Union and the European Economic Area. The Controller guarantees that any such transfers will be carried out in compliance with Articles 44 et seq. GDPR and with all applicable legal provisions.
Accordingly, personal data transferred outside the EU/EEA will benefit from a level of protection equivalent to that required by the GDPR.
For further information or to obtain the list of third‑country recipients to whom data are transmitted, the data subject may contact the Controller using the contact details indicated in this privacy policy.
8. Rights of the Data Subject
The data subject is entitled to exercise the rights set out in Articles 15 et seq. of the GDPR, and specifically the right to:
Obtain confirmation as to whether or not personal data concerning them exist, even if not yet recorded, and to receive such data in an intelligible form.
Obtain information regarding: (a) the origin of the personal data; (b) the purposes and methods of the processing; (c) the logic applied in the event of processing carried out with the aid of electronic tools and the security measures implemented; (d) the identification details of the Controller and of the Processor(s) appointed pursuant to Article 28 GDPR; (e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as recipients.
Obtain: (a) the updating, rectification or, where they have an interest, the integration of the data; (b) the erasure, anonymisation or restriction of data processed in breach of the law, including data whose retention is unnecessary in relation to the purposes for which they were collected or subsequently processed; (c) certification that the operations carried out pursuant to points (a) and (b) have been notified to those to whom the data were communicated or disclosed, except where such notification proves impossible or involves a manifestly disproportionate effort compared to the right being protected.
Object, in whole or in part: (a) on legitimate grounds, to the processing of personal data concerning them, even where relevant to the purpose of the collection; (b) to the processing of personal data concerning them for direct marketing purposes.
Where applicable, the data subject also has the rights provided for in Articles 18 and 20 GDPR (Right to restriction of processing and Right to data portability), as well as the right to lodge a complaint with the Supervisory Authority pursuant to Articles 77 GDPR and 141 of the Italian Privacy Code, as amended.
9. Exercising Data Subject Rights
The data subject may exercise their rights at any time by sending an email to the Controller at privacy@legraalcortina.com and privacy@legraal.com, and to the Data Protection Officer (DPO) at the following address: dpo@legraal.com.