Pursuant to EU Regulation 2016/679
Dear Guest,
Pursuant to the applicable legislation on personal data protection (EU Regulation 2016/679 and Legislative Decree 196/2003, as amended and supplemented by Legislative Decree 101/2018), we wish to inform you that your personal data will be processed lawfully, fairly and transparently, for legitimate purposes and in a manner that ensures the protection of your privacy and your rights. In accordance with Article 13 of EU Regulation 2016/679, we provide you with the following information:
1. Data Controller
The Data Controller is LOCANDA ROSSA DI JONA CELESIA LORENZA, based at Strada Capalbio Pescia Fiorentina 11 B, 58011 Capalbio (GR), Tax Code: JNCLNZ63H60L219T, VAT No.: 07456241004. Email: accounting@locandarossa.com — Certified Email (PEC): locandarossa@pec.locandarossa.com
2. Methods of Processing
The data will be processed using both electronic systems that ensure high levels of security and confidentiality, and paper-based methods, appropriate for the provision of the services offered, and in full compliance with the security measures and protections required by applicable law.
3. Categories of Personal Data Processed
- Contact details (telephone number, email, etc.)
- Personal details (first name, last name, gender, place and date of birth, residence, domicile)
- Data relating to the request and purchase of services and products (subject of the contract, terms, conditions, duration, etc.)
Additionally, and only if voluntarily provided:
- Health-related data, in the event you need to communicate specific needs due to disabilities, allergies, food intolerances, or other medical conditions.
This information is considered special category data under Article 9 of EU Regulation 2016/679 and is subject to stricter protection. In accordance with Article 9(1)(a), your explicit consent is required. Such data will only be shared with staff involved in handling your request.
4. Purposes of Processing and Legal Basis
Our facility offers various services, and the types of personal data collected and the related processing may vary depending on the service requested. The following outlines the different purposes of processing, categorized by service type:
Hotel Guest Management
The processing involves personal data collected by the facility for: preparing quotations; managing bookings, guest reception, and accommodation; handling payments (also through third-party banking/financial institutions); and fulfilling legal obligations of a public, administrative, accounting, or tax nature.
A) Quotation and Information Requests
Description: Requests for quotations may be submitted via the contact form on our website, or by email or phone using the contact details provided. In all cases, your contact data is used exclusively to respond via email.
PURPOSES:
- Managing quotation requests
- Handling reservations and information inquiries
LEGAL BASIS:
This processing is necessary for the performance of pre-contractual and contractual measures, and therefore does not require your consent, pursuant to Article 6(1)(b) of the GDPR. If you refuse to provide personal data, we will not be able to provide the requested services.
B) Booking Management
Description: Reservations may be made via email, phone (followed by confirmation email), the company’s website using a booking engine, or through an OTA (Online Travel Agency). Upon reservation, initial guest data is entered into the hotel’s management system. Typically, after a reservation made via our website, a form is sent by email requesting name, surname, phone number, and email. If the form is incomplete, missing details may be requested upon arrival at the facility.
Special Categories of Data (Art. 9 GDPR):
During the booking or upon arrival, the guest may share health-related information due to specific needs (e.g., disabilities). Such information is processed confidentially and shared only with the staff directly involved.
PURPOSES:
- Contract management
- Acquisition and confirmation of accommodation and related services
LEGAL BASIS:
This processing is necessary for the execution of pre-contractual and contractual obligations and does not require consent, pursuant to Article 6(1)(b) GDPR.
C) Stay Management
Description: Data is processed to manage guest reception and stay, including additional services, handle payments, and comply with legal obligations (public safety, administrative, tax).
C.1) Guest Reception and Stay Management
PURPOSES:
- Guest check-in
- Contract management
- Management of additional services
LEGAL BASIS:
Processing is necessary for the execution of pre-contractual and contractual obligations and does not require consent under Article 6(1)(b) GDPR.
C.2) Uploading Identification Data to the Police Portal
PURPOSES:
- Upon arrival, identity documents are collected and communicated to the police for public safety purposes as required by law (Art. 109 R.D. 18.6.1931 n. 773 - TULPS)
LEGAL BASIS:
Processing is mandatory by law and does not require consent (Art. 6(1)(c) GDPR).
C.3) Issuing Tax Documents
Description: Typically, the facility issues a receipt. If the guest requests an invoice, they must provide all data needed to issue the document.
PURPOSES:
- Issuing an invoice upon request
LEGAL BASIS:
Processing is mandatory by law and does not require consent (Art. 6(1)(c) GDPR).
C.4) Additional Services
- SPA: Guests are required to complete and sign a waiver. Pregnant guests must present a medical certificate. For minors, a parent or guardian must sign.
- Restaurant and Red Bar: Guests may voluntarily report food allergies or intolerances to staff. This information is used solely to ensure safe service and shared only with involved personnel.
- Bike Rental: At the time of booking or bike collection, a liability waiver must be completed and signed. For minors, a parent or guardian must sign.
C.5) Customer Satisfaction Survey
PURPOSES:
- Assessing customer satisfaction
- Sending promotional/advertising materials
LEGAL BASIS:
Consent is required (Art. 6(1)(a) and Art. 7 GDPR). Consent can be withdrawn at any time.
C.6) Receiving Messages and Phone Calls During Your Stay
PURPOSES:
- Improving the quality of your stay
LEGAL BASIS:
Consent is required (Art. 6(1)(a) and Art. 7 GDPR). Consent can be withdrawn at any time.
D) Legitimate Interest of the Data Controller or Third Parties
PURPOSES:
- Pursuing the legitimate interests of the Data Controller or third parties, provided such interests are not overridden by your rights and freedoms
LEGAL BASIS:
Consent is not required (Art. 6(1)(f) GDPR).
E) Speeding Up Future Check-ins
PURPOSES:
- Reusing your data to simplify registration for future stays
LEGAL BASIS:
Consent is required (Art. 6(1)(a) and Art. 7 GDPR). Consent can be withdrawn at any time.
Management of External Clients – Additional Services
The processing of personal data concerns clients who use additional services offered by the facility. This includes the management of these services, payment handling (including through third-party banking/financial institutions), and compliance with accounting and tax-related legal obligations.
A) Booking Management
Description: Bookings for additional services may be made by email, phone, or through the appropriate form available on the company website. The personal data collected (contact details) are used exclusively to ensure correct delivery of the chosen service(s).
PURPOSES:
- Contract management
- Acquisition and confirmation of bookings for accommodation and additional services
LEGAL BASIS:
This processing is necessary for the performance of pre-contractual and contractual measures and does not require your consent under Article 6(1)(b) GDPR.
B) Issuing Tax Documents
Description: Typically, a receipt is issued. If the client requests an invoice, they must provide all the necessary data to allow for its issuance.
PURPOSES:
- Issuing an invoice upon request
LEGAL BASIS:
Processing is mandatory by law and does not require consent (Art. 6(1)(c) GDPR).
C) Legitimate Interest of the Data Controller or Third Parties
PURPOSES:
- Pursuing the legitimate interests of the Data Controller or third parties, provided that such interests do not override the client’s rights and freedoms
LEGAL BASIS:
Consent is not required (Art. 6(1)(f) GDPR).
Event Management
A) Quotation and Information Requests
Description: Requests for quotations can be made through the website's contact form, email, or phone. The provided contact data is used exclusively to respond via email.
PURPOSES:
- Contract management
- Acquisition and confirmation of bookings for accommodation and related services
LEGAL BASIS:
This processing is necessary for the performance of pre-contractual and contractual measures and does not require consent (Art. 6(1)(b) GDPR).
B) Booking Management
Description: Bookings may be made on site, by email, by phone, or through the appropriate form on the company website. Contact data is used exclusively to ensure proper delivery of the selected service(s). If overnight accommodation is also requested, the procedure follows the standard process described in the “Hotel Guest Management” section.
PURPOSES:
- Contract management
- Acquisition and confirmation of bookings for accommodation and related services
LEGAL BASIS:
As above, processing is necessary for contractual performance and does not require consent under Article 6(1)(b) GDPR.
C) Issuing Tax Documents
Description: A receipt is usually issued. If an invoice is requested, the client must provide the necessary data to allow for its issuance.
PURPOSES:
- Issuing an invoice upon request
LEGAL BASIS:
Processing is mandatory by law and does not require consent (Art. 6(1)(c) GDPR).
D) Legitimate Interest of the Data Controller or Third Parties
PURPOSES:
- Pursuing legitimate interests, provided they do not override the client’s rights and freedoms
LEGAL BASIS:
Consent is not required (Art. 6(1)(f) GDPR).
Management of Mailing List for Promotional Materials and Newsletter Distribution
Anyone wishing to receive newsletters and promotional materials—regardless of whether they are current or former clients—can request inclusion by filling out the appropriate form on the website and providing their contact details.
Description: This processing involves maintaining and using a list of email addresses (collected during website registration or during the guest's stay) for marketing purposes and to send promotional content related to updates, rates, and offers. This is only performed with the express consent of the data subject, which can be revoked at any time.
PURPOSES:
- Marketing activities via automated email systems
LEGAL BASIS:
Consent is required under Article 6(1)(a) and Article 7 GDPR. You may revoke your consent at any time.
5. Duration of Processing
If no contract is concluded following a first contact or quote request, your personal data will be deleted from our databases after a period of time, which may vary depending on the type of service requested.
Processing lasts for the duration of the contract and beyond, only if necessary to fulfill legal obligations or the legitimate interests of the Controller. In all cases, data will be deleted once the purposes have been fully achieved.
Where processing is based on consent, you may withdraw it at any time (Art. 7 GDPR) and exercise the rights provided under Articles 15–22, as detailed in Section 11.
6. Voluntarily Provided Data
If you choose to pay via bank transfer, credit/debit card, check, or cash, you will need to provide us with all the information necessary to complete the payment.
The voluntary completion of forms or the sending of emails entails our subsequent acquisition of the data you provide, usually name, surname, phone number, and email. This data is essential to respond to your requests or perform the requested service.
Summarized privacy information is available on individual website pages where services are provided.
Refusal to consent to data processing for optional services does not prevent the performance of the main service.
7. Obligation or Option to Provide Data and Consequences of Refusal
The personal data requested is necessary for us to provide the service. Failure to provide all or part of it will make it impossible to perform the service.
Providing optional data for additional services is not mandatory and does not affect the performance of the main service.
8. Data Disclosure and Dissemination
Personal data collected for the purposes in Section 4 is not disseminated—i.e., not made available to unspecified entities.
However, it may be disclosed to specific parties such as:
- Subjects who access the data under legal obligations;
- Credit and financial institutions in case of electronic payments;
- Consultants and collaborators for business operations;
- Public authorities where required by law.
9. Data Transfers Outside the EU
Your personal data will not be transferred to non-EU countries under any circumstance.
10. Profiling
Your personal data will not be subject to profiling or any other automated processing as per Article 22 of EU Regulation 2016/679.
11. Data Subject Rights (Articles 13–22 and 77–79 GDPR)
If, as a data subject, you wish to exercise your rights under Articles 13–22 and 77–79 of EU Regulation 2016/679 in relation to your personal data—or if you have any questions or requests regarding this privacy policy—you may contact the Data Controller using the contact details provided in Section 1 of this notice.
The Data Controller is committed to fulfilling your requests.
Furthermore, we inform you that the law grants you specific rights with respect to the data processed by the Controller.
In particular, as a data subject, pursuant to Article 4(1) of EU Regulation 2016/679, you have the right to:
- Withdraw consent at any time. You may withdraw your previously given consent to the processing of your personal data at any time (Art. 13(2)(c) GDPR);
- Object to the processing of your personal data. You may object to the processing of your data in the circumstances provided under Article 21 GDPR;
- Access your personal data. You have the right to obtain information about the data held by the Controller, the purposes of processing, and to receive a copy of the data (Art. 15 GDPR);
- Verify and request rectification. You may check the accuracy of your data and request its update or correction (Art. 16 GDPR);
- Request restriction of processing. When certain conditions apply, you may request that the processing of your data be restricted. In such cases, we will retain the data only for storage purposes (Art. 18 GDPR);
- Request erasure of your personal data. When certain conditions apply, you may request that your data be deleted by the Controller. In such cases, we will proceed with deletion as promptly as possible (Art. 17 GDPR);
- Receive and transfer your data (data portability). You have the right to receive your data in a structured, commonly used, and machine-readable format, and—where technically feasible—to have it transmitted directly to another controller. This applies where the data is processed by automated means and the processing is based on your consent, a contract you are party to, or pre-contractual measures taken at your request (Art. 20 GDPR);
- Not be subject to a decision based solely on automated processing, including profiling, in the cases where this right is applicable (Art. 22 GDPR);
- Lodge a complaint. You may lodge a complaint with the competent data protection authority (Art. 77 GDPR);
- Take legal action (Art. 79 GDPR).