Privacidade Grand Hotel Santa Lucia

Hotel em Nápoles
Grand Hotel Santa Lucia

Reservar online



Pursuant to Article 13 of Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27/04/2016, hereinafter GDPR, the Company GRAND HOTEL SATA LUCIA S.R.L., as data controller, informs you that this page describes the methods of processing of personal data of users who consult the website and that this information does not concern other sites, pages or online services that can be reached through hyperlinks that may be published on the Websites but refer to resources outside the domain of the Hotel Santa Lucia.


  1. Purpose of data processing and legal basis

Your personal data are processed for the following Purposes of Service:

A1) Pursuing its own legitimate interest, consisting in ensuring the security of the Website and the information exchanged on it, i.e. the ability of such Website to withstand, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of the personal data stored or transmitted and the security of the related services offered or made accessible;

A2) Acquisition of personal data (first name, last name, tax code) and contact data (address, e-mail, telephone), contractual and administrative information (such as the date of the contract, type of business relationship, payment information, etc.) to enable the Holder to carry out pre-contractual activities and comply with contractual obligations, to manage administrative and accounting fulfillments and to allow us to assist and contact the Client via telephone and/or e-mail communications;

A3) to fulfill the obligation under the “Testo unico delle leggi di pubblica sicurezza” (Article 109 R.D. 18.6.1931 n. 773), which requires us to communicate to the Police Headquarters, for public security purposes, the generalities of the clients accommodated according to the modalities established by the Ministry of the Interior (Decree January 7, 2013).

A4) Acquisition of personal data for carrying out para-commercial activities related to Marketing (e.g. Mailing list, web marketing, promotional activities through social campaigns);

A5) Acquisition of personal data to enable the Company to carry out performance quality assessment activities aimed at improving the services provided (“Customer Satisfaction”) through automated processes in an anonymous form;

A6) Fulfill obligations required by law, regulation, EU legislation or an order of the Authority (such as, for example, in the area of anti-money laundering);

A6) To exercise the rights of the Data Controller, for example, the right to defense in court (Art. 24 Const.).


  1. B) Nature of the provision of data

Your personal data subject to processing are collected directly by the Data Controller or by the person expressly authorized by the Data Controller.

The legal basis for the processing of data for the purposes referred to above in A2) is Art. 6 paragraph 1 letter b of the Regulations (processing necessary for the performance of a contract or pre-contractual measures), as the processing is necessary for the provision of services or for the response to requests from the data subject. The provision of Personal Data for these purposes is optional, but failure to provide it would make it impossible to activate the services requested or to respond to Your requests.

The legal basis for the processing of data for the purposes referred to in A3) above is Art. 6 paragraph 1 letter c of the Regulation (fulfillment of a legal obligation), as the processing is in response to a legal obligation and is necessary for the provision of services or for the acknowledgment of requests by the data subject.

The legal basis for the processing of data for the purposes referred to in the aforementioned point A4) is Article 6 paragraph 1 letter a of the Regulations for which your data may be lawfully processed only with your consent, which is specific, separate, express, documented, prior and entirely optional. With regard to those processing purposes for which your consent is required, we inform you that your refusal will not affect the obligations otherwise undertaken.

The legal basis for the processing of data for the purposes referred to in A2), A5) and A6) is legitimate interest within the meaning of Article 6(1)(f) of the Regulations (processing necessary for the pursuit of the legitimate interest of the data controller or third parties) and does not require your consent.


  1. C) Methods of data processing

Your data are processed lawfully and fairly, in accordance with the provisions of Articles 5 and 6 of the Regulations for the pursuit of the purposes indicated above and in compliance with the fundamental principles established by the applicable legislation.

The processing of personal data may be carried out using both manual and computer and telematic tools, but always under the supervision of technical and organizational measures suitable to guarantee their security and confidentiality, especially in order to reduce the risks of destruction or loss, even accidental, of the data, unauthorized access, or processing that is not permitted or does not conform to the purposes of collection.


  1. D) Categories of data and their origin

Subject of the processing are personal data concerning your person acquired through the services made available on the website, as well as any data transmitted by e-mail or telephone.



  1. E) Scope of communication

Within the limits pertinent to the purposes of the processing of the indicated data, only employees authorized to their processing and belonging to the organizational structure of the Data Controller may become aware of them.

It should be noted that, your data may be transmitted to the following recipients:

– Authorized internal processors

– IT companies

The list is available at the headquarters of the Data Controller


  1. F) Retention period

In accordance with the principle of “limitation of storage” set forth in Article 5, of Regulation (EU) No. 679/2016 (GDPR), the collected data subject to processing for the purposes set forth above will be retained in accordance with the deadlines stipulated in the legal regulations and, thereafter, for as long as the Company is subject to retention obligations for purposes stipulated in the law or regulation. Verification of the obsolescence of retained data in relation to the purposes for which they were collected is carried out periodically.

In any case, data are expected to be retained for a maximum period of:

Contractual data: 10 years.

Marketing data: 3 years


  1. G) Data Profiling and Dissemination.

Profiling activities are planned for statistical purposes through anonymized processes;



  1. H) Rights of the data subject

In your capacity as a data subject, you have the rights set forth in Article 15 GDPR, namely the rights to:

  1. obtain confirmation of the existence or otherwise of personal data concerning you, even if not yet registered, and its communication in intelligible form;
  2. obtain an indication of: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in case of processing carried out with the aid of electronic instruments; d) the identity of the owner, managers and the representative appointed under Art. 3, paragraph 1, GDPR; e) the subjects or categories of persons to whom the personal data may be communicated or who can learn about them as appointed representative in the State, managers or authorized;
  3. Obtain: a) the updating, rectification or, when interested, the integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including those that do not need to be kept for the purposes for which the data were collected or subsequently processed; c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
  4. oppose, in whole or in part: a) for legitimate reasons, the processing of personal data concerning you, even if pertinent to the purpose of collection; b) the processing of personal data concerning you for the purpose of sending advertising materials or direct sales or for carrying out market research or commercial communication, through the use of automated calling systems without the intervention of an operator by e-mail and / or through traditional marketing methods by telephone and / or mail. It should be noted that the data subject’s right to object, set forth in point b) above, for direct marketing purposes through automated modalities extends to traditional ones and that, in any case, the possibility for the data subject to exercise the right to object even partially remains unaffected. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither type of communication.
  5. Right to rectification of your personal data in case they are changed and do not correspond to those previously acquired or communicated (Art. 16)
  6. Right to the deletion of data (“right to be forgotten” art. 17). GRAND HOTEL SATA LUCIA S.R.L., if one of the following cases exists, proceeds to the deletion of the data from all databases and archives where the same is contained:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent and if there is no other legal basis for the processing;

(c) the data subject objects to processing under Article 21(1) and there is no overriding legitimate ground for processing, or objects to processing under Article 21(2);

(d) personal data have been processed unlawfully;

(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

(f) personal data have been collected in connection with the provision of information society services referred to in Article 8(1).

  1. Right to limitation of processing (Art. 18). The data subject has the right to obtain from the data controller the restriction of processing when one of the following cases occurs:

(a) the data subject disputes the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such personal data;

  1. b) the processing is unlawful and the data subject objects to the erasure of the personal data and instead requests that their use be restricted;

(c) although the data controller no longer needs the personal data for the purposes of the processing, the personal data are necessary for the data subject to establish, exercise or defend a legal claim; and

(d) the data subject has objected to the processing pursuant to Article 21(1), pending verification as to whether the legitimate grounds of the data controller override those of the data subject.

  1. Right to object (Art. 21-22): The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Article 6(1)(e) or (f), including profiling on the basis of these provisions. GRAND HOTEL SATA LUCIA S.R.L. does not subject data to decisions based solely on automated processing.

Propose complaints to a supervisory authority (Autorità Garante per la protezione dei dati personali – based in Rome, Piazza Venezia n.11 – );


  1. I) Data controller and person responsible for the protection of personal data.

The Data Controller is GRAND HOTEL SANTA LUCIA S.R.L. based in Via Santa Lucia 173 – 80132 Naples – P IVA 10481541216.

The Data Controller can be contacted at the following e-mail address:

A Data Protection Officer (DPO) has been appointed, Silvio Tortora Maione, who can be contacted at the following e-mail address: