PRIVACY POLICY
WHAT THIS PRIVACY POLICY IS
This page describes how this website is managed with regard to the processing of personal data of users who consult it. This notice is also provided pursuant to Article 13 of Regulation (EU) 2016/679 — General Data Protection Regulation (hereinafter “GDPR”) — to those who interact with the web services provided by Hassler Roma S.p.A., accessible electronically at www.hotelhasslerroma.com. This privacy notice applies exclusively to the above-mentioned website and not to any other websites that may be accessed by users through external links.
DATA CONTROLLER
Pursuant to Article 4(1)(7) of the GDPR, the Data Controller is Hassler Roma S.p.A., represented by its pro tempore legal representative, with registered office at Piazza della Trinità dei Monti No. 6 – 00187 Rome, Italy.
DATA PROTECTION OFFICER (DPO)
Pursuant to Article 37 of the GDPR, the Data Controller has formally appointed a Data Protection Officer (DPO), who may be contacted at the following email address: dpo@hotelhassler.it.
DATA PROCESSORS AND DATA SHARING
Pursuant to Article 28 of GDPR 2016/679, the Data Processor for reservations made for Hotel Hassler through the official website via the platform Synxis is The Leading Hotels of the World, Ltd., 485 Lexington Avenue, Suite 401, New York, NY 10017, USA. Leading Hotels of the World uses Sabre GLBL Inc., 3150 Sabre Drive, Southlake, Texas 76092, for this purpose. The Data Processor for reservations relating to the Palazzetto made through the official website via https://reservations.travelclick.com is TravelClick, Inc. The Data Processor responsible for the management of the Hotel Hassler website and cookie configuration (excluding reservation platforms managed by third parties listed above) is Aro Cumarsaid Teoranta, Ireland, Na Forbacha, Gaillimh H91 YD2T, where the website is hosted.
Personal data collected through the website may be processed and disclosed to website hosting, maintenance and management companies; IT infrastructure support and technical assistance providers; third parties managing cookies in accordance with the Cookie Policy; email marketing platform providers; payment gateway providers and/or banking institutions for reservation transactions, acting as independent Data Controllers; Public Authorities where required by law or contractual obligations; professionals, consultancy firms or associations providing administrative, accounting, financial or legal assistance; and public institutions required under accounting and tax legislation. An updated list of appointed Data Processors pursuant to Article 28 GDPR may be requested from the Data Controller.
PURPOSES, LEGAL BASIS AND NATURE OF DATA PROVISION
Personal data provided through the website will be processed for the following purposes: reservation, management and delivery of hotel and restaurant services, pursuant to Article 6(1)(b) GDPR as processing necessary for the performance of a contract or pre-contractual measures requested by the data subject; responding to user requests for information, quotations or other enquiries submitted through the “Contact Us” section, pursuant to Article 6(1)(b) GDPR; statistical research and analysis carried out on anonymous aggregated data to monitor website functionality, measure traffic and evaluate usability and interest, which does not constitute personal data processing; profiling through third-party cookies pursuant to Article 6(1)(a) GDPR and applicable cookie regulations, which requires user consent; sending promotional and commercial communications by email for marketing purposes pursuant to Article 6(1)(a) GDPR based on explicit consent, or pursuant to Article 130(4) of Legislative Decree 196/2003 concerning soft spam for similar services following a previous relationship, with the right to object at any time; compliance with legal and regulatory obligations pursuant to Article 6(1)(c) GDPR; and establishing, exercising or defending legal claims pursuant to Article 6(1)(f) GDPR based on the legitimate interest of the Data Controller.
The Company adopts appropriate technical and organisational security measures to ensure lawful processing of personal data and, in accordance with the data minimisation principle under Article 5(1)(c) GDPR, processes only data strictly necessary to provide requested services or fulfil legal obligations.
PLACE OF DATA PROCESSING
Processing related to the web services of this website takes place at the premises of the Data Controller or appointed Data Processors and is carried out only by authorised technical personnel pursuant to Article 29 GDPR and Article 2-quaterdecies of Legislative Decree 196/2003.
TYPES OF DATA PROCESSED
Without prejudice to the user’s responsibility for the accuracy of personal data relating to themselves or third parties published or shared through this website, the Data Controller processes the following categories of data.
Navigation Data: the IT systems and software procedures used to operate this website acquire certain personal data during normal operation whose transmission is implicit in Internet communication protocols. These include IP addresses, domain names of computers used by users connecting to the site, URI addresses of requested resources, request times, server response status codes, file size and other parameters relating to the user’s operating system and IT environment. Such data are used solely to obtain anonymous statistical information on website use and to ensure proper functioning and are deleted immediately after processing, except where necessary to ascertain responsibility in case of cybercrime. Web contact data are retained for no longer than thirty days.
Data Voluntarily Provided by the User: sending emails to addresses indicated on the website entails acquisition of the sender’s address and any personal data included in the communication. Completion of forms to request services or offers entails processing of personal data necessary for contractual or pre-contractual purposes. Users should not provide special categories of personal data pursuant to Article 9 GDPR unless expressly required. Examples of data collected include name, surname, tax identification number, date of birth, telephone number, email address, company name, address, country, province, postal code and city.
Cookies: for detailed information on cookies and tracking tools, please refer to the Cookie Policy available through the cookie banner and to the Guidelines issued by the Italian Data Protection Authority on June 10, 2021.
Minors: the services of this website are not intended for minors and the Data Controller does not knowingly collect personal data relating to minors. If such data are identified, they will be promptly deleted unless retention is required by law or judicial authority.
PROCESSING METHODS
Personal data are processed mainly using electronic and telematic tools for the time strictly necessary to achieve the purposes described. Specific security measures are implemented to prevent loss, unlawful use, unauthorised access, alteration or disclosure.
TRANSFER OF PERSONAL DATA
The Data Controller adopts measures to ensure that personal data storage and processing take place within European Union countries. Data are not transferred to non-EU countries lacking adequate protection unless safeguards provided under Chapter V GDPR apply, including adequacy decisions, Standard Contractual Clauses, explicit consent or compliance with the EU-US Data Privacy Framework.
SOCIAL BUTTONS
The website may include social plug-ins managed by third parties such as Facebook, LinkedIn and Instagram. By clicking social buttons or widgets, users are redirected to the selected social network provider. Users are invited to consult the privacy policies of those platforms and the Company’s Cookie Policy for further information.
DATA RETENTION
In accordance with Article 5 GDPR principles of storage limitation and data minimisation, personal data are retained only for the time necessary to achieve the purposes described and in any case no longer than permitted under Italian law relating to limitation periods and legal obligations. Further information may be requested by contacting the DPO at dpo@hotelhassler.it.
AUTOMATED DECISION-MAKING
Pursuant to Article 22 GDPR, the Data Controller does not carry out automated decision-making processes, including profiling, capable of producing legal effects or significantly affecting data subjects.
DATA SUBJECT RIGHTS
Data subjects may exercise the rights provided under Articles 15 and following of the GDPR, including withdrawal of consent at any time without affecting prior lawful processing; objection to direct marketing processing or for reasons related to their particular situation; access to personal data and related information; rectification of inaccurate or incomplete data; erasure under applicable conditions; restriction of processing where legally applicable; data portability in structured and machine-readable format where technically feasible; and the right to lodge a complaint with the competent supervisory authority or pursue judicial remedies.
HOW TO EXERCISE YOUR RIGHTS
Rights may be exercised by contacting the Data Controller or the Data Protection Officer at the contact details provided above.
CAREERS SECTION
This notice also applies to candidates submitting applications or curricula vitae through the “Careers” section of the website pursuant to Article 13 GDPR and Article 111-bis of Legislative Decree 196/2003. Candidates are invited to submit curricula in European format, preferably in PDF format, and to avoid including special categories of personal data not relevant to the job position. The Company reserves the right not to acquire or to delete non-compliant applications.
External providers involved in managing recruitment services are formally appointed as Data Processors pursuant to Article 28 GDPR. Processing takes place at the premises of the Data Controller and authorised Processors and is carried out only by authorised personnel.
Personal data contained in cover letters and curricula vitae are processed solely for recruitment and personnel selection purposes, including employment or internship opportunities. The legal basis for ordinary personal data processing is Article 6(1)(b) GDPR as pre-contractual measures requested by the candidate. Where necessary, processing of special category data occurs pursuant to Article 9(2)(b) GDPR for employment law obligations such as protected category status.
Data may be communicated to Public Authorities where required by law and to legal, tax or administrative consultants where necessary. Curricula are retained for a maximum period of 18 months and then securely deleted unless legal obligations require otherwise.
UPDATE AND REVISION
This Privacy Policy was updated to Revision 5 on February 18, 2026, and may be subject to future revisions, which will be published on this website.