HOTEL VILLA ROSA S.R.L.  as Controller, informs the data subjects as required pursuant to articles 13-14 EU Regulation 2016/679 (hereinafter GDPR) that personal data will be processed with the modalities and for the purposes indicated below.


  • Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (article 4 GDPR).
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. 
  • Controller determines the purposes and means of the processing of personal data.
  • Processor processes personal data on behalf of the controller.


Purposes of the processing, legal basis, data sources

The Controller processes the personal data communicated to him during the exercise of his activity as described in the Companies Register (R.I., CCIAA). Therefore, the data are communicated for the conclusion of contracts (written or oral), for the execution of what was agreed. Data are communicated by the customer also potential, which can be a company, these data may concern the legal representatives (or other operators) of the same our client.

The updating, verification and use of personal data can also take place by means of public registers in charge of this, for example for members of a company with access to the public registers in which the client company is registered(e.g. Companies Register at the Chamber of Commerce – CCIAA, INI-PEC).

Personal data are processed for these following purposes:

  • Perform the agreed activity (pre-contractual measures or contract that can be written or oral, for example data processing to fulfil pre-contractual needs, hotel or restaurant activities necessary for responding to requests, c.d. contractual and pre-contractual purpose).
  • Pursue a legitimate interest: The Controller is entitled to effectively carry out his business, within the limits of the reasonably expected, such as sending communications, responding to requests received or establishment, exercise or defence of legal claims. It is possible that the personal data are legitimately and freely communicated to the Controller without prior request. In this case, the data is received by the Controller in the context of its general activities and treated for legitimate interest if the request is legitimate (c.d. purpose of legitimate interest). The data sent by the data subject are treated lawfully also for his consent.
    The Data Controller specifies that the person who communicates the data must be able to communicate them, It should be noted that data cannot be sent to the Data Controller if it happens in violation of the law. Minors must not communicate information to the Data Controller. By law, minors under the age of 14 cannot even express consent to the processing of their personal data in relation to the direct offer of information society services.
  • Fulfil a legal obligation (for example, compliance with tax obligations).
  • Only with the specific and distinct consent of the data subject to receive advertising communications from the Controller for other products and services (so-called indirect marketing purpose).


Categories of personal data

For the purposes mentioned above, the Controller processes ordinary personal data (Controller not process sensitive data). Ordinary data are, for example, identification data and contact details (name, surname, fiscal code, address, telephone number, e-mail and other contact data). For the purposes mentioned above, the Controller processes ordinary personal data (Controller not process sensitive data). Ordinary data are, for example, identification data and contact details (name, surname, fiscal code, address, telephone number, e-mail and other contact data). With the booking for specific services is possible to receive information about specific needs related for example to allergy or medical condition, this information concerning health is used to give adequate service only, in this case, the request related to the service is covered by explicit consent.


Categories of recipients

Without prejudice to the communications made in compliance with legal and contractual obligations, all the data collected and processed may be communicated exclusively for the purposes specified above to external companies or professional offices that provide assistance for the exercise of rights and compliance of legal obligations related with the business activity of the Controller (e.g. accountants, lawyers, specialized consultants); credit institutions, public administrations for institutional functions in compliance with the limits established by law or regulations (e.g. Italian Revenue Agency, Police Headquarters, Ministry of the interior, Territorial Authorities).

Data recipients may also be IT companies or IT operators that provide IT services or IT assistance services (e.g. cloud storage services, hosting services and data traffic managers), subjects in charge of communication activities (e.g. Social Media Manager). For the purposes described above, personal data are known to those who work as authorized persons by the Controller, such subjects help the Controller to carry out his activities efficiently (e.g. collaborators, employees or subjects with similar functions and corporate bodies, including the board of auditors, exercising their functions.). The subjects belonging to the categories listed above operate, in some cases, as controllers. More details can be obtained by contacting the Controller.


Storage life

The personal data will be processed during the period necessary to establish and manage the existing business relationship. The data will be conserved for the time established by law or for the time potentially necessary for the protection of the rights deriving from the relationship, always in compliance with the reference standards. The storage period therefore generally corresponds to 10 years. The data will be used by the Controller for sending advertising information (marketing activities) until consent is revoked.



Personal data will be processed using instruments that guarantee security and confidentiality in accordance with the provisions of the article 32 GDPR.


Data transfer

Personal data transfer outside the EU is regulated by specific contracts that impose upon recipient the respect of the adequate guarantees in compliance with the current legislation on Privacy, or to subjects who enjoy a decision of adequacy (article 44 et seq. GDPR); a copy of the adequate guarantees will be obtained, in the case of transfer, contacting the Controller.


Possible consequences of failure to provide the data

For the Controller will be impossible comply with the requests received and his legal obligations in case of failure to provide the data requested for contractual and pre-contractual purposes. The Controller cannot use personal data for the marketing purposes described above in the absence of the data subject’s explicit consent. No consequences are expected for failure to provide data necessary for the purposes of the legitimate interest described above.


Cookie policy

Cookies are small text files that through a web page and through the browser are stored on the hard drive of the computer to store small amounts of information on the page for a limited period of time. There are different types of cookies.

The computer systems and software procedures used to operate this Site acquire, during their normal operation, some Personal Data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified interested parties, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the Site, the URI (Uniform Resource Identifier) ​​addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user's IT environment.


The cookies used on this site fall into the categories described below:

  1. Technical cookies (essential/essenziali)
    Technical cookies (called essential in the banner) do not require the consent of the visitor and are installed automatically following access to the site.
    These are cookies that are used to browse and provide a service requested by the user. They are not used for other purposes.
    Without the use of these cookies, some operations could not be performed or would be more complex or less secure.
    We use technical cookies that allow the site to function properly and keep it safe.
  2. Analytical cookies (analytics / functional-funzionali cookies)
    Analytical cookies (called functional banners) collect information, for example, on the number of visitors to the website and on the path of visitors to reach the site.
    Analytical cookies are assimilated to technical cookies when:
    2.a) Using for site optimization purposes directly by the site owner, who collects statistical information in aggregate form on the number of users and how they visit the site;
    2.b) Processing of these statistical analyzes is entrusted to third parties, the user data is minimized in advance and cannot be combined with other processing or transmitted to other third parties.

    This website uses Google Analytics (third-party analytical cookies), a web analysis service provided by Google Inc. (Google). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie on the use of the website will be transmitted and stored on Google's servers in the United States. Google will use this information for the purpose of examining the use of the website, compiling reports on website activity for its operators, and providing other services relating to website activity and internet. The Google services are configured as shown in the privacy settings. Google ensures that it transfers the information collected only where this is required by law or to persons in charge of processing the aforementioned information on behalf of Google. Google will not associate your IP address with any other data held by Google. You can refuse to use cookies by selecting the appropriate setting on your browser or by visiting the Google page dedicated to the deactivation functions currently available or by off setting it (x) in the management of cookies on this website, in doing so some features relating to this website will be deactivated. For more information: and

  3. Profiling cookies (profiling cookies / marketing)

    Profiling cookies (called in the marketing banner) record user preferences and actions. Based on this information, a user profile is created. This serves to combine the advertisements with the interests of the user and thus enables more targeted advertising for specific target groups. In many cases the site manager uses third-party cookies to deliver personalized advertising.


    Third Party Cookies: technical, analytical and profiling
    Through this site, cookies managed by third parties can also be installed where necessary for the provision of specific functions.
    For more information on third-party cookies, you can visit the website


Learn more on Google (third party)

The transfer of data carried out by Google outside the European Union is based on the standard contractual clauses (SCC) pursuant to art. 46, p.2 c, GDPR or in any case by means of transfers in compliance with the laws in force (Article 44 et seq. GDPR). Specifically: “Google relies on Standard Contractual Clauses (SCCs) for transfers of online advertising and measurement personal data out of Europe. For those services where Google acts as a processor, the Google Ads Data Processing Terms include, as necessary for the relevant data transfers, both the relevant SCCs issued by the European Commission (to help legitimise data transfers under the GDPR) and UK SCCs (to help legitimise data transfers under the GDPR as incorporated into UK law)". In any case, Google has pledged to always act with "a legal basis for the transfer of data in accordance with applicable data protection laws".


Consent for cookies

Visitors to the website have the right to withdraw their consent given at any time. Non-essential or similar cookies for the functioning of the website do not require consent. Functional cookies similar to essential cookies can be deactivated at any time by the user.

This website uses a technology called Consent Management Platform (CMP) to administer this right. When this website is accessed, a banner appears informing the user about the use of cookies, offering various consent options (accept all cookies, individual cookie categories or each individual cookie separately) and providing detailed information on the different types. The CMP stores the user's choices and applies them to the next visit to the website.


Ways to avoid the installation of cookies directly through the browser


  1. Click on the menu and then on Settings.
  2. Select the Privacy panel.
  3. In the History section, select Use custom settings.
  4. In the options that appear now, remove the check mark "Accept Cookies"
  5. Click OK.

For more detailed information, see:

Google Chrome

  1. Click on the menu and then on Settings.
  2. At the bottom, click Show advanced settings.
  3. In the Privacy section, click on Content settings.
  4. In the Cookies section, select Cookie and web sites data storage.
  5. Click Done.

For more detailed information, see:

Internet Explorer

  • Select the Extras menu and from here the Internet Options. If the toolbar is not displayed, go to the menu symbol and select Internet Options.
  • Select the Privacy panel.
  • Thanks to the slider, you can select different ways of processing cookies. If the device is at the top, all cookies are disabled, while if it is at the bottom, all cookies are enabled.
  • Click OK.

For more detailed information, see:


  • In the settings section, select Privacy.
  • Under Accept Cookies, you can define if and how Safari should store website cookies. For more information, click on the help panel, represented with a question mark.

For more detailed information, see:


Storing of cookies will not exceed 14 months. Without prejudice to any longer storage, in compliance with legal provisions, for specific needs, such as that of ascertaining the responsibility for computer crimes against the website or third parties.


Right of the data subject

The Controller recognizes to the data subject all his rights and faculties. With particular reference to art. 15 to 21 GDPR, the following rights are highlighted:

  • Right of access by the data subject, article 15, GDPR: the right to obtain confirmation as to whether or not personal data are being processed, and, where that is the case, access to the personal data and obtain a copy.
  • Right to rectification, article 16, GDPR: the right to obtain from the controller without undue delay the rectification of inaccurate personal data and the right to have incomplete personal data completed.
  • Right to erasure (‘right to be forgotten’), article 17 GDPR: the right to obtain from the controller the erasure of personal data without undue delay and the controller have the obligation to erase personal data without undue delay where one of the regulation grounds applies.
  • Right to restriction of processing, article 18 GDPR: the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing for legitimate interest and pending the verification whether the legitimate grounds of the controller override those of the data subject.
  •  Right to data portability, article 20 GDPR: the right to receive the personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means; the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  • Right to object, article 21 GDPR:  the right to object at any time to processing of personal data which is based on legitimate interest, including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  • Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to lodge a complaint to the supervisory authority (Garante per la protezione dei dati personali with office in Piazza di Montecitorio n. 121, 00186, Roma). For further details please visit website.


Recommended method                                                                                                       

The data subject may at any time to exercise his rights contacting the data controller, to be secure that the request will be received the Controller suggests to use the follows methods:

  • a registered letter with return receipt to HOTEL VILLA ROSA S.R.L.  Lungolago Cesare Battisti n. 89, cap 25015, Desenzano Del Garda (Bs)
  • or a written notice sent by certified email (PEC) to


All contact information

The Data Controller is HOTEL VILLA ROSA S.R.L., company register at the Brescia Chamber of Commerce, Italian VAT number, tax code and registration number: 03741690238, registered capital of € 15,000.00 with registered office in Lungolago Cesare Battisti n. 89, cap 25015, Desenzano Del Garda (Bs tel. +39 030 9141974, e-mail, pec


Contact details of the data protection officer (DPO)

The Controller has designated adv. Valentina Remonato his DPO, reachable at the following addresses: e-mail, tel. +39 338 8785457.

Mehr lesen
Rose & Sapori Restaurant
Lungolago C. Battisti, 89
25015 Desenzano del Garda (BS) // Italien
MwSt.-Nr.: IT03741690238
T +39 030 9144585 //