PURSUANT TO ART. 13 OF THE “PERSONAL DATA PROTECTION CODE” (“Privacy Policy”).

Dear Guest,

here below we provide you with the information regarding the processing of your personal data and  their free circulation which will be carried out by IL RASTRELLO SRL with headquarters in VIA ANTONIO GROSSI 10, 06064 PANICALE (PG), C.F. and VAT number 03623100546 (hereinafter  simply the “Rastrello”), in relation to the services offered by the same and this in the application of  the provisions of art. 13 of the “Italian code regarding the protection of personal data” introduced  by Legislative Decree 30/6/2003 No. 196 (repeal of law 675/96) and subsequent additions.

Rastrello in its capacity as Data Controller of personal data has the obligation to provide you with  all the information relating to the purpose and method of processing your personal data, the  indication of the subjects to whom your data could be communicated, and all the rights that the law recognizes in relation to the management of personal data by the Data Controller. Therefore, we invite you to take note of the information contained therein and express your  consent to the processing by signing this information.

A- Holders of the treatment

Independent owner of the processing of personal data communicated by you at the Il Rastrello  facility and during your stay at the same is: IL RASTRELLO SRL.

B- Categories of personal data and Source of personal data.

The personal data held by IL RASTRELLO accommodation facility are collected directly from customers and are treated in compliance with current legislation. After the entry into force of the Gasparri Decree and the new rules on anti-terrorism (ART.7 DL 27.7.2005, N.144 converted into Law 31.7.2005, n.155 and subsequent amendments), the accommodation operators are obliged to  identify their Guests. In particular, the personal data that the Company collects are name,  surname, residence/domicile, copy of identity document, email, landline and/or mobile phone  number, tax code and/or VAT number, room type, any third parties and/or children, even minors,  with whom the stay will be shared (hereinafter the “Data”).

The processing of the aforementioned Data by the Data Controller could also concern – subject to  your express consent – data relating to your health (e.g. physical handicap, for which a particular  type of room is requested when booking). In these hypotheses, we guarantee that the processing  will take place limited to the data and operations essential to fulfill the obligations, including pre contractual ones, relating to the provision of the Services, within the limits of the services and  services requested by you during the booking phase or during the stay at our facility.

C. Purpose and legal basis of the processing

The data will be processed in strict compliance with the provisions of the law, according to the  principles of lawfulness and correctness and in compliance with the right to privacy. The Data will be processed for the correct fulfillment of contractual and/or legal obligations in order  to implement the Services offered by our Hotel. Furthermore, your Data will be processed to fulfill  the obligation set forth in the “Consolidated text of public safety laws” (article 109 of Royal Decree  18.6.1931 n. 773) which requires the personal details of the residents to be communicated to the  Police Headquarters (Questura) for public safety purposes according to the methods established  by the Ministry of the Interior. The data acquired for this purpose will not be stored at the  accommodation facility, unless the resident provides specific authorization.

The provision of data for the purposes highlighted above is necessary for the provision of hotel  services and to fulfill public safety purposes. In this regard, there is an obligation to provide such  Data for the achievement of the aforementioned purpose; their missing, partial or incorrect  conferment could have as a consequence the impossibility of providing the Services requested by  you and therefore the impossibility of hosting you at our accommodation facility.

Video surveillance solely on-premises of VIA ANTONIO GROSSI 10, 06064 PANICALE -PG ITALY: for the purpose of protecting people, property, and corporate assets through a video  surveillance system of some areas of the structure. The processing falls within the scope of  legitimate interest in the protection of people and property with respect to acts of vandalism,

Mod.05 Privacy – Rev.02 – June 2019 thefts, robberies, assaults, damages and for fire prevention  and occupational safety purposes by part of the Company art. 6 paragraph 1 lett. f EU Reg.  679/2016 for which your consent is not required. The recorded images are deleted after 24 hours,  except for holidays or other cases of closure of the business and in any case no later than 7 days  as required by law. They are not communicated to third parties except in the case in which it is  necessary to adhere to a specific investigative request from the judicial authority or judicial police.

D. Methods of Treatment

The processing of personal data will take place using paper, IT or telematic tools and with  adequate security measures to guarantee the security and confidentiality of your personal data.  The data will be processed by personnel and collaborators of the Company and/or by external  subjects duly designated contractually as managers and persons in charge of processing.

E. Data communication

Personal data may be transferred and processed by other subjects, in their capacity as authorized,  responsible or independent data controllers; they will also be accessible – for the same purposes  for which the collection is made – to data processors belonging, by way of example, to the  following categories: appointees, data processors, accounting consultants, legal consultants,  banks, insurance companies, the Rastrello infrastructure, internet and e-mail service supply  companies, police forces, etc.

The Data will in no case be subject to public dissemination. For the performance of most of its  hospitality business il Rastrello can turn to external companies for carrying out the work necessary  for the execution of all or some orders received from customers for specific needs. This also  applies to the performance of services specific to the activity (e.g. breakfast), delegating them to  external structures. Or finally for the management of payment services, credit cards, credit  recovery, as well as fraud control and risk detection.

F. Transfer of Personal Data

The data may be transferred to countries of the European Union and to third countries with respect  to the European Union if this proves necessary to be able to fulfill the obligations assumed or to  achieve the purposes of the processing.

G. Storage Period

The Data collected and processed by the Data Controller to implement the Hotel Services may be  kept for the period of limitation established by the applicable regulatory provisions, including fiscal  ones.

H. Contact details

You can contact Rastrello to assert the rights listed above by writing to the e-mail address  info@rastrello.com and/or by sending a communication to the address VIA ANTONIO GROSSI 10,  06064 PANICALE -PG- ITALY.

What are your rights? You will be able to: (I) obtain confirmation of the existence or not of personal  data concerning you; (II) know the purposes of the processing and the methods, the recipients of  such data, and the retention period; (III) obtain the rectification or cancellation, and where  applicable, the limitation of the treatment; (IV) object to the treatment; (V) where applicable,

receive, in a structured format, commonly used and readable by an automatic device, the personal  data concerning you

provided to the Hotel and transmit such data to another data controller without impediments. The  interested party can exercise his rights by contacting the Data Controller directly. If the interested  party believes that the rights he enjoys on the basis of the Privacy legislation have been violated,  he can lodge a complaint with the Privacy Guarantor – www.garanteprivacy.it.

I – Sensitive data

It may also happen that, in relation to specific operations or products and services requested by  the customer, the Hotel comes into possession of data that the law defines as “sensitive”. In fact,  they could infer from them whether the customer belongs to associations, confessions, political  parties, or information on the state of health.

L – Activities for which it is NOT possible to refuse consent

Personal data is processed as part of the normal accommodation business and for  various purposes. Those mandatory strictly connected data and instrumental to the management  of customer relations. Three of these are the acquisition of information preliminary to the  conclusion of a contract, execution of operations on the basis of the obligations deriving from the  contract concluded with customers, debt collection, etc.). Both those mandatory by laws,  regulations and community regulations (anti-terrorism laws, anti-money laundering laws, etc.) or  instructions given by authorities legitimated by the law and by supervisory and control bodies.

M – Activities you can opt out of

Of a different nature are those functional to the accommodation business for which the interested  party instead has the right to refuse consent. The detection of the degree of customer satisfaction  on the quality of the services rendered and on the activity carried out by the accommodation  facility. This can take place directly or through specialized companies with personal or telephone  interviews, questionnaires, etc. These include the promotion and sale of products and services,  including those of third-party companies, carried out through letters, telephone, advertising  material, automated communication systems, internet, and e-mail.

N – Cases in which consent is not necessary and cases in which consent can be denied Pursuant to and for the purposes of art. 24 of Legislative Decree. 196/2003, the consent of the  interested party is not necessary when the data is processed to fulfill an obligation established by  law, a regulation or by community legislation. It is not necessary to fulfill obligations deriving from  a contract to which the interested party is a party or to fulfill specific requests from the interested

party before the conclusion of the contract. It is also not necessary when it concerns data from  public registers, lists, deeds or documents that can be known by anyone, without prejudice to the  limits and methods that the laws, regulations or community legislation establish for the knowledge  and publicity of the data. Furthermore, it is not necessary when it concerns data relating to the  performance of economic activities, processed in compliance with current legislation on corporate  and industrial secrecy. Necessary for communications within the landlord for administrative and  accounting purposes.

Il Rastrello accommodation facility needs to control itself and the quality of its services as well as to  expand its product offering. To this end, it could communicate data relating to its customers to  companies that offer this type of service, so that they can verify with the customers themselves  whether the structure has met their needs and expectations or if there is a potential demand for  other products or services.

However, each Guest has the right to refuse consent for these types of communication and for  related treatments. He can do so by ticking the appropriate boxes on the form, which can be  downloaded at the bottom of this statement. The same faculty can be exercised for the  communication of data to primary external companies, in order to allow them to offer them  products.

‍