Pursuant to articles 13 and 14 of EU Regulation 2016/679 (GDPR), the following information is provided in order to make you aware of the characteristics and methods of processing your personal data.
a) Identity and contact details of the Data Controller, the Data Processors and the Data Protection Officer
The Data Controller is Estay srl, with headquarters in Cagliari (CA), Piazza Deffenu n. 9, CF and VAT number 03794490924, in the person of its administrators with disjunctive mandate, Messrs. Michelangelo Soru and Nicola Sabiu; owner of the website www.estay.it (hereinafter also just the "Site"); Certified e-mail box (PEC): email@example.com; contact details for tourist reservations: +39 0708006929 or firstname.lastname@example.org ; contact details for property management mandate : +39 0704771414 or email@example.com ; contact details for general information: firstname.lastname@example.org.
The Data Processors, coordinated in various ways by the Data Controller for the achievement of the purposes better indicated in the following paragraph c) are: Italia Me Srl, Progetto Piredda Srl, Simone Contu, Elia Canalis, Davide Concas.
The Data Protection Officer (DPO) designated by Estay srl pursuant to art. 37 GDPR is Mr. Giovanni Molinari; contact details: email@example.com.
b) Type of data object of the treatment
When registering on the site, booking a stay, signing the contracts better described in the following par. c), or the purchase of experiences in the area (through the relative page https://www.escursi.com/estay), different categories of personal data of the User may be collected by Estay and / or third parties (v . infra par. e).
The data that may be collected are the following: name; last name; place and date of birth; company name or company name; contact e-mail and telephone number; fiscal Code; VAT number; residence or domicile address; identity documents (such as identity card or driving license); the photograph of the person of the User; navigation data or data relating to the User's preferences detected during the use of the service or the website by the User; payment information, bank details and / or credit card details; billing address; tax data; data relating to the property covered by the contracts stipulated by Estay such as cadastral, contractual, insurance coverage, energy certification and / or town planning compliance data; as well as the universal unique identification code (UUID); photographs of the property; documentation and information relating to the legal and economic status of the property, such as situations of ownership or co-ownership of real estate rights, mortgage transcripts and registrations; credentials of the Owner referable to access to portals or websites for the exchange of information relating to the leases and / or the relative authorizations (from now on, for the sake of brevity, even only the "Personal Data"). With reference to the sending of the application by the User who wishes to carry out the local management activity in collaboration with Estay, the User's Curriculm Vitae will also be treated.
With regard to information on the collection of data specifically referring only to web browsing and on the deactivation of advertisements based on these internet tools, the user is invited to refer to the specific Cookies Policy available separately on the website www.estay.it .
Information specific to the Estay app:
The Estay app may require the use of the user's location. If explicitly requested by the app, this permission is for the sole purpose of ensuring its proper technical functioning.
User location data is NOT collected by the data controller in any way.
c) Purpose and legal basis of the processing
The data is collected by spontaneous provision of data by the User when he decides to propose his own property for the property management activity or decides to finalize his stay booking, or when he decides to potentially enter part of the Estay network as local manager , in all the aforementioned cases by filling in the appropriate form and confirming his choice.
The data collected in this way are processed by Estay for the following purposes:
1) To reach the stipulation of property management contracts in the real estate sector, in the interest of homeowners located in the Sardinia Region, aimed at the subsequent stipulation of short tourist leases in the forms better indicated in point c2) below, and to execute them subsequently, including the provision of Estay services in the manner indicated in the relative contracts. To pursue these purposes, it is necessary to first identify the User; contact him by telephone or in writing during the execution of the mandate; acquire the data relating to the identification of the property from the cadastral, mortgage, energy profile, as well as its current state; transfer the property data to external On Line Travel Agencies (e.g., Vrbo, Booking.com, Airbnb and Expedia) for the purpose of advertising the property; make payments and receive collections in your interest, manage any issue of tax documents; communicate such data to the counterpart interested in the tourist solution for the purpose of stipulating the contracts better indicated in point c2). The communication of data to be processed for purposes related to the conclusion or execution of the contract or the execution of pre-contractual measures requested by the User is mandatory in order to reach the conclusion of the contract and / or to execute it. The legal basis of this processing is the need to stipulate the contract or to execute it subsequently (see Article 6, paragraph 1, letter b GDPR).
2) To reach the stipulation, in the name and on behalf of the owners of accommodation solutions and therefore, based on the purposes and duration of the stay, of short lease contracts pursuant to Legislative Decree 50/2017 converted with amendments by Law 21 June 2017 n. 96, of lease agreements for exclusively tourist purposes pursuant to art. 1, co. 2, letter c) Law 9 December 1998 n. 43, or transitory lease agreements pursuant to art. 5 L. December 9, 1998 n. 431, or even atypical accommodation contracts for tourist use, in the interest of subjects who intend to stay at the tourist solutions proposed by Estay. To pursue these purposes, it is necessary to identify the User, contact the User for assistance activities during the stay, manage payments and collections based on the mandate received, manage any issue of tax documents; communicate such data to proprietary Users for the purpose of stipulating the aforementioned contracts. The communication of data to be processed for purposes related to the conclusion or execution of the contract or the execution of pre-contractual measures requested by the User is mandatory in order to reach the conclusion of the contract and / or to execute it. The legal basis of this processing is the need to stipulate the contract or to execute it subsequently (see Article 6, paragraph 1, letter b GDPR). Those interested in the stay will be asked to upload a photograph of their person on the website, and for these purposes the legal basis of this treatment is the fulfillment of a legal obligation, with particular reference to the Royal Decree of 18 June 1931, n. 773 (so-called Consolidated Law on Public Safety).
3) To reach the stipulation of service contracts better indicated on the Website under the heading "Experiences" also provided by third parties. To pursue these purposes, it is necessary to identify the User, contact the User for assistance on the requested service, manage payments and collections based on the requested service, manage any issue of tax documents. The legal basis of this processing is the need to stipulate the contract or to execute it subsequently (see Article 6, paragraph 1, letter b GDPR).
4) To reach the stipulation of commercial collaboration contracts with local managers , having as their object the fulfillment of one or more property management deals , within the terms and with the methods indicated in the contracts. To carry out these purposes, it is necessary to identify the User ( local manager ), contact the User, manage payments and collections according to the terms of the commercial collaboration agreement, manage any invoice issuance. The legal basis of this processing is the need to enter into the contract or to execute it (see Article 6, paragraph 1, letter b GDPR).
5) Fulfill legal obligations by communicating to the competent authorities data relating to tenants and lodgers such as: i) sending the data of Users and of the persons they declare to host, to the Public Security authorities, using the Building Transfer Notice form and through the Accommodation Portal of the competent Police Headquarters; ii) sending the data of the Leases to the competent authorities for statistical purposes and / or data census of the territory (in particular, currently the SIRED system); iii) the sending of data relating to contracts stipulated in the form of Short-Term Leases to the Revenue Agency by 30 June of the year following that of the stipulation pursuant to art. 4, co. 4, Legislative Decree 50/17 converted by Law 96/17, as well as the inclusion of the Property in the database set up at the Ministry of Agricultural, Food, Forestry and Tourism Policies pursuant to art. 13 quater of Legislative Decree 34/2019 converted into Law 58/19 for the purpose of assigning the alphanumeric identification code to be used in any communication concerning the promotion of Estay services. The communication of the data to be processed for this purpose is mandatory since it is a matter of compliance with a legal obligation. Failure to communicate the mandatory data will not allow the interested party to proceed with the completion of the procedure and the conclusion or execution of the contract. The legal basis of these treatments is the fulfillment of a legal obligation (see Article 6, paragraph 1, letter c GDPR).
6) Proceed to the profiling and tracking of User preferences in order to increase or improve the functionality and quality of the website. The legal basis of this processing is the legitimate interest of the Data Controller (see Article 6, paragraph 1, letter f GDPR).
7) Send information for commercial and marketing promotion purposes to Users, even after the execution of contracts. These activities will be preceded by obtaining the User's express consent to the processing of their data for these purposes. The legal basis of this processing is the consent of the interested party (see Article 6, paragraph 1, letter a GDPR).
Further information regarding the purposes of the processing by the owner or third parties are provided in the dedicated sections of this information, as well as in the information on the individual services provided by third parties, which you are invited to consult below.
If the Data Controller intends to further process the personal data for a purpose other than that for which they were collected, before such further processing the Data Controller will provide the data subject with information on this different purpose and any further relevant information. Furthermore, the Data Controller will adapt to all the other requirements necessary for the different purpose of the Processing.
d) Processing methods and security measures
The processing is carried out using IT and / or telematic tools, with organizational methods and with logic strictly related to the purposes indicated above. Upon uploading the data by the User, these will be stored in electronic format by Estay on the memory space reserved for itself on the servers provided by the provider Aruba spa, with registered office in Ponte San Pietro (BG), via San Clemente , 53, CF 04552920482 and VAT number 01573850516 at the datacenter kept there and called "Cloud Services Farm2".
The Data Controller adopts the appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of personal data.
e) Transfer of data to third parties
When booking excursions and / or experiences in the area in the relevant "Experiences" section on the Site, the User's personal data - such as name, surname, other data communicated during the booking of the service, e-mail, number of telephone, password, cookies, usage data, VAT number, company name, language - may be disclosed to third parties providing the related services advertised therein. In this case, the owner of the relative treatment is Excursion Srl
The data provided by the Users interested in a stay may be transferred to the owners of the properties upon reporting the activities carried out by Estay as property manager as well as to the Local Managers belonging to the Estay network in order to execute the lease agreement. to any pre-contractual measures. The data provided by the proprietary Users may instead be transferred to the intermediary Italia Me Srl for the purpose of the necessary advertising of the property on online channels (e.g., Vrbo, Booking.com, Airbnb and Expedia) and off-line.
The execution of the property management contract with particular reference to the supply of Estay services , as indicated in the contracts, may also involve the transfer of data to third parties, such as suppliers or trusted technicians of Estay, as provided for in the related contract in order to fulfill the requests for intervention or maintenance by Users during their stay.
The essential elements of the lease agreements referred to in the previous par. c2 may be transferred to third-party public authorities (Agenzia delle Entrate, Regione Sardegna, Prefettura and / or competent Police Headquarters, Municipality of the location of the property) in order to comply with reporting obligations of a fiscal, administrative nature or otherwise required by law.
Furthermore, some User data generated while browsing the Website may be transferred to third parties, even outside the EU to allow them to perform services that this Website makes use of. In this regard, the User is invited to consult the sections of the information dedicated below to the individual services in question.
f) Data retention period or criteria for determining the period
The Data are processed and stored only for the time required by the purposes for which they were collected and therefore:
1) Personal Data collected for purposes related to the execution of a contract between the Owner and the User will be retained until the execution of this contract is completed and in any case up to and not beyond the period required by law for the purposes of keeping the documentation accounting and non-accounting for the exercise of commercial business and therefore for a period of 10 years;
2) the Data collected with the consent of the interested User in order to provide commercial, promotional and marketing information, will be retained for a period not exceeding 12 months from the end of the contractual relationship. In this regard, Estay may consider implicitly confirmed the authorization to process such data if the receipt of communications is not followed by an explicit cancellation request by the User with respect to such Data.
The User is always guaranteed the right to withdraw consent to this treatment. In case of withdrawal of consent, the Data provided by the User for this purpose will be deleted.
g) Data subjects' rights
The User has the right to:
- withdraw consent to processing at any time. If the treatment is based on the consent of the User, he has the right to withdraw the consent at any time without prejudice to the lawfulness of the treatment based on the consent before the revocation;
- oppose the processing of your data when it occurs on a legal basis other than consent. Further details on the right to object are indicated in par. f below;
- access their data or obtain information on the data processed by the owner, on certain aspects of the processing and receive a copy of the data processed.
- verify the correctness of their data and request their rectification, updating or correction at any time;
- obtain the limitation of the processing, if the conditions referred to in art. 18 GDPR, upon which the Data Controller will not process the data for any other purpose than their conservation;
- obtain the cancellation or removal of their Personal Data, recurring the conditions referred to in art. 17 GDPR;
- receive your data or have it transferred to another owner (right to data portability). The User has the right to receive his / her Data in a structured format, commonly used and readable by an automatic device and, where technically feasible, to obtain the transfer without obstacles to another owner. This provision is applicable when the data is processed with automated tools and the processing is based on the User's consent, on a contract to which the User is a party or on contractual measures connected to it;
- propose a complaint. The User can lodge a complaint with the competent personal data protection supervisory authority or take legal action.
h) Details on the right to object
The User has the right to object to the processing of their personal data, for reasons connected to their particular situation, where the processing is based on the need to perform a task of public interest or connected to the exercise of public authority of which the Data Controller is invested, or where the processing is based on the public interest of the owner or third parties. The User also has the right to oppose the profiling carried out on the conditions indicated above.
Furthermore, if personal data are processed for direct marketing purposes, the User has the right to object to such processing at any time, including the profiling carried out for these purposes.
Following the User's opposition to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
Furthermore, the User has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person in a similar way. Certain exceptions are reserved, such as the decision necessary for the conclusion or execution of a contract between the User and a Data Controller and the decision based on the explicit consent of the interested party.
i) Details on the right of access
Users have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them is being processed. Furthermore, where such processing is in progress, Users have the right to obtain access to their personal data and the following information:
- purpose of the processing (s);
- categories of personal data processed;
- recipients or categories of recipients to whom the personal data have been or will be disclosed;
- data retention period or criteria for determining this period;
- existence of the User's right to request the rectification or cancellation of personal data, or the limitation of the processing of personal data concerning him;
- right to object to processing (where the right to object is provided);
- right to portability.
The Data Controller is required to respond within one month from the date of receipt of the request, a term that can be extended up to three months in the case of particular complexity of the request.
l) Details on the right to lodge a complaint
The User has the right to lodge a complaint with the supervisory authority and can contact: firstname.lastname@example.org.
For more information on the right to lodge a complaint, please consult the institutional website of the Privacy Guarantor: www.garanteprivacy.it .