Privacy policy

Tenants

INFORMATION REGARDING THE PROCESSING OF DRIVERS' PERSONAL DATA PURSUANT TO ARTICLES 13 AND 14 OF EU REGULATION 2016/679 (GDPR)

With this information, pursuant to the provisions of art. 13 of EU Regulation no. 2016/679 (also called “GDPR”), we wish to inform you regarding the processing of your personal data acquired and processed for contractual and accounting purposes.

1. DATA CONTROLLER

The data controller is Estay s.r.l. with registered office in P.za Deffenu n. 9, 09125 – Cagliari (CA), in the person of its legal representative pro tempore. For any need relating to personal data, the Data Controller may be contacted via ordinary or registered mail delivered to the registered office indicated above, or via e-mail to the address amministrazione@estay.it, or via PEC at estaysrl@pec.net.

The Personal Data Protection Officer (RPD or DPO) is Mr. Giovanni Molinari, who can be contacted via e-mail at dpo@estay.it.

2. CATEGORIES OF PERSONAL DATA SUBJECT TO THE PROCESSING

The Data Controller processes the following categories of personal data relating to the interested party, provided or acquired during the negotiation, stipulation and/or execution of the contractual relationship, or otherwise transmitted to Estay from the local manager contacted by the same interested party or by Estima s.r.l. (see par. 6):

  • Personal identification data: name, surname, tax code;
  • Contact and delivery data: e-mail address, telephone number, domicile or different delivery address;
  • Reservation number and QR code assigned;
  • Any data relating to the payment of the fee;
  • Bank and/or credit card details, for the management of any security deposits, guarantees and payments;
  • Data relating to the degree of satisfaction with the quality of the services provided, statistical data relating to the stays enjoyed and the subject of the contracts stipulated by the tenants.

3. PURPOSE OF THE PROCESSING AND LEGAL BASIS

Personal data is processed for the following purposes:

  1. Stipulation and execution of the rental contract, the service contract (where applicable) and any pre-contractual measures at the request of the interested party, as well as the offer of the city pass service via a specific application for smartphones and IT devices in general;
  2. Determination and payment of the rental fee and the fee for Estay services, where applicable;
  3. Fulfillment of legal, contractual (including collective agreements), administrative, fiscal and insurance obligations related to the contract, including the keeping of accounting records;
  4. Maintaining necessary correspondence and communications;
  5. Marketing activities and sending of promotional material, with automated contact methods (email, SMS, instant messaging, social networks, apps, automated calling systems without the intervention of an operator, etc.) and/or traditional methods (phone calls with operator and paper mail);
  6. Verification of the degree of satisfaction with the quality of the services provided, studies and statistical and market research, directly or through specialized companies, through interviews or other means of detection.

The legal basis of the processing indicated above is the stipulation and execution of the contract or any pre-contractual measures requested by the interested party, except as specified below.

The legal basis of processing relating to obligations expressly provided for by law is the fulfillment of a legal obligation.

The legal basis of the processing relating to marketing activities and sending promotional material is the legitimate interest of the Data Controller.

The legal basis of the processing relating to satisfaction verification activities and statistical and market surveys is the consent of the interested party.

The provision of data for the purposes indicated above is instrumental, necessary and mandatory for the purposes of fulfilling legal and contractual obligations and also for the administrative, fiscal and accounting management of the contractual relationship, and therefore any failure to provide such data entails the objective impossibility of establishing, continuing or executing the relationship, or of correctly carrying out all the obligations connected to the relationship.

4. TREATMENT METHODS

The processing of personal data will take place in full compliance with the principles of confidentiality, correctness, necessity, relevance, lawfulness and transparency provided for by the GDPR. The processing and storage of personal data will be carried out using both paper and electronic tools, in compliance with current regulatory provisions. Suitable security measures will be observed to prevent the loss of personal data, illicit or incorrect use of the same or unauthorized access. The data will be processed exclusively by personnel authorized by the data controller who will be given specific instructions on the methods and purposes of the processing.

5. DATA CONSERVATION PERIOD AND CRITERIA

The duration of the processing inherent to the contractual relationship, services and pre-contractual measures will correspond to that of the relationships themselves; the same applies to the processing necessary for the purposes of legal obligations. The data will be kept until the execution of the contract and compliance with legal obligations are completed, in any case up to and no later than the maximum term of 10 years from the end of the contractual relationship, as required by law for the purposes of conserving accounting and non-accounting documents for the exercise of commercial business activities and in compliance with the ordinary limitation period (art. 2220 and art. 2946 of the Civil Code).

For marketing purposes and sending promotional material, the duration of processing and the data retention period will be equal to 12 months from the end of the contractual relationship, or until any opposition from the interested party at an earlier time.

For the purposes of verifying the degree of satisfaction with the quality of the services provided, carrying out studies and statistical and market research, the duration of processing and the data retention period will be equal to 12 months from data collection, or until any revocation of consent by the interested party at an earlier time.

This is without prejudice to extensions of the aforementioned deadlines due to the management of any disputes, as well as any derogation possibly provided for by Italian or Euro-Community regulations.

6. DATA COMMUNICATION

In addition to any communications required by law or by administrative or judicial authorities, all data collected and processed may be communicated to the following subjects, where necessary appointed as external managers of the processing delegated to them, by appointment and instructions provided in writing pursuant to art. 28, par. 3, GDPR:

  • Accountants and business consultants; real estate intermediaries; companies that provide maintenance or assistance on platforms and applications and/or consultants, even in associated form, for the processing of fees; specialists in information systems and company electronic devices, as well as their possible collaborators; providers of business and management software, as well as providers of communication services such as email;
  • Collaborators or subjects that Estay uses, including the so-called local managers, to fulfill their contractual obligations.

In particular, all personal data may be communicated to the associated company Estima s.r.l., with registered office in Viale Trieste n. 40, 09123 – Cagliari (CA), contactable on tel. +393499720364 / email address immobiliare@estima.re.it, which may be entrusted with the processing for the purposes referred to in par. 3 with reference to the stipulation and execution of rental contracts and the fulfillment of the related legal obligations. The transfer and authorization to Estima s.r.l. to carry out such processing will be made known to the interested party in the event of effective implementation.

6.1. Data transfers to third countries

The Data Controller does not foresee transfers of personal data outside the European Economic Area. However, the data processed through the software and service providers listed below may transit through servers located outside the EEA.

Below are the links to which this Data Controller refers for consultation of the measures adopted by suppliers to adapt the protection of personal data to the standards required by the GDPR.

- Microsoft Corporation, with reference to servers located in the United States of America:

https://privacy.microsoft.com/it-it/privacystatement; https://privacy.microsoft.com/it-IT/; https://www.microsoft.com/it-it/trust-center/privacy?rtc=1; https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWRql1?culture=it-it&country=IT (see attachment: Compliance with EU transfer requirements for personal data in the Microsoft Cloud).

- Google Ireland Limited, with reference to the email service Gmail, equipped with servers located all over the world:

https://policies.google.com/privacy#inforetaining; https://policies.google.com/privacy/frameworks.

In this regard, it is noted that both Microsoft Corporation and Google Ireland Limited adhere to the Data Privacy Framework developed by the United States of America and the European Commission and declared adequate by the latter on 10 July 2023.

7. RIGHTS OF THE INTERESTED PARTY

At any time the interested party can exercise, pursuant to articles 15 et seq. of the GDPR 2016/679, the right to:

  • Access (art. 15 EU Regulation no. 2016/679);
  • Correction (art. 16 EU Regulation no. 2016/679);
  • Cancellation (art. 17 EU Regulation no. 2016/679);
  • Limitation (art. 18 EU Regulation no. 2016/679);
  • Portability (art. 20 EU Regulation no. 2016/679);
  • Opposition to processing (art. 21 EU Regulation no. 2016/679);
  • Revocation of consent to processing, if based on this legal basis, without prejudice to the lawfulness of the processing based on the consent acquired before the revocation (art. 7, par. 3 EU Regulation no. 2016/679);
  • Submit a complaint to the Guarantor Authority for the Protection of Personal Data and/or appeal to the competent Judicial Authority (articles 77 and 78 of EU Regulation no. 2016/679).

7.1 Details on the right to access data

The interested party has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed. Furthermore, where such processing is underway, the interested party has the right to obtain access to their personal data and the following information: purpose of the processing(s); categories of personal data processed; recipients or categories of recipients to whom the personal data have been or will be communicated; data retention period or criteria for determining this period; existence of the interested party's right to request rectification or deletion of personal data, or limitation of the processing of personal data concerning him/her; right to object to processing (where the right to object is provided for); right to portability.

The Data Controller is required to respond within one month from the date of receipt of the request, a period which can be extended up to three months in the case of particular complexity of the request.

7.2 Details of the right to complain

The interested party has the right to lodge a complaint with the Supervisory Authority. For further information on the right to lodge a complaint, please consult the institutional website of the Privacy Guarantor: www.garanteprivacy.it.

To exercise his rights and for any need relating to the processing that concerns him, the interested party can contact the Data Controller and the DPO by contacting them at the addresses indicated in par. 1.