WorldHotel Casati 18, INC. Privacy Policy

PRIVACY & COOKIE POLICY

This page describes the procedures for managing the website with regard to the processing of personal data of users who consult it. This information is also provided in accordance with Article 13 of EU Regulation 2016/679 – General Data Protection Regulation (GDPR) to those who interact with the Worldhotel Casati 18 web services, accessible via the address https://worldhotelcasati18.com. This information is provided only for this website and not for other websites that may be accessed by the user through links for which the Data Controller is not responsible.

1. DATA CONTROLLER The data controller is the company Casati s.r.l. – Worldhotel Casati 18, with registered office at Via Felice Casati, 18 – 20124 Milan, Tel. +39 02 29404208, email info@worldhotelcasati18.com.

2. DATA PROCESSORS In the context of the data processing activities, external subjects formally designated as Data Processors under Article 28 of EU Regulation 2016/679 may be involved. In particular, the Data Controller has identified the company Best Western Italia S.c.p.a. – Via Livraghi, 1/b – 20126 Milan as the Data Processor for managing reservations through the platform integrated into the institutional website. The complete list can be requested from the Data Controller.

3. DATA PROCESSING LOCATION The processing related to the web services of this site takes place at the Company’s headquarters, as well as at the Data Processors identified under Article 28 of the GDPR. In any case, data processing will be carried out only by adequately qualified technical personnel authorized to process it. No data derived from the web service is communicated or disseminated. By using their social profiles from the “Social Wall” section of the site or by sharing the respective hashtag (“#”), user data may be processed by companies located outside the European Union. Therefore, users are advised to verify their respective privacy policies.

4. TYPES OF DATA PROCESSED

• Navigation data The computer systems and software procedures used to operate this website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified individuals, but by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters related to the user’s operating system and computer environment. This data is used only for the purpose of obtaining anonymous statistical information about the use of the site and to ensure its correct functioning, and is deleted immediately after processing. The data may be used to ascertain responsibility in case of hypothetical computer crimes against the site: except for this possibility, web contact data does not persist for more than thirty days.

• Data provided voluntarily by the user Personal data directly and voluntarily communicated by the web user, such as through the completion of forms in the “contact us,” “meeting,” and “where we are” sections, including names, email addresses, and telephone numbers, are acquired directly by the Data Controller in order to respond to user requests. Users are advised not to enter special categories of personal data in free text fields, such as health-related data.

• COOKIE SECTION –

This SECTION highlights the cookie policies implemented by the company CASATI S.R.L., as the Data Controller, for users who visit the website and, more generally, for data subjects who interact with it in various ways. This cookie policy, provided in accordance with Articles 13 and 14 of GDPR, is updated and compliant with the “Guidelines on cookies and other tracking tools” of the Italian Data Protection Authority dated June 10, 2021. Article 30 of GDPR explicitly states that “natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as Internet Protocol addresses, cookie identifiers or other identifiers, such as radio frequency identification tags. These identifiers may leave traces that, in particular, when combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons and identify them.” a. What are cookies? As known, cookies are generally text strings that websites (so-called Publishers, or “first parties”) visited by the user or different websites or web servers (so-called “third parties”) place and store – directly, in the case of publishers, or indirectly, through them, in the case of “third parties” – within a terminal device available to the user.

The terminals referred to may include, for example, a computer, a tablet, a smartphone, or any other device capable of storing information. Today and even more so in the future, this also includes IoT (Internet of Things) devices, which are designed to connect to the network and to each other to provide various services, not necessarily limited to mere communication. Internet browsing software and the operation of these devices, such as browsers, can store cookies and then transmit them back to the sites that generated them when the same user revisits the site, thus keeping a record of their previous interaction with one or more websites. The information encoded in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address, but can also contain non-personal data, such as language settings or information about the type of device a person is using to browse the site. Cookies can, therefore, serve important and diverse functions, including session tracking, storing information about specific configurations regarding users accessing the server, facilitating the use of online content, etc. They can, for example, be used to keep track of items in an online shopping cart or information used to fill out an online form. While cookies can enable faster loading of web pages and route information over a network, they can also be used for behavioral advertising and to measure the effectiveness of advertising messages, adjusting the type and mode of services provided based on user behavior observed earlier. b. Other tracking tools The same result can also be achieved through the use of other tools (all of which can be distinguished between so-called “active identifiers” like cookies and “passive” identifiers, the latter involving mere observation) that allow similar processing to the above. Passive tools include fingerprinting, a technique that identifies the device used by the user by collecting all or some of the information related to the specific device configuration adopted by the data subject. This technique can be used to achieve the same profiling purposes, including personalized behavioral advertising and the analysis and monitoring of the behavior of website visitors, or to tailor the type and mode of services provided based on observed user behavior. c. Classification of cookies and other tracking tools Cookies and, to a large extent, other tracking tools can have different characteristics in terms of duration (session or permanent) or subjectively (whether the publisher acts autonomously or on behalf of a “third party”). However, the classification that responds to the rationale of legal provisions and thus also to the protection needs of individuals is based on two main categories:

• Technical cookies, used solely for “carrying out the transmission of a communication over an electronic communications network, or as strictly necessary as required by an information society service provider explicitly requested by the contracting party or user to provide that service” (cf. Article 122(1) of the Code);
• Profiling cookies, used to attribute certain recurring actions or behavioral patterns in the use of offered functionalities (patterns) to specific identified or identifiable subjects, for the purpose of grouping different profiles within homogeneous clusters of varying sizes, enabling the data controller, among other things, to customize service delivery beyond what is strictly necessary for service provision, as well as to send targeted advertising messages, in line with the preferences expressed by the user during internet browsing. Similarly, other identifiers can be categorized according to different criteria, but the main criterion remains the purpose for which they are used: technical or non-technical, the latter being broadly understood, as the current legal provisions, discussed below, aimed at protecting the confidentiality of electronic communications and personal information, are formulated unequivocally according to a general prohibition of data processing, subject to strictly and restrictively codified exceptions that are not susceptible to analogical extension. d. Provisions on data processing through cookies and tracking systems For the use of cookies and other technical identifiers, based on their function and within the limits and conditions referred to, the data controller is subject only to the obligation to provide specific information, which may also be included within the general information, as their use falls within a codified exemption from the obligation to obtain the data subject’s consent. Cookies and other tracking tools for purposes other than technical ones may only be used after obtaining the informed consent of the contracting party or user. For this reason, our website, by default, upon the user’s first access, does not place any cookies or other tools other than technical ones on your device, nor does it use any other active or passive tracking techniques. In the banner that appears on the user’s first access to our site, you will have the opportunity to identify and select your preferences (Opt-in mode). If you choose, as is entirely up to you, to maintain those default settings and thus not to give your consent to the placement of cookies or the use of other tracking techniques, you can simply close the banner by selecting the appropriate command marked with an X inside the banner itself, without being forced to access other dedicated areas or pages. This information also takes into account the opinion no. 5/2020 of May 4, 2020, of the European Data Protection Board (EDPB), which clarifies that simple scrolling is never, by itself, sufficient to fully express the data subject’s willingness to accept the placement of cookies other than technical ones within their terminal, and therefore does not equate, by itself, to consent “under any circumstances.” e. Tracking tools used on the website https://worldhotelcasati18.com The complete list of cookies used on the site is provided below:

-wordhotelcasati18.com

–www.google.com

f. How to Identify and Manage Tracking Tool Settings Users can, for example, find information on how to manage Cookies in some of the most popular browsers at the following addresses: • Google Chrome • Mozilla Firefox • Apple Safari • Microsoft Internet Explorer • Microsoft Edge • Brave • Opera

Users can also manage some Tracking Tools for mobile applications by disabling them through the appropriate device settings, such as mobile advertising settings or general tracking settings (Users can refer to the device settings to find the relevant ones). How to Disable Interest-Based Advertising Notwithstanding the above, Users are informed about the possibility of using the information available on YourOnlineChoices (EU), Network Advertising Initiative (USA), Digital Advertising Alliance (USA), DAAC (Canada), DDAI (Japan), or other similar services. These services allow you to manage tracking preferences for most advertising tools. Therefore, the Controller recommends Users to use such resources in addition to the information provided in this document. The Digital Advertising Alliance also provides an application called AppChoices that helps Users control behavioral advertising on mobile applications.

6. PROCESSING METHODS Personal data is processed by personnel duly trained and authorized to process it and is safeguarded by appropriate security measures adopted by the Data Controller to prevent unauthorized, unlawful, and incorrect access, disclosure, modification, and destruction.

7. PURPOSES, LEGAL BASIS, AND NATURE OF DATA PROVISION The Personal Data that the user provides through the website in question will be processed by the Data Controller exclusively for the following purposes: a) Performance of a contract of which the user is a party or adoption of pre-contractual measures requested by the user, such as, for example, the management and/or modification of reservations, request for information, regarding activities and services provided by the user, also through the completion of specific forms. The legal basis for processing is Article 6(1)(b) of GDPR 2016/679. Consent not required; b) Sending communications via email to the address provided as part of the activities referred to in the previous point a), for the promotion and sale of products or services similar to those described. The legal basis is represented by Art. 130, paragraph 4 of Legislative Decree 196/2003 (so-called soft-spam). In this case, the data subject may initially or in subsequent communications refuse such use and processing by communicating specific links present in the communications or by sending a request to the Data Controller, objecting to processing free of charge.

c) Purposes of research and statistical analysis on anonymous aggregated data, aimed at measuring the operation of the Site, measuring traffic and evaluating usability and interest to make it more functional and performant; Consent not required as it does not involve the processing of personal data; d) For accounting, tax, and administrative purposes. The legal basis is represented by Article 6(1)(c) of GDPR 2016/679 or the processing is necessary to fulfill a legal obligation to which the data controller is subject. Consent not required; e) Purposes related to the fulfillment of laws and regulations. The legal basis is represented by Article 6(1)(c) of GDPR 2016/679 or the processing is necessary to fulfill a legal obligation to which the data controller is subject. Consent not required; f) Purposes necessary to establish, exercise, or defend a right in court or whenever the judicial authorities exercise their judicial functions. The legal basis is represented by Article 6(1)(f) of GDPR 2016/679 or the processing is necessary for the pursuit of the legitimate interest of the data controller. Consent not required;

8. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS The Data Controller undertakes to limit the areas of circulation and processing of personal data (e.g., storage, archiving, data retention on its servers) to the countries belonging to the European Union, with an express prohibition of transferring them to non-EU countries that do not guarantee (or in the absence of) an adequate level of protection, or in the absence of protection tools provided for by EU Regulation 2016/679 – CHAPTER V (adequacy decision, Standard Contractual Clauses, or explicit consent from the data subject).

9. DATA RETENTION Casati S.r.l. will process the data subject’s personal data for the time strictly necessary to achieve the purposes indicated in this information. Except as mentioned above, the Data Controller will process the data subject’s personal data until the term allowed by the current legislation to protect its interests (Art. 2947(1)(3) c.c.). More information about the period of retention of Personal Data and the criteria used to determine this period can be requested by writing to the contact details of the Data Controller.

10. CURRICULUM MANAGEMENT This information, prepared in accordance with Article 13 of GDPR 2016/679, can also be used by the company Casati S.r.l. for any personnel recruitment advertisements published on websites and/or portals not directly managed by the company itself.

The Company will process curricula received via email or through third-party companies operating in the personnel selection sector (publications on portals, etc.), to evaluate potential candidates within the Company or who may present themselves in the near future. The processing takes place electronically, excluding curricula received by regular mail. Curricula that are deemed in line with the Company will be stored at the company’s headquarters for a period of 12 months and will be treated in full compliance with the security measures provided for in Article 32 of GDPR 2016/679. Curricula deemed irrelevant, as well as those whose retention period has exceeded 12 months, will be discarded. Curricula will be stored at the human resources office of Casati S.r.l. and will not be disclosed to unauthorized third parties. They may be evaluated by personnel duly authorized for processing (Art. 29 and 32(4) of GDPR 2016/679 and Art. 2-quaterdecies of Legislative Decree 196/2003), in the operational unit in which the candidate is expected to perform their service/collaboration. For curriculum compilation, candidates are kindly requested to adhere to the following rules: • compile their curriculum in European format; • transmit the curriculum in pdf format; • avoid inserting special categories of personal data as defined in Article 9 of GDPR 2016/679 (relating in particular to health status, religious, philosophical, or political beliefs) that are not relevant to the job offer. The company reserves the right to delete curricula that do not meet the above requirements. The purpose of the treatment related to curriculum management will involve activities closely related to the evaluation, recruitment, or selection of personnel, with collaboration objectives, fixed-term or permanent employment, internships, or to allow the chosen candidate to prepare their thesis at our headquarters. In accordance with Article 111-bis of Legislative Decree 196/2003, the information referred to in Article 13 of GDPR, in cases of receipt of curricula spontaneously transmitted by data subjects for the purpose of establishing an employment relationship, will be provided at the time of the first useful contact, subsequent to the sending of the curriculum itself. In accordance with the specified purposes, under Article 6(1)(b) of GDPR, the data subject’s consent for the processing of personal data contained in the curriculum is not required.

11. AUTOMATED PROCESSING AND PROFILING The Data Controller does not carry out automated processing, including profiling, on personal data acquired through forms on this website. As for any profiling activities carried out through cookies, please refer to the relevant Cookie Policy.

12. RIGHTS OF DATA SUBJECTS Individuals whose personal data is referred to have the right to obtain confirmation of the existence or otherwise of such data at any time and to know its content and origin, verify its accuracy, or request its integration or update, or correction (Chapter III GDPR 2016/679). Under the same article, there is the right to request the deletion, transformation into anonymous form or blocking of data processed in violation of the law, as well as to object in any case, for legitimate reasons, to their processing. Requests should be addressed to the Data Controller at the above contact details. The data subject can freely exercise the rights referred to in Articles 15 and onwards of GDPR 2016/679, which we reproduce in full, namely: • revoke consent at any time. The User can revoke consent to the processing of their Personal Data previously expressed; • object to the processing of their Data. The User may object to the processing of their Data when it occurs on a legal basis other than consent; • access their Data. The User has the right to obtain information about the Data processed by the Data Controller, certain aspects of the processing, and to receive a copy of the Data processed; • verify and request correction. The User can verify the correctness of their Data and request their updating or correction; • obtain the limitation of processing. When certain conditions are met, the User may request the limitation of the processing of their Data. In this case, the Data Controller will not process the Data for any purpose other than their storage; • obtain the deletion or removal of their Personal Data. When certain conditions are met, the User may request the deletion of their Data by the Data Controller; • receive their Data or have them transferred to another controller. The User has the right to receive their Data in a structured, commonly used, and machine-readable format and, where technically feasible, to have them transferred without hindrance to another controller. This provision applies when Data is processed with automated tools and processing is based on the User’s consent, a contract of which the User is a party, or contractual measures related thereto; • object to profiling for decisions based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them in a similar way. Requests should be addressed to the Data Controller at the email address: privacy@hotelfelicecasati.com

13. RIGHT TO LODGE A COMPLAINT Data subjects who believe that the processing of personal data concerning them carried out through this site violates what is provided for by the Regulation have the right to lodge a complaint with the Guarantor for the protection of personal data, as provided for in Article 77 of the Regulation itself, or to refer to the appropriate judicial authorities (Article 79 of the Regulation).

14. UPDATE AND REVISION The privacy policy was updated on July 5, 2023, and may be subject to future revisions.