PRIVACY & COOKIE POLICY

Privacy Notice – Article 13 of EU Regulation 679/2016 (GDPR)

Aries Group S.r.l.
Via Lampedusa 11/A – 20141 Milan (MI), Italy
Email of the Controller: privacy@ariesgroup.it

 

Preamble

Pursuant to Article 13 of EU Regulation No. 2016/679 (hereinafter, the “GDPR”), we hereby inform you that your personal data (“Personal Data”) are processed by ARIES GROUP S.R.L., VAT and Tax Code 11337310962, registered with the Milan Companies Register under REA No. MI – 2595814, having its registered office in Milan, Via Lampedusa 11/A (“Aries” or the “Company”), in its capacity as Data Controller within the meaning of Article 4 of the GDPR (“Controller”), as further specified in this Privacy Notice.

 

Categories of Personal Data Processed

Depending on the circumstances, Aries may process the following categories of Personal Data:

  • Identification Data (first name, surname, date of birth, gender, tax code, nationality, details from identification documents such as passport or identity card).

  • Contact Data (email address, postal address, telephone number).

  • Browsing Data collected through cookies installed on electronic devices (computer, smartphone, tablet, etc.). Please refer to the [Cookie Policy – insert link] for further details.

  • Banking Data required for the management of the contractual relationship.

 

Purposes of Processing, Legal Basis and Retention Period

Below are the purposes of processing, the relevant legal bases and the retention periods applicable to the Personal Data processed by the Company depending on the circumstances.

  1. Purchase and provision of services. Personal Data are processed to enable booking and purchase of accommodation and hospitality services, as well as additional services related to the hotel’s activities (e.g. spa, wellness, massages, sports activities, organisation of corporate events such as symposia, conferences, presentations). Free services provided at the hotel (e.g. Wi-Fi) are also included.

    • Legal Basis: Performance of a contract or pre-contractual measures requested by the data subject (Art. 6(1)(b) GDPR).

    • Retention Period: Data are kept for the duration of the contract and for 10 years thereafter for administrative, accounting and tax purposes.

  2. Handling of requests. Personal Data are processed to respond to requests for information sent via the website, email, telephone, or in person at reception.

    • Legal Basis: Legitimate interest of the Controller (Art. 6(1)(f) GDPR).

    • Retention Period: Stored for the time necessary to respond, then anonymised, without prejudice to legal obligations.

  3. Compliance with legal obligations. Personal Data are processed to fulfil obligations arising from laws applicable to hotel activities (e.g. public security laws, including Royal Decree No. 773/1931).

    • Legal Basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR).

    • Retention Period: For the period necessary to ensure compliance.

  4. Civil, tax and administrative compliance. Data are processed to fulfil civil, tax, administrative, and accounting obligations under applicable laws.

    • Legal Basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR).

    • Retention Period: For the period necessary to ensure compliance.

  5. Marketing. With explicit consent, Personal Data may be processed to send commercial communications, promotional activities, offers, discounts, newsletters, using automated and non-automated means (email, SMS, messaging apps, social networks, phone calls, postal mail).

    • Legal Basis: Consent of the data subject (Art. 7 GDPR).

    • Retention Period: Up to 24 months, unless consent is withdrawn earlier.

  6. Soft Spam (Art. 130(4) Italian Legislative Decree 196/2003). Without requiring consent, Aries may send promotional emails relating to services similar to those already purchased by the user (“soft spam”). The user may object at any time by writing to privacy@ariesgroup.it or following the opt-out instructions in the communication.

    • Legal Basis: Art. 130(4) of Legislative Decree 196/2003.

    • Retention Period: Up to 24 months, unless objection is raised earlier.

  7. Customer satisfaction. Aries may send surveys or communications to assess satisfaction with the services, in order to improve quality standards.

    • Legal Basis: Legitimate interest of the Controller (Art. 6(1)(f) GDPR).

    • Retention Period: For the time strictly necessary, and no longer than 24 months.

  8. Anonymous analysis. Following anonymisation, data on purchases and interactions may be used for internal analysis to improve services and processes.

    • Legal Basis: Legitimate interest of the Controller (Art. 6(1)(f) GDPR).

    • Retention Period: As data are anonymised, no time limits apply.

  9. Protection of the Controller’s rights. Data are necessary to establish, exercise or defend legal claims before courts or other competent authorities.

    • Legal Basis: Legitimate interest of the Controller (Art. 6(1)(f) GDPR).

    • Retention Period: For the time strictly necessary to ensure legal protection.

After the above retention periods, Personal Data will be deleted or anonymised.

 

Provision of Data

The provision of data marked with an asterisk (*) in the forms (online or at the hotel) is mandatory for the conclusion and performance of the contract. Failure to provide such data may prevent the proper establishment or execution of the contractual relationship.

 

Processing Methods

Data are processed in accordance with the GDPR, applying the principles of fairness, lawfulness, transparency, and data minimisation. Processing is carried out using manual and electronic tools ensuring appropriate security and confidentiality. Only duly authorised persons have access to the data, subject to technical and organisational measures.

 

Recipients of Personal Data

Personal Data are processed by the Controller through its employees and collaborators duly authorised and instructed.
Communication to third parties is limited to what is strictly necessary for the purposes indicated, e.g. legal, tax, accounting consultants; marketing and communication consultants; HR consultants; CRM providers; logistics, IT and outsourcing service providers; banks and insurance companies; auditing firms.
Where such parties act on behalf of the Controller, they are appointed as Processors under Article 28 GDPR. Otherwise, they act as independent controllers.
Personal Data may also be disclosed to public authorities, supervisory bodies and regulatory entities, acting as independent controllers, where required by law.

 

Data Transfers

Data may be transferred outside the EU, where strictly necessary to fulfil the purposes indicated. Such transfers will take place:

  • pursuant to an adequacy decision of the European Commission;

  • in the absence of such decision, under standard contractual clauses and, where necessary, additional safeguards;

  • or under other adequate guarantees as provided for by Article 46 GDPR.

 

Rights of the Data Subject

Under Articles 15–22 GDPR, you may exercise the following rights free of charge at any time:

  • Right to be informed about the existence of processing concerning you.

  • Right to access your Personal Data.

  • Right to obtain a copy of your data and information on where it is stored.

  • Right to request rectification, update or integration.

  • Right to request erasure (“right to be forgotten”).

  • Right to object to processing.

  • Right to data portability.

  • Right to restriction of processing.

You also have the right to lodge a complaint with the competent Data Protection Authority (in Italy: the Garante per la Protezione dei Dati Personaliwww.garanteprivacy.it) if you believe processing is unlawful.

 

Exercise of Rights

Requests or communications regarding this Notice, clarifications or the exercise of rights must be addressed to:
privacy@ariesgroup.it
or by post to: Aries Group S.r.l., Via Lampedusa 11/A, 20124 Milan (MI), Italy.

 

Notice Revision Date: September 2025