Palazzo di Varignana

Privacy policy

This document describes how the website is managed related to the processing of the personal data of users consulting it and provides the personal data security policy that the Palazzo of Varignana Resort & SPA adopts in its structure.
This information is also being provided pursuant to art. 13 of the European General Data Protection Regulation 2016/679 (GDPR)- to all those interacting with the web services of the Palazzo di Varignana Resort & SPA accessible online from the address: and for all those who for various reasons interact with Palazzo di Varignana S.r.l, and more specifically with Palazzo di Varignana Resort & SPA.

This policy refers solely to the website of Palazzo di Varignana and not to other websites possibly consulted by the user through links.

The policy is also inspired by Recommendation no. 2/2001 that European data protection authorities, united in the Group established by art. 29 of directive 95/46/EC, adopted on 17 May 2001 to identify certain minimum requirements for the collection of personal data on-line; in particular, methods, times and type of information that process controllers must provide users when they connect to web pages, regardless of why they should do so.

The process controller

After consulting this website, data related to people identified or identifiable may be processed.
Pursuant to the GDPR, Controller of data processing is Palazzo di Varignana S.r.l., with registered office in 40141 Bologna (BO) Via Della Zecca, 2 - VAT and Tax Code 0265821204 , Phone +39 0510827029 Fax +39 0510822435 E-mail: (hereinafter also “Company”) through its legal representative.

Data processing location

Processing connected to the web services of this website and described through it takes place in the operating office of Palazzo di Varignana, in Varignana (BO) Via Ca’ Masino n. 611/a and in the registered office of the Company in Bologna (BO) Via Della Zecca, 2, and is performed by personnel officially assigned and trained for the protection of personal data. No data from the web service is communicated to third parties unless this is strictly needed for processing purposes or imposed by laws or regulations in force. Processing connected to the web services of this website taking place c/o the controller is handled by internal personnel, officially trained and appointed as processors.

Processing purpose

This section describes the various processing purposes divided into web services and services provided directly c/o the head office of Palazzo di Varignana Resort & SPA.

For the website navigators

Personal data provided voluntarily and optionally by users forwarding requests for information on hotel services (prices, room and conference room availability, etc.), or simply forwarding employment applications by send their curricula in an electronic format, is used solely to execute the service requested and is not communicated to third parties unless that notification is imposed by laws or is strictly pertinent and needed to fulfil requests.

In particular, personal data provided voluntarily by data subjects will be collected by digital means and processed, assisted by electronic means directly an/or through parties appointed (company supplying the e-mail service, website hosting service) for the following purposes:
- to check whether the room requested is available with anonymous information entered such as arrival data, number of nights, number of adults and children and then, to finalise the service purchase, providing name, surname, e-mail address, phone number and credit card details;
- to enable booking and confirmation providing credit card details as a guarantee;
- to answer questions related to our hotel services (room availability, prices, conference rooms, catering, etc.);
- to display the right not to subscribe to the newsletter to receive periodical commercial or promotional communications;
- assess any curricula received compatibly with any internal needs;
- statistical purposes in anonymous format (to assess the number of accesses, etc.).
Booking data will be processed electronically and on paper to guarantee the booking of room/s under conditions agreed.

Data is recorded in our electronic databases accessible to personnel duly appointed and trained on the security and confidentiality of personal data.

A credit card number given as a guarantee might be needed to confirm the booking, with no prejudice to the fact that the customer may decide to pay by cash at the end of his/her stay.

1) Navigation data

IT systems and software procedures used to operate this website acquire, during normal operations, some personal data transmitted implicitly when using Internet protocols.

This is information that is not collected to be associated with identified data subjects but which, for its very nature could, through processing and association with data held by third parties, enable identification of users.

This data category includes IP addresses or the domain names of computers users use to connect to the website, URI (Uniform Resource Identifier) addresses of resources requested, time of the request, how the request was made to the server, size of the file obtained in response, the numerical code indicating state of the response given by the server (successful, error, etc.) and other parameters related to the user’s operating system and computer environment.

This data is used solely to obtain anonymous statistics on use of the website and to control it is working correctly and is deleted immediately after processing. The data could be used to ascertain responsibility in a case of hypothetical computer crimes damaging the website: without prejudice to this possibility.

2) Data provided voluntarily by the user

The optional, explicit and voluntary sending of e-mails to the addresses indicated in this website imply subsequent acquisition of the sender’s address, needed to answer the requests and any other personal data included in the e-mail.

3) Cookies

No personal data of the user us acquired by the website on purpose.

No cookies are used to transmit personal information, nor are any so-called persistent cookies of any type or user tracking systems used.

The use of so-called session cookies (that are not memorised persistently on the user’s computer and disappear when the browser is closed) is strictly limited to transmission of session identifiers (formed by casual server-generated numbers) needed to enable the person to explore the website safely and efficiently.

The so-called session cookies used in this website avoid using other techniques that are potentially prejudicial to the confidentiality of user navigation and do not enable acquisition of personal data identifying the user.

Optional aspects of providing data

Besides what was specified for navigation data, the user is free to provide his/her personal data to make bookings on-line.

Continuing the on-line booking procedure implies implicit consent by the data subject to his/her personal data being processed based on the privacy policy of the website

Not providing that data may make it impossible to receive what was requested.

Processing methods

Personal data is processed on paper and/or using automated tools for the time strictly needed to achieve the purposes for which it was collected.

Specific security measures are complied with to prevent loss of data, illegal or inaccurate use and unauthorised access.

Telephone bookings, via email or via fax

Booking data will be processed electronically and on paper to guarantee the booking of room/s under conditions agreed.

Data is recorded in our electronic databases accessible to personnel duly appointed and trained on the security and confidentiality of personal data.

A credit card number given as a guarantee might be needed to confirm the booking, with no prejudice to the fact that the customer may decide to pay by cash at the end of his/her stay.

Managing curricula

The company reserves the right to assess the curricula received for the potential candidacies available in the hotel or which could become available in the near future.

Curricula considered “interesting” will be stored in the registered office of Palazzo di Varignana Resort & SPA and can be communicated to the service heads of the various departments involved.

Processing of personal data present in the curriculum sent voluntarily by the data subject is to assess his/her possible candidacy for establishing a working relationship, or an internship. So the processing purpose will concern activities strictly referred to the assessment, recruitment or selection of personnel, with purposes of collaboration, hiring with pre-set contract, open-ended contract, internship.

The storage period for curricula considered “interesting” is one year and it will be processed fully complying with the minimum security measures on personal data adopted by Palazzo di Varignana S.r.l.

Palazzo di Varignana S.r.l. will provide suitable information pursuant to art. 13 of the GDPR during any interviews with candidates.


Promotional and commercial material can be sent directly by Palazzo di Varignana S.r.l.

The company Palazzo di Varignana S.r.l. through Palazzo di Varignana Resort & SPA can subscribe the data subject to the newsletter if:
- the data subject has given its consent on the website where indicated or through written consent when the booking was confirmed or in the contractual forms of Palazzo di Varignana S.r.l. (for agreement, agency, congress and more general sales contracts for hotel services);
- the data subject has consented in writing during the check in stage in the form notifying general details;
- the data subject has purchased the Hotel service using his/her e-mail account and did not specifically exercise the right not to receive promotional and commercial material.
The data subject has the right to cancel receipt of the newsletter at any time pursuant to rights granted by the GDPR.

Check in procedure and transcription of general clients details in the notification form

Italian legislation, based on Art. 109 of the Consolidated Act of Public Security laws and law no. 135 of 29 March 2001 (Reform of national legislation on tourism) imposes that the client must be registered when he/she arrives at the Hotel in a notification form which must then be transmitted to the Police within the following 24 hours.

Palazzo di Varignana Resort & SPA complies with this obligation by transmitting the details of its clients electronically and/or on paper to the local Police Headquarters.

In order to guarantee freely exercising the right to choose for processes where it is not obligatory to provide data, when registering in the notification form, Palazzo di Varignana Resort & SPA asks the client for the following consent related to the GDPR:

1. to external communication of data related to the person’s stay in the hotel, solely to consent to receiving messages and phone calls addressed to the person;
2. to the processing of special data /e.g. data related to health) communicated to use certain services;

3. to receive promotional messages, also by e-mail, related to the tariffs and offers applied by Palazzo di Varignana

If the client should refuse to provide his/her data when checking in, Palazzo di Varignana Resort & SPA cannot host him/her in its resort.

The personal data provided by the client when checking in will be processed by the personnel of Palazzo di Varignana Resort & SPA assigned to handle processing and suitably instructed on personal data security and personal data protection rights, and can be communicated to:

a) Bodies and Public Offices in compliance with legal and/or contractual obligations;

b) competent authorities for the obligation to register clients, based on Art. 109 of the Consolidation Law on Public Security and based on law no. 135of 29 March 2001 (Reform of national legislation on tourism);

c) consultancy companies for accounting and fiscal activities;

d) credit collection companies and banks to manage payments resulting from the stay;

e) third party suppliers (rental firms etc.) to satisfy the request for services made by the client;

f) any consultants and external suppliers specifically appointed to carry out accounting, fiscal and tax consultancy activities on our behalf;

The client is informed that pursuant to Chapter III of the GDPR in the presence of conditions regulated by the law it may exercise the right acknowledged by the latter, including the possibility to present a complaint to the Data Protection Authority, contacting the process Controller for Palazzo di Varignana Resort & SPA.


Palazzo di Varignana Resort & SPA uses a videosurveillance system to pursue its legitimate interests pursuant to the GDPR, or for purposes linked to the Security of people, assets, fire prevention and to safeguard property.

In particular, the images video-recorded and usable in real time by personnel appointed to do, acquired through the videosurveillance system are processed for the following purposes:

a) to become a deterrent against possible aggressions, theft, robberies, damage, sabotage or vandalism whilst improving safety in the hotel for staff, clients and all those people who come through the hotel;

b) to facilitate exercising, in civil or penal court, the defence rights of the process controller or third parties based on the images used when illegal facts occur;

c) to intervene in real time to manage risk situations for the safety of property and people.
The system in question was designed, configured and installed in accordance with videosurveillance laws in force GDPR, Directive 95/46/EC, Art. 4 Law 300/1970, General Provision of the Authority of 08 April 2010, Penal and Civil Codes). Any further details on how processing is handled and the storage times of recordings are available for data subjects in detailed information c/o Palazzo di Varignana Resort & SPA

For that purpose Palazzo di Varignana S.r.l. has installed and configured video cameras so as not to invade the individual’s privacy in compliance with the principles of pertinence and not excess and only collecting data strictly needed to achieve the purposes pursued.

Rights of data subjects

The subjects the personal data refers to have the right, at any time, to receive confirmation of whether their data is being held or not and to know contents and origin, check it is correct or request it be integrated, updated or rectified; in any case, exercise all rights acknowledged by the GDPR.

Requests must be presented to the Controller of Processing.

Data storage times

With no prejudice to the storage times indicated till now, please note that data provided and processed by Palazzo di Varignana S.r.L. will be stored for 5 years from when processing is terminated; unless established otherwise by laws and the possibility to revoke consent or exercise all the rights acknowledged by the GDPR and indicated below in this policy.

The rights of data subjects

Where requirements exist, data subjects may exercise all rights acknowledged by the GDPR, such as the right to: receive confirmation that his/her personal data is being processed; obtain rectification of inaccurate data or integration if it is incomplete; obtain that his/her personal data be deleted; obtain limits to processing; receive personal data concerning him/her in a structured, common format, readable using an automatic device; object to processing; revoke consent at any time if processing is based on consent; present a complaint to the data protection Authority. It may exercise those rights by writing or in person contacting Palazzo di Varignana Resort & SPA, in Varignana (BO) Via Ca’ Masino n. 611.a and/or c/o the registered office of the Company in Bologna (BO) Via Della Zecca, 2.

This privacy policy will be consultable in an automatic form through the most recent browsers implementing the P3P standard (“Platform for Privacy Preferences Project”) proposed by the World Wide Web Consortium (

All efforts will be made by Palazzo di Varignana S.r.l. to make the functionalities of this website interoperable with the automatic control mechanisms for privacy available in some products used by users.