Falkensteiner Arbatax Park S.r.l. (hereinafter referred to as “Arbatax Park Resort”, “Arbatax Park Resort & SPA”, or the “Controller”) is committed to protecting the Personal Data entrusted to it.
The management and security of Personal Data are ensured with the utmost care and in full compliance with applicable data protection legislation, including Regulation (EU) 2016/679 (“GDPR”).
This Privacy Policy describes how Arbatax Park Resort collects, uses, stores, shares, and protects personal data in connection with the use of its website, hospitality services, reservations, communications, and related activities.
We process personal data in accordance with: Regulation (EU) 2016/679 (“GDPR”), applicable national data protection legislation, applicable e-Privacy and cookie regulations.
This Privacy Policy explains:
If you wish to contact us regarding this Policy or regarding your personal data, please use the following contact information:
Falkensteiner Arbatax Park S.r.l.
Via Isarco 1 – 39040 Varna (BZ),
P.IVA IT 03328650217
E-mail: privacy@arbataxpark.com
dataprotection@falkensteiner.com
The Controller may collect and process the following categories of personal data in connection with the use of the website, hospitality services, reservations, customer communications, and related activities:
Providing personal data is generally optional; however, failure to provide certain data may prevent the Controller from delivering requested services, managing reservations, complying with legal obligations, or responding to requests.
The Controller does not intentionally collect or process special categories of personal data, unless such processing is necessary for the provision of requested services, required by applicable law, or explicitly consented to by the data subject.
In the context of hospitality and wellness services, the Arbatax Park Resort may process limited special categories of personal data voluntarily provided by guests, including:
Such data will be processed exclusively for the purpose of providing the requested services, ensuring guest safety and comfort, complying with legal obligations, or protecting the vital interests of the data subject.
The processing of special categories of personal data shall be based on one or more of the following legal bases, where applicable:
Special categories of personal data are processed with enhanced technical and organisational security measures and are accessible only to authorised personnel on a strict need-to-know basis.
When making a reservation or purchasing services through the Arbatax Park Resort website, guests may choose among the available payment methods, including payment by credit or debit card and instalment payment solutions offered by authorised payment providers.
To process payments and confirm reservations, Arbatax Park Resort may collect and process certain payment-related personal data, such as the cardholder’s name and surname, billing details, transaction amount, payment status, booking reference and other information necessary to complete the transaction securely.
Payments made through the website are processed via secure third-party payment service providers and financial institutions acting either as data processors on behalf of Arbatax Park Resort or as independent data controllers, depending on their role in the payment transaction.
Such providers may include banks, card schemes, payment gateways and “buy now, pay later” partners such as Scalapay.
The processing of payment-related personal data is necessary for the performance of a contract and for taking steps at the request of the data subject prior to entering a contract GDPR.
Certain payment data may also be processed to comply with legal and regulatory obligations applicable to accounting, taxation, anti-fraud and financial reporting.
Payment card details are transmitted through encrypted and secure channels directly to the authorised payment providers.
Arbatax Park Resort does not store complete payment card numbers or security codes (CVV/CVC).
Users are encouraged to protect their payment information and ensure that card details and authentication credentials are not shared with unauthorised third parties.
| Purpose of processing | Categories of personal data | Legal basis |
|---|---|---|
| Management of bookings, accommodation services and customer requests | Full name, address, country of residence, email address, phone number, booking details (arrival and departure dates, number of guests, selected accommodation, special requests), payment and billing data | Performance of a contract or taking steps at the request of the data subject prior to entering a contract pursuant to Art. 6(1)(b) GDPR |
| Compliance with legal obligations applicable to hospitality, taxation, accounting and public security | Identification data, identity document data (ID card or passport), tax or VAT-related data where applicable, invoicing and transaction data, information required for guest registration with competent authorities | Compliance with legal obligations pursuant to Art. 6(1)(c) GDPR |
| Customer support and communication management | Contact details, communication content, customer requests and inquiries, communication history via email, contact forms, telephone or social media | Performance of a contract and/or legitimate interest pursuant to Art. 6(1)(f) GDPR |
| Video surveillance and security monitoring | Video recordings, images of individuals entering or moving within monitored areas, date and time of recordings, location data related to camera coverage | Legitimate interest in ensuring the safety and security of guests, employees, visitors, property and company assets, as well as the prevention of theft, vandalism, unauthorised access and other security incidents pursuant to Art. 6(1)(f) GDPR |
| Website administration, cybersecurity and fraud prevention | IP address, log files, device and browser technical data, access and authentication data, session information, security and diagnostic data | Legitimate interest in ensuring system security and preventing fraud pursuant to Art. 6(1)(f) GDPR |
| Website analytics and performance measurement | Cookie identifiers, website usage data, browsing data, aggregated statistical information, analytics data collected through tools such as Google Analytics | Consent pursuant to Art. 6(1)(a) GDPR where required |
| Marketing communications and newsletters | Full name, email address, preferred language, marketing preferences, newsletter interaction data | Consent pursuant to Art. 6(1)(a) GDPR |
| Advertising, remarketing and profiling activities | Online identifiers, cookie data, IP address, browsing behaviour, interests and interactions with advertisements | Consent pursuant to Art. 6(1)(a) GDPR |
| Customer satisfaction surveys and service improvement | Contact details, survey responses, service ratings, comments and customer feedback | Legitimate interest in improving services and customer experience pursuant to Art. 6(1)(f) GDPR and/or consent where required |
| Establishment, exercise or defence of legal claims | Any personal data relevant to a dispute, complaint or legal proceeding, including communications, bookings, invoices and service usage records | Legitimate interest pursuant to Art. 6(1)(f) GDPR |
Where processing is based on consent, data subjects may withdraw consent at any time.
Withdrawal of consent shall not affect the lawfulness of processing carried out before the withdrawal.
Consent may be withdrawn:
Withdrawal of consent is free of charge and does not affect other lawful processing activities based on different legal grounds.
Where processing is based on Article 6(1)(f) GDPR, the Arbatax Park Resort pursues the following legitimate interests:
The ensures that such interests are balanced against the rights and freedoms of data subjects.
Data subjects may object at any time to processing based on legitimate interests.
The Arbatax Park Resort may use analytics, advertising and remarketing technologies that involve the automated processing of certain personal data to evaluate user preferences, interests and interactions with the Website.
Profiling activities may be carried out using analytics cookies, advertising and remarketing tools, social media integration technologies, and third-party marketing and tracking cookies.
Such processing may be used to personalise advertising content, measure the effectiveness of marketing campaigns, display advertisements that may be relevant to users’ interests, and analyse user interactions with the website.
The Arbatax Park Resort does not carry out solely automated decision-making processes producing legal effects or similarly significant effects on individuals within the meaning of Article 22 GDPR.
Where profiling activities require consent under applicable law, such processing will only take place after the user has provided valid consent through the cookie consent management platform.
Users may withdraw their consent or modify their cookie preferences at any time through the cookie settings tool available on the Website.
Please note that you have the right to request the following from Arbatax Park Resort at any time:
| to give you access to your personal data | You can ask Arbatax Park Resort what personal data it uses about you, and you can also request access to that personal data. You have the right to know the purpose of the processing, which categories of your personal data we keep, the authorities or categories of bodies with whom we share your personal data, the data retention period, as well as the source of the data in the case where the data is indirectly collected. You can contact us if you would like a copy of some or all the personal information we hold about you. |
| request correction of incorrect data | We want your personal information to be accurate and up to date. You can ask us to correct or remove information that you think is inaccurate or out of date. |
| request the deletion of personal data | You can ask Arbatax Park Resort to stop processing or even deleting your personal data. If we need your personal data to perform a contractual obligation towards you, Arbatax Park Resort may cease to be able to perform such contractual obligations. Also, if your personal data is necessary to be able to comply with certain legal obligations (e.g. tax obligations), your request may not be able to be fulfilled. |
| request the restriction of the processing of your data (to us and/or third parties) in certain processes or completely | If you want to contest the accuracy of the data, or we no longer need the personal data for the purpose of processing, but you need them to establish, exercise or process legal claims, or you have objected to the processing on the basis we consider legitimate, you have the right to request the restriction of the processing of personal data. |
| Complain about how we use your information | Remember that you have the right to object to the processing of personal data based on a legal basis that Arbatax Park Resort considers legitimate. |
| request the transfer of data to another controller (portability of rights) | If the processing is based on your consent or is carried out by automated means, you have the right to request Arbatax Park Resort a transfer of data to another processor. |
To exercise any of the above rights, please use the contact details provided at the beginning of the Privacy Policy.
If you believe that your rights are not respected, you have the right to file a complaint with the Data Protection Authority.
Personal data are retained only for as long as necessary to fulfil the purposes for which they were collected and in accordance with applicable legal obligations.
The Arbatax Park Resort generally applies the following retention periods:
| Category of data | Retention period |
|---|---|
| Booking and contractual data | For the duration of the contractual relationship and thereafter for the period required under applicable civil, tax and accounting laws |
| Accounting and invoicing data | Retained for the period required by applicable tax and accounting legislation. Personal data processed for invoicing are stored for seven years in accordance with statutory retention obligations under the Italian Civil Code. After this period, the data is deleted unless further legal obligations or legitimate interests justify extended retention. |
| Customer support and communication data | Up to 24 months from the last interaction unless further retention is necessary for legal claims |
| Marketing and newsletter data | Until withdrawal of consent or objection to processing, and in any event periodically reviewed |
| Data processed through cookies and analytics tools | According to the retention periods specified in the Cookie Policy or cookie consent tool |
| Security logs and technical data | Retained for a limited period necessary to ensure system security and prevent abuse. Technical logs, security records and related data are generally retained for up to 72 hours, unless longer retention is required for security investigations, incident response or legal obligations. |
| Data related to legal disputes | Retained for the duration of the dispute and applicable limitation periods |
Personal data may be disclosed, where necessary and in accordance with applicable data protection laws, to the following categories of recipients:
When users interact with certain website functionalities or third-party integrations, such as Google Maps or AskSuite chatbot services, the relevant providers may process technical and usage data including IP address, browser and device information, communication content, and information voluntarily provided through contact or chat functionalities.
All external service providers processing personal data on behalf of the Arbatax Park Resort act under appropriate contractual safeguards and data processing agreements in accordance with Article 28 GDPR.
Further information regarding third-party data processing practices is available in the respective providers’ privacy policies:
A current list of relevant processors and service providers may be requested by contacting the Arbatax Park Resort using the contact details provided in this Privacy Policy.
Certain service providers and technology partners used by the Arbatax Park Resort may process personal data outside the European Economic Area (“EEA”), including in countries that may not provide the same level of data protection as under European Union law.
This may occur particularly in connection with:
Some providers, including Google, Meta Platforms, and other digital service providers, may process personal data in the United States or other third countries.
Where personal data are transferred outside the EEA, the Arbatax Park Resort ensures that appropriate safeguards are implemented in accordance with Chapter V GDPR, including where applicable:
Certain providers may also participate in the EU–US Data Privacy Framework.
Companies in the U.S. that wish to participate in the Data Protection Framework must undergo a self-certification process and enrol in the list of companies that have joined the Data Privacy Framework.
The Arbatax Park Resort regularly reviews relationships with international service providers in order to ensure that personal data remain protected in accordance with applicable European data protection standards.
Further information regarding international transfers and applicable safeguards may be requested by contacting the Arbatax Park Resort using the contact details provided in this Privacy Policy.
To maintain the website and ensure that its functionalities are at the expected level, Arbatax Park Resort uses a technology known as “cookies”.
Cookies are small files that we send to your computer and can be accessed later.
They can be temporary or permanent. Thanks to cookies, you can browse our pages without difficulty.
Cookies show us what interests you and other visitors to our website, which helps us to improve it.
Read more about cookies in the Cookie Policy.
Other websites that can be accessed through arbataxpark.com have their own statements on confidentiality and data collection and the ways in which they are used and published.
Arbatax Park Resort is not responsible for the ways and conditions of operation of third parties.
Arbatax Park Resort collects and processes personal data through user interactions on social networks such as Facebook, Instagram, YouTube and LinkedIn.
Arbatax Park Resort or the responsible persons appointed by Arbatax Park Resort have access to messages and/or posts on the mentioned social networks, however, personal data collected through them, especially those contained in messages, Arbatax Park Resort does not store and does not further process except for the purposes specified in these Rules.
Arbatax Park Resort uses a business profile using the services of Facebook, YouTube, Instagram and LinkedIn, and you can see their Privacy Policy or confidentiality statements, as well as the way they use your personal data, at:
| FACEBOOK ONLINE | https://www.facebook.com/policy.php |
| YOUTUBE ONLINE | https://policies.google.com/privacy?hl=hr |
| INSTAGRAM ONLINE | https://help.instagram.com/519522125107875 |
| LINKEDIN ONLINE | https://www.linkedin.com/legal/privacy-policy |
If you have any questions regarding the collection and processing of data by Facebook, YouTube, Instagram and LinkedIn or if you wish to exercise any of your rights guaranteed by the General Data Protection Regulation, please contact:
| FOR FACEBOOK: | META PLATFORMS Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland |
| Contact of the Data Protection Officer: | https://hr-hr.facebook.com/policy.php https://www.facebook.com/help/contact/540977946302970 |
| If you are not satisfied with the way your personal data is collected and processed, you can contact Facebook’s lead supervisory authority, the Irish Data Protection Commissioner or the Data Protection Authority of the Republic of Italy. | |
On the website arbataxpark.com we use Facebook plugins provided by Meta Platforms.
When you visit arbataxpark.com, your browser automatically loads these components, and Facebook can receive information about the subpage you have opened.
A list of Facebook plugins is available at https://developers.facebook.com/docs/plugins/.
If you are logged into your Facebook account, Facebook can associate your visit to arbataxpark.com with your user account.
The same goes when using the integrated Facebook buttons, such as “Like” or leaving a comment.
Facebook is operated by Meta Platforms Inc. (USA) or Meta Platforms Ireland Ltd. for users outside the US and Canada.
If you don’t want Facebook to associate your arbataxpark.com activity with your account, please log out of Facebook before visiting our site.
| FOR YOUTUBE: Google Ireland, Gordon House Barrow St, Dublin 4, Ireland |
|
| Contact of the Data Protection Officer: | https://support.google.com/policies/contact/general_privacy_form |
| If you are not satisfied with the way your personal data is collected and processed, you can contact YouTube’s lead supervisory authority, the Irish Data Protection Commissioner or the Data Protection Authority of the Republic of Italy. | |
On the website arbataxpark.com we use YouTube components provided by YouTube LLC, a subsidiary of Google.
When you open a subpage containing a YouTube video, your browser automatically loads YouTube content, and YouTube and Google can receive information about the page you visited.
If you’re signed in to your YouTube account, YouTube can associate your visit to arbataxpark.com to your account, regardless of whether you started the video or not.
YouTube is operated by YouTube LLC (USA) or Google Inc. If you do not want YouTube to associate your activities on arbataxpark.com with your account, please log out of YouTube before visiting our site.
| FOR INSTAGRAM: META PLATFORMS Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland |
|
| Contact of the Data Protection Officer: | https://hr-hr.facebook.com/policy.php https://www.facebook.com/help/contact/540977946302970 |
| If you are not satisfied with the way your personal data is collected and processed, you can contact the lead supervisory authority for Instagram, the Irish Data Protection Commissioner or the Data Protection Authority of the Republic of Italy. | |
| FOR LINKEDIN: LINKEDIN IRELAND, Wilton Plaza, Wilton Place, Dublin 2, Ireland |
|
| Contact of the Data Protection Officer: | https://www.linkedin.com/help/linkedin/ask/TSO-DPO |
| If you are not satisfied with the way your personal data is collected and processed, you can contact the lead supervisory authority for LinkedIn, the Irish Data Protection Commissioner or the Data Protection Authority of the Republic of Italy. | |
The Company reserves the right to update or modify this Privacy Policy at any time.
Updated versions will be published on the website together with the relevant revision date.
