Grand Hotel Liberty Riva del Garda


Privacy policy in accordance with EU Regulation 2016/679

Pursuant to Article 13 of the GDPR (EU Regulation 2016/679) and Legislative Decree No. 101 of 2018, the following information is provided, consistent with the principle of transparency, in order to make the user aware of the characteristics and methods of data processing:

  1. Identity and contact details

We inform you that the “Data Controller” of the data processing is
Grand Hotel Liberty Beauty and Wellness S.p.a.,
in the person of the pro tempore director Mr. Alessandro Calzà,
current at Viale Carducci n. 3/5,
38066 Riva del Garda (TN),
VAT no. 00819600222.
The following contact details are provided: telephone 0464/553581,;
e-mail address info@;
certified electronic mail (PEC) box

  1. Purpose of data processing and legal basis for processing, purpose limitation and data minimisation

The processing of your personal data is solely for the purpose of supplying and providing the services referred to in the corporate purpose (hotel, restaurant, bar and wellness activities) communications without commercial or marketing purposes only with specific consent, user profiling and similar always related to the aforementioned purposes referred to in the corporate purpose. It should be noted that the Data Controller shall abide by the principle of purpose limitation and that any processing operations subsequent to the initial ones shall not have purposes incompatible with the original one.

  1. Accuracy

The Data Controller shall keep your data up to date by deleting them at your request, except as provided for therein, and by promptly rectifying inaccurate data, subject to the exercise of this right by the data subject himself.

  1. Limitation of storage – duration of processing

The data shall be kept in a form that ensures their identification for a period of time not exceeding the achievement of the purposes referred to in point 2, as well as in application of the relevant tax regulations.

  1. Integrity and confidentiality

In order to guarantee adequate security of the processed data, including its protection from unauthorised or unlawful processing or from accidental loss-destruction or damage, the following measures shall be implemented: backup of data stored in computer format; computer access traced by means of a username and password changed at regular intervals; use of licensed software programmes only; use of licensed antivirus software; paper-based data filing system accessible only by the persons formally designated to process the data; written presentation of the methods for accessing the data; access-controlled filing system for sensitive data.

  1. Modalities of data processing 
  • Data processing is carried out partly in paper form and partly in computer form and is carried out by means of the operations or set of operations of collection, recording, organisation, storage with the duration limits indicated above and subsequent filing in paper form and/or computer form with access and consultation only to those persons in charge of processing regulated in writing.
  • The operations may be carried out with or without the aid of electronic or automated tools and all appropriate technical and organisational measures will be put in place in order to guarantee the security and protection of the data, such as access passwords to the data in the possession only of those in charge of processing (changed at least once a year) and system applications to prevent unauthorised third parties from accessing the databases.
  • Archives containing sensitive data shall be protected by means of a key lock and only accessible by authorised persons, with a written record of each access.
  • The persons who may access the premises outside closing hours shall be specifically identified and registered: the list may be requested from the Data Controller or the relevant appointee.
  1. Data processor ex art 29 GDPR

Data are processed within the entity by authorised data processors under the responsibility of the Data Controller for the purposes stated above.

  1. Data Processor ex art 28 GDPR

The data may be communicated to external Data Processors who have entered into specific agreements, conventions or protocols of understanding, contracts with the Data Controller.

The data may be communicated, merely by way of example, to the following categories of recipients: consultants, other suppliers and service providers (accountants, labour consultants, training consultants and certifiers, lawyers and legal consultants, system administrators, IT consultants, insurers and brokers), whose contact details may be requested from the Data Controller.

  1. Disclosure of data and provision of data

Please note that the provision of personal data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract.

Failure to provide data will make it impossible for the person concerned to proceed with the completion of the procedure.

  1. Dissemination of data.

Personal data shall not be subject to dissemination, except as expressly authorised in the consent and to the extent strictly necessary for the activity referred to in point 2.

  1. Transfer of data abroad.

Personal data may be transferred to European Union countries and to countries outside the European Union within the scope of the purposes set forth in point 2, without being transferred to third parties.

  1. Rights of the data subject.

We wish to inform you that the EU Regulation 2016/679 and Legislative Decree 101 of 2018 to complete the General Data Protection Regulation give you specific rights to be exercised over your personal data, including the right to request from the Data Controller access to and rectification or erasure of your personal data or the right to restrict the processing of your personal data or the right to object on legitimate grounds to the processing of your personal data. The right to data portability, understood as the right to receive data concerning you in a structured, commonly used and machine-intelligible format and the right to transmit such data to another data controller without hindrance. The right to obtain direct transmission of personal data from the Data Controller to another Data Controller if technically feasible.


Request a quote