B&B Hotels Italia S.p.A., with registered office in Via Domenichino 19, 20149 – Milan (Italy), VAT no. 06291950969, (“B&B ITALIA”) and Casper BidCo, with registered office in Boulevard Romain Rolland, 29, 92120 – Montrouge (France), registration number 850 790 908 (“Casper BidCo”), in their capacity as joint controllers (“Joint Controllers”), process the personal data provided by you if you have chosen to take part in the Online Check-In pilot project launched by the Joint Controllers, i.e., to perform Online Check-In operations using facial recognition technology after making a reservation of a stay at the B&B Hotel Milano City Center Duomo (the “Hotel”).
The Joint Controllers will process the personal data provided by you during the Online Check-In pilot project using the B&B mobile app with facial recognition technology (“Personal Data”). In particular, the following Personal Data are processed:
1.1. Copy of your passport and the data it contains, including: name, surname, date and place of birth, document number and expiry date;
1.2. Biometric data relating to the characteristics of your face (the facial images will not be retained, but will be used to check your identity by comparing them with your passport photograph, and will then be irreversibly deleted); and
1.3. An encrypted string that gathers information from the identity check, i.e. the validity of your passport and the correspondence of your identity with the passport photograph, and confirms the positive match (“String”). It is specified that it is in no way possible for your face and the copy of your passport to be traced using the String.
The Personal Data are collected and processed solely to check the identity of the person who will be staying at the Hotel, for the purpose of providing the hotel service. This will be done using innovative facial recognition technology, to facilitate and speed up the check-in procedures at the Hotel. Specifically, we inform you that on arrival at the Hotel you must in any case go to reception to allow the staff in charge to check your personal identity, in the traditional way but more quickly.
The legal basis for processing is your express consent. Only the Personal Data contained in your passport will be disclosed to the competent public security authorities, only as regards the information required by B&B ITALIA to fulfil the obligations laid down in Article 109 of Italian Royal Decree (R.D.) no. 773 of 18 June 1931 (Consolidated Law on public security, TULPS) in the methods laid down in the related Decrees.
The provision of Personal Data is required for checking your identity using facial recognition technology in order to facilitate and speed up the check-in procedures at the Hotel. You may in any case check in at the Hotel reception with the staff in charge of this procedure, in the traditional way.
The choice of checking your identity using facial recognition technology means that your identity will be checked in a fully automated manner. In particular, the Joint Controllers will use a fully automated procedure to check the validity of your passport and the correspondence between the image in your passport and your face. In any case, you will have the possibility to dispute the decision taken, also by directly contacting the Joint Controllers by e-mail at the following address firstname.lastname@example.org. In any case, if the identification process is unsuccessful, you may check in at the Hotel reception with the staff in charge of this procedure.
Without prejudice to the compliance with the principle of minimisation and proportionality, the Personal Data may be made accessible to the following parties for the above-listed purposes:
a) to employees and collaborators of the Joint Controllers, on the basis of the instructions received from the Joint Controllers themselves and under their authority;
b) to companies, consultants or professionals used by the Joint Controllers to provide their services, including, in particular:
c) only the Personal Data contained in your passport, to parties (including public authorities) who have access to the personal data by virtue of regulatory or administrative orders.
The Personal Data will be subject to the highest security standards. The String and the copy of the passport will be retained exclusively in encrypted form and for the period specified below in sub 7. Under no circumstances will the Personal Data be disclosed or in any case communicated to an indefinite number of parties.
The Personal Data will be processed in the European Union.
The images of your face will not be retained, but will be used exclusively to check your identity by comparing them with your passport photograph, which will take 2-3 seconds, and will then be irreversibly deleted.
The copy of your passport will be retained from the time of comparison as defined above until no later than 24 hours following your arrival at the Hotel. This retention period shall not in any case exceed 72 hours from the receipt of the e-mail in which the Joint Controllers notify you of the possibility to perform Online Check-In operations, starting from 48 hours prior to your arrival at the Hotel. The Personal Data contained in the String will be retained for the same period.
The Personal Data contained in your passport will be retained for 5 years from their registration by the competent person in charge at the Hotel, on the basis of the information given in the copy of the passport.
All Personal Data will be irreversibly deleted at the end of the respective periods indicated above.
It is specified that if the identity check performed using the Online Check-In procedure is unsuccessful, all your Personal Data will be immediately and irreversibly deleted.
In relation to the processing of Personal Data, you may exercise the rights laid down in Articles 15 to 22 of the General Data Protection Regulation 2016/679 (“GDPR”). In particular, you have the right to obtain from the Joint Controllers the integration or deletion of your Personal Data (so-called right to be forgotten); the right to obtain the restriction of the processing and the right to portability of your Personal Data, the right to object to the processing of your Personal Data and the right to lodge a complaint with the Data Protection Authority, if there are grounds to do so, using the following contacts: Piazza Venezia 11, 00187 Rome, fax: (+39) 06.69677.3785, telephone switchboard: (+39) 06.696771, e-mail: email@example.com. You also have the right to withdraw your consent to processing (without prejudice to the lawfulness of the processing prior to withdrawal) and to dispute the automated decision taken by the Joint Controllers, and to request human intervention by a person in charge at B&B ITALIA. Furthermore, pursuant to art. 26 of the GDPR, you have the right to request the essential contents of the joint controller agreement between the Joint Controllers.
You may exercise these rights by contacting the Joint Controllers at the e-mail address firstname.lastname@example.org and/or the Hotel staff.
There are no restrictions to the methods used to exercise your rights, and it is free of charge.