Privacy Notice

Pursuant to Article 13 of EU General Data Protection Regulation (GDPR) no. 679/2016

S.A.G.I.M. S.r.l (Società Amministrazioni Gestioni Immobiliari Milano), having its registered office in Via Vivaio 8, Milano, Fiscal Code and VAT no. 01215020155, in its capacity as the Controller (hereinafter: the controller), provides you with more information about the purpose and modalities of processing your data, pursuant to Article 13 of EU General Data Protection Regulation (GDPR) no. 679/2016 and following amendments. The controller will process the data collected through its website ( for the purposes and through the modalities described as follows.

  1. Scope of Processing

Which data are processed?

The data processed are those that you provided, namely:

  • Name, last name, email address, telephone number and home address;
  • credit card details (credit number, card holder, expiration date and CVV);

Personal information:

  • about your stays, including arrival and departure dates, special requests and service preferences (e.g. about rooms, facilities and so forth);
  • about your marketing preferences, also those resulting from surveys and promotions.


Data collected automatically

While surfing the website, the following information can be collected, which is stored in the website’s server log file:

  • IP address;
  • type of browser;
  • the parameters of the device used to connect to the website;
  • ISP name;
  • visit time and date;
  • referral and exit page;

These data are collected to examine users’ trends and gather aggregate information, manage and ensure website safety, and cannot reveal the user’s identity.


  1. Purpose of Processing

Why and on which legal grounds are your data collected?

Your data will be processed:

  1. a) without your consent, to carry out services as laid down in art. 6, let. b), e) and f) of GDPR, namely:
  • to perform services or operations agreed upon in the contract (e.g. manage your online booking, provide you with customer care etc.);
  • to meet fiscal obligations;
  • to make contact with you, to deal with the requests you made through online forms;
  • to comply with legal obligations and regulations, either national or European ones, or to carry out orders from judicial authorities and monitoring bodies;
  • for the establishment, exercise or defence of legal claims in court proceedings, to pursue the legitimate interest of the data controller concerned.
  1. b) with your consent (art. 6, let. a) of GDPR), for the following purposes:
  • to promote new products, services or offers that interest you, by means of advertising, informative, promotional or new material;
  • to carry out market surveys, economic and statistical analyses;
  • to encourage third parties to send advertising, informative and promotional material concerning their own products and services.


  1. Mandatory and non-mandatory nature of Data

Which data are mandatory and which are not?

The provision of the data to fulfil the purposes referred to in Art. 2, let a) is legally and contractually imposed. Failing to provide these data or refusing to have one’s data processed will result in the controller’s impossibility to fulfil your requests and to comply with the requirements of relevant authorities. The provision of the data to fulfil the purposes referred to in Art. 2, let b) is not mandatory, so you can decide whether or not to provide your consent or to withdraw it at any time.


  1. Type of Processing

How are your data used?

The processing of your personal data is done through the stages indicated in Article 4, n. 2) of GDPR, viz.: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Collection is both paper-based and electronically-based, and includes measures aimed at ensuring the security and confidentiality of your data.


  1. Data Storage

How long are your data stored?

The controller uses your data up to a maximum of ten years from the end of the contractual relationship, to carry out the services and in any case in line with the time limit imposed by law, until the withdrawal of consent to perform marketing purposes, and for not more than 12 years for profiling activities (article 2, let b).


  1. Data Access

Who can access your data?

Your data can be accessed:

  • by staff authorised by S.A.G.I.M. S.r.l.;
  • by commercial partners and service providers that work on behalf of S.A.G.I.M. S.r.l., being them responsible of external processing and performing activities which are connected, related or supplementing those of the controller.


  1. Data Communication

To whom are your data communicated?

The controller can communicate your data without your consent to perform service purposes:

  • to judicial authorities, upon their request;
  • to subjects referred to in point 6.
  • to all those to whom it is necessary to communicate them, either for law or by contract, to enable the performance of the purposes described above (e.g. credit bodies, professional firms, commercial partners).

S.A.G.I.M. S.r.l. can also communicate these data to third parties to allow marketing activities as specified in p. 2, let b. To this end, specific consent will be requested from you, once the third party to which data will be transmitted will be identified. The latter will store your data in their capacity as autonomous processing controller. Please rest reassured that your data will not be disclosed.


  1. Data Transfer

Where can my data be transferred?

Your data might be transferred outside the European Union to the subjects specified in par. 6 and 7. In order to protect your data in the context of these transfers, the controller takes specific measures, among other the consent of the data subject, the decision of adequacy and the standard contractual clauses adopted by the European Commission


  1. The rights of the data subject

In his capacity as the data subject, the latter can exert the rights detailed in Articles 15, 16, 17, 18, 20, 21, 22 of GDPR. If no limitations are provided for by law, the data subject can:

  • obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data in a clearly and understandable way;
  • seek information about, and also a copy of:
  1. the source and the type of his personal data;
  2. the logic involved in any automatic personal data processing;
  3. the purpose for which data are processed;
  4. the personal information about the controller and the processor;
  5. the subjects – or groups of subjects – to whom his data might be communicated or made available;
  6. the period during which his data are stored or the criteria used to determine this period, where possible;
  7. the existence of an automated decision-making process, including profiling. Should this be the case, he might require the logic implemented, the relevance and the possible implications;
  8. the existence of adequate safeguards in the event of these data being transferred to a non-European country or to an international organisation;
  • obtain, without undue delay, that incorrect data are updated, amended, reviewed and that incomplete data are integrated, if any interest arises about this;
  • obtain that his data are cancelled, blocked, anonymised, whereas possible:
  1. if processed illegally;
  2. if they are no longer necessary to the purposes for which they have been collected and then processed;
  3. if consent has been withdrawn and thus data processing is not based on any legal ground, whatsoever;
  4. in the event data processing has been refused and no legal reasons exist to continue to use these data;
  5. if this is imposed by the law;
  6. if it involves minors.

The data controller can refuse to delete data in the following cases:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority;
  3. for reasons of public interest in the area of public health;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  5. for the establishment, exercise or defence of legal claims
  • obtain the right to restriction of processing in the following cases:
  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data controller opposes their erasure;
  3. the exercise or defence of legal claim;
  4. the verification whether the legitimate grounds of the controller override those of the data subject;
  • receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to have the personal data transmitted directly from one controller to another, where technically feasible;
  • the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data:
  1. when compelling legitimate grounds exists for the processing of personal data;
  2. where personal data are processed for direct marketing purposes and/or profiling (he can refuse to receive advertising or sale material, material for market research, commercial communication, the use of automatic calls without the presence of an operator, through emails or traditional marketing tools, phone or post)

For all the cases mentioned above, the data controller will inform the third parties to whom your data are communicated that you intend to exert your rights, save for specific cases (e.g. when this task is impossible to perform or entails a disproportionate effort as compared to the safeguarded right).


  1. How to exert your rights

You can at anytime amend and withdraw the consent provided and exercise your right by making contact with the data controller at the following address: S.A.G.I.M. S.R.L., Via Vivaio, 8- 20122 MILANO – Tel. 02929781 e-mail:

For the processing of data referred to in the present notice, you have the right to report a complaint to the Data Protection Supervisor (


  1. Data Controller and Processor

S.A.G.I.M. S.R.L., having its legal offices in Milano, Via Vivaio, 8, Fiscal Code and VAT code 01215020155 -Tel. 02929781 e-mail: The updated list of data controllers and processors is stored at the premises of the data controller.