Privacy Policy

Privacy Policy Gruppo UNA

User personal data processing policy
Rights of the data subject
How to exercise rights and/or request information about data processing


Dear User,
This Privacy Policy is provided to you pursuant to art. 13 of EU Regulation 2016/679 - concerning the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter also the "Regulation" or "GDPR").
This Privacy Policy contains information relating to the processing of your personal data as a result of browsing the internet and using the services made available to you via the website.
You will be given specific and/or supplementary information about the processing of your personal data every time we collect it, when you interact with the website, or by virtue of contractual relationships established with our Company; you can view them all at any time by clicking on the links in the “Policies” section at the bottom of this page.

NB: this Privacy Policy does not apply to web services provided by any third parties you may use or consult via hypertext links. In this regard, we invite you to consult the privacy information and privacy policies provided by these third parties in the appropriate locations.


Privacy Regulations: The GDPR, the Privacy Code, the Italian Data Protection Authority's provisions and in general all laws concerning the protection of individuals with regard to the processing of personal data.

GDPR or Regulation: European Union Regulation 2016/679 of 27 April 2016 concerning the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation)

Personal data: Any information regarding an identified or identifiable individual.  Besides data provided by the user via any forms in individual web service areas, this also includes browsing data 

Data subject: The identified or identifiable individual that personal data refers to.

Browsing data: In the course of their normal operation, the computer systems and software procedures used to operate web services collect certain data whose transmission is implicit in the use of internet communication protocols. This is information that is not collected in order to be linked to identified data subjects, but that by its very nature could allow users to be identified via processing and association with data held by third parties. However, if the browsing session takes place after accessing the Reserved Area (requiring users to log in), the data collected is associated with the user's personal account.

Browsing data includes:

  • IP addresses or domain names of the computers used by users that connect to the website;
  • the addresses of the requested resources in URI (Uniform Resource Identifier) format;
  • the time of the request;
  • the method used to submit the request to the servers;
  • the size of the file obtained in response;
  • the numerical code indicating the status of the response the server gives (successful, error, etc.)
  • other parameters regarding the user's operating system and computer environment.

Data provided by users: This is the data which the user voluntarily and knowingly provides by sending communications (e.g. by email, to the addresses on the web domain) or by filling in specific forms, if present in the areas provided by the services.

The data provided by the user is only strictly necessary for the purposes required by the services on a case by case basis (for precise details regarding the categories of data collected on a case by case basis, please refer to the relevant privacy policy). By way of example, this data may be:

  • personal details;
  • regarding contact details (e.g., email address)
  • related to the user/client's contractual position;
  • geolocation (if the user has consented to the collection of data about their position);
  • regarding the use of individual services available to the user;
  • regarding facts and events disclosed by the user in their messages (as far as this is concerned, and in order to better protect them, users are encouraged not to provide information that is not strictly connected with the request and the nature of the services provided by the Company).

Data controller The person who decides on the purposes and methods of processing personal data.  With reference to web services, Gruppo Unipol is the Company which this website refers to and whose references are at the bottom of each page.

Services or Web Services The services provided through the internet, used via the website and/or any apps.

User: The data subject (individual) who browses, consults, accesses or uses the web services.

DPO: The Data Protection Officer. Users may request clarifications regarding the processing of personal data or exercise their rights by contacting the DPO, in the manner and form indicated in the section “How to exercise rights and/or request information about data processing”.

Italian Data Protection Authority: The Guarantor for the protection of personal data, in other words the Italian national monitoring authority for the protection of personal data. Consult the  Authority's website.

Cookies: Cookies are pieces of information that are stored on your device (e.g., in your browser's memory) when you visit a website or use a web application 

Each cookie may contain various data, such as the name of the server it comes from, a numerical identifier, etc.

See the Cookies Policy for more information.


Below we have provided some useful information about the processing of personal data carried out via our web services.

In particular, we would like to inform you about:

  • the identification and contact details of the Data Controller;
  • the contact details of the Data Protection Officer (DPO);
  • the categories of personal data processed via the web services;
  • the purposes for which this personal data is processed on a case by case basis;
  • the conditions that legitimise the processing of this data (legal grounds);
  • how long the data will be stored for, always strictly necessary for the pursuit of the stated purposes;
  • the categories of data recipients.

Data controller


Gruppo UNA S.p.A.

Via Gioacchino Murat, 23 - Milano

Categories of personal data, purposes and legal grounds for processing and length of data storage


Categories of Personal Data

Purposes of processing

Legal grounds

Length of data storage

Browsing data

To allow web browsing and the provision of services

The need to perform a contract to which the data subject is a party or to provide a service at their request

For the duration of browsing within the services

To obtain anonymous statistical information on the use of the web services, for the sole purpose of checking their correct functioning

Legitimate interest of the Company

The data is collected in aggregate form and can no longer be traced to the individual user who browsed the website

To guarantee that web services are secure and function correctly, as well as to assess liability in the event of hypothetical crimes, and in order to consequently protect our rights Legitimate interest of the Company 90 days from the date that the technical issue arises, for functionality analysis and improvement (“Troubleshooting”), unless a longer period is required in the event of disputes or investigations or if it becomes necessary to defend rights

Data provided by the user: provision of web services

Information request

The need to respond to requests made by the data subject (pre-contractual phase) or legitimate interest

The time necessary to provide the information

Booking overnight stays (data may also be collected by third parties, if the booking is made via external booking services providers)

The need to respond to requests made by the data subject (pre-contractual phase) or perform a contract to which the data subject is a party

For the duration of the booking (if hotel services are used, after checking in, for the duration of the stay and subsequently for the times set by administrative/accounting requirements in force from time to time

Quote for booking rooms

The need to respond to requests made by the data subject (pre-contractual phase)

The time the quote is valid for



2 years from the subscription date or until consent is withdrawn

Newsletter Leisure Team


2 years from the subscription date or until consent is withdrawn

Newsletter Mice Team


2 years from the subscription date or until consent is withdrawn

Newsletter Corporate Team


2 years from the subscription date or until consent is withdrawn

Discount and agreement request

The need to respond to requests made by the data subject (pre-contractual phase) or perform a contract to which the data subject is a party

For as long as the discount, agreement or service is valid (generally speaking, 1 year from the time the data is collected)

Request for information about franchising agreements

The need to respond to requests made by the data subject (pre-contractual phase)

For the time strictly necessary for negotiations

Booking catering services

The need to perform 

a contract to which the data subject is a party


The time strictly necessary to process the request and subsequently it will be stored for administrative/accounting purposes in compliance with the regulatory terms that are established from time to time (generally speaking, for 10 years)

Commercial and promotional messages (marketing purposes)


2 years or until consent is withdrawn

Providing your personal information is free and optional; We remind you, however, that it is indispensable to pursue certain purposes (to provide you with appropriate feedback to requests, to register in the Reserved Area or to provide individual services); if is not provided, it may not be possible to pursue these purposes.

If data (and relative consent) is not provided for any marketing or profiling purposes, this will not affect other services requested.

We invite you to consult the relevant data processing policies for more details.


Processing methods and data storage period

The abovementioned data will not be distributed and may be disclosed to members of staff in our Company who have specific authorisation to process it.  It may also be acquired and/or processed by other Gruppo Unipol companies and/or companies. Processing operations may be carried out by external parties who perform certain activities on our behalf and with whom we have special agreements governing the processing of personal information.

Finally, data may be disclosed at the express request of public authorities or law enforcement agencies.

The processing of personal data is always subject to the application of appropriate security measures to ensure the confidentiality, availability and integrity of the data.


The Web Services may use both first and third-party technical, analytical and profiling cookies.
Cookies are essential to improve the services and to provide products that are always in line with user preferences.
Any use of profiling and/or third-party cookies will always be subject to your prior consent.

To find out more, click here.

Privacy laws (articles 15-22 of the Regulation) guarantee the user, as data subject, the right to access data about them, as well as to obtain the rectification and/or integration, erasure or portability of the data.  Privacy laws also give the user the right to request the restriction of data processing and to object to processing, as well as the possibility to withdraw any consent given (withdrawal does not affect the lawfulness of the processing carried out up to that moment).


What are they?

Conditions for exercising rights

Access to data

Users may ask the data controller:

  • for confirmation that data about them is being processed;
  • a copy of the data about them;
  • information about the processing of data (e.g. legal grounds, storage time periods, data recipient categories, etc.)

Users may always make these requests

Rectifying or integrating data

Users may ask the data controller to:

  • rectify
  • update
  • alter

personal data that is processed

If the processed data is inaccurate or incomplete

Erasing data

Users may ask the data controller to erase personal data being processed

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the user withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  • the user opposes processing pursuant to art.  21 and there are no overriding legitimate grounds for the processing;
  • the personal data has been unlawfully processed;
  • the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject

Restricting personal data processing

Users may ask the controller not to carry out, with the sole exception of storage, any processing operation on their personal data, except with users' consent or to protect their rights

  • the accuracy of the personal data is contested by the user, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims;
  • the user has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.

Opposition to personal data processing

Users may oppose processing on the basis of legitimate interest (including having promotional messages sent) or on the basis of public interest

The reasons must relate to the particular situation of the user, unless the user opposes processing for direct marketing purposes

Opposition to automated decision-making

Users may oppose automated decision-making. If this decision-making is necessary to enter into a contract, based on explicit consent, whether authorised by the law or regulation of the state or of the European Union, users have the right to obtain human intervention on the part of the controller, to express their point of view and to challenge the decision.

There is a decision based exclusively on automated processing, including profiling, that has legal consequences regarding them or that similarly affects them to a significant extent.

Portability of Personal Data

Users have the right to receive personal data concerning them in a commonly used, structured format that can be read by an automatic device.

Provided that the following conditions are met:

  • the data is provided by the user;
  • processing is based on their consent or on a contract;
  • the processing is carried out by automated means

Withdrawal of consent

Users may withdraw their consent.  Withdrawal of consent does not affect the lawfulness of processing carried out before consent is withdrawn.



The "Data Protection Officer" is available if there are any doubts or queries, to exercise the rights of data subjects, and to provide an updated list of data recipient categories.

Data protection officer or DPO

Furthermore, your right to contact the Italian Data Protection Authority, including to lodge a complaint, remains unaffected, if it is considered necessary in order to protect your personal information and your rights in this matter.

Below is a list of our privacy policies:

Contractual privacy policy and for promotional purposes - registration form -  (GUN_InfC_Clie_01)

Privacy policy for accessory services – (GUN_Info_Clie_01)

Privacy policy for online reservations at hotels – inluding via third parties (GUN_InfoPreW_01)

Privacy policy for Newsletter subsription – (GUN_InfC_News_03)

Privacy policy for commercial and promotional purposes – (GUN_InfC_Comm_01)

Supplementary privacy policy for customer satisfaction surveys – (GUN_Info_Quest_01)

Privacy policy for sending discounts, coupons, vouchers, etc. – (GUN_Info_Comm_01)

Privacy policy for audiovisual recordings – (GUN_InfC_AuVd_01)

Privacy policy for booking events/conferences – (GUN_Info_PrEv_01)

Privacy policy for information requests – (GUN_Info_WInf_01)

Privacy policy for information requests (franchising) – (GUN_Info_WInf_02)

Video surveillance privacy policy Long version – (GUN_Info_VdsE_01)

Supplementary privacy policy for online meal and restaurant booking services - (GUN_Info_PreW_03)

Information on the processing of personal data for the purchase of other services. (GUN_Info_Cont_01)

Privacy policy for Wi-Fi service – (GUN_Info_Wfor01)


Back to contents