Privacy Policy
Uno Otto Operations S.r.l., pursuant to Articles 13 and 14 of EU Regulation 2016/679 (“GDPR) and Italian data protection laws”), hereby informs guests and all individuals (the “Data Subjects”) who interact with the hospitality facility Casa Laveni, located at Via dei Bossi 5, 20121 Milano, Italia, (“Casa Laveni”) that the personal data provided in connection with their stay and use of the services offered by the facility will be processed in accordance with the terms and for the purposes set out below (the “Privacy Policy”).
1. Data Controller
The data controller, pursuant to Article 4(7) of the GDPR, is Uno Otto Operations S.r.l. (“Uno Otto Operations” or the “Data Controller”) with registered office in Via Giacomo Leopardi 8, 20123 Milan Italia, C.F. and VAT number IT13886060964 , with the following contact details:
- E-mail address: info@casalaveni.com
- Postal address: Via Giacomo Leopardi 8, 20123 Milan Italia
For any information or clarification regarding the processing of personal data, the Data Subject may contact the Data Controller at the above contact details.
2. Categories of Personal Data Collected[LCA1]
The personal data of Data Subjects are collected in connection with the booking and stay at Casa Laveni, as well as in the course of the provision of services offered by the facility.
The data processed include, in particular:
- Identification Data: name, surname, date and place of birth, nationality, identity document number and type, home or residential address;
- Contact Data: e-mail address, telephone number;
- Tax and Billing Data: tax identification number and VAT number.
Hereinafter collectively referred to as “Personal Data”.
Data received from third parties (Article 14 GDPR). In some cases, Personal Data may be provided to the Data Controller by third parties, such as online travel agencies (OTAs), booking platforms, travel agents or other intermediaries, or by the person making the reservation on behalf of other guests. In such cases, the Personal Data may include Identification Data and Contact Data, and will be processed for the purposes set out in Section 3.
3. Purposes and Legal Bases of the Processing of Personal Data
Personal Data are processed by the Data Controller for the following purposes:
- Management of bookings and stays: Identification and Contact Data are processed to manage the reservation, confirm the booking and provide the hospitality services requested by the Data Subject. The legal basis for this processing is the performance of a contract to which the Data Subject is party, pursuant to Article 6(1)(b) of the GDPR. The provision of data for this purpose is necessary: failure to provide such data will make it impossible to proceed with the booking and to deliver the requested services.
- Compliance with public safety obligations: Identification Data are processed to comply with the obligation to communicate guest data to the competent Police Headquarters (i.e., the Questura) through the “Alloggiati Web” system, pursuant to Article 109 of the “Testo Unico delle Leggi di Pubblica Sicurezza” (Italian Royal Decree No. 773/1931). The legal basis for this processing is compliance with a legal obligation to which the Data Controller is subject, pursuant to Article 6(1)(c) of the GDPR. The provision of data for this purpose is mandatory: refusal to provide such data will result in the inability of the facility to host the Data Subject.
- Tax and accounting obligations: Personal Data, including Tax and Billing Data, are processed to comply with legal obligations in administrative, accounting and tax matters, including the issuance, transmission, storage and retention of electronic invoices and other accounting records, pursuant to Article 2220 of the Italian Civil Code and applicable tax legislation. The legal basis for this processing is compliance with a legal obligation to which the Data Controller is subject, pursuant to Article 6(1)(c) of the GDPR.
- Guest assistance and service-related communications: Identification and Contact Data are processed to manage communications with the guest during the stay (e.g., messages, e-mails and telephone calls), as well as to provide post-stay assistance (e.g., lost and found management, sending copies of invoices, and any communications related to the service provided). The legal basis for this processing is the legitimate interest of the Data Controller in ensuring an adequate level of guest assistance, pursuant to Article 6(1)(f) of the GDPR. This legitimate interest has been duly balanced against the reasonable expectations of the Data Subjects and does not prejudice their rights and freedoms, as the processing is strictly functional to service-related needs. The Data Subject may object to such communications at any time by contacting the Data Controller at the contact details indicated in Section 1.
- Exercise and defence of rights in legal proceedings: Personal Data may be processed to assert or defend a right of the Data Controller in judicial or extrajudicial proceedings. The legal basis for this processing is the legitimate interest of the Data Controller or third parties in exercising the right of defence, pursuant to Article 6(1)(f) of the GDPR. This legitimate interest is to be considered prevailing as it corresponds to a constitutionally guaranteed right;
- Pre-booking enquiries and requests: Contact Data are processed to respond to enquiries and to take steps at the request of the Data Subject prior to entering into a contract. The legal basis for this processing is the performance of a contract or pre-contractual measures pursuant to Article 6(1)(b) of the GDPR.
4. Data Retention Period
The Data Controller intends to retain Personal Data for a period not exceeding that which is necessary to achieve the purposes for which they were collected and processed. In particular:
- Personal data processed for the purposes referred to in Section 3, point (i) will be retained for the period necessary to manage the stay and any related obligations and, in any event, for a period not exceeding the ordinary limitation period of 10 (ten) years from the date of check-out.
- Personal data processed for the purposes referred to in Section 3, point (ii) are communicated to the competent Police Headquarters in compliance with applicable law and are not retained by the facility beyond the period strictly necessary for their transmission, unless retention for a longer period is required under applicable law.
- Personal data processed for the purposes referred to in Section 3, point (iii) will be retained for a period of 10 (ten) years, in accordance with applicable Italian tax legislation.
- Personal data processed for the purposes referred to in Section 3, point (iv) will be retained for the period necessary to provide the relevant assistance and manage any related obligations and, in any event, for a period not exceeding the ordinary limitation period of 10 (ten) years from the date of check-out.
- Personal data processed for the purposes referred to in Section 3, point (v) will be retained for the time necessary to achieve the purpose of exercising or defending legal claims and in accordance with the applicable limitation periods.
5. Processing Methods and Categories of Data Recipients
Personal Data will be processed by means of manual and digital tools, using methods strictly related to the purposes indicated and, in any event, in a manner that ensures their security and confidentiality.
Personal Data may be disclosed, within the limits strictly relevant to the obligations, tasks and purposes set out above and in compliance with applicable data protection legislation, to the following categories of recipients:
- Employees and collaborators of Casa Laveni, duly instructed and designated for processing, who require access to such data for the provision of the requested services and limited to the information strictly instrumental and related thereto;
- External natural and/or legal persons providing services instrumental to the activities of the Data Controller (e.g., accounting consultants, legal consultants, IT service providers), bound by confidentiality agreements;
- Competent Authorities in the cases provided for by law, regulations and/or national and European Union legislation.
The updated list of any data processors is available at the registered office of the Data Controller.
Unless otherwise provided above, Personal Data will not be disclosed to third parties. Any further communication or disclosure will take place where a valid legal basis applies under the GDPR and applicable law; where required, the Data Subject’s consent will be obtained.
6. Transfer of Personal Data to Third Countries
The Data Controller does not transfer Personal Data outside the European Union.
Should such transfer be necessary to achieve the purposes referred to in Section 3 of the Privacy Policy, the Data Controller will carry out such transfer exclusively to entities located in countries for which an adequacy decision has been issued by the European Commission, or by adopting the appropriate safeguards pursuant to Article 46 of the GDPR, including, where applicable, the Standard Contractual Clauses adopted by the European Commission.
7. Rights of the Data Subject
The Data Subject is entitled to the rights conferred by Articles 15–22 of the GDPR.
In particular, Data Subjects have the right to request and obtain, at any time:
- access to their Personal Data and confirmation of whether or not processing is being carried out, as well as to obtain a copy thereof;
- information on the processing carried out;
- rectification and/or updating of inaccurate or incomplete Personal Data;
- erasure of Personal Data where they are no longer necessary for the purposes for which they were collected, subject to compliance with retention obligations imposed by law (e.g., tax and fiscal obligations);
- restriction of processing;
- to exercise the right to object to processing, where applicable;
- data portability, i.e. the right to receive their Personal Data in a structured, commonly used and machine-readable format;
- to withdraw their consent to the processing of Personal Data at any time, where processing is based on consent; the withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent given prior to such withdrawal;
- to lodge a complaint with the competent supervisory authority for data protection. In Italy: the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
8. How to Exercise Your Rights
The rights referred to in Section 7 may be exercised at any time by submitting a request to the Data Controller at the following contact details:
- E-mail address: info@casalaveni.com
- Postal address: Via Giacomo Leopardi 8, 20123 Milan Italia
The same contact details may be used to request further information or clarification regarding the above-mentioned rights, the categories of data recipients, and the Privacy Policy.
9. Updates to The Privacy Policy
The Privacy Policy may be amended over time, including in connection with the entry into force of new sector-specific regulations, the update and/or provision of new services, or technological developments. In the event of substantial amendments, the Data Controller will notify the Data Subjects through the most appropriate means. Data Subjects are therefore invited to consult The Privacy Policy periodically.
Privacy policy last updated on 01/05/2026