Privacy Policy

PRIVACY POLICY – Hotel Palazzo Delle Stelline di G.S.A. S.r.l.


During the consultation of this website, it is possible that information and personal data will be collected, as indicated in this statement. The information refers exclusively to this website.

The Data Controller

The Data Controller is Hotel Palazzo Delle Stelline di G.S.A. S.r.l., VAT number / C.F. 06250840151, with registered office in Corso Magenta 61, Milan 20123.

The object of the treatment

The personal data held by the Data Controller are processed in compliance with the obligations of correctness, lawfulness and transparency imposed by the aforementioned legislation, protecting the confidentiality and rights of the interested parties.

The site collects some user data to offer its services. For details, view the cookie policy presented on this website.

The provision by the interested party of some personal data that allow direct contact with the Data Controller (telephone, e-mail, etc.) is mandatory in order to use the requested services, and failure to provide them could affect access. Mandatory personal data are marked with an asterisk.

In cases where some data are indicated as non-mandatory, the interested party is free to refrain from communicating such data, without this having any consequence on the availability of the service or on its operation.

Interested parties who have doubts about which data are mandatory are encouraged to contact the Data Controller.

In particular, data can be collected through:


Through the Contact Form, personal data can be communicated to the Data Controller.

The user is invited not to provide irrelevant personal data; irrelevant data will be deleted or, in any case, will not be considered.

The data transmitted through the Form are processed only in order to respond to user requests, on the basis of the pre-contractual relationship between the parties.


Purpose of the treatment

The data of the interested party is collected to allow the Owner to provide its services, as well as for the following purposes: statistics and display of content from external platforms.

To obtain further detailed information on the purposes of the processing and on the personal data concretely relevant to each purpose, the interested party can refer to the relevant sections of this document.


Legal basis of the processing

The legal basis of the processing is as follows:

  • the processing is necessary to fulfill a legal obligation to which the Data Controller is subject, pursuant to art. 6, paragraph 1, lett. c) of the 2016/679 EU Regulation;
  • the processing is necessary for the pursuit of the legitimate interest of the Data Controller or third parties, pursuant to art. 6, paragraph 1, lett. f) of the 2016/679 EU Regulation;
  • the processing is necessary to fulfill the pre-contractual relationship through the Contact Form, pursuant to art. 6, paragraph 1, lett. b) of the 2016/679 EU Regulation;

However, it is possible to ask the Data Controller to clarify the concrete legal basis of each treatment and in particular to specify whether the treatment is based on the law or provided for by a contractual or pre-contractual relationship.


Processing methods

The data are processed by the company staff in charge and are not disclosed to unauthorized third parties.

The processing is carried out using IT and / or telematic tools and in an automated and / or manual form, in compliance with the provisions of art. 32 of the GDPR 2016/679 on security measures, by persons specifically appointed and in compliance with the provisions of art. 29 GDPR 2016/679.

The Data Controller adopts the appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of personal data.

In addition to the Data Controller, in some cases other parties involved in the provision of the services offered and in the organization of this website may have access to the data (hosting provider, IT companies, archiving, collection, printing and shipping and management of e-mails, communication agencies, postal couriers), as well as external subjects appointed, if necessary, as Data Processors by the Data Controller. The updated list of Managers can always be requested from the Data Controller.


Transfer of personal data

The data are processed at the operational headquarters of the Data Controller and in any other place where the parties involved in the processing are located. For further information, please contact the Data Controller.

The personal data of the interested party are not transferred outside the European Union.


Retention period

In compliance with the principles of lawfulness, purpose limitation and data minimization, pursuant to art. 5 of the GDPR 2016/679, the personal data of the interested party will be kept for the period of time necessary to achieve the purposes for which they are collected and processed or to defend / exercise a right.

When the processing is based on the consent of the interested party, the Data Controller can keep the personal data longer until such consent is revoked. Furthermore, the Data Controller may be obliged to keep personal data for a longer period in compliance with a legal obligation or by order of an authority.

At the end of the retention period, the personal data will be deleted. Therefore, upon reaching this deadline, the right of access, cancellation, rectification and the right to data portability can no longer be exercised.

Rights of the interested party

At any time, the interested party may exercise, pursuant to articles 15 to 22 of EU Regulation no. 2016/679, the right to:

  a) ask for confirmation of the existence or otherwise of their personal data;
  b) obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated and, when possible, the retention period;
  c) obtain the rectification and cancellation of data;
  d) obtain the limitation of the processing;
  e) obtain data portability, i.e. receive them from a data controller, in a structured format, commonly used and readable by an automatic device, and transmit them to another data controller without hindrance;
  f) oppose the processing at any time; interested parties are reminded that, should their data be processed for direct marketing purposes, they can oppose the processing without providing any reasons;
  g) ask the data controller to access personal data and to correct or delete them or limit their processing or to oppose their processing, in addition to the right to data portability;
  h) withdraw the consent at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation;
  i) lodge a complaint with a supervisory authority. The interested party has the right to lodge a complaint with the Guarantor for the Protection of Personal Data, based in Rome via di Monte Citorio 121 (tel. +39 06696771), following the procedures and indications published on the Authority’s website www


Contacts of the Data Controller

The Data Controller can be reached through the following contacts:
– by e-mail, at the address:
– by phone: +39 02.4818431
– by fax, to the numbers: +39 02.48519097 / 02.48194281
– by ordinary mail: Corso Magenta, 61 – 20123 Milan



Pursuant to EU Regulation 679/2016 and Legislative Decree 196/2003

Dear Customer,

This note is intended to clarify the provisions of the legislation for the protection of personal data, in particular with regard to your rights and methods of protection.

Holder of the treatment

The Data Controller for the processing carried out within the Hotel Palazzo delle Stelline is G.S.A. S.r.l. – Hotel Services Group, with headquarters in Corso Magenta 61, 20123 Milan (MI), tel. +39 02481843, e-mail

Type of data processed

The personal data processed by the Data Controller are the following:

  • Name and surname;
  • E-mail and telephone number;
  • Data relating to the credit card for payment (card number, name and surname of the cardholder, expiry date and security code);
  • Internet browsing data: the site collects some user data to offer its services. For details, view the cookie policy presented on this website.

Purpose of the processing and legal basis

The data provided by the Customer (or “the interested party”) will be used in order to make the reservation at the hotel.

The processing of data is necessary for the execution of a contract (as in the case of a relationship between customer and hotelier) or pre-contractual measures (Article 6, paragraph 1, letter b) of the GDPR).

If you so wish, you can also give your consent to additional services carried out by the Data Controller, such as:

  • the transmission of information / promotional material to the contacts indicated by you.

We remind you that any refusal to provide your consent will not affect the execution of the hotel contract in any way but will make it impossible to provide you with the additional services offered. This consent can be revoked at any time, without the revocation affecting the processing carried out prior to the revocation.


Methods of processing and recipients of data

The processing is carried out by the Data Controller, by means of the persons in charge or by external subjects specifically instructed by the Data Controller. As part of its activity and for the purposes indicated above, the Data Controller may make use of services rendered by third parties who operate on behalf of the Data Controller and according to its instructions, as data controllers. These are subjects who provide the Owner with processing or instrumental services (e.g. IT services for the operation of the platform) or who, in any case, provide a service strictly and necessarily connected to the Owner’s activity: tax consultants; public and private entities, also in relation to inspections or audits; subjects who can access the data by virtue of legal provisions; external companies supplying goods or services. An updated list of the subjects to whom any communications of personal data can be made is available at the headquarters of the Data Controller.

The data will be processed both with paper and electronic / computer / telematic tools/supports, in full compliance with the law, according to principles of lawfulness and correctness and in order to protect your confidentiality.

Your information will not be disclosed.

Conservation times

Your data will be stored in accordance with current national laws and may be deleted or obscured at the specific request of the interested party and subject to legal conservation obligations.

Transfer of data

Your data may be transferred within the European Union, where the Data Controller or its suppliers are based or have their own servers. The data will not be transferred outside the European Union.


Rights of the interested party

The interested party has the right, at any time, to exercise towards the Data Controller:

  • the right of access (Article 15 of the GDPR);
  • the right to request the rectification of data concerning him (Article 16 of the GDPR);
  • the right to obtain the cancellation of their data (Article 17 of the GDPR);
  • the right to obtain the limitation of processing (Article 18 of the GDPR);
  • the right to object to the processing (Article 21 of the GDPR);
  • the right to data portability (Article 20 of the GDPR).

In case of rectification or cancellation or limitation of the data, the Data Controller communicates the changes to the recipients to whom the data are transmitted (Article 19 of the GDPR).

The interested party also has the right not to be subjected to any automated processing that produces legal effects concerning him or that significantly affects his person (Article 22 of the GDPR).

In any case, the interested party may contact the Guarantor Authority or the Judicial Authority.

To contact the Data Controller: email: