Pursuant to EU Regulation no. 679/2016 (the General Data Protection Regulation, “GDPR”), this page describes the methods for processing personal data of users who visit the Palazzo Ruspoli websites (hereinafter ” Palazzo Ruspoli Sites”) accessible by electronic means at the following addresses:


Moreover, should you decide to book a reservation by selecting arrival and departure dates via the appropriate booking forms on the aforementioned websites, you will be connected to a booking engine. This booking engine is provided by our partner Blastess, appointed as Data Processor as indicated in this statement.

This information does not apply to other websites, pages or online services accessible via hypertext links that may be published on sites and which refer to resources that are external to the palazzo-ruspoli-florence domain.

The information is also based on Recommendation n. 2/2001, which the European authorities for the protection of personal data, that gathered in the Group established by art. 29 regarding directive n. 95/46/EC, adopted on 17 May 2001 in order to identify certain minimum requirements for the collection of personal data online, and, in particular, the methods, timing and nature of the information that the data controllers must provide to the users when they connect to web pages, regardless of the purpose of the connection; as well as the provisions established by the General Measures of the Privacy Guarantor dated May 8, 2014.


Following consultation of the sites listed above, data relating to identified or identifiable natural persons may be processed.

The Data Controller of your personal data is RUSPOLI SRL (the company that manages Palazzo Ruspoli) VAT number / Fiscal Code number 02271410488, with registered office in Florence, in via De ‘Martelli, n. 5, telephone number: 055.2670563 email:


Browsing data The computer systems and software procedures used to operate this website acquire, during their normal operating functions, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties; however, due to its very nature it could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users connecting to the site, the addresses in the Uniform Resource Identifier (URI) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the operating system and the user’s computer environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning and is deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site: except for this eventuality, at present, the data on web contacts does not last for more than seven days.

The legal basis for this specific data processing: the processing is necessary to allow the interested party to consult the site.


Data provided by the user.  The optional, explicit and voluntary sending of emails to the addresses indicated on the Palazzo Ruspoli Sites, as well as filling in and forwarding the forms found on the Palazzo Ruspoli Sites or the booking engine managed by Ermes Hotels Srl, entail the acquisition of the sender’s contact data, which is needed to respond, as well as all personal data included in notifications (including data entered in the forms and forwarded through the Palazzo Ruspoli sites to book a stay).

Personal data provided in the manner described above will be processed for the following purposes:

  1. a) to manage your contractual relationship regarding the service requested, or to execute pre-contractual measures (such as, for example, the request for information or an estimate), to acquire and confirm your booking of accommodation services and ancillary services, and to provide the requested services. Legal basis for processing: execution of the pre-contractual or contractual service requested;
  2. b) for administrative purposes and for the fulfilment of legal obligations regarding accounting and taxes, or to comply with requests from judicial authorities. The legal basis for this processing: fulfilment of legal obligations;
  3. c) only with prior specific consent, for periodically sending newsletters by e-mail. The legal basis for this processing: consent of the interested party;
  4. d) only with prior specific consent, to receive promotional notifications and invitations to events and special promotions (marketing). The legal basis for this processing: consent of the interested party;
  5. e) when sending a curriculum vitae, exclusively for selection purposes. The legal basis for this processing: consent of the data subject to processing CV data for selection purposes;
  6. f) only with prior specific consent, for purposes of automated processing and/or profiling. The legal basis for this processing: consent of the interested party.

We wish inform you that when issuing notifications for marketing purposes and sending newsletter to clients, via email, for the purposes referred to in subparagraphs c) and d) the Data Controller also initiates automated processing, profiling, based on indices and pre-established parameters, as we use MailUP’s platform and IT tools to issue our notifications. In particular, MailUP provides information on who opens the newsletter and clicks on the links contained in the email received. In particular, MailUP, via statistical tracking systems (for example web beacons), enables to detect when the message is opened, the number of clicks on hyperlinks contained in the email, which IP address or what type of browser is used to open the email, and other similar details. The logic used in the use of the processing in question, consists in sending newsletters and commercial offers to subjects who interact with Ruspoli srl (Palazzo Ruspoli), that are interested in the Data controller’s service and/or products and to avoid forwarding unwanted notifications. The profiling activity (with the consent of the interested party) is limited to the data provided by you (without data enrichment). You have the right not to give consent to processing via profiling and in any case, you can, at any time, oppose this process as outlined in this disclosure in the Rights of the interested parties section. The legal basis for this processing: consent of the interested party.

Specific summary information will progressively be provided or displayed on the Palazzo Ruspoli Sites pages, possibly prepared for the provision of certain services. Upon checking-in, clients will receive further information regarding the processing of their personal data with regard to the hotel service.

Cookies. Cookies are text files, containing small amounts of information, which are stored on the computers or mobile devices or other similar technologies of users that visit a website. At each subsequent visit, cookies are sent back to the website that originated them (first party cookies), or to another website (third-party cookies) and recognized. Cookies cannot retrieve any other data from your hard drive, nor transmit computer viruses or acquire email addresses. For information regarding our use of cookies please refer to our Cookie Policy. For further information on the types of cookies, features and their function, please visit the following websites –,, and the aforementioned Provision of the Guarantor.


Apart from what has been specified with regard to browsing data, the user is free to provide personal data listed in the application forms or indicated in contacting the Office to request to receive informative material or other notifications. Failure to provide such data may make it impossible to fulfil requests.

Please note that should consent be given to receive marketing material, newsletters, CV processing for personnel selection purposes by Palazzo Ruspoli, it can be revoked at any time.





The data provided will be processed for the time strictly necessary to give feedback to requests and notifications sent voluntarily by clients. With regard to receiving a CV, it will be processed only for the time strictly necessary for the evaluation of the candidacy. The data processed for the purpose of booking a stay at the Hotel through our website will be kept for the entire duration of the relationship and subsequently, after payment, for 10 years (the time envisaged by legal regulations). Personal data provided to receive newsletters and to receive promotional offers (marketing) will be kept for 10 years. Data relating to web browsing is stored for a maximum of seven days. Cookies are kept for the period indicated in the cookies policy.



Personal Data will be processed using manual, computerized or telematic tools that are suitable for ensuring security and confidentiality and will be carried out by personnel that has been trained to comply with current legislation.

Specific security measures have been implemented to prevent the loss, illicit or incorrect use and unauthorized access of data, in compliance with the provisions set forth in Articles 24.25 and 32, of the GDPR.

In any case, Palazzo Ruspoli cannot be held responsible for unauthorized access or loss of personal data attributable to the interested party or in any case beyond its control.

No data acquired via the web will be passed on to third parties unless otherwise indicated in the Cookie Policy.



With regard to managing the site, specific security measures have been adopted, aimed at ensuring the user’s secure access and to protect the information contained in the site from risks of loss or destruction, even accidental. The antivirus software used in managing the site is updated on a regular basis in order to avoid data loss due to possible computer viruses. It is worth highlighting that though we ensure adopting specific anti-virus systems, despite being a legal obligation, it is advisable for users to equip their workstations with an anti-virus system to prevent possible attacks. An identification code and password are assigned to companies that wish to access the reserved part of the site. These passwords are generated in such a way that they do not contain references that are easily traceable, so as to avoid possible abuse. Users are required to keep their password confidential.


Personal data is stored on servers located within the European Union, unless otherwise specified in the Cookie Policy

With regard to forwarding emails via MailUP, the physical data centre located within the EU is compliant with the applicable legal provisions, pursuant to the provisions established in Article 45 and 46 of the European Regulation 679/2016.



Access to Personal Data collected, as a result of consulting the website and sending requests and/or reservations via the website, is permitted only to persons in charge of processing, expressly authorized by the Data Controller, and to designated data processors as established in Article 28 of the GDPR.

The Data Controller is aware of the importance of data security for our clients and has selected our data processors very carefully.

The Data Controller has appointed as Data Processors, pursuant to Article 28 of the GDPR:

  • ERMES HOTELS SRL with reference to the processing of personal data provided by clients when making a reservation for a stay through the Palazzo Ruspoli website, via the management of the booking engine. More precisely, it should be noted that if users intend to make a reservation on the Palazzo Ruspoli Sites, they will be connected to the search engine for bookings managed by ERMES HOTELS SRL,, which ensures an encrypted and protected session.
  • MailUp S.p.A. with registered office in Viale F. Restelli 1, 20124 Milan (Italy), which manages the MailUP service for the management of forwarding email notifications, with which we have signed an agreement in compliance with the law and art. 28 GDPR.

The updated list of external processors is available at the data controller’s registered office. The updated list can be requested any time by contacting the data controller at the addresses and through the contacts indicated in this document.


No data deriving from the web service is circulated. The data will not be disclosed to third parties except to third parties who, in fulfilling the contract and limited to the purposes indicated above, collaborate with the Data Controller (professionals/companies providing consultancy work of a legal, tax and accounting nature, competent authorities for ‘fulfilling legal obligations’, subjects providing services for managing computer systems and assistance to the website); all of which are bound by the obligation of confidentiality. In any case, in compliance with the principles of data processing envisaged by the GDPR, only the data necessary for carrying out the activities entrusted to them will be passed on to external parties.

The personal data provided by users who request dispatch of informative material is used for the sole purpose of carrying out the service or provision requested and is communicated to third parties only if this is necessary for that purpose (shippers or couriers, for example).



RIGHTS OF THE INTERESTED PARTIES (art 7, articles 15 to 22 GDPR).

Based on current legislation and the provisions established in the GDPR, you have the right to:

  1. ask the data controller to access personal data and request confirmation of the existence, or otherwise, of your personal data;
  2. obtain information on the origin, the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data has been or will be communicated and, where possible, the retention period, the existence of an automated decision-making process, including profiling, and in relation to it, obtaining information on the logic used, as well as the importance and expected consequences of such processing for the data subject;
  3. obtain the correction of data concerning you without unjustified delay;
  4. obtain the deletion (right to be forgotten) of the data without unjustified delay if no longer necessary, incomplete, erroneous or collected in violation of the law;
  5. obtain the integration of incomplete personal data, by providing an additional declaration, taking into account the purpose of the processing;
  6. obtain the processing limitation or oppose the processing;
  7. object, at any time, to the processing, including profiling, in relation to the data processed for direct marketing purposes;
  8. obtain data portability, i.e. receive it from a data controller, in a structured format, commonly used and readable by an automatic device, and transmit it to another data controller without delay;
  9. revoke your consent at any time, if this constitutes the basis of the processing. The withdrawal of consent, however, does not prejudice the lawfulness of the processing based on the consent given prior the revocation;
  10. know whether the communication of personal data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract, and whether the data subject is obliged to provide personal data and the possible consequences of not communicating such data ;
  11. oppose an automated decision-making process concerning individuals, including profiling, and, in such cases, receive significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject;
  12. lodge a complaint to a supervisory authority (Privacy Authority);
  13. be informed of the existence of adequate safeguards pursuant to Article 46 relating to the transfer of data, should the personal data be transferred to a third country or to an international organization.

Requests addressed to the Data Controller may be sent to the following address: RUSPOLI SRL, in via De ‘Martelli, no. 5, 50129 Florence, telephone number: 055.2670563, email:

The Data Controller must proceed in this direction without delay and, in any case, no later than one month after receiving a request. The deadline may be extended to two months if necessary, taking into account the complexity and the number of requests the Data Controller receives. In such cases, the Data Controller, within one month of receiving your request, will inform you of the reasons for the extended period.

Complaints to the supervisory authority can be addressed to the Guarantor for the protection of personal data, Piazza di Monte Citorio 121, IT-00186 Rome, email:



The Data Controller reserves the right to modify or amend, at any time, this privacy statement, wherever published on the site, mainly due to the entry into force of new sector regulations. At any time, users can check the latest version of the privacy policy as updated from time to time by the Data Controller, by simply connecting to the site

Last updated May 2018