INFORMATION ON THE PROCESSING OF PERSONAL DATA of users who consult the website of the Controller pursuant to Article 13 of Regulation (EU) 2016/679 

Pursuant to EU Regulation No. 679/2016 (the General Data Protection Regulation, “GDPR”), this page illustrates the methods of processing the personal data of users who consult the website of the Osteria Pagliazza (hereinafter the “Site”) electronically accessible at the following addresses:

Furthermore, we inform you that if the user of the Site decides to make a reservation and / or a purchase, by filling out the forms on the Site, they will be connected to a booking engine powered by our Partner E-Group, appointed as Data Processor, as indicated in this information notice.

This information does not concern other sites, pages or online services that can be reached via hypertext links that may be published on the sites but refer to resources outside the domain osteriapagliazza or hotelbrunelleschi.


The controller of personal data is BINFI S.p.A. (company that manages the Osteria Pagliazza) – VAT number 01043670478 and Tax code 03129270488 – with headquarters in Florence, via De’ Martelli, 5 – telephone number: +39 055.27370 email:


Unless otherwise indicated, the provision of personal data, through the collection points on the Site, refers to adults only.


Browsing data. During normal operation, the computer systems and software procedures used to operate this website acquire some personal data whose transmission is implicit in the use of Internet communication protocols. These data are not collected to be associated with identified data subjects, but by their very nature may, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users connecting to the website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment.

These data are used solely to compile anonymous statistical information on the use of the website, to verify its correct operation and for security purposes. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site.

Data communicated by the user. The optional, explicit and voluntary sending of emails to the addresses indicated on the Site, as well as the compilation and forwarding of the forms on the Site, entail the acquisition of the data provided by the sender, which are necessary to reply, and / or to execute the contract for the purchase of products and / or services marketed on the Site. Specific summary information will be progressively reported or displayed on the pages of the Site, possibly arranged for the provision of certain services.

The Controller normally processes so-called common data (e.g. personal data, residence or domicile data, billing data, payment data, email contact details, telephone and fax numbers…). Data belonging to special categories (referred to in Article 9 of the GDPR), such as information revealing the health conditions of the data subject (allergies or other health problems), may be processed only at the explicit request of the user.

Cookies. For any information relating to cookies of this site, please refer to our Cookie Policy at the following link:


The personal data provided as per this information will be processed for the purposes and legal bases indicated below:

  1. To allow the user to browse the Site. The legal basis for this processing is the need to allow the user to use the website navigation service.
  2. to provide the user of the Site with information about the products and services marketed by the Data Controller and to respond to their requests for quotation or information. The legal basis for this processing is the need to execute pre-contractual measures at the request of the data subject. In case of provision of health data (such as allergies or other information that reveal the client’s health conditions), the legal basis for the processing is also constituted by the data subject’s consent.
  3. to acquire, confirm and fulfill the order for the requested products and / or restaurant / hotel services placed by the user of the website. The legal basis for this processing is the need to execute a contract to which the data subject is a party. In case of provision of health data (such as allergies or other information that reveal the client’s health conditions), the legal basis for the processing is also constituted by the data subject’s consent.
  4. In case of purchase of the hotel service, to fulfill the obligation set out in the “Consolidated Law on Public Security” (Article 109 of the Royal Decree 18.6.1931 No. 773), the details of the clients are communicated to the Police Headquarters, for public security purposes, according to the procedures established by the Italian Ministry of the Interior (Decree of January 7th 2013). Legal basis for the processing: to comply with legal obligations.
  5. for administrative purposes and for the fulfillment of legal obligations such as those having an accounting or tax nature, or to comply with requests made by the judicial authority. The legal basis for this processing is the fulfillment of legal obligations.
  6. for marketing purposes, and therefore to send the data subject promotional communications, updates on rates and offers made by the Data Controller, or relating to events organized by the Data Controller. The legal basis for this processing is the consent by the user of the Site. This processing can be carried out by the Data Controller only with the prior consent of the data subject, which can be revoked at any time.



The provision of navigation data is optional but necessary to browse the website; therefore, if data subjects do not give their consent, they cannot visit the Site.

The provision of data required for the execution of pre-contractual measures, the conclusion of the contract, the fulfillment of legal obligations, is not mandatory; it is however necessary for the conclusion of the contract and / or to execute the pre-contractual measures, and to satisfy the legal obligations to which the data controller is subjected. Failure to communicate such personal data may lead to the impossibility of fulfilling the relative request.

The provision of contact data for marketing purposes is optional, and failure to provide personal data will have the sole consequence that the data subject cannot be contacted to receive corporate promotional communications and / or information regarding events organized by the Data Controller.

The data subject may not authorize the use of cookies and disable them at any time, using the methods illustrated in the cookie policy. However, it should be noted that in this case, malfunctions of the Site or of some of its features may occur.


The data provided will be stored for the following periods:

  • In case of request for information or quote (purpose b), the data will be stored for as long as necessary to respond to requests and communications voluntarily forwarded by the client.
  • The data relating to web browsing are stored for the time strictly necessary to process the statistics of the site, and to ensure the operation and security of the website.
  • the personal data provided by the data subject with reference to the purpose indicated in point (c) will be stored for a maximum of 10 years (ordinary time limit). Any data on health (such as allergies or other information that may reveal the health of the client) will be stored for as long as necessary to render the requested service.
  • the personal data provided by the data subject with reference to the purpose indicated in point (d), e) will be stored for as long as necessary to meet the legal obligations to which the Data Controller is subjected
  • For marketing purposes, the data will be stored for a maximum of 10 years.
  • Cookies are stored for the period indicated in the cookie policy accessible at the following link


In compliance with the provisions of art. 24 and 25 of the GDPR, specific security measures are observed to prevent data loss, unlawful or incorrect use and unauthorized access.

However, the Data Controller is not responsible for unauthorized access or loss of personal information attributable to the data subject or that is in any case beyond their control.

No data acquired via the web will be communicated to third parties unless otherwise specified in the Cookie Policy accessible at the following link


The processing of personal data connected to the web services of this site is not subject to transfers to Third Countries, unless otherwise indicated in the Cookie Policy.

The Data Controller hereby guarantees that whenever external data controllers (art 28 GDPR) with servers located in third countries are used, the appointment will take place in accordance with the applicable legal provisions, with guarantee of an adequate level of protection and/or subject to adequate guarantees (for example on the basis of a decision of adequacy of the Third Country by the European Commission, or through the stipulation of standard contractual clauses provided for by the European Commission).


Access to personal data collected following the consultation of the Site and sending of requests / reservations / purchases through the website is allowed only to the data processors, expressly authorized by the Data Controller, and to the data processors appointed in compliance with the characteristics referred to in art. 28 of the GDPR.

The Controller is aware of the importance of data security for our clients and for this reason has selected the data processors very carefully.

Pursuant to art. 28 of the GDPR, the Data Processors appointed by the Controller are:

  • E-Group S.r.l. with registered office in Via San Marco, 11 / C – 35129 Padua (PD) – CF / P. IVA IT03461800280, with reference to the processing of personal data provided by customers to make a reservation through the Site. More precisely, it should be noted that if the user intends to make a reservation, the user will be connected to the search engine for reservations managed by E-Group S.r.l., which ensures an encrypted and protected access session.
  • MailUp S.p.A. with headquarters in Viale F. Restelli 1, 20124 Milan (Italy), that manages the MailUP email communications forwarding service, with which we have signed an agreement in compliance with the provisions of the law and art. 28 of the GDPR.


The updated list of external data processors is available at the headquarters of the data controller. The data subject can request the updated list at any time by contacting the data controller at the addresses and contact numbers indicated in this document.

No data deriving from the web service are communicated or disseminated. The data may not be disclosed to third parties except to external parties that, in the fulfillment of the contract and limited to the purposes indicated above, collaborate with the Data Controller (professionals / companies providing legal, tax, accounting consultancy services, competent authorities for the fulfillment of legal obligations, entities that provide services for the management of IT systems and support to the website, shippers or carriers): all such entities are bound by the confidentiality duty. In any case, in compliance with the principles of data processing provided for by the GDPR, only the data necessary for the performance of the activities entrusted to them will be transmitted to external subjects.

The personal data collected may also be disclosed to fulfill requests made by Public Authorities, Judicial or Public Security Authorities.


The data subject is entitled to exercise the rights provided for by article 7 and article 15 et seq. of EU regulation 2016/679.

The data subject has the right to withdraw their consent at any time, if this constitutes the basis of the processing. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal;

When applicable, the data subject also has the right to obtain from the Data Controller access to their personal data, the updating, rectification and / or erasure of the same, and the limitation of the processing of data concerning them. They also have the right to request that their personal data are made available to them in an intelligible form, to receive the personal data provided to the Data Controller and transmit them to another Data Controller without impediment (right to data portability), to object to the processing, as well as to lodge a complaint with the Privacy Guarantor.

Requests addressed to the Data Controller may be sent to the Data Controller’s contacts at the following address: BINFI S.p.A., via De’ Martelli, 5, 50122 Florence, telephone number: +39 055.27370, email:


Data subjects who believe that the processing of personal data referring to them through this site is in violation of the provisions of the Regulation have the right to lodge a complaint with the Guarantor, as provided for by art. 77 of the Regulation, or to take appropriate legal measures (Article 79 of the Regulation). Further information on how to submit a complaint to the Privacy Guarantor are available at: .


The Controller reserves the right to modify or amend, at any time, this privacy statement published anywhere on the site, especially following the entry into force of new sector regulations. The latest version of the privacy policy, updated as and when needed by the Data Controller, is available on the website to all users who may consult it at any time.

Last update: January 2021