of our Web site users in line with article 13 of EU Regulation 2016/679

In accordance with EU Regulation 2016/679 (heretofore “Regulation”), this document describes the modalities of the way that we process the personal data of those who consult the web sites of our Company, The Secret Garden Relais accessible electronically at the following addresses:

This information does not apply to any other online sites, pages or services accessible through text-to-text links that might be posted on the site with reference to resources outside the domain of the Company, The Secret Garden Relais.

The Secret Garden Relais, Via Gottola, 14 – 80063 – Piano di Sorrento [NA] – Italy – P.IVA: 07598951213, Tel.: +39 081.808.69. 60 – Mob.: +39 331.818.25.89 – E-mail

SPINNERTOP Communication, Via Gottola, 14 – 80063 – Piano di Sorrento [NA] – Italy – P.IVA: 07598951213, Tel.: +39 081.808.69. 60 – Mob.: +39 331.818.25.89 – E-mail

Personal data pertaining to the User is processed by the Controller when:

  • The User has provided consent for one or more specific purposes; Note: in some jurisdictions, the Controller might be authorised to treat personal data without the consent of the User or on another legal basis, specified below, as long as the User does not oppose (“opt-out”) of such processing. In other words, EU legislation does not yet regulate the processing of personal data in terms of protection;
  • Processing is necessary to the execution of a contract with the User and/or to the execution of pre-contractual measures;
  • Processing is necessary to meet a legal obligation of the Controller;
  • Processing is necessary so that the Controller can execute a mission in the public interest or carry out a public function;
  • Processing is necessary for the pursuit of legitimate interests of the Controller or of third parties.

It is, nevertheless, possible to ask the Controller to clarify the specific legal basis for each processing of data, and, especially, to specify if the processing is based on legislation, provided for by a contract or necessary for the conclusion of a contract.


Browsing data
Computer systems and software used by this site acquire, in the course their normal function, some personal data that need to be transmitted in order to use Internet communications protocols. This category of data includes IP addresses or domain names of the computers and terminals employed by Users, Uniform Resource Identifiers/Locators of the requested resources, time of the request(s), method used to send request(s) to the server, file(s) size obtained as a result, code number indicating the status of the server’s response (good, ends, error etc.) and other parameters relative to the operating system and computing environment of the User. This data, necessary for the use of the Web, also are processed in order to: obtain statistical information on the use of Web services (most visited pages, number of visitors by time period or by day, geographic area of provenance, etc.) and to check that services offered function correctly. Browsing data do not last for more than seven days and are cancelled immediately after their collection (except when needed by judicial Authorities to verify crimes).

Data communicated by the User
The optional, explicit and voluntary transmission of messages to the contact addresses of the Controller, as well as the compiling and forwarding of the forms on the sites of the Controller, entail the acquisition of the sender’s contact details, necessary for a response, as well as all the personal data included in the communications. Specific information will be posted on the pages of the Controller’s sites, intended for the supply of certain services. The site contains various forms to collect Users’ data. Each form is intended to allow the User to access specific services.
Data connected with “Contact Us”, “Guestbook” and/or “Newsletter” forms also may be processed by the personnel of SPINNERTOP Communication., the company responsible for technical maintenance of the site and Processing Outsourcer, at company headquarters and/or through consultation of data filed on its own server. Users should pay particular attention to the request for consent, bearing in mind that any consent given may always and at any time be revoked by the Users themselves, using the Controller’s email address and indicating “Re: Privacy” in the subject line of the email.

Cookies and other tracing systems
Why do we use cookies?
Cookies allow us to supply, protect and improve the Service, by, for example, personalising content and providing greater security. While the cookies that we use could vary periodically, subsequent to improvement and updating of the Service, we use cookies for the following purposes: to save User preferences and enhance the on-line experience by reducing waiting time. Cookies include, for example, those that set language and currency, save log-in information for access to private sections and/or allow the site’s Controller to manage statistics.

Session and tracking cookies:
This Web site uses Session cookies to develop activities that are strictly necessary in order to function.
Cookies are small pieces of data sent from a web site or a social media network when they are visited by a user and stored on the user’s pc, tablet or smartphone. Each Cookie contains different information to help the Controller provide the service as described. Cookies can remain in the system for the duration of a browsing session (that is, until the browser is closed) or for a more prolonged period. Some installations of Cookies require a user’s consent. Cookies are not used to profile users and are not used for tracing.
Rather, session (non-lasting) Cookies are used in a manner strictly limited to secure and efficient browsing of the Web. Storage of Session Cookies in computer terminals or browsers is under the control of the user, since they remain on the log of the server, once an HTTPS session is finished, for periods of not more than one day, along with other browsing data. Banner cookies, when accepted, remain for one year.

Third party cookies:

Statistics. The services contained in this section allow the Processing Controller to monitor and analyse traffic data, as well as to keep track of the user’s behaviour on the Web. For example:
– Google Analytics (Google Inc.) Web analysis service provided by Google Inc. (“Google”). Uses collected personal data in order to trace and examine the use of this Web site, compile reports and share with other services developed by Google. Google could use personal data to contextualise and personalise advertisements for its own advertising network.
– Google AdWords (Google Inc.). This is Google’s own statistical service which correlates data from Google’s AdWords advertising service with actions that users take on this Web site.
– Personal data collection: Cookies and Use Data; Processing centre: 1600 Amphitheater Parkway, Mountain View, CA94043 USA; privacy regulations privacycancellation

Widget. These services make it possible to visualise content stored on external platforms, directly from the pages of this Web site and to interact with them. In the event that a service of this type is installed, it is possible that, even in the case of Users who do not subscribe to it, the service will collect traffic data relative to the pages on which it is installed.
The site also could use some social plug-ins in order to share and communicate content. This is optional. When one of the plug-ins is used, however, the site will go through your browser to contact the server that handles the social media sharing services that you want, so that they, in turn, can communicate the data that you intend to post and share on your own social profile (for which you are solely responsible) and informing them (the servers) of the pages that you have visited.
Content sharing can be avoided through the use of social sharing keys. For more information on the use and collection of data through the following plug-ins and to learn how such data is processed and transmitted (and for what purpose), please consult the Legal and Privacy Policy issued by the Controllers of the services in question.

How can I manage my Cookies?
By using “System Preferences” of your browser, you are able to manage Cookie preferences directly within your own browser and prevent third parties from installing any. It is important to note that disabling any or all Cookies may compromise the functioning of this site.
Your computer or its browser may contain settings that allow you to choose whether to install Cookies or to eliminate them. For more information on these management options, please consult the help function on your browser or computer.
For more information on the way that companies use Cookies and on available choices, you can consult the following resources:

Managing payment
Payment management services allow this web site to process payments by credit card, bank transfer or other means. Data used for payment are acquired directly by the management of the payment service requested, without being processed in any way by this Web site. Some of these services could also allow the transmission of programmed messages to the User, such as emails containing invoices or notifications relative to the payment.

Monitoring infrastructure
These services allow this Application to monitor the use and behaviour of its components, to permit performance and functional improvements, execute maintenance or solve problems.

As a data subject, you may, at any time, exercise your rights vis à vis the Processing Controller, in line with article 15 of the General Data Protection Regulation (GDPR), EU 2016/679:
i. obtain confirmation of the existence, or not, of your personal data, even if not yet registered, and have them communicated in intelligible form;
ii. obtain an indication of the: a) origin of this personal data; b) processing purpose and modality ; c) reason(s) for processing effected with the help of electronic instruments; d) identity of the Processing Controller, those responsible and the representative designated in line with article 3, paragraph 1, GDPR; e) subjects or categories of subjects to whom the personal data could be communicated or who could come to know it as designated representatives of the State, those responsible or in charge;
iii. obtain: a) an update, rectification or, when appropriate, integration of the data; b) cancellation, transformation into anonymous form or blockage of data processed in violation of the law, including those collected or subsequently processed; c) declaration that the operations effected on data, as of a) and b), have been made known, along with their content, to those to whom the data has been communicated or distributed, except when this appears to be impossible or requires the use of means obviously disproportionate to the protection of the Data Subject’s rights;
iv. oppose, entirely or in part: a) for legitimate reasons the processing of his/her personal data, even though pertinent to the purpose of the collection; b) processing of his/her personal data for the purpose of transmitting advertising material, direct sales, market research, commercial communications by the use of automated calling systems without the intervention of an operator, by email and/or by traditional marketing methods using telephone and/or paper sent by mail. Please note that the Data Subject’s right to opposition, described in point b) above, for purposes of direct marketing by automated means, extends to traditional means as well, and that it is still possible for the Data Subject to exercise his/her right to opposition only in part.

Consequently, the Data Subject may decide to receive communication solely by traditional means, or, solely by automated means, or even by neither one of these two types of communication.

Where applicable, you also have other rights under articles 16-21 of the GDPR:

– Right to rectification (art. 16);
– Right to cancellation – Right to erasure (“right to be forgotten”) (art.17);
– Right to restriction of processing (art. 18);
– Obligation to be notified in case of rectification or cancellation of personal data or restriction of processing (art. 19);
– Right to the portability of data (art. 20);
– Right of opposition (art. 21);
– Right to revoke, at any time, previously expressed consent to the processing of personal data;
– Right to file a claim with the Guaranteeing Authority.


  • Facilitate the protection of personal data at the time of planning a processing system to protect data safety (PRIVACY BY DESIGN)
  • Take security measures, evaluating, in advance, any risks that could be generated by the processing system
  • Guarantee the transparency of data flows and processing systems
  • Intervene promptly in case of data breaches
  • Establish roles and responsibilities for every processing phase

For further information and to exercise your rights under the European Regulation, please go to Processing Controller, who, for purposes if the law, is The Secret Garden Relais, Via Gottola, 14 – 80063 – Piano di Sorrento [NA] – Italy – P.IVA: 07598951213, Tel.: +39 081.808.69. 60 – Mob.: +39 339.50.61.487 – E-mail

Articles 11 and 12 of the Regulation establish, in a general way, the modalities for the exercise of Data Subjects’ rights. The deadline for a response to the Data Subject is, for all rights (including the right to access), one (1) month, extendable to three (3) months in particularly complex cases; in any event, the Controller must reply to the Data Subject within one (1) month of the request, even in case of refusal.
The Controller must evaluate the complexity of the response to the Data Subject and establish the amount of any compensation that might be required, but only if the request is clearly unfounded or excessive (even repetitive) (art. 12.5), contravening the provisions of art. 9, paragraph 5, and 10, paragraphs 7 and 8, of the Regulation, or if more “copies” of personal data are requested, e.g. in the case of right to access (art.15, paragraph 3); in this case, the Controller must allow for administrative costs incurred. Normally, the response to the Data Subject should be delivered in writing and by digital means that facilitate accessibility; oral response is possible only by request of the Data Subject his/herself (art.12, paragraph1; see also art. 15, paragraph 3).
Exercise of rights is, in principle, gratis for the Data Subject, but there can be exceptions. The Controller has the right to ask for the information necessary to identify the Data Subject, who, in turn, has the obligation to supply it, by identical means (see, especially, art. 11, paragraph 2 and art. 12, paragraph 6).

Data Subjects who consider that this site has processed their personal data in violation of the provisions of the Regulation have the right to file a claim with the Guarantor, as provided by art. 77 of the Regulation itself, or to appeal to the appropriate judicial authorities (art. 79 of the Regulation).

The Processing Controller reserves the right to modify this policy at any time, providing Users with the modifications on this page. Users, therefore, are requested to consult this page often, taking the date of the last modification, indicated on the bottom of the page, as a reference. In the event that he/she does not accept a modification to this Privacy Policy, the User must stop using this Web site and may ask the Processing Controller to remove his/her personal data from it. Until further notice, this Privacy Policy will continue to apply to all personal data collected so far.

Last modified: 25 June 2018