Privacy Policy

Table of contents
1 Introduction
2 What is personal data and what does the processing of personal data mean?
3. For whom is this policy applicable?
4. For what areas is this policy applicable?
5. What does it mean to be a Data Controller?
6. Giro Pizzeria (Miss Clara AB) as a Data Controller
7. Why are we allowed to process personal data?
8. What personal data do we process and why?
9. How long do we generally store personal data?
10. Our actions to protect personal data
11. When do we share personal data?
12. Your rights
13. Cookies
14. Changes to this policy
15. Contact

1. Introduction
Thank you for choosing us and a special thanks for taking the time to thoroughly read through this Privacy Policy. We would like to begin with a short summary explaining why we have created this policy. Our fundamental objectives are to
• Give you a brief introduction to personal data and our different roles in this context
• Explain why we handle certain kinds of personal information
• Ensure that you understand what information we gather and what we actually do with said information;
• Show you how we work to protect your rights and your integrity.
Our goal is that you, after having read this policy, will feel secure in that your personal integrity is respected and that your personal data is treated in a correct manner. We therefor also work on a continuous basis with securing that our treatment of personal data is completely in compliance with current legislation, especially the General Data Protection Regulation (GDPR) which will be in effect starting on May 25th 2018.

2. What is personal data and what does the processing of personal data mean?

2.1 Personal data consists of all information that directly, or indirectly together with other information, can be connected to a living (physical) person. A non-exhaustive list with examples of personal data consists of, among others:
• Name
• Personal ID number
• Email-address
• IP-address
• Credit card number
• Pictures and video

2.2 The Processing of personal data includes every action connected to the use of the personal data, regardless of whether such an action is performed automatically or not. This means that the following actions, among others, are included:
• Collection
• Registration
• Use
• Alteration
• Storage
• Disclosure by transmission
• Deletion

3. For whom is this policy applicable?
This Privacy Policy shall in the first instance be applicable to individuals who are staying at our hotel and from whom we collect and process personal data (”Data Subjects”). Different parts of this Privacy Policy may also be relevant to you depending on your relationship with us. All in all, this policy is relevant for persons who
• are hotel guests of ours
• eat at our restaurant
• arrange meetings or events using our facilities
• visit our website or our social media platforms
• otherwise communicate with us, for example through our customer service
By agreeing to this Privacy Policy you agree to our processing of your personal data in accordance with this Privacy Policy.

4. For what areas is this policy applicable?
This Privacy Policy regulates how we may collect and process personal data to be able to continue delivering and developing our Services.

5. What does it mean to be a Data Controller?
A Data Controller is a legal person or other entity that determines the purpose and means for the processing of personal data. A corporation is a Data Controller in regards to personal data it has for its own benefit in regards to its employees, customers, partners, users and others.

6. Giro Pizzeria (Miss Clara AB) as a Data Controller
We, Giro Pizzeria (Miss Clara AB) (company reg. no. 556866-2984) are the Data Controller and therefor accountable in accordance with applicable legislation, for the processing that occurs with your personal data, within the scope of our Services.

7. Why are we allowed to process personal data?

7.1 For it to be permissible for us to process personal data there must always be support for said treatment within the GDPR, so-called lawful basis. Such lawful basis may include:
• Consent from the Data Subject
• That the processing of personal data is necessary to fulfill the terms of an agreement with the Data Subject, for example in relation to the use of the Services
• Fulfilling a legal obligation, for example storing certain information due to legislation regarding certain accounting standards and practices. This could also be the case when handling opt-out settings requests concerning your rights as a Data Subject in accordance with GDPR.
• A weighing of interests when we have a legitimate interest in using your data, for example for statistical purposes and to market our services, and to secure payment and prevent fraud

7.2 It may occur that the same personal data is processed both through support in terms of fulfilling an agreement as well as in terms of specific consent or in terms of the processing of that specific information is necessary to fulfill other legal obligations. This means that even though you may revoke your consent and the treatment based on said consent ceases, that specific personal data may remain with us for separate reasons.

8. What personal data do we process, and why?
In this section, we explain how your personal data is used in order for us to be able to provide you with high quality experiences, services and offers.

8.1 When you book a room at our hotel
When you book a room at the physical location of our hotel, via telephone, through email or at http://www.giropizzeria.com we handle the following personal data which you personally provide to us:
• Your name and your contact information (phone number, email)
• Your credit card number and bank information

8.1.1 We handle your personal data in order to:
• identify you as an individual
• charge you for the services and products that you have ordered
• in order to discover, and prevent, fraud in conjunction with bank card payments
• handle and deliver what you have purchased in accordance with our terms and conditions
• notifying you (through email, or similar) regarding information connected to your stay at our lovely hotel
• market our Services and products, for example by email
• produce statistics regarding purchases and usage, in order to improve our Services

8.1.2 Legal grounds for the processing
We process your personal data based on:
• performance of a contract when we provide our Services;
• based upon a weighing of interests when we have a legitimate interest in using your data for statistical purposes and to market our services, as well as to secure payment and prevent fraud and
• based upon a legal obligation for handling opt-out settings requests concerning your rights in accordance with the GDPR

8.1.3 Period of storage
We save personal data relating to your stay at our hotel for up to 3 months after your stay has ended to be able to handle any customer related inquiries and questions. We save personal data relating to your correspondence with us for up to 12 months after your stay to ensure traceability in your communications with us. In order to analyze visitor trends over time we will save some non-personal data for up to two years.

8.2 When you make a table reservation at our restaurants
When you make a table reservation to eat at our lovely restaurant, whether at the physical location of our hotel, via telephone, through email or at http://www.giropizzeria.com we handle the following personal data which you personally provide to us:
• Your name and your contact information (phone number, email)

8.2.1 We handle your personal data in order to:
• identify you as an individual
• charge you for the services and products that you have ordered
• notifying you (through email, or similar) regarding information connected to your reservation
• market our Services and products, for example by email
• produce statistics regarding purchases and usage, in order to improve our Services

8.2.2 Legal grounds for the processing
We process your personal data based on:
• performance of a contract when we provide our Services;
• based upon a weighing of interests when we have a legitimate interest in using your data for statistical purposes and to market our services, as well as to secure payment and prevent fraud and
• based upon a legal obligation for handling opt-out settings requests concerning your rights in accordance with the GDPR

8.2.3 Period of storage
We save personal data relating to your visit in our restaurant for up to 3 months after your stay to be able to handle any customer related inquiries and questions. We save personal data relating to your correspondence with us for up to 12 months after your visit to ensure traceability in your communications with us. In order to analyze visitor trends over time we will save some non-personal data for up to two years.

8.3 When you book our meeting or event facilities
When you make a reservation to use any of our fine meeting or event facilities, whether at the physical location of our hotel, via telephone, through email or at http://www.missclarahotel.com we handle the following personal data which you personally provide to us:
• Your name and your contact information (phone number, email)

8.3.1 We handle your personal data in order to:
• identify you as an individual
• charge you for the services and products that you have ordered
• notifying you (through email, or similar) regarding information connected to your reservation
• market our Services and products, for example by email
• produce statistics regarding purchases and usage, in order to improve our Services

8.3.2 Legal grounds for the processing
We process your personal data based on:
• performance of a contract when we provide our Services;
• based upon a weighing of interests when we have a legitimate interest in using your data for statistical purposes and to market our services, as well as to secure payment and prevent fraud and
• based upon a legal obligation for handling opt-out settings requests concerning your rights in accordance with the GDPR

8.3.3 Period of storage
We save personal data relating to your booking for up to 3 months after your stay has ended to be able to handle any customer related inquiries and questions. We save personal data relating to your correspondence with us for up to 12 months after your stay to ensure traceability in your communications with us. In order to analyze visitor trends over time we will save some non-personal data for up to two years.

8.4 When you communicate with us
You can choose to communicate with us in many different ways, for example via social media and through emails with our customer service.
When you communicate with us, we process data which you personally provide to us, for example:
• name and contact information
• information regarding your views, questions, or matters

8.4.1 We process your personal data in order to:
• answer questions and handle your matters, for example addressing defects, handling complaints, questions about your stay
• improve our services and the information we provide and publish on our website and other forums of communication

8.4.2 Legal grounds for the processing:
We process your personal data for our, and your, legitimate interest in administering your matter (weighing of interests).

8.4.3 Period of storage:
We save your personal data for up to 12 months after the matter is closed in order to ensure traceability in your communications with us.

8.5 When you connect to our Wi-Fi or use our website
When you connect to our Wi-Fi network, we are the controller of personal data for any processing which takes place in order to connect you to the Internet, but not for the continued processing, or for the contents of your communications over Wi-Fi. When you connect to our Wi-Fi network, we process
• your IP address and MAC address
When you visit our website, we process:
• data about how you interact with, and use, our website, for example in conjunction with booking your stay at our hotel
• information regarding your visits to our website, through cookies. For more information about how we use cookies, please see http://www.giropizzeria.com/cookiepolicy

8.5.1 We process your personal data in order to:
• provide our digital services
• provide support when you encounter any kinds of technical problems
• maintain, test, and improve our digital services
• discover and prevent security attacks, for example virus attacks

8.5.2 Legal grounds for the processing:
We process your personal data based on:
• performance of a contract when we provide Wi-Fi and
• based on a weighing of interests for our legitimate interest in maintaining, testing, and improving our digital services.

8.5.3 Period of storage:
We save your personal data for 3 month after you have used our digital channels and for 6 months from the time at which you connected to our Wi-Fi.

9. How long do we generally store personal data?
Your personal data is stored only during the period for which there is a need to store the information to be able to fulfill the terms of the agreement. We may store your personal data longer if this is necessary from a legal standpoint or to safeguard our legal interests, for example within the scope of legal proceedings that we are involved in.

10. Our actions to protect personal data

10.1 We have ensured that we have taken all necessary and appropriate technical and organizational measures to safeguard your personal data against loss, misuse or unauthorized access.

10.2 To technically ensure that personal data is processed in a safe and confidential manner we use digital networks that are breach protected through for example encryption, fire walls and password protection. In any instance where a breach may occur we have created routines to identify, assess and minimize any damage that may occur as well as report said damage to all affected parties.

10.3 To ensure an adequate knowledge level regarding processing of personal data we will arrange ongoing educational efforts regarding GDPR, both for our employees as well as the consultants that may from time to another be contracted to do work for us.

11. When do we share personal data?

11.1 We will not sell, make available or spread personal data to third parties with the exception for what is stated throughout this Privacy Policy. Within the scope of the Services personal data may be shared to subcontractors or partners, if this is necessary for the fulfillment and performance of our Services, for example to process your payments. In any instance where we choose to share personal data we will enter into a Data Processing Agreement to ensure that the recipient of the personal data processes said information in accordance with applicable legislation as well as to ensure that the recipient has taken the necessary technical and organizational actions to, in a satisfactory fashion, be able to protect the rights and freedoms of you as a Data Subject.

11.2 Furthermore we may share personal data if we are required to do so by law, court order or if withholding such personal data would hinder any ongoing legal investigation.

12. Your rights

12.1 We are responsible for your personal data being processed in accordance with applicable legislation.

12.2 Upon your request, or at our own initiative, we will correct, de-identify, delete or complete any information that has been found to be wrongful, incomplete or misleading.

12.3 You have the right to demand access to your personal data. This means that you have the right to demand transcripts regarding the processing that we have maintained over your personal data. You also have the right to receive a copy of the personal data that are being processed. You have the right to, once a year and through written application, without cost receive a transcript regarding what personal data is stored in regards to you, the purpose of the storage and processing as well as to whom said information has been made accessible. You also have, within the transcripts, the right to be informed of the period of time in which the personal data will be stored and what criteria we have used to determine said period of time.

12.4 You have the right of correction of your personal data. We will, upon your request and as quickly as possible correct the incorrect or incomplete personal data we process in regards to you.

12.5 You have the right to demand deletion of your personal data. This means that you have the right to demand that your personal data is removed if it is no longer necessary for the objectives for which it was gathered. There may exist legal requirements stating that we may not immediately delete personal data (for example in terms of auditing and taxation related legislation). We will in any such case cease the processing being done for any other reasons than to adhere to the legislation of GDPR.

12.6 You have the right to object to any processing of personal data that is carried out on a lawful basis of weighing of interests. If you object to such processing we will only continue the processing if there are legitimate reasons for the processing that outweigh your interests.

12.7 If you do not want us to process your personal data for direct marketing, you always have the right to object to such processing. This is done either by unregistering in each specific email or by sending us an email at gdpr@giropizzeria.com When we have received your objection we will cease the processing of personal data for any such marketing. You also have the right to report our processing of your personal data to any public authority responsible for monitoring the application of the GDPR, for example The Swedish Data Protection Authority in Sweden. However, we do recommend that you contact us first so that we can try solving the matter in a more efficient and timely manner.

13. Cookies
When you visit our website, we may also collect information and data about you by using what is referred to as cookies. For more information about how we use cookies, please see http://www.giropizzeria.com/cookiepolicy

14. Changes to this policy
We reserve the right to make amendments to this Privacy Policy from time to another. The date for the latest amendment is stated at the end of this Privacy Policy. If we make any amendments to the Privacy Policy we will publish these amendments on our website. You are therefor recommended to read this Privacy Policy regularly to view any potential amendments.

15. Contact
Giro Pizzeria (Miss Clara AB) (company reg. no. 556866-2984) is the Data Controller for the processing of your personal data. If you would like to have additional information on how your personal data is handled, please contact us through a written and personally signed request sent to:

Giro Pizzeria (Miss Clara AB)
Sveavägen 48, Box 1616
111 34 Stockholm

In the letter, please include your name, address, email, telephone number and personal ID number. Please also enclose a copy of your ID. A reply will be sent to your address as stated in the National Population Register.