Information pursuant to Articles 13 and 14 of EU Regulation 679/2016
This information has been provided exclusively for this site and no other websites consulted by the user through the links present in the pages of this website.
EU regulation 679/2016, concerning the protection of personal data (hereinafter the “Regulation”), establishes standards relating to the protection of individuals with regard to the processing of their personal data, in addition to standards regarding to the free circulation of this data and protects the fundamental rights and liberties of individuals, with particular regard to the right to the protection of their personal data.
Article 4 no. 1 of the Regulation stipulates that “Personal Data” is to be understood as any information that may concern an identified or identifiable individual (hereinafter the “Data Subject”).
“Processing” is to be understood as the operation of complex of operations, performed with or without the assistance of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, registration, organisation, structuring, preservation, adaptation or amendment, extraction, consultation, use, transmission, dissemination or any other form of disclosure, comparison or interconnection, restriction, deletion or destruction (Article 4 no. 2 of the Regulation).
Pursuant to Articles 12 and following, it also stipulates that the Data Subject must be made aware of the appropriate information relating to the Processing activities to be performed by the Data Controller and of the rights of the Data subjects.
GRUPPO OPERATORI TURISTICO-ALBERGHIERI TIGNALE
VIA SAN ZENONE n.q, 25080 TIGNALE (BS)
Purposes of processing and legal basis for processing
The user’s personal data will be processed in pursuit of purposes and on the legal basis indicated below:
- for the conclusion and correct execution of the contract in which the Data Subject is one of the Parties, or the execution of precontractual measures adopted on their request, for requested information and/or services/products, including subscriptions to newsletters; the legal basis for the processing listed is represented by Article 6 paragraph 1 letter b) of EU Regulation 679/2016;
- to respond to requests sent by the user by mail and/or forms present on the website; the legal basis for the listed processing is represented by Article 6 paragraph 1 letter b) of EU Regulation 679/2016;
- to send, periodically, commercial communications concerning services, products and activities offered by the Data Controller using remote technologies (mail, telephone, SMS, WhatsApp); the legal basis is represented by consent as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
- to send, periodically, commercial communications concerning services, products and activities offered by the partners and sponsors of the Data Controller via remote technologies (mail, telephone, SMS, WhatsApp); the legal basis is represented by consent as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
- to carry out retargeting activities and/or the use of email to exploit social media profiles (Facebook, Instagram) for personalised marketing campaigns; the legal basis for which is represented by the consent as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
- to make navigating the site functional and possible, as well as ensuring that it has an adequate degree of availability; the legal basis for this type of processing in represented by the legitimate interests of the Controller as provided for by Article 6 paragraph 1 letter f)
- the analysis of statistical data on aggregated or anonymous data for the purpose of monitoring that the site, traffic usability and interest is functioning correctly; the legal basis for this type of processing is represented by the legitimate interest of the Controller, as stipulated by Article 6, paragraph 1 letter f)
- to ascertain, exercise or defend a right in court; the legal basis for this type of processing is represented by the legitimate interests of the Controller, as provided for by Article 6 paragraph 1, letter f);
- to fulfill obligations stipulated by the law, regulations or EU legislation or court order; the legal basis for this type of processing is represented by the legitimate interests of the Controller, as stipulated by Article 6, paragraph 1, letter c).
Type of Data
The Data necessary for the pursuit of the objectives described above will be collected and processed:
- identifying data
- contact information
- data relating to the contractual relationship
- data relating to the preferences and interests of the Data Subject
Computer systems and software processes responsible for the functioning of this website will acquire certain personal data in the course of their normal use, for which transmission is implied when using internet communication protocols.
This concerns information that is not collected in order for it to be associated to identified Data Subjects, but which due to their same nature could, through processing and association with data held by third parties, enables users to be identified.
Falling into this category is data such as the IP addresses or domain names of the computers used by users visiting the site, addresses in the URI (Uniform Resource Identifier) notation of the requested resources, the time requested, the method used to make the request to the server, the size of the file received in response, the numeric code indicating the status of the response given by the server falls into this category (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment.
This data is used exclusively to pull anonymous statistical information concerning the use of the site and to monitor that it is functioning correctly and is immediately deleted after processing.
The data could be used to ascertain liability in the event of hypothetical cyber crimes against the site.
Refusal to Provide Data
Apart from what is specified for the navigation data, user/visitors are free to provide their own personal data. The provision of Data is required in some cases, as any refusal to provide it could lead to a failure to conclude, or the incorrect fulfillment of the contract of which the Data Subject is a party and/or a failure to comply with legal obligations that the Controller is subject to.
The provision of Data for processing requiring consent is optional, failure to provide it will not lead to users being unable to benefit from the products/services offered by the Controller. Even in the event where consent is provided, the Data Subject will in any case be entitled to subsequently object, fully or in part, to the processing of their personal data for the above purposes, simply by making a request to the Controller at the above contact details.
Sources of Data
Data will be provided by the Data Subject or collected from third parties.
Data Processing Methods
With reference to the provisions of Article 5 of the regulation, the Personal Data subject to processing will be:
- processed in compliance with the law, correctly and transparently in relation to the Data Subject;
- collected and recorded for the established purposes, explicitly and legitimately, and subsequently processed in terms that are compatible with this purpose;
- suitable, pertinent and limited to what is necessary in relation to the purposes for which it has been processed;
- accurate and, if necessary, updated;
- processed in a manner that ensures an adequate level of security;
- stored in a form that enables the identification of the Data Subject for a period of time no longer than required for the purpose for which it being processed.
Processing will be carried out using both manual and/or computerised and electronic methods using organisational and processing logic strictly related to the purpose itself and in any case in such a way that guarantees the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures stipulated by the provisions in effect.
Communication of Data
Personal Data may be communicated to parties authorised for processing, as well as to external managers appointed for processing by the Controller (the full list of external managers is available from the Controller), responsible for managing the purposes described above. With their consent, the Data may also be communicated to the Controller’s third party sponsor companies and/or commercial partners who may use it for the purposes described in no. 3) of the Article concerning “Purposes of Processing” cited above. In the context of pursuing the purposes stated above, the Data may be communicated to other parties acting as autonomous Controllers.
Dissemination of Data
Personal data will not be subject to dissemination.
Transfer of Data to Other Countries
For the purposes stated above,Personal Data will be processed within the European Economic Area (EEA). If it were to be transferred to a Third Party country, in the absence of an adequacy decision by the European Commission, the provisions stipulated by the applicable legislation concerning the transfer of Personal Data to Third Party Countries will be complied with, such as the European Commission’s Standard Contractual Clauses.
Storage of Data
In general, Personal Data will be stored for the time strictly necessary for the pursuit of the purposes for which it was collected and subjected to processing, including the storage period required by the applicable legislation and, in any case, for maximum of 10 years from the termination of the relationship with the Controller, and for a maximum of 2 years for the purposes in which consent was required, unless there is a need for the Controller to defend their rights in court.
Rights of the Data subject
Pursuant to European Regulation 679/2016, Articles 15 to 21 and the national legislation on the subject, the data subject may, in accordance with the methods and within the limits set down by the legislation in force, exercise the following rights:
– request confirmation of the Personal Data concerning them (right of access);
– discover its origin;
– receive an intelligible communication;
– receive information concerning the logic, methods and purposes of the processing;
– request that it be updated, supplemented, corrected, deleted, anonymised, that it be blocked from processing that is in breach of the law, including that which is not necessary for the purposes for which it has been collected;
– the right to make a complaint to the Data Protection Authority;
– additionally, more generally, to exercise all of the rights that have been recognised to them by the legal provision in force.
The exercise of these rights can occur by sending a request, which must be addressed without formality to the Data Controller at the addresses stated above.