Regulation (EU) 2016/679 on the protection of personal data (hereinafter referred to as the “Regulation”) establishes rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and protects the fundamental rights and freedoms of natural persons, with particular reference to the right to protection of personal data.
Article 4(1) of the Regulation lays down that “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”).
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the Regulation).
Furthermore, Articles 12 et seq. of the Regulation lay down that Data Subjects must be made aware of the appropriate information relating to the Processing activities carried out by the Controller and of the Data Subjects’ rights.
Controller
Azienda per il Turismo S.p.A. Madonna di Campiglio Pinzolo Val Rendena
Via Pradalago 4
38086 – Madonna di Campiglio (TRENTO)
Tel.: +39 0465 447501
E-mail: email@example.com
Website: https://www.campigliodolomiti.it
VAT Number 01854660220
Purposes of the Processing
The user’s personal data will be processed for the following purposes:
1. to conclude and properly fulfil the agreement to which the Data Subject is party, for the requested services/products, including the request to subscribe to the information newsletters;
2. to periodically send, via remote communication technologies (e-mail, telephone, text message, WhatsApp), commercial communications on the services, products and activities offered by the Controller;
3. to ensure that marketing communications relating to the products and services offered by the Controller, as well as those of its business partners and sponsors, including online advertising, are relevant to the Data Subject’s interests; to this end, your personal data may be used to understand better the interests and preferences of the Data Subject so as to be able to predict which other products, services and information the Data Subject may be most interested in, allowing us to personalise the Controller’s communications to make them more relevant and interesting for you;
4. to conduct market research to develop and improve our range of products, services and activities proposed by the Controller and its partners;
5. to periodically send, via remote communication technologies (e-mail, telephone, text message, WhatsApp), newsletters and communications on the services, products and activities offered by the Controller’s partners and sponsors that are of greater interest for the Data Subject;
6. to send e-mails with commercial and promotional information purposes for the sale of our services, of the same type as the Data Subject’s previous purchases;
7. to reply to requests sent by the user via e-mail and/or the form on the website;
8. to make site navigation possible and functional, and to guarantee an adequate level of security, integrity and availability;
9. to analyse statistical data on aggregate or anonymous data, with the aim of monitoring the correct functioning of the website, usability, traffic and interest;
10. to ascertain, exercise or defend a right in court;
11. to fulfil the obligations laid down by a law, a regulation, Community legislation or an order of the Authority.
Type of data
The Data necessary for the pursuit of the aforementioned purposes will be collected and processed:
data relating to the contractual relationship;
data relating to the Data Subject’s preferences and interests.
Browsing data
The computer systems and software procedures underlying the functioning of this website acquire certain Personal Data during their normal operation, the transmission of which is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified Data Subjects, but that, by its very nature, could enable users to be identified through processing and association with data held by third parties. This data category includes the IP addresses or domain names of computers used by users who access the website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and software environment. These data are used only in order to obtain anonymous statistical information on the use of the website and to check that it is working correctly. These data are deleted immediately after processing. The data could be used to ascertain liability in the event of hypothetical cybercrimes against the website.
Legal basis of the Processing
The data will be processed without the need for further consent for the purposes and according to the legal basis indicated below:
1. Article 6(1)(b) of Regulation (EU) 2016/679, for the conclusion and the proper performance of the agreement to which the Data Subject is party or for the execution of pre-contractual measures adopted at the Data Subject’s request and/or to fulfil the request for subscription to the newsletter;
2. Article 6(1)(b) of Regulation (EU) 2016/679, based on the consent given by the Data Subject;
3. Article 6(1)(b) of Regulation (EU) 2016/679, based on the consent given by the Data Subject;
4. Article 6(1)(b) of Regulation (EU) 2016/679, based on the consent given by the Data Subject;
5. Article 6(1)(b) of Regulation (EU) 2016/679, based on the consent given by the Data Subject;
6. Article 6(1)(f), based on the Controller’s legitimate interest, subject to the Data Subject’s refusal to the processing, which may be opposed at any time;
7. Article 6(1)(b) of Regulation (EU) 2016/679, for the conclusion and the proper performance of the agreement to which the Data Subject is party or for the execution of pre-contractual measures adopted at the Data Subject’s request for replying to the requests sent by the Data Subject;
8. Article 6(1)(f), based on the Controller’s legitimate interest to ensure the proper functioning of the website;
9. Article 6(1)(f), based on the Controller’s legitimate interest to analyse and monitor the functioning of the website;
10. Article 6(1)(f), based on the Controller’s legitimate interest to exercise the rights of defence;
11. Article 6(1)(c), to be able to fulfil the legal obligations bearing on the Controller.
Refusal to provide the data
Apart from what has been specified for the browsing data, the users/visitors are free to provide their Personal Data. The provision of the data is in some cases necessary since any refusal to provide them could result in the failure to conclude or not properly fulfil the agreement to which the Data Subject is a party and/or failure to comply with legal obligations bearing on the Controller. The provision of the data for the processing operations that require consent is optional; failure to provide the data will not make it impossible to use the services offered by the Controller. Also in the event of consent, Data Subjects will in any case be entitled to object subsequently, in whole or in part, to the processing of their personal data for the aforementioned purposes, by making a simple request in this respect to the Controller at the aforementioned addresses.
Data source
The data will be provided by the Data Subject or collected from third parties.
Processing methods
In compliance with the provisions of Article 5 of the Regulation, the Personal Data subject to processing will be:
(i) processed lawfully, correctly and transparently in respect of the Data Subject;
(ii) collected and recorded for specific, explicit and lawful purposes, and subsequently processed in terms that are compatible with such purposes;
(iii) adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed;
(iv) exact and, if necessary, updated;
(v) processed in a manner that guarantees an adequate level of security;
(vi) stored in a form that allows the identification of the Data Subject for a period of time not exceeding the achievement of the purposes for which they are processed.
The processing will be carried out with both manual and/or computer and electronic tools with the organisational and processing logic strictly related to the said purposes and in any case so as to guarantee the security, integrity and confidentiality of the data in compliance with organisational, physical and logical measures envisaged by the applicable provisions.
Data disclosure
The Personal Data may be disclosed to authorised processing personnel, as well as to the external processors appointed by the Controller (the complete list of external processors is available from the Controller), responsible for managing the aforementioned purposes. Subject to your consent, the data may also be disclosed to the Controller’s third-party sponsors and/or commercial partners, which may use them for the purposes indicated in no. 5) of the aforementioned Clause “Purposes of the Processing”. As part of the pursuit of the aforementioned purposes, the data may be disclosed to other parties acting as autonomous controllers.
Data dissemination
The Personal Data will not be disseminated.
Data transfer abroad
For the aforementioned purposes, the Personal Data will be processed within the European Economic Area (EEA). Should they be transferred to third countries, in the absence of a European Commission adequacy decision, the provisions of the applicable legislation on the transfer of Personal Data to third countries, such as the standard contractual clauses provided by the European Commission, will be nevertheless observed.
Data storage
In general, Personal Data will be stored for the time strictly necessary to pursue the purposes for which they were collected and processed, including the storage period required by applicable legislation and, in any case, for a maximum period of ten years from the termination of our relationship in relation to the purposes of contractual performance and for a maximum period of two years for the purposes for which your consent is required, without prejudice to the Controller’s possible need to defend a right in court.
Data Subject’s rights
In accordance with Regulation (EU) 679/2016, Articles 15 to 21, and the current national legislation, Data Subjects may, according to the procedures and within the limits laid down by current legislation, exercise the following rights:
– to request confirmation of the existence of Personal Data concerning them (right of access);
– to know their origin;
– to receive intelligible communication thereof;
– to obtain information about the logic, methods and purposes of the processing;
– to request their updating, rectification, supplementing, erasure, transformation into anonymous form, the blocking of the data processed in breach of the law, including the data no longer required for the pursuit of the purposes for which they were collected;
– to lodge a complaint with the Supervisory Authority (Data Protection Authority);
– as well as, more generally, to exercise all rights to which they are entitled under the current legislative provisions.
The rights may be exercised by sending a request to be addressed without any formalities to the Controller, at the aforementioned addresses.