PRIVACY NOTICE PURSUANT TO ART. 12 AND 13 OF REGULATION EU 679/2016 AND CONSENT TO THE PROCESSING OF PERSONAL DATA

Preamble

EU Regulation no. 679/2016 (also referred to herein as the GDPR) establishes rules relating to the protection of natural persons with regard to the processing of personal data and on the free movement of such data. In order to protect the fundamental rights and freedoms of natural persons, the Regulation therefore imposes on data controllers the obligation to provide data subjects the information referred to in articles 12, 13 and 14, and specification of the rights of data subjects provided for under articles from 15 to 22 of the GDPR.

Information pursuant to art. 13 (1)

Controller and contacts

The Controller is Consorzio Piccole Strutture Ricettive Langhe Monferrato Roero, whose registered address is Piazza San Paolo 3 – Alba (CN) – 12051, Italy – Vat no. 02933490043 – Tel: +39 0173 226555 – email: info@holidaysol.it

The Controller informs you that your personal data will be processed:

– pursuant to articles 12 and 13 of EU Regulation no. 679/2016 (General Data Protection Regulation, referred to hereinafter as the “GDPR”), by specifically authorized parties only for the purposes and by the methods which will be specified hereinbelow in relation to the operation of the www.holidaysol.it web portal.

Data Protection Officer contact details

The activity performed by the Controller for the purposes given in the privacy notice is among those envisaged in art. 37 of Reg. EU 679/2016.

Subject, purposes of the processing

The Controller informs you that your personal data, in particular your first and last names, telephone number and identifiers and IP addresses or domain names, will be subject to processing in the ways and forms laid down in the GDPR to perform the website’s functions, with particular reference – without being limited to – the data collection procedures described therein through the contact form, request for info or direct contact by telephone, email or fax.

In particular, the personal data you supply to the Controller will be processed for the pursuit of the following purposes:

– to comply with specific requests you make to the Controller through the Website and its communication tools (contact areas and similar);

– to provide information relating to the services of the Controller further to requests for information you make by email, ask for info and other communication tools such as, for example, telephone or fax;

– other purposes which are additional to or connected to those listed above and fall within the sphere of the Website’s activities.

Data collected automatically during browsing will also be processed. See the Cookie information notice for further information.

This information notice only applies in reference to the above-mentioned web portal, and not to other or different websites or portals which may be viewed by clicking on links on the portal.

Legal basis for the processing

Apart from what has been set out above in relation to browsing data, the processing of the above personal data communicated by you to the Controller has the following legal bases:

  • Art. 6, (1) a) of the GDPR, relating to your express free, specific, informed and unequivocal consent, for which we inform you that such consent can only be given if you are over 16 (sixteen) years of age, failing which only the holder of parental responsibility over you may proceed.
  • Art. 6, (1) b) of the GDPR, relating to the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

The nature of both these legal bases is therefore merely optional and not mandatory, as the only consequence may be that the Controller is unable to deliver the above-mentioned services of direct communication or contractual/pre-contractual performance. And in any case, any consent you have given may be withdrawn at any time, interrupting said activities and services with immediate effect.

The processing is not based on art. 6 (1) f)

Recipients and categories of recipients of the data collected and data transfer

In particular, in relation to the above-mentioned purposes the data could be disclosed to the following parties and/or categories of parties, or may be disclosed to organizations and/or persons performing services, either internally or externally, on behalf of the Data Controller. For greater clarity, these include without being limited to: parties – inside or outside the company – which provide computing and telematic services for the management of the IT system used by the Controller and telecommunications networks (including email and web portal and website management and hosting); parties which the Controller reserves the right to appoint as processors; tax authorities and other companies or public entities in compliance with regulatory obligations; authorities with jurisdiction and/or bodies supervising compliance with legal obligations; consulting firms and practices; law firms and practices for the protection of contractual rights; parties which perform operations checking, auditing and certifying the activities put in place by the Controller as external data processors pursuant to art. 28 of the GDPR, or independently as separate Controllers.

This website could share some of the data collected with services located both inside and outside the EU (in the latter case, exclusively parties signed up to the Privacy Shield protocol). The transfer is authorized on the basis of specific decisions of the European Union and the Data Protection Authority.

Period of storage of the data

In accordance with the principles of lawfulness, limitation of the purposes and storage and minimization of data, pursuant to art. 5 of the GDPR the period for which your personal data will be stored will be no longer than is necessary for the achievement of the purposes for which the personal data are collected and processed.

Rights of data subjects

– Right of Access and Rectification

Pursuant to art. 15 of the GDPR, as data subject you have the right to obtain from the Controller confirmation of whether or not processing of personal data relating to you exists, and to obtain access to said data and to all the information referred to in art. 15 (1) a) to h) through the issuing of a copy of the data subject to processing in a structured, commonly used, machine-readable and interoperable format.

Pursuant to art. 16 of the GDPR, as data subject you have the right to obtain from the Controller the rectification and/or completion of the data subject to processing if they are not updated and/or are inaccurate and/or incomplete.

– Right to Erasure and Right of Restriction

Pursuant to art. 17 of the GDPR, as data subject you have the right to obtain from the Controller the erasure of personal data concerning you without undue delay only in the cases provided for under art. 17 (1) from a) to f), except in the event of art. 17 (3) specifically applying.

Pursuant to art. 18 (1) a) to d), of the GDPR, as data subject you have the right to request and obtain from the Controller the restriction of the processing of your personal data, or that said data not be subject to further processing or alteration. The Controller guarantees that the restriction of processing is implemented using appropriate technical means ensuring its inaccessibility and inalterability.

– Right to Data Portability

Pursuant to art. 20 of the GDPR, as data subject you have the right to receive from the Controller the personal data concerning you which has been processed using automated means in a structured, commonly used and machine-readable format, and also have the right to transmit those data to another controller, or to obtain direct transmission of said data by the Controller, where technically feasible, to another specifically identified data controller.

– Right to Object

Pursuant to art. 21 of the GDPR, as data subject you have the right to object at any time to the processing of personal data concerning you on grounds relating to your particular situation in the event of the processing of your data being necessary (1) for the performance of a task carried out for reasons of public interest and/or in relation to the exercising of official authority vested in the Controller; (2) for the pursuance of a legitimate interest of the Controller or a third party; (3) for profiling activities if carried out by the Controller on the basis of the preceding points. You also have the right to object to the processing of your personal data on grounds relating to your particular situation if they are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

You also have the right to object in the event of your personal data being processed by the Controller for the purposes of direct marketing and/or profiling activities associated with direct marketing. In these cases, on receiving your communication as indicated hereinbelow, the Controller – Consorzio Piccole Strutture Ricettive Langhe Monferrato Roero – will refrain from processing your personal data any further.

Methods of exercising the above rights

You may exercise your above rights by emailing a request to the attention of the Privacy Officer at consorziosol@confcommercio.legalmail.it

The Controller will confirm receipt of your request and provide you with information relating to the action taken with reference to the exercising of your rights provided for under articles 15 to 22 of the GDPR within 1 (one) month of the receipt of your request. If necessary, and taking into consideration the complexity and number of requests, the Controller may extend this deadline by 2 (two) months, subject to justification being sent within 1 (one) month of the receipt of your request.

The Controller will disclose any rectifications, erasures, limitations and objections to all the recipients identified by art. 4, (1) 9) of the GDPR to whom the data have been transmitted, unless it proves to be impossible and/or involves disproportionate effort.

In the event of the Controller failing to comply with your request within 1 (one) month of its receipt, you will be informed by the Controller of the reasons for this failure to comply and of your right to lodge a complaint with the supervisory authority (Data Protection Authority), as specified pursuant to art. 13, (2) d) and regulated by article 77 and subsequent articles of the GDPR.

Right to Withdraw

Pursuant to art. 6 (1) a) you have given your consent to the processing of your data for the purposes specified above and therefore the nature of your express consent is merely optional and not mandatory with no consequences other than the impossibility for the Controller to properly perform the above direct communication services. In any case, the consent you may have given may be withdrawn by you at any time, interrupting corporate services and activities with immediate effect. Such withdrawal will not compromise the lawfulness of the processing based on the consent given prior to the withdrawal.

Right to Complain

Pursuant to art. 77 of the GDPR, as data subject you have the right to lodge a complaint with a supervisory authority in accordance with the methods indicated in said article.

Consequences of failure to disclose your data

The communication of your data is not a legal obligation. But as specified above, it is based on the condition of lawfulness of the processing, or your express, freely given, specific, informed and unambiguous consent or, if necessary, the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.

The nature of both these legal bases is therefore merely optional and not mandatory, with no consequences other than the impossibility for the Controller to properly perform the above direct communication services or carry out its contractual/pre-contractual performance. In any case, the consent you may have given may, as said, be withdrawn by you at any time, interrupting corporate services and activities with immediate effect.

Processing methods

The processing of the personal data you disclose is performed by means of the operations indicated in art. 4 (2) of the GDPR, and to be precise: “collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, disclosure, erasure or destruction of the data”.

The personal data you disclose are subjected to automated processing for the time which is strictly necessary in order to achieve the purposes for which they have been collected using technical and organizational methods employed to prevent the loss, illegal or improper use and unauthorized access to the data, and therefore such as to guarantee a level of security appropriate to the risk pursuant to art. 32 of the GDPR by suitably authorized parties in compliance with the provisions of art. 29 of the GDPR, or employees and/or associates of the Controller in their capacity as authorized parties and/or system administrators who may perform consultation, use, processing, alignment and any other appropriate operation in compliance with the provisions of law necessary to guarantee, among other things, the confidentiality and security of the data as well as the accuracy, updating and relevance of the data in accordance with the declared purposes and methods.

The Controller informs you that for the purposes of the processing of your personal data it performs profiling activities, in other words to analyze or predict aspects relating to the professional performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements, etc.

In particular, unless specified otherwise herein the personal data you disclose will be subject to processing only at the registered offices of the Data Controller and will not therefore be disseminated, and pursuant to art. 13 (1) e) they may only be processed by authorized parties  and/or external data processors (in the person of single professionals and/or professional associations), including explicitly the hosting company and/or technical personnel assigned to the management and/or maintenance of the Website, but only and exclusively for the purposes expressly and specifically indicated above.