Extended disclosure in accordance with EU Regulation no. 679/2016 (“GDPR”) and Legislative Decree. 196/2003 as amended by Legislative Decree 101/2018
The data controller is IF Imola Faenza Tourism Company s.c.a.r.l. P.IVA 00693671208 COD. FISC 04044300376
Piazza Ayrton Senna da Silva, 2 40026 Imola (BO) , henceforth referred to as “The Company”
The company , in conducting its business pays the utmost attention to the security and confidentiality of its customers’ personal data.
The Company is the Data Controller of the personal data collected on this website (hereinafter the “Site“). WHICH PERSONAL DATA ABOUT YOU MAY BE COLLECTED The Company may collect the following categories of personal data (hereinafter, collectively, the “Data“):
- Contact data – information related to first name, last name, social security number, address, phone number, cell phone number, email address, etc.
- Other personal data – information that you provide us about your place and date of birth, education or professional situation, etc.
- Social Log-In Data – information related to your Social account as well as other data you provide to the Social Network used to log-in to the Site, which may be disclosed according to the privacy preferences you have set on that Social Network.
HOW WE COLL ECT YOUR DATA The Company collects and processes your Data, depending on the service you requested, under the following circumstances better described in the section on purposes:
- for the purchase of our products
- If you register on the Site / download our possible APP
- if you register for our events
- If you write to our sales or administrative department
- if you subscribe to our newsletters
- whether it responds to our marketing campaigns
- Whether other companies or business partners legitimately transfer your Data to us
If you are providing Data on behalf of someone else, you must ensure, in advance, that the data subjects have read this Privacy Notice. Please help us keep your Data up-to-date by informing us of any changes. FOR WHAT PURPOSES YOUR DATA MAY BE USED
- (a) Establishment and execution of contractual relations and consequent obligations.
The Company may process your Contact Data, Payment Data and Other Personal Data for the purposes of the possible establishment and execution of contractual relationships, the provision of requested services and the response to reports and complaints. The Company may also use your Contact Data, and in particular your email, to provide you with information related to the requested service. Prerequisite for processing: performance of a contract to which you are a party and fulfillment of legal obligations related to that contract. Providing it is mandatory to process your order; if you fail to do so, we will not be able to process it.
- (b) Operational management and purposes closely related to this in accessing the Site, particularly the restricted areas of the Site.
- (c) Analysis and improvement of services – customer satisfaction
Your Contact Data may be processed by the Company to analyze, review and improve its services with a view to customer satisfaction. Prerequisite for processing: legitimate interest of the Company in reviewing and improving the quality of its services.
- (d) Sending periodic newsletters
Your Contact Data may be used by the Company in order to send you periodic newsletters, upon your explicit request through subscription to the service, containing news and insights on various topics of interest. Prerequisite for processing: performance of a contract to which the data subject is a party. The provision of data is mandatory, failing which you will not be able to subscribe and receive the newsletter.
- (e) Marketing to meet your needs and Profiled Marketing to provide you with promotional offers also in line with your preferences
Subject to your appropriate and specific consent, the Company may process your Contact Data and for marketing and advertising communication purposes aimed at informing you about sales promotional initiatives, carried out through automated contact methods (electronic mail, text messaging, MMS, chat, instant messaging, social networks and other mass messaging tools, push notifications, etc.) and traditional contact methods (e.g., operator telephone call, traditional mail, etc.), or for market research. Again subject to your special and specific consent, the Company may, also, process your Contact Data, Other Personal Data, Interests, Social Log Data and Site Usage Data, through statistical processing of them, creating an individual profile of you in order to send you commercial communications in line with your preferences, based on the analysis of your purchasing habits and choices. Such personalized communications could be carried out through automated modes of contact (e-mail, text messaging, MMS, chat, instant messaging, social networks and other mass messaging tools, push notifications, etc.) and traditional modes of contact (e.g., operator phone call, traditional mail, etc.). Prerequisite for processing: consent. The provision of Data is optional and failure to provide it does not affect contractual relations. This consent may be revoked, at any time, with effect for subsequent processing.
- (f) Sending communications for the promotion of products and services similar to the subject of a previous purchase pursuant to and to the extent permitted by Art. 130, paragraph 4, of the Privacy Code (Legislative Decree No. 196/2003, as amended by Legislative Decree 101/2018).
Your Contact Information related only to e-mail contact details may be used for promotional purposes related to products and services similar to those that are the subject of your purchase. Prerequisite for processing: legitimate interest of the Company in maintaining an effective contractual relationship with you. The provision of Data is optional and failure to provide it does not affect contractual relations. This consent may be revoked, at any time, with effect for subsequent processing.
- (g) Performing marketing activities on behalf of third parties on products and services of Group companies and also third parties.
Subject to your specific and appropriate consent, the Company may process, on behalf of third parties, your Contact Data for marketing activities on products and services of Group companies and also of third parties belonging mainly to the publishing, finance, economy, industry, luxury, services, telecommunications ICT, insurance and nonprofit, carried out through automated contact methods (e-mail, SMS, MMS, chat, instant messaging, social networks and other massive messaging tools, push notifications, etc ) and traditional contact methods (e.g., telephone call with operator, traditional mail, etc.) or for market research and statistical surveys. Prerequisite for treatment: consent. Failure to provide the same will not affect contractual relations. This consent may be revoked, at any time, with effect for subsequent processing.
- (h) Defense of rights in the course of judicial, administrative or extrajudicial proceedings, and in the context of disputes arising in connection with the services offered.
Your Contact Data and Payment Data may be processed by the Company to defend its rights or take action or even make claims against you or third parties. Prerequisite for processing: legitimate interest of the Company in protecting its rights. The provision of Data for this purpose is obligatory since failure to do so will make it impossible for the Company to defend its rights.
- (i) Purposes related to obligations under laws, regulations or EU legislation, provisions/requests of authorities empowered to do so by law and/or supervisory and control bodies
Your Contact Data and Payment Data may be processed by the Company to fulfill its obligations. Prerequisite for processing: fulfillment of a legal obligation. The provision of Personal Data for this purpose is compulsory since failure to do so will make it impossible for the Company to fulfill specific legal obligations. HOW WE KEEP YOUR DATA SECURE The Company uses all security measures necessary to improve the protection and maintenance of the security, integrity and accessibility of your Data. All of Your Data is stored on our secure servers (or appropriately stored hard copies) or those of our suppliers or business partners, and is accessible and usable according to our standards and security policies (or equivalent standards for our suppliers or business partners). Where we have provided you (or you have chosen) a password that allows you access to our Site, applications or services provided by us, you will be responsible for the secrecy of that password and for compliance with any other security procedures we give you. HOW LONG WE KEEP YOUR DATA We keep your Data only as long as necessary to fulfill the purposes for which it was collected or for any other legitimate related purposes. Therefore, if Data is processed for two different purposes, we will retain that data until the purpose with the longer retention period ceases, however, we will no longer process Data for that purpose whose retention period has expired. Your Data that are no longer needed, or for which there is no longer a legal basis for their retention, are irreversibly anonymized (and thus can be retained) or securely destroyed. Below are the retention times in relation to the different purposes listed above:
- Establishment and execution of contractual relationships and consequent obligations: the Data processed to fulfill any contractual obligation may be retained for the duration of the contract and in any case no longer than the next 10 years, in order to verify any pending obligations including accounting documents (e.g. invoices).
- Operational management and purposes strictly related to this access to the Site, in particular to the restricted areas of the Site: the Data processed for this purpose may be kept for the duration of the contract and in any case no longer than 10 years after the last access to the Site.
- Service analysis and improvement – customer satisfaction: the Data processed for this purpose may be kept for 12 months.
- Sending periodic newsletters: the Data processed for this purpose may be retained for the duration of the relationship, but no longer than 10 years thereafter.
- Marketing to meet your needs and Profiled Marketing to provide you with promotional offers also in line with your preferences: the Data processed for these purposes may be kept for 24 months after collection.
- Sending communications for the promotion of products and services similar to that of a previous purchase (within the meaning and to the extent permitted by Art. 130, paragraph 4 of the Privacy Code (Legislative Decree No. 196/2003, as amended by Legislative Decree 101/2018): Data processed for the purpose of promoting similar services or products may be retained for 24 months from the date of the previous purchase.
- Performing marketing activities on behalf of third parties on products and services of Group companies and also third parties: Data processed for marketing purposes may be kept for 24 months after collection.
- Defense of rights in the course of judicial, administrative or extrajudicial proceedings, and in the context of disputes that have arisen in connection with the services offered: in such cases, we will retain your Data for the time strictly necessary for the fulfillment of these purposes.
- Purposes related to obligations under laws, regulations or EU legislation, provisions/requirements of authorities empowered to do so by law and/or supervisory and control bodies: in such cases, we will retain your Data for the time strictly necessary to fulfill these purposes.
WHO WE MAY SHARE YOUR DATA WITH Your Data may be accessed by duly authorized employees, as well as by external suppliers, appointed as necessary as data processors, who provide support for the delivery of services. CONTACT INFORMATION The Company’s contact information can be found on the “Contact Information” page of this website The Data Protection Officer (DPO) appointed by the Company can be contacted at the following email address marked on that page. YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO ADVOCATE COMPLAINTS TO THE CONTROL AUTHORITY Under certain conditions you have the right to request the Company:
- access to your Data,
- The copy of the Data you have provided to us (so-called portability),
- The rectification of the Data in our possession,
- The deletion of Data for which we no longer have any legal basis for processing,
- Withdrawal of your consent if the processing is based on consent;
- The limitation of the way we process your Data, within the limits provided by the legislation to protect personal data.
Right to object: in addition to the rights listed above, you always have the right to object at any time, for reasons related to your particular situation, to the processing of your Data carried out by the Data Controller in pursuit of its legitimate interest. In addition, she can always object at any time if the Data is processed for marketing and profiled marketing purposes. Requests to object should be addressed to the email address in the contact section. The exercise of these rights is free of charge and is not subject to formal constraints, but is subject to certain exceptions aimed at safeguarding the public interest (e.g., the prevention or identification of crimes) and interests of the Society (e.g., maintaining professional secrecy). In the event that you exercise any of the above rights, it will be the Company’s responsibility to verify that you are entitled to exercise them and to acknowledge you, as a rule, within one month. In the event that you believe that the processing of Personal Data referred to you occurs in violation of the provisions of the GDPR, you have the right to file a complaint with the Garante per la protezione dei dati personali, using the references available on the website www.garanteprivacy.it or to take appropriate legal action.
1) PRINCIPLE OF RESPONSIBILITY The processing of personal data is managed over time by appropriate responsibilities identified within the corporate organization.
3) PRINCIPLE OF PERTINENCE OF COLLECTION Personal data shall be processed lawfully and fairly; shall be recorded for specified, explicit and legitimate purposes; shall be relevant and not exceed the purposes of processing; and shall be kept for as long as necessary for the purposes of collection.
4) PRINCIPLE OF PURPOSE OF USE The purpose of processing personal data is made known to the data subjects at the time of collection. Any new data processing, if unrelated to the stated purposes, is activated after new information to the data subject and possible request for consent, when required by the GDPR.
5) PRINCIPLE OF VERIFIABILITY Personal data are accurate and updated over time. They are also organized and stored in such a way that the data subject is given the opportunity to know, if he or she so desires, what data have been collected and recorded, as well as to check their quality and request their possible correction, integration, deletion for violation of the law or opposition to processing, and to exercise all other rights provided by the GDPR at the addresses indicated in the Notices on this page.
6) SECURITY PRINCIPLE Personal data are protected by technical, computer, organizational, logistical and procedural security measures against the risks of destruction or loss, even accidental, and unauthorized access or unauthorized processing. These measures are updated periodically according to technical progress, the nature of the data and the specific characteristics of the processing, constantly monitored and verified over time.
Third parties performing support activities of any kind for the provision of services by companies, in relation to which they perform personal data processing operations, are designated by the latter as Data Processors and are contractually bound to comply with measures for the security and confidentiality of processing. The identity of said third parties is made known to users. With the consent of the data subjects, if required by law, and in any case after adequate information specifying the various purposes, personal data may be communicated to third parties, public and private, unrelated to the company, who will process them as autonomous data controllers. Of the processing of personal data carried out by these third-party data controllers, the Company is in no way responsible. The Society also assumes no responsibility for:
- the rules and methods of handling personal data of other Web sites, which can be reached from our pages through links and cross-references;
- The contents of any e-mail services, Web spaces, chat forums provided to users.
Processing related to the web services offered by this site takes place at the offices of the companies and possibly at the offices of external data processors and is handled by data processors in charge of managing the services requested, marketing activities – where requested by the user -, data storage activities and occasional maintenance operations. Scope of data communication The personal data provided may be communicated to third parties in order to fulfill legal obligations, in execution of orders from public authorities legitimized to do so, or even to assert or defend a right in court. If necessary in connection with particular services or products requested, personal data may be disclosed to third parties who perform, as independent data controllers, functions closely related and instrumental to the provision of services or supply of products. Without communication, these services and products could not be provided. Personal data will not be disseminated unless the requested service requires it. Types of data collected, purposes and processing methods It is good for you to know that, through browsing the site, your professional and personal interests may be detected: such information, however, is collected for the sole and exclusive purpose of providing the requested services and possibly to control the quality of the services offered. Only with the express consent of the user in the legal forms, are carried out, with electronic tools, analysis and profiling activities related to purchasing and professional choices for the purpose of improving the offer of services and business information, direct sales, market research on products, services and events from the company in accordance with the interests of users. Personal data will also be processed for sending commercial and promotional information, direct sales, market research on products, services and events (hereinafter collectively referred to as “marketing activities”) of the company, and for marketing activities, directly by the company, on behalf of companies of the company Data voluntarily provided by the user The types of personal data collected and processed in the siteare those necessary for the provision of the various services provided. The data collected are processed by paper, automated and telematic means and with logic strictly related to the purposes of processing. Your fax and telephone numbers and e-mail address may also be used to provide services to you. Therefore, it is clear that if these data are not given, those services that require the use of these tools cannot be provided to you. If you do not express your consent to the use of e-mail and telephone for the purpose of advertising information or direct sales or interactive marketing communications, these tools will not be used for this purpose. Specific disclosures will be made on the pages of the site set up for the possible provision of personal data. Any voluntary sending of electronic mail to the addresses indicated on the site involves the acquisition of the sender’s address as well as any other information contained in the message; these personal data will be used for the sole purpose of performing the service or performance requested. Navigation data It is useful to know that the site’s software procedures acquire, in the course of their normal operation, some personal data (navigation data), the transmission of which is implicit in the use of Internet communication protocols. While this information is not intended to be associated with identified users, by its nature, when combined with other data held by third parties (e.g., your internet service provider), it could allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users connecting to the site, addresses in URL (Uniform Resource Locator) notation of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user’s operating system and computer environment. This data is used only for the purpose of anonymous statistics on the use of the site and to check its proper functioning. The Data Controller and, depending on the service requested, the Designated Managers shall retain, for a limited period according to legal regulations, the trace (LOG) of the connections/navigations made in order to respond to any requests from the judicial authority or other public body entitled to request said trace for the investigation of possible liability in case of computer crimes. Provision of data Apart from what is specified for navigation data, the user is free to provide or not to provide the personal data requested in the registration forms for the services. On such forms moreover some data may be marked as mandatory; it should be understood that such data are necessary for the provision of the requested service. If this data is not provided, the requested service cannot be provided and you will not be able to take advantage of related opportunities. At the time of any provision of data, a notice containing all the requirements dictated by the GDPR is provided to the data subject. The data subject is then called upon to give informed, free, specifically expressed and documented consent in the form required by law, where required by law. If personal data are conferred at later stages, additions may be provided to previously rendered disclosures and new processing consents may be requested. Security measures taken to protect collected data The company uses “secure” architectures and technologies to protect personal data against undue disclosure, alteration or misuse. The protections activated against personal data are intended, in particular, to minimize the risks of destruction or loss, including accidental loss, of data, unauthorized access, or processing that is not permitted or not in accordance with the purposes of collection. Individuals to whom personal data refer have the right at any time to exercise their rights as set forth in the GDPR. Requests should be addressed to the e-mail address found on the “Contact Us” page or to the specific contact information indicated in the disclosures made to users at the time of any personal data collection.
Third Party Sites
Third-party sites that can be accessed through this website are not covered by this policy. Society. disclaims any responsibility for them. The categories of cookies used and the type of processing of personal data by these companies are regulated in accordance with the information made by these companies.
Use of IP addresses
An IP address is a number automatically assigned to your computer whenever you connect to the Internet through your Internet Provider or from a corporate LAN/WAN network using the same Internet protocols. Like the home address to which others can send you material, the IP address is used by the Web site so that it can send you its own pages.