INFORMATION AND CONTACT DETAILS OF THE CONTROLLER
Art. 13, paragraph 1(a) and (b) EU Reg. n. 679/2016
Controller: The Italian Trotter S.r.l., whose registered office is at Via Francesco Guala 77/A, 10135 Torino, Italy, VAT n. 12204410018
Contact details of the Controller: Email: firstname.lastname@example.org
The Italian Trotter S.r.l., whose registered office is at Via Francesco Guala 77/A, 10135 Torino, Italy, VAT n. 12204410018, as the controller of your personal data (hereinafter also “Controller”), inform you, within the meaning of Articles 12 and 13 of EU Regulation n. 679/2016 (General Data Protection Regulation, henceforth called for brevity “GDPR”), that your personal data will be processed by subjects specifically authorized to and limited to the aims and with the modalities specified hereafter with reference to the capabilities of the web portal www.theitaliantrotter.com
OBJECT AND PURPOSES OF THE PROCESSING
The Controller informs you that it will process your personal data and specifically (i) name and surname, location (place of residence), email address, telephone/fax number, accounting and banking data, (ii) information belonging to special categories of personal data ex art. 9 of GDPR and (iii) identifying and IP addresses or domain names, in accordance with the purposes and the methods as defined and specified below.
The Website users’ personal data, as described above, will be subject to processing in the ways and in the forms prescribed by the GDPR for the carrying out of specific functionalities of the Website, with particular – but not exhaustive – reference to procedures, described therein, of data collection, “Tailor Made Tour” questionnaire, “Wine Club” Membership, “Contacts” and “Newsletter” form filling.
In particular, the personal data provided by yourself, as data subject, to the Controller, will be processed for the pursuit of the following purposes:
a) Through the “Tailor Made Tour” questionnaire, to find out which travel services are the best for you, that will be included in the quotation document/travel contract, and/or to join the “Wine Club” Membership as described in the website. Some information provided by you (“special request” form) may possibly belong to special categories of personal data ex art. 9 of GDPR (e.g. food allergies, disabilities, special needs);
b) For the response to specific requests from the user/data subject to the controller via the Website and its communication tools, in particular via the “Contacts” form, finalized to the vehiculation of requests for any kind of information;
c) For the purposes of direct marketing, especially for the sending of newsletters through the homonymous specific function “Newsletter”, the sending of information on products, activities and services, commercial and promotional initiatives of the company, signalling and promoting advertising events.
This Privacy Information is effective only with reference to the above mentioned web portal www.theitaliantrotter.com, but not with reference to other and different portals or Websites accessible through links present therein, of which the Controller is not in any way the holder.
LAWFULNESS OF PROCESSING
Apart from what above specified for navigation data, the communication from the data subject to the Controller of the personal data, as above described, has as prerequisites for lawfulness of processing, the following legal basis:
• Art. 6, para. 1 lett. b) of the GDPR, concerning the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject to entering into contact, for the purposes referred to in points a).
• Art. 9, para. 2 lett. a) of the GDPR, concerning the data subject explicit consent for the purposes referred to in point a).
• Art. 6, para. 1 lett. a) of the GDPR, concerning the data subject freely given, specific, informed and unambiguous consent, in any case revocable, for the purposes referred to in paragraph b) and c).
The processing of your personal data, possibly also belonging to special categories ex art. 9 of the GDPR, is therefore necessary for the integral fulfilment of the aims referred to in points a) and b), and consequently your refusal to provide the above mentioned data may result in the failure to carry out the functions and services of the Website; instead, the processing of your personal data is merely optional with regard to the completion of commercial activities and direct marketing referred to in point (c), and therefore the possible lack of consent does not prevent the fulfilment of the other purposes as above indicated. In any case, the consent from you possibly loaned, may be from you revoked at any time, with the immediate effect of intermitting the connected activities and business services.
METHOD OF PROCESSING
The processing of the personal data communicated by yourself is realized by means of the operations indicated in Art. 4 n. 2) of the GDPR, and precisely: “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
The above described personal data are subjected to automated processing for the time strictly necessary to achieve the purposes for which they have been collected, with technical and organizational measures adopted to prevent the loss of data, incorrect criminal use and/or unauthorized access, and such, therefore, to ensure a level of security appropriate to the risk within the meaning of art. 32 of GDPR, by subjects specifically authorized, in compliance with the provisions of art. 29 of GDPR, i.e. employees and/or collaborators of the Controller as authorized subjects and/or system administrators, which can carry out operations of consultation, use, processing, comparison and any other appropriate operation in compliance with the provisions of the law necessary to ensure, inter alia, the confidentiality and security of data as well as the accuracy, updating and relevance of the data in relation to the purposes and methods declared.
It should be noted, in particular, that the above mentioned personal data will be processed only under the controller’s approval, except as specified below, it will be not, therefore, disseminated and, within the meaning of Art. 13, paragraph 1, lett. (e), it will be processed only by authorized persons and/or any processor (in person of individual professionals and/or complex professional associations), and/or by entities that operate as autonomous controllers, the hosting company and/or by technical personnel in charge of the management and/or maintenance of the Website, but only and exclusively for the purposes above expressly and specifically indicated.
COMUNICATION OF THE DATA
In relation to the above-mentioned purposes, the personal data can be communicated to the following subjects and/or categories of subjects listed below or can be communicated to companies and/or to persons, providing services, also external, on behalf of the Controller.
Among these, for the sake of greater clarity, but not limited to: hotels, professionals and consultants, also as complex professional associations, on which the company relies for the provision of services relating to the travel contract; banks and credit institutions; subjects who carry out control, revision and certification of the activities carried out by the company, possibly also in the interests of customers; entities that provide IT and telematic services for the management of the IT system used by the Owner and of the telecommunications networks (including the management of e-mail and web portals and Internet sites – hosting – cloud storage services); Competent authorities and / or supervisors for the fulfillment of legal obligations; tax consultancy firms or consultants; labor consultants; legal legislator for the protection of contractual rights; subjects who carry out control, audit and certification of the activities carried out by the Data Controller, who operate as data processors pursuant to Art. 28 of the GDPR, or in total autonomy as a separate Controller.
This Website may share some of the data collected with IT services localized outside of Italy and of the European Union area. In particular with Google, Facebook, Instagram and YouTube, also through social plugin and the service of Google Analytics. The transfer of personal data outside the EU is authorized on the basis of specific decisions of the European Union’s Commision and of the Supervisory Authority for the protection of personal data, in particular the decision 1250/2016 (i.e. Privacy Shield – here the information page of the Italian Supervisory Authority), so that we do not need further consent. The above mentioned companies ensure the adhesion to the Privacy Shield.
In any case, in the hypothesis that a personal data transfer extra EU would be necessary, the Controller now ensures that the data transfer will be in accordance with the provisions of applicable law, and in particular in accordance with Articles 44 – 45 – 46 – 47 – 48 and 49 of GDPR.
DATA RETENTION PERIOD
We draw your attention to the fact that, in compliance with the principles of lawfulness of processing, purpose limitation and data conservation and minimization, within the meaning of Art. 5 of GDPR, the storage period of your personal data is established for a period not greater than the achievement of the purposes for which they were collected and processed, i.e. for the entire duration of the fulfilment of the above mentioned purposes, and therefore, exhausted the processing finality, your data will be erased from any physical and logical support.
THE DECISION-MAKING PROCESSES AND AUTOMATED PROFILING
The Controller informs you that, for the purposes of the personal data processing, does not avail itself of the decision-making automated processes, i.e. those directed to take decisions based solely on technological means on the basis of predetermined criteria (i.e. without the human involvement), nor does it perform automated profiling activities.
RIGHTS OF THE DATA SUBJECT
Right of access ex art. 15 of the GDPR and right of rectification ex art. 16 of the GDPR
As the data subject, within the meaning of art. 15 of the GDPR, you have the right to obtain from the Controller the confirmation of the existence or not of a personal data processing concerning yourself, to obtain access to them and to all the information referred to in Article 15, paragraph 1, letters (a) to (h), by release of the copy of the data object of processing in structured format, of common use, readable by automatic device and interoperable.
Pursuant to art. 16 of the GDPR, you also have the right to obtain from the Controller the rectification and/or integration of the data object of processing, if they are not accurate and/or updated and/or incorrect and/or incomplete.
Right to erasure ex art. 17 of the GDPR and right to restriction of processing ex art. 18 of the GDPR
As the data subject, you have the right to obtain, without undue delay, from the Controller, exclusively in the cases referred to in art. 17, paragraph 1, letters (a) to (f), of the GDPR, the erasure of the data concerning yourself – with the exception of specific cases provided for by art. 17 paragraph 3.
As the data subject, within the meaning of art. 18, paragraph 1, letters (a) to (d) of the GDPR, you have the right to request and obtain from the Controller the restriction of processing of your personal data, i.e. that such data are not subjected to additional processing and can no longer be modified. The Controller ensures that the restriction of processing to be carried out by technical devices adapted to ensure their inaccessibility and immutability.
The right to data portability ex art. 20 of the GDPR
As the data subject, you have the right to receive, within the meaning of art. 20 of the GDPR, by the Controller, the personal data concerning yourself, whose processing is performed by automated means, in a structured, commonly used and machine-readable format, and you also have the right to transmit such data to another controller, i.e. to obtain from the Controller, where technically feasible, the direct transmission of such data to another controller specifically identified.
Right to object ex art. 21 of the GDPR
You have the right to object in any moment to the processing of personal data concerning yourself, for reasons related to your particular situation, in cases where the processing of your personal data is necessary (1) for the execution of a task in the public interest and/or connected to the exercise of public powers which is invested the Controller; (2) for the pursuit of a legitimate interest of the Controller or a third party; (3) for profiling activities performed by the Controller on the basis of the preceding points.
You also have the right to object to the processing of your personal data for reasons related to your particular situation where the same data are processed for the purposes of scientific research or historical or for statistical purposes in accordance with Article 89, paragraph 1 of the GDPR, except when the processing is necessary for the execution of a public interest task.
Detailed operating mode to exercise the rights
You may exercise the rights listed above by request to be sent to the email address email@example.com or by registered letter with return receipt to the address “Via Francesco Guala 77/A, 10135 Torino, Italy”, to the attention of Mrs. Elena Pasero.
The Controller will confirm receipt of your request and will give you the information relating to the action taken with reference to the exercise of your rights provided for in Articles 15 to 22 of the GDPR, within one (1) month after receipt of the request. If necessary, and taking into account the complexity and the number of requests, the Controller may extend this period of two (2) months after communication motivated by transmitting within one (1) month after receipt of the request.
The Controller will communicate any rectification, cancellation, limitation, opposition to all recipients, as identified by the art. 4, paragraph 1, n. 9 of the GDPR, to which such data have been transmitted, unless this proves impossible or involves a disproportionate effort.
Following the sending of your request for correction, cancellation, opposition, limitation, if the Controller has reasonable doubts about your identity will ask you more information to confirm it. These notifications will be sent via email from address firstname.lastname@example.org.
If the Controller does not comply with the request within a period of one (1) month after receipt of the request, it will inform you about the reasons for the non-compliance and about your faculty to lodge a complaint with a Supervisory Authority (i.e. the Italian “Autorità Garante per la protezione dei dati personali”), as specified pursuant to Art. 13, paragraph 2, letter (d) and governed by Articles 77 ff. of the GDPR.