1. Type of data processed
The Company will process the following personal data of the Users who browse the Website and interact with the web services offered through the latter, in particular:
- Data collected while the User is browsing the Website
The computer systems, cookie technology and software procedures used to operate the Website acquire, during their normal operation, some data whose transmission is automatic in the use of the Internet. These data are not collected to be associated with a specific User. However, they could, by their very nature, lead to the identification of the Users, by means of processing and associating them with different data held by third parties.
This category of data includes, for instance, IP addresses or domain names of computers used by Users to connect to the Website, Website pages visited by Users, domain names and addresses of websites from which the User has accessed the Website (by referral), the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the web server, the size of the file obtained in response, the numeric code indicating the status of the response sent by the web server, and other settings regarding the browser (e.g. Internet Explorer, Google Chrome, Firefox), the operating system (e.g. Windows) and the User’s computer environment.
- Data voluntarily provided by the User to communicate with the Company
These are the data voluntarily provided by the User to the Company (e.g. name, surname, e-mail address, other personal data included in e-mails or attachments thereto, etc.) following the sending of an e-mail or other communications, through the interface in the “Contacts” section of the Website.
2. Legal basis and purposes of the processing
The personal data automatically or voluntarily provided by the User will be processed for the following purposes without the prior consent of the User:
- to allow Users to browse the Website;
- to carry out the necessary maintenance and technical assistance to ensure the correct operation of the Website and related services;
- to take legal action for the protection of the Company’s rights and to tackle unlawful behaviours;
- to comply with legal and/or regulatory obligations;
- for the pursuit of the Company’s legitimate interest to: (a) prevent the occurrence of fraud or other crimes through the use of the Website; (b) inform the User about the activities carried out by the Company through the contents of the Website; (c) improve the quality and structure of the Website, as well as to create new services, features and/or functions thereof; (d) carry out statistical surveys (following prior anonymisation of User’s personal data) regarding the use of the Website; (e) interact with Users interested in the “Porto Cervo Wine and Food Festival” and/or, more in general, in the services of the Company, through the “Contacts” section available on the Website.
Should the Company use the personal data collected for any other purpose incompatible with the purposes for which these data were originally collected and processed, the Company will inform the User in advance, and the User may deny or withdraw his consent.
3. Nature of the provision of data
The provision of personal data automatically provided by the User occurs by merely browsing the Website. Therefore, if the User does not intend to provide any personal browsing data, he should not visit or otherwise use the Website or send requests or communications through the Website or give his consent when the option is proposed to him in accordance with the Privacy Legislation.
The provision of personal data voluntarily provided by the User is optional. However, failure to provide such data may result in the impossibility to receive replies to communications sent by any means to the Company through the Website.
4. Methods of data processing
The processing of Users’ personal data is carried out by means of the operations set out in article 4 GDPR and, in particular: the collection, recording, storage, retrieval, consultation, use, disclosure by transmission, restriction, erasure of data.
We also inform you that User’s personal data:
- will be processed in accordance with the principles of lawfulness, fairness and transparency;
- will be collected only for the legitimate purposes referred to in § 2;
- will be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- will be kept in a form that allows the identification of the User for a period of time not exceeding the achievement of the purposes and better defined under § 8 below;
- will be processed in such a way as to ensure adequate security from the risk of destruction, loss, alteration, disclosure or unauthorized access by means of technical and organizational security measures.
User’s personal data are processed by means of paper, automated or information technology tools as well as by adopting organizational methods and logic which are strictly related to the purposes of the processing.
The Company uses the most appropriate technological and security measures (information technology, physical, organizational and procedural) to ensure the security and confidentiality of the data processed.
The User acknowledges, however, that the disclosure of personal data by means of websites presents risks associated with the communication of such data and that no system is totally secure or tamper-proof or immune to information theft.
5. Access to data
The User’s personal data may be made accessible only for the purposes referred to in § 2 to the following authorized subjects: employees and collaborators of the Company or of its associated companies, subsidiaries and affiliates duly authorized by the Company.
6. Disclosure of data
The Company may, even without the express consent of the User and for the purposes referred to in § 2, disclose the User’s personal data to: supervisory and/or control bodies of the Company, judicial authorities and all other persons to whom disclosure of data is required by law for the achievement of the abovementioned purposes, as independent data controllers.
In addition, the Company may entrust certain personal data processing operations – carried out for the purposes referred to in § 2 above – to categories of third parties, specifically appointed, if necessary, as data processor by the Company, including, but not limited to:
- providers of the technical services of the Website;
- providers of the hosting service of the Website;
- IT companies responsible for the maintenance and management of the Website;
- communication agencies involved in any market research carried out by the Company using the anonymised browsing data of the Users;
- the companies which form part of the Smeralda Holding Group, to which the Company belongs (for management, statistical and data consolidation needs).
The User’s personal data will not be disseminated to the public or to indeterminate subjects.
7. Transfer of data outside the EU
User’s personal data will be handled and stored using the Company’s or a third party’s servers located within the European Union. If the Company uses a third party’s servers to handle and store data, the third party will be appointed as data processor.
The User’s personal data will not be transferred to non-EU countries or international organisations.
Any transfer of the User’s personal data to non-EU countries or international organisations may only take place under the terms and with the safeguards provided by the Privacy Legislation.
8. Period of data storage
User’s personal data will be stored and processed until the end of the browsing session. After the end of the browsing session, personal data will not be stored and/or processed, for any reason whatsoever, for a period exceeding 24 months (the “Storage Period”), unless a different storage period is provided for under the applicable law.
At the end of the Storage Period your personal data will be deleted, unless there are further legitimate interests of the Company and/or legal obligations for which – following their prior minimisation – this storage of personal data is mandatory.
9. User’s Rights
Pursuant to the Privacy Legislation, the User shall always be granted the right to withdraw his consent, and may at any time exercise the following rights:
a) the “right of access” and specifically of obtaining confirmation as to whether or not personal data concerning the User are being processed, the communication of such data in an intelligible form as well as the following information:
- the purposes and methods of the processing of User’s personal data (including the existence of an automated decision-making, including profiling, referred to in article 22 par. 1 and 4 GDPR and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the User), the categories of personal data processed, the origin of the personal data, the period for which the personal data will be stored (where possible), or the criteria used to determine such period;
- the identification details of the Data Controller, the data processors and the representative designated pursuant to article 27 GDPR, of all subjects or categories of subjects to whom the personal data have been or will be disclosed on Italian territory, particularly if data will be disclosed to recipients from third countries or international organizations (in this case, the User is also entitled to be informed of the existence of adequate safeguards pursuant to article 46 GDPR);
- the existence of the right of the User to obtain from the Data Controller the rectification, erasure or restriction of the processing of personal data or to object to their processing;
- the existence of the right to lodge a complaint with the Italian Data Protection Authority (the “Garante Privacy”);
b) the “right to rectification”, which means the right to obtain the rectification of inaccurate personal data concerning the User or, if it is in his interest, the integration of personal data, from the Data Controller;
c) the “right to erasure” (or “right to be forgotten”), which means the right to request the erasure or the anonymization of personal data that were or have been processed unlawfully, including data whose storage is unnecessary for the purposes for which they were collected or further processed;
d) the “right of restriction of processing”, that is the right to obtain – from the Data Controller – the restriction of processing in certain cases provided for by the Privacy Legislation;
e) the right to request from the Data Controller the identification of the recipients to whom the Data Controller has notified any rectification, erasure, or restriction to the processing (carried out pursuant to articles 16, 17 and 18 GDPR, in compliance with the obligation to notify, unless it proves to be impossible or would involve a disproportionate effort);
f) the “right to data portability”, i.e. the right to receive (or transmit directly to another controller) personal data in a structured, commonly used and machine-readable format;
g) the “right to object”, which means the right to object, in whole or in part, to:
- the processing of personal data carried out by the Data Controller for his own legitimate interest;
- the processing of personal data by the Data Controller for the purposes of direct marketing or profiling.
In the above cases, where necessary, the Data Controller will inform the third parties to whom the User’s personal data were disclosed of any exercise of Users’ rights, unless it proves to be impossible or unduly burdensome.
10. Exercise of User’s rights and complaint to the Garante Privacy
The User may at any time exercise the rights referred to in the preceding paragraph, in the following ways:
a) by sending a registered letter with acknowledgement of receipt to the Company address in Arzachena, Porto Cervo, Casa Il Ginepro 1/A;
b) by sending an e-mail to: [firstname.lastname@example.org] and to the DPO to: email@example.com.
Pursuant to the Privacy Legislation, the User has also the right to lodge a complaint with the Garante Privacy by:
a) lodging the complaint by hand to the offices of the Garante Privacy (using the address referred to in lett. b) below);
b) forwarding a registered letter with acknowledgement of receipt addressed to “Garante per la protezione dei dati personali”, Piazza Venezia n. 11 – 00187 Rome;
c) sending an e-mail to the following address: firstname.lastname@example.org, or email@example.com or a fax to the following number: 06-696773785.
For further information, please visit the website of the Garante Privacy: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524.
11. Data Controller and data protection officer
The Data Controller of the personal data collected and processed through this Website is Sardegna Resorts S.r.l., with registered office in Arzachena, Porto Cervo, Casa Il Ginepro 1/A.
The Data Controller can be contacted by e-mail at the following address: [firstname.lastname@example.org].
The data protection officer is Data Protection Advisory S.r.l., domiciled for the assignments at the registered office of the Company (the “DPO”). The DPO can be contacted at the following e-mail address: dpo@DP-Advisory.eu.
Last update: [•] 2019