INFORMATION NOTE ON THE PROCESSING AND PROTECTION OF PERSONAL DATA CARRIED OUT AS PART OF THE WEB BOOKING SERVICE
In the exercise of its business activity Fattoria Torre a Cona Società Agricola S.r.l. pays the utmost attention and protection of personal data of all those who work or interact with it (hereinafter for brevity "Interested" and/or "User"), adopting for this purpose any suitable, adequate and necessary procedure and security system.
Firmly believing in the principles of transparency and correctness, this information is therefore provided in order to provide all interested parties with a complete description of the methods and purposes of the processing of personal data that is carried out for and in connection with the provision of web booking services (hereinafter for brevity the "Services"), and this also in accordance with the provisions of Regulation (EU) No. 2016/679 on the protection of individuals with regard to the processing of personal data, and the free movement of such data (hereinafter for brevity the "GDPR").
II. HOLDER AND PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
The Data Controller is Fattoria Torre a Cona Società Agricola S.r.l., with registered office in Via Piazza Cesare Beccaria 2 - 50121, Florence, Italy, VAT/C.F. 05026700483 and operational headquarters in Via Torre a Cona 49 - San Donato in Collina, 50067 Rignano sull'Arno (FI), firstname.lastname@example.org (hereinafter also referred to as "Data Controller").
The processing of the personal data provided to the Data Controller for the use of the Booking Engine Service (hereinafter referred to as "Web Booking") and for the marketing activities associated with such service, will be carried out on behalf of the Data Controller (i.e. in the role of data processor pursuant to art. 28 of the GDPR) by Passepartout S.p.A., a company incorporated under the laws of San Marino mainly engaged in the production and distribution of software and related services, with registered office in the Republic of San Marino in Customs (Cap 47891), Via Consiglio dei Sessanta no. 99, registered with the Company Register no. 6210 on 6 August 2010, with Economic Operator Code no. SM03473, share capital € 2,800,000 fully paid up, which can be contacted, for the purposes of this notice, at the e-mail address email@example.com or by telephone at 800 414243 (hereinafter also referred to as "Passepartout" and/or "Data Processor").
Passepartout S.p.A. has designated (i) as its representative in the European Union, pursuant to art. 27 of the GDPR, the company Paci Rappresentante Privacy Srl registered with the Chamber of Commerce of Romagna, share capital € 10,000.00, with registered office in Rimini, P.tta Gregorio da Rimini n. 1, which can be contacted, for the purposes of this information notice, at the e-mail address firstname.lastname@example.org or at the telephone number 0541 902128 (hereinafter for brevity "Representative"); and (ii) a data protection officer (as per Chapter IV, Section 4 of the GDPR) who can be contacted at the e-mail address email@example.com or at the telephone number 800 414243.
III. PERSONAL DATA
Personal data shall mean all information relating to a natural person, identified or identifiable by reference to elements such as the name, identity document details, physical, physiological, genetic, economic, cultural or social identity of that person, as well as details of his or her location.
The personal data as described above are processed mainly when the interested party uses the Services and/or the Web Booking.
The provision of all other personal data is optional but may be necessary to use the Services and/or the Web Booking, such as data to make proposals, buy or sell that are necessary to conclude a contractual transaction.
Personal data is provided directly by the interested party and/or acquired automatically through the devices when the Services and/or Web Booking are used, when the data is provided in a web form on our sites, when an account is created and/or updated or when the interested party contacts us in any other way or expressly provides personal data through his consent, all as detailed below.
IV. TYPE AND CATEGORY OF DATA PROCESSED
Of the personal data as described above, and for the provision of the Web Booking, the Data Controller (and for it the Data Processor) collects only the following types.
The personal data collected concern:
a) identifying information such as name, surname, date and place of birth, place of residence, tax code, VAT number and registered office, iss code, telephone number, e-mail address (also by certified e-mail), username, password, gender, or other data that we are required or authorized to collect and process, in accordance with current legislation, in order to authenticate or identify the User or to verify the information provided and collected;
b) IP address and navigation data and any other data concerning the User's interaction with the Services and/or the Web Booking, for example when viewing or searching for content, creating or accessing your account and/or a reserved area. We also collect data relating to the devices and/or computers used by the User to access the Services and/or the Web Booking, including browser type, unique device code, language, operating system, referring web page, pages visited, location and information on cookies, data on the computer and connection (for example, statistics on page views, incoming and outgoing traffic from the sites, source URL).
c) data relating to offers, purchases or sales related to the Services and/or Web Booking provided during a pre-contractual negotiation and its subsequent completion and any other data provided in reference to such operations;
d) data relating to the invoicing (and possible shipment) of the Services and/or the Web Booking;
e) financial data considering that some Services and/or the Web Booking support payments and transactions with third parties. For this purpose it may be necessary to provide certain data for the identification and verification of the identity of the interested party and the means of payment used, such as name, surname, credit/debit card number, expiry date of the card. Such data, where collected by the Data Processor, will be saved only in encrypted form. In some cases, in order to allow the User to speed up new and similar payment transactions in the future, Passepartout may only store the last four digits of the card number;
f) geo-location data, in particular through the use of mobile devices;
g) cookies and similar technologies installed by Passepartout as data controller. In the provision of the Services and/or Web Booking, cookies, unique identifiers and other similar technologies are used to acquire data on the pages and links visited and other similar actions, within the advertising or e-mail content, all within the terms, according to the terms and conditions provided in the specific policy available at the following link: https://www.passepartout.net/utility/cookie; with respect to the processing connected to the collection of such data;
h) special categories of personal data ("details") provided by customers for special needs/requests related to the booked services. Special categories of personal data such as, for example, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data aimed at uniquely identifying a natural person, data relating to a person's health or sexual life or sexual orientation, are not collected in any way and therefore not processed;
(i) data collected from third parties. We may also collect data via the social media used by you. If you make a quick booking via the social login on the booking form, you authorize us to automatically share with you certain personal data entered in the social network necessary for the booking (e.g. personal data, address, language, email). In order to receive more detailed information pursuant to art. 13 of the GDPR regarding the use of personal data through this technology, we ask Users to access the following links: Facebook social login: https://developers.facebook.com/docs/plugins, Google account login:https://www.google.com/policies/privacy.
V. PURPOSES AND METHODS OF DATA PROCESSING
The processing of personal data collected takes place only and exclusively for the following purposes:
a) to execute contracts relating to the Services and/or Web Booking
Through the information and data communicated, we are able to carry out the activities and contractual services provided for by the Service contracts and/or the Web Booking requested by the interested party (also in the name and/or on behalf of third parties) or to carry out measures and/or pre-contractual negotiations referring to the same Services and/or the Web Booking, including administrative and accounting activities, management of tax fulfilments, payments and invoicing.
The information collected will also be used to contact the User with regard to his/her account or in any case with regard to his/her contractual position, to resolve account and/or reserved area problems, to resolve a dispute, to carry out debt collection activities.
Personal data may also be processed to verify and resolve any anomalies in the functioning of the Services and/or the Web Booking.
b) offer security and protection to both the personal data received and the security systems adopted
The data collected on the web booking are used by Passepartout to verify the identity and authenticate the Users, to make and/or receive payments, to protect against possible fraud and/or abuse, to respond to a request or a complaint, to carry out checks, to prevent, detect, mitigate and/or ascertain security breaches and/or even potentially prohibited, illegal and/or illicit activities.
c) Communicate with the interested party.
The data may be used to contact the User to send service communications and/or respond to his/her requests.
d) Carry out marketing activities
Marketing agreed. With the express and specific consent of the User to be manifested in the manner specifically indicated from time to time, the Data Controller may use the User's information provided by Passepartout to promote new products or services in which he may be interested, carry out automated marketing activities also through third parties specifically appointed.
Soft spam towards customers. Even without the consent of the interested party, the data, in accordance with art. 130 of the Privacy Code, may be processed to send emails to Users for the marketing or direct sale of services or products equal or similar to those already purchased previously.
The User may in any case revoke the express consent on marketing activities by following the appropriate instructions included in the newsletter/e-mail or by sending an email to firstname.lastname@example.org.
The personal data collected will be processed lawfully and correctly in compliance with the rules of GDPR, using manual or automated systems that allow you to store, manage and transmit (both in paper and electronic format) the data for the sole purpose indicated in this policy.
Only duly authorized personnel may access the personal data collected.
VI. LEGAL BASIS FOR DATA PROCESSING
The legal bases on which we process your personal data are as follows:
a) for the purposes referred to in points a) and c) of paragraph V above: the contracts established or to be established (with the interested parties) to use the Services (art 6.1 b GDPR);
b) for the purposes of point b) of paragraph V above: the legitimate interest (art 6.1 f GDPR), with respect to which it is possible to lodge an opposition under paragraph X below, letter X. (a) by which is meant the interest in: preventing fraud; promoting security and data protection; in relation to traffic data in order to ensure network and information security, by which is meant the ability of a network or information system to resist, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted and the security of the related services offered or made accessible through these networks
(c) for the purposes of point d) (marketing consent) and (soft spam) of paragraph V: respectively, the consent of the person concerned (Article 6.1 a GDPR) and the legitimate interest in direct marketing (Article 6.1 f GDPR). The consent may be revoked and the legitimate interest opposed in the terms and conditions indicated in paragraph X, letter a) below;
VII. DATA CONTROLLER
As already mentioned in Paragraph II above, the processing of personal data provided to the Data Controller for the use of the Web Booking and related service security will be carried out by Passepartout, the company that owns the software program for the Web Booking and licensed to the Data Controller.
This data processing will be carried out in accordance with the terms and conditions of the contract between the Data Controller and the Data Processor and in any case in full compliance with the provisions of this information notice (hereinafter referred to as the "Data Controller-Responsible for Processing Agreement").
Passepartout will process and store the personal data collected in the servers at its disposal (also at the Republic of San Marino). In this regard, it should be noted that in the regulation of the Agreement between the Data Controller and the Data Processor, the guarantees required by GDPR (ex art. 46) have been taken into account (and fully implemented) in the case of transfer of personal data to countries outside the European Union.
VIII. HOW TO SHARE INFORMATION WITH THIRD PARTIES
The personal data provided may be shared with third parties only in the following cases:
a) suppliers of websites, applications, services and tools with which we collaborate for the provision of Services and/or Web Booking.
b) providers of IT services, payment and/or sales management, marketing, data analysis, and research and survey).
c) suppliers who follow services of prevention, detection, detection of potentially illegal acts, of violations of the Services; collection of invoices; consulting activities;
d) in addition, we may store or disclose personal data where necessary to meet the requirements of justice, for example because required by an Administrative Authority, a Control and/or Supervisory Authority or as part of a judicial proceeding, in compliance with the law, or otherwise for the exercise of legal rights or defense against complaints and/or legal action or to prevent, detect or investigate illegal activities, fraud, abuse, violations of subjective legal positions or where there are threats, even potential threats to the security of the Web Booking or physical security of any person.
IX. DATA RETENTION PERIOD
The period of retention of personal data is determined (or determinable) depending on the purpose or legal basis on which the processing should take place.
The personal data for the execution of the contract concerning, among other things, the Web Booking, will be kept for the time necessary to correctly and fully perform the services provided for in the contract itself (including those strictly connected and related to its termination) and in any case for a period of time not exceeding 10 (ten) years from the termination of the Web Booking.
The personal data processed for marketing and commercial purposes will be kept for no more than 24 months in compliance with the provisions of the Privacy Guarantor and in case of soft-spam until the moment in which the interested party has not expressed the intention to revoke the consent for this purpose.
In the event of having to satisfy one's legitimate interests for the purposes referred to in point b) of paragraph V as identified above, the storage period shall correspond to the period in which such interest is satisfied.
It shall also be without prejudice to the case in which the greater (or lesser) retention of the data must be carried out in order to meet the requirements of justice, for example to comply with a request by the administrative, supervisory and/or supervisory authority or for the exercise and/or protection (judicial and/or extra-judicial) of one's rights or to exercise the defence against complaints and/or legal action.
Once the storage period has ended, personal data will be anonymized or removed securely.
X. THE RIGHTS OF THE DATA SUBJECT
All Interested parties to whom the personal data processed may refer, in accordance with the terms and conditions set forth by GDPR, may exercise the rights described below.
a) Right of access, rectification and cancellation of data, limitation and opposition to the use of data and right to revoke consent.
Without prejudice to the foregoing with regard to storage, the Data Subject may at any time obtain access to his or her personal data, as well as the right to update, modify, limit the processing or request its deletion.
If you choose to delete your data, please note that although most of the information stored will be deleted within 60 (sixty) days, it may take up to 180 (one hundred and eighty) days to delete all data entered into our systems due to the size or complexity of the systems and procedures used.
Where the data processing is based on the consent given by the Data Subject, this consent may be revoked at any time. You may therefore always object to the sending of newsletters and the processing of data for all or only some of the marketing or commercial purposes.
The interested party may also oppose the processing of the data even when it is carried out with respect to our legitimate interests.
If you are asked to withdraw your consent, to limit the use of your data or to delete personal data previously provided, we may no longer be able to provide the Services.
In any case, requests for deletion of data are subject to applicable legal and document retention requirements imposed by law or regulation.
b) Right to portability
The interested party has the right to receive in a structured, commonly used and machine-readable format the personal data concerning him/her provided to a data controller and has the right to transmit such data to another data controller.
c) Right to lodge a complaint
The interested party shall always have the right to lodge a complaint with the competent supervisory authority if he or she perceives problems regarding the use of his or her personal data.
The exercise of the rights described above may be requested by the interested party by communicating to the following e-mail address: email@example.com.
XI. SECURITY MEASURES
We guarantee the implementation and maintenance of suitable technical and organizational measures to ensure a level of security appropriate to any possible risk, also constantly carrying out a series of technical, administrative and physical checks to keep the personal data of the interested party confidential and secure.
XII. COMPLETENESS AND CHANGES