INFORMATIVE NOTICE GIVEN IN ACCORDANCE WITH ARTICLES 13-14 OF THE GDPR (EUROPEAN REGULATION 2016/679)
According to the legislation indicated, this processing will be based on the principles of fairness, lawfulness, transparency and protection of your privacy and rights. Pursuant to Article 13 of the GDPR 2016/679, therefore, we provide you with the following information:
A - Federterme, as the controller of the processing of your personal data, informs you about their use and your rights, so that you can consciously express your consent, where required, and exercise the rights provided by the General Data Protection Regulation (European Regulation 679/2016, hereinafter: The Regulation).
To best help you book your experience at the spa that suits you best, it turns out to be necessary to process some of your data, so it is inevitable for us to ask you to provide us with some information. This is mostly basic information, such as your name, contact information, any names of those traveling with you, and payment information. You may also choose to send us additional data related to your reservation (for example, your expected time of arrival).
In addition, we also collect data from the computer, phone, tablet, or other device you use to access our services. These include your IP address, browser, and language settings. We may also receive information about you through third parties or when we automatically collect other information.
The GDPR requires in each case that there is a legal basis for the processing of your data by us-as Data Controller. The legal basis for processing is:
- Obligation by law or regulation,
- Contract with data subject or performance of contract,
- Legitimate interest of the data controller or third party,
- Vital and urgent interest of the data subject,
- Explicit consent of the data subject,
- Performance of a task of public interest.
Below, in particular, we specify the meaning of the types of purposes:
- By law: that is, to fulfill obligations required by law, by a regulation, by the legislation of the European Union as well as by provisions issued by Authorities legitimized to do so by law or by competent Supervisory or Control Bodies (in this case, your consent is not necessary as the data processing is related to compliance with such obligations/dispositions). Among the data processed by law are those related to tax regulations or for anti-money laundering records.
- contractual and, more generally, administrative-accounting, i.e., to perform obligations arising from contracts to which you are a party or to fulfill, prior to the conclusion of the contract, your specific requests (in this case, your consent is not necessary, since the data processing is functional to the management of the relationship or the execution of the requests); purposes arising from the protection of mutual interests in court and for tax purposes or for other legal obligations such as, for example, the maintenance of anti-money laundering registers if applicable, also fall within these processing.
direct marketing: data processing activities aimed at providing you with information and sending you informative, commercial and advertising material (including by means of distance communication techniques such as, but not limited to, postal correspondence, telephone calls, telefaxes, electronic mail, SMS or MMS messages or other) about any products, services or initiatives of the company, to promote the same, to carry out direct sales actions. The processing of such data may be done by your optional consent or on the basis of the legitimate interest of the company where deemed and evaluated not to be in conflict with your rights.
Particular cases of data:
- 'Particular' data also called 'sensitive' data, i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data relating to a person's health or sex life or sexual orientation (Art. 9 of the regulation) or relating to criminal convictions and offenses or related security measures (art. 10 of the regulation). Such data may be processed only with your express written consent if one of the reasons indicated in Article 9 paragraph 2 and Art. 10 of the regulation exists. Consent is free and optional but denial of consent could go to prejudice the enjoyment of any services provided by the Owner for which it is essential to process this type of data.
- Consent to the processing of your data may be binding in order to conclude contracts with the Controller or third parties. They may be binding for the purpose of concluding contract only the data whose processing is indispensable in order to be able to conclude the contract itself, while Ella may freely give or withhold consent for non-essential data.
- If Ella is under the age of 18 and over the age of 14, your data will be processed with special care to confidentiality and in the limited timeframe necessary for the fulfillment of the services you requested from the Controller, excluding purposes other than those underlying the existing relationship between you and the Controller.
- If you are a parent or guardian of a minor under the age of 14, we inform you that the Controller undertakes to process the minor's data in full compliance with the regulation and, in particular, with the principles of confidentiality, lawfulness, minimization. This processing is done only for the purposes underlying the existing relationship between you and the Controller.
Several other parties are connected to the services offered by the Controller, in various ways and for various reasons. We therefore inform you that your data may be transferred or assigned to third parties (i.e., parties other than the Controller) to enable the fulfillment of contractual obligations. The main reason we share your data is to provide your chosen spa with all the information needed to complete your reservation.
We also rely on third parties to provide you with other services. These include financial institutions, advertising companies, and company employees. In certain cases, it is the law that requires us to share your data with government or other authorities.
B - METHODS OF DATA PROCESSING.
The processing of your data is carried out by means of manual tools and by means of manual/paper storage and by means of electronic and automated tools, in a manner strictly related to the purposes stated above.
The company adopts technical and organizational measures to prevent and limit the risk of loss, deterioration, subtraction of your data, and to ensure their recovery within a reasonable time in case of 'data breach'. Processing is carried out in such a way as to ensure the security, protection and confidentiality of your data. Within the company, your personal data may come to the attention of:
- Employees or associates of the company who have or hold by law or by statute roles that require activities involving the processing of customer data. Such personnel have been provided with appropriate training and instructions by the company to protect the storage, maintenance, updating and security and confidentiality of your data. Consent to the processing by such personnel is not required since it is inherent in the necessary arrangements required by law.
Outside the company, your data may be processed by:
- collaborators subject to a non-employee employment contract operating outside the facilities of the Holder
- commercial workers subject to a non-employee employment contract operating outside the facilities of the Holder
- consultants of any kind (lawyers, accountants or accountants, engineers, architects, labor consultants or other professionals registered or not registered in professional registers), who go to perform on behalf of the company technical, support tasks (in particular: legal services, IT services, shipping) and control.
- Third-party companies that collaborate with the owner in order to best offer the services you have requested. This is the case, by way of example, of spas to which your personal identification data will be transmitted to enable them to accompany you in the best way possible in the enjoyment of the services you have booked through the site made available by the Holder.
For the pursuit of the aforementioned purposes, the Holder may communicate or otherwise transmit your data to certain parties, including foreign parties, who will use the data received as independent co-controllers, except in the case where they have been designated by the company as "responsible" for the processing of their specific competence. It is your right to request and obtain the list of third parties to whom such data are transmitted.
- Public bodies or public administrations for the fulfillment of legal obligations
The data controller uses computer systems in co-ownership with third parties, who therefore become co-owners of the processing and the relationship with them is regulated by a special contractual agreement. It is possible that the data controller delegates the processing of your data to other sub-processors, who in turn are instructed on how to properly process the data.
Since the data you provide to us may consist of so-called 'special' data formerly called 'sensitive' data in accordance with Article 9 of the European Regulation, i.e., data relating to racial origin, health, sexual orientation or habits, political, trade union, religious or philosophical thought orientations, or criminal convictions (Article 10 of the Regulation), processing may take place with your prior written consent and for the purposes indicated in this processing form, except in cases of processing defined as lawful by the Regulation.
In the event that some of your personal data should consist of so-called 'biometric' data, such as fingerprints, hand, face or signature data collected by means of technological tools, you are assured that the same will be processed in accordance with the legal provisions in force subject to your consent - where necessary - and for the purposes indicated in this processing form.
Your data may be subject to transfer to a foreign country. If this occurs within the European Union, your data will be processed in the same way as in Italy. If it is transferred to countries outside the European Union, it will be processed respecting the rights provided for in your favor by the European Regulation. In the event that your data is transferred to a country outside the EU, it is possible that it will be processed by entities that guarantee compliance with the rights provided for in the European Regulation through voluntary adherence by them with general measures. The Transfer of the data will take place in any way through instruments that guarantee the protection of the data from intrusion by third parties.
Your data have been collected directly from you and therefore we provide you with the following information in this form where applicable: data of the data controller and representative; data of the data protection officer; purpose and legal basis of the processing; recipients of the data; intention to transfer data abroad; length of storage period or criteria for determining the length; right to access, rectification, deletion, objection to processing, portability; right to withdraw from processing if possible unless required by law; possibility to lodge complaints with the authority (Garante); whether the data are required for the performance of a contract, or by law and the consequences if consent is not given; the data are subject to profiling and the logic of profiling will be mapping preferences, behaviors, geographical origin, mode of use, dwell time, number of pages visited and any other commercially relevant behavior recorded by the user within the limits of the cookie policy and in full compliance with the principle of minimization; the existence of automatic decision-making processes and the data subject's right to have decisions made after human intervention.
Your data, among other purposes, will also be processed by the Data Controller for commercial purposes and, following your express consent, for subscription to the site's newsletter.
Your data will be kept by the Data Controller - with respect to the purposes envisaged - the time necessary for the performance of the relationship in place with you and to be able to ensure the mutual protection in court of rights as well as to comply with legal obligations including those of a fiscal nature. Data that are not necessary for the latter purposes will be removed within the maximum period provided for by the right to be forgotten, as indicated further on in this notice, or, at your request, even in a shorter time if it does not conflict with the rights of the Data Controller.
Data of the data subject that does not have to be retained due to specific legal obligation will be deleted within 10 years.
C - RIGHTS OF THE INTERESTED PARTY
You may, at any time, exercise the following rights expressly recognized by the Regulations:
You have the right to lodge a complaint at any time with the national authority (Data Protection Authority) if you believe that one of your rights has been violated;
You have the right to have your data always accurate and up-to-date and therefore you may at any time report or request that it be updated.
Ella has the right to revoke consent to the processing of data where this is not prevented by legal provision or the need to protect the holder's rights, including in court. In any case, the request for revocation gives rise to the right to restriction of processing.
Ella has the right to access your data processed by the Controller by means of a written request, including a computerized request. It is essential that Ella can provide us with proof of her identity. Ella is entitled to access free of charge for one time only, while you may be charged a fee for requests subsequent to the first. Ella has the right to obtain a response within thirty days of the request. Ella has the right to have her data in printable formats.
Ella has the right to have her data corrected and updated and may at any time request that it be updated and corrected where she verifies that the data in our possession is out of date or incorrect. In order to ensure that your data is up to date, please be sure to notify us of any useful changes.
You have the right to the deletion of data concerning you, provided that it is not data that the Data Controller must retain for specific legal obligations such as, for example, obligations arising from tax regulations, anti-money laundering or for the protection of the rights of the holder in litigation.
If you dispute the accuracy of your data, or the lawfulness of the processing, or the Holder's right to delete your data, or you object to the processing of your data and the Holder disputes your objection, you have the right to have your data retained but not processed except to the extent necessary to resolve the dispute over the data.
Whenever the Controller changes or deletes all or part of your data, Ella has the right to be informed of this and to object to the change and deletion.
Ella has the right to be able to transfer your data - stored and processed electronically - to another operator, within the limits indicated by the Regulations, and provided that it is technically feasible, in such a way that it can be easily read and acquired by third parties.
Ella has the right to object to the processing of your data, the use of data for direct marketing, profiling for public interest or for scientific or historical or statistical research purposes.
Ella has the right, at any time, to communicate your wish to stop receiving the Holder's newsletter.
The company may, under certain circumstances, process your data in order to communicate with you about commercial or informational or educational initiatives. In this case, your consent, if necessary, must be explicit and separate from other forms of consent and you may revoke your consent given for this purpose at any time.
Ella has the right to be consulted when evaluating security procedures for the processing and protection of your data.
D - INDICATION OF THE PERSONS INVOLVED IN THE PROCESSING
Your data may be processed by the following persons:
[owner] Federterme
[representative] Not applicable
[Internal Responsible Parties] appointed and registered
[RDP/DPO] Luca Rampazzo
E - METHODS FOR EXERCISEING YOUR RIGHTS
Your requests may be exercised by written communication to the company's address or by filling out the appropriate form found on the website.