INFORMATION NOTE CONCERNING PROCESSING AND STORAGE OF PERSONAL DATA
EU Regulation 2016/679 governs the protection of natural persons and other subjects with regard to the processing of personal data. Pursuant to the aforementioned regulation, your personal data will be processed in accordance with the principles of correctness, lawfulness, transparency and protection of your privacy and rights. TURISMO85 SRL with Registered Office at Via Nazionale, 8/C- 33042 – Buttrio (UD), Tax Code and VAT ID number 01358730305 (hereinafter the “Data Controller”), in its capacity as data controller, pursuant to art. 13 of GDPR, hereby informs you as follows:
- Data Protection Officer
The Data Controller has appointed a Data Protection Officer who can be contacted by email at: firstname.lastname@example.org
- Data Processor:
In carrying out its activities, the Data Controller makes use of certain services provided by Danieli & Officine Meccaniche S.p.A. as Data Processor, with registered office at: Via Nazionale 41, 33042 Buttrio (UD).
- Processed Data:
The Data Controller will process the personal identification data (e.g. first name, surname, company name, address, telephone number, e-mail, bank and payment references), hereinafter referred to as “personal data”, provided by you as a natural or legal person, in connection with the conclusion of service contracts or quotations or mandates for the purchase of tourist services.
- Purposes of the processing:
The provision of your data is optional. However, in the absence of the data required for the purposes indicated in points l) to XI) (contractual and legal purposes), the requested service or part thereof cannot be performed and you will not be able to take advantage of the opportunities mentioned below:
l. organize a tourist package or facilitate the purchase of related tourist services;
ll. intermediation in the purchase of a tourist package organized by a third party or of individual tourist services provided by third-party suppliers (e.g. hoteliers; carriers);
lll. intermediation in the purchase of ancillary financial/insurance services and linked to tourist packages/services either concessional or purchased individually (medical and luggage insurance policies; cancellation; assistance to the traveller);
lV. perform the task of issuing visas;
V. perform the task of issuing ESTA authorizations;
VI. for registration to our website;
VII. fulfil pre-contractual, contractual and tax obligations arising from your existing employment relationships;
VIII. enter master data into the company’s computer databases;
IX. for accounting and invoicing;
X. comply with obligations provided by law, regulations, EU legislation or an order of the Authority
(such as anti-money laundering legislation);
Xl.exercise the rights of the Controller, such as the right of defence in court.
4.bis Additional purposes:
Processing for marketing purposes may only take place with your express consent:
– sending via SMS, e-mail, mail and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Controller and detection of the degree of satisfaction with the quality of services;
We would like to point out that if you are already our customer, we may send you commercial communications relating to the Controller’s services and products similar to those you have already used, unless you disagree. You may revoke your consent for the purposes set out in points 4 and 4bis at any time. If not revoked, the retention period will be ten (10) years.
- Special category data
Within the scope of the existing contract with you, specific requested services or special conditions of the same (e.g. in the case of disabled travellers or travellers observing particular dietary regimes, specific equipment of travel accommodations or particular conditions of transport services and/or catering services, as well as any other additional and ancillary services that may be requested) may entail the acquisition and processing of special category data. These are “personal data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist nature, as well as personal data disclosing health or sex life”.
The processing of such data is voluntary and is subject to the acquisition of a specific written consent. In the absence of such consent, T85 will not be able to provide the requested service. Therefore, if you need to receive specific services that may involve the acquisition and processing of special category data by T85, we invite you to contact our reservations staff to fulfil the necessary formalities.
- Processing methods
The processing of your personal data is carried out through the operations indicated in Article 4 no. 2) of GDPR: collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, restriction, deletion and destruction of data. Your personal data are subject to both paper and telephone and electronic and/or automated processing. The Data Controller shall process personal data for as long as necessary to fulfil the above-mentioned purposes and shall retain personal data for a period not exceeding the statutory limitation period to protect the rights of the Data Controller in the event of any disputes in connection with the provision of services and/or for tax purposes (10 years). After the above-mentioned retention periods have expired, the data will be destroyed, deleted or anonymized in accordance with the technical deletion and backup procedures.
- Access to data
Your data may be made accessible for the purposes of Art. 4. and 4bis):
– to employees and collaborators of the Data Controller or of the company Turismo85 srl in their capacity as persons in charge and/or internal data processors and/or system administrators;
– to third-party companies or other entities (by way of example, credit institutions, professional firms, consultants, insurance companies, airlines, shipping companies, chartering companies, etc.) that perform outsourcing activities on behalf of the Controller, in their capacity as external data processors.
- Data communication
Without the need for your express consent (Art. 6 letters b) and c) GDPR), the Data Controller may communicate your data for the purposes set out in Art. 2 to supervisory bodies (such as IVASS i.e. the Italian Institute for the Supervision of Insurance), judicial authorities, insurance companies for the provision of insurance services, as well as to those subjects to whom communication is obligatory by law for the fulfilment of the aforementioned purposes. These entities will process your data in their capacity as autonomous data controllers. Your data will not be disclosed.
- Transfer of data outside the European Union
Your personal data may be transferred abroad to third-party companies inside and outside the European Union, always for the purposes indicated above. In the case of data transfer to countries outside the European Union, these countries shall guarantee an adequate level of protection on the basis of a specific decision of the European Commission, or alternatively the recipient shall be contractually obliged to data protection with a level that is adequate and comparable to the protection provided by the GDPR.
- Data subject’s rights
As data subject, you have the rights set out in Articles 15-22 of the GDPR, namely the rights to:
l. obtain the confirmation of the existence or not of personal data that concern you, even if not yet registered, and their communication in legible form;
ll. obtain the indication of: a) origin of personal data; b) processing methods and purposes; c) logics applied in case of processing carried out by electronic instruments; d) identification details of the data controller, data processors and the designated representative pursuant to Article 3(1) GDPR; e) the subjects or subject categories to whom personal data can be communicated or who could get to know them as designated representative in the territory of the State, data processors or controllers.
III. obtain: a) the updating, rectification or, if interested therein, integration of data; b) the deletion, anonymization or blocking of the data processed in breach of the law, including data which do not need to be kept in relation to the purposes for which the data were collected or subsequently processed; c) certification to the effect that the operations as per letters a) and b) have been notified, also in relation to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
IV. object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning you, even if pertinent to the purpose of collection; b) to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, by means of automated calling systems without the intervention of an operator, by e-mail and/or by traditional marketing methods using the telephone and/or by post. It should be noted that the data subject’s right to object, as set out in point b) above, for the purposes of direct marketing by automated means extends to traditional marketing and that, in any event, the data subject’s right to object may still be exercised even in part. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications, or neither type of communication. Where applicable, you also have the rights set out in Articles 16-21 GDPR (Right to rectification, Right to be forgotten, Right to restriction of processing, Right to data portability, Right to object), as well as the right to complain to the Data Protection Authority (www.garanteprivacy.it ).
- How to exercise your rights
You may exercise your rights at any time by sending:
– a registered letter with return receipt to TURISMO85 SRL via Nazionale, 8/C- 33042- Buttrio-(UD).
– an e-mail to the following address: dataprotectionT85@turismo85.it;
– an e-mail to the DPO’s address: email@example.com .