Dear user, in accordance with Article 12 and subsequent articles of the EU Regulation 2016/679 of the European Parliament and Council of the 27th April 2016 (General Data Protection Regulation, “Regulation” or “GDPR”), and in general in accordance with the principle of transparency foreseen in the same Regulation, we are to provide the following information on the processing of personal data (that is, any information concerning an identified or identifiable natural person: "interested party") made in connection with the browsing on the website www.suedtiroltranser.com or www.altoadigetransfer.com ("website") and on the related interaction by the user (it is noted that this statement does not therefore concern other websites that may be visited by the user through links on the website).
DATA CONTROLLER AND DATA PROTECTION OFFICER
The data controller (i.e. the person who determines the purpose and means of processing of personal data) is Silbernagl Srl., based in Castelrotto (BZ), Sciliar Street, 39/1 PEC: email@example.com, tel: +39 0471 706633. For contacts specifically relating to the protection of personal data, including the exercise of the rights, we indicate in particular the e-mail address: firstname.lastname@example.org to which you may address any requests.
BROWSING DATA OF THE USER
The IT systems and computer programs used for the operation of the website collect some personal data whose transmission is implied in the use of Internet communication protocols (e.g. the IP addresses or the domain names of computers used by users who connect to the website, the URI -Uniform resource Identifier- addresses of the requested resources, the time of the request, the method used to submit the request to the server, the dimension of the file obtained, the numerical code indicating the status of the response sent by the server (successful, error, etc.), and other parameters related to the operating system and the user's computing environment). Although the information is not collected in order to associate it to specific users, by their nature and through processing and association with further data held by third parties, such data may permit to identify users.
Such data shall only be used for statistical purposes, without associating them to any identifier of the users, to ensure the correct operation of the website and are deleted after processing. This data may also be used for the purposes of investigating liabilities in the event of information crimes committed against the website.
The legal basis of the processing is therefore the legitimate interest in the operation and security of the website.
DATA PROVIDED VOLUNTARILY BY THE USER
No personal information of the user is required for the website to be visited. However, any contact with the Controller, or the optional, explicit and spontaneous sending of messages, e-mail or traditional mail, to the contact details of the Controller indicated on the website entail the subsequent acquisition of the address, including e-mail of the sender or his/her telephone number, necessary to answer the requests, as well as any other personal data provided in the related communications. Such data will be processed in the sole purpose of following up on the user's request and may be communicated to third parties only if this is necessary for this purpose; they will be kept for the time strictly necessary to provide the person concerned with the answers to the requests made (purpose of response to users).
For the processing of the data for these purposes, the user's consent is not required, since the processing is necessary for the execution of a contract of which he/she is part or the execution of pre-contractual measures adopted at the request of the latter (art. 6, paragraph 1, lit. b) of the Regulation).
The user will be able to purchase the trip by entering the following booking information (contractual purpose): first name, last name, mobile phone number, e-mail, accommodation name, accommodation address, location and date of departure and arrival, method of payment.
For this purpose, there is no obligation to provide data in the pre-contractual phase, but the non-conferral or updating of the requested data may result in the impossibility of registering and/or making the purchase. The data other than those indicated as necessary are requested and possibly processed for a better use of the service. The legal basis of the processing for the "contractual purpose" is the fact that it is necessary: for the execution of the contract of which the person concerned is part or the pre-contractual measures adopted at his/her request; for the fulfilment of a legal obligation to which the Data Controller is subject.
The protection of rights finds instead legal basis in the relative legitimate interest of the Controller. Also falling within the legitimate interest of the Controller, in this case to the carrying out of his/her business activity, are those activities of data processing (insertion in the management software or in the address book, analysis of the turnover, internal checks on the quality of the service, etc.) that, while not configuring an obligation, are closely related to the performance of the contractual relationship.
The data will be kept for the duration of the contractual relationship, and, after its end – limited to the data at that point necessary – for the termination of the contractually assumed obligations and for the fulfilment of all possible legal requirements and for the requirements of protection also related to the contract or deriving from it. Ordinarily, the data are therefore stored 10 years from the purchase and the registration data are not retained once the user deactivates his/her profile.
The user will also be able to subscribe to our newsletter, through the special section of the website, to receive periodic information about our services (direct marketing purposes via newsletter); in this case, the processing of personal data for this purpose will be based on the consent of the user, which he/she can still withdraw at any time, and the lack of consent or non-conferral of data will not have any consequence on the possible contractual relationship. The subscription to the newsletter – unless the withdrawal of consent occurs earlier, which will result in the immediate deletion of the data – is maintained for 48 months from the conferral of consent or by the renewal of the same.
PROCESSING MODALITIES AND COMMUNICATION OF THE DATA
The processing of personal data will be done by personnel trained and authorized by the Controller with procedures, technical and information tools suitable to protect the confidentiality and security of the data. Personal data will not be disseminated. In the context of your activity and for the above-mentioned purposes, the Controller may make use of services rendered by third parties operating either as independent Controllers or on behalf of and in accordance with the instructions of the Controller, as Data Processors. These are partners that provide the Controller with transport or instrumental services (e.g. computer services for the operation of the website as well as for the email management). The user may request a complete and updated list of the appointed Data Processors by contacting one of the contacts listed below.
It is not intended to transfer personal data to non-EU countries or to International Organisations.
RIGHTS OF THE INTERESTED PARTIES
The GDPR gives the person concerned the exercise of the following rights with reference to the personal data concerning him/her (the summary description is indicative, the complete statement of the rights can be found in the Regulation, in particular in Artt. 15-22):
- Access to personal data (the concerned person will therefore have the right to have free information about the personal data held by the Controller and about the related processing, and to obtain a copy in an accessible format);
- Rectification of data (we will provide, on recommendation of the concerned person, the correction or integration of your data – which are not an expression of evaluative elements – incorrect or inaccurate, even if they have become so, because they have not been updated);
- Erasure (right to be forgotten) (for example, data are no longer needed with regard to the purposes for which they were collected or processed; they have been illegally processed; they must be deleted in order to fulfil a legal obligation; the concerned person has withdrawn the consent and there is no other legal basis for processing the data; the person objects to processing, if there are the conditions);
- Right to restrict processing (in certain cases – objecting the accuracy of the data, during the time required for verification; objecting the lawfulness of processing with opposition to the erasure; need of use for the rights of defence of the concerned person, while they are no longer useful for processing; if there is objection to processing, while the necessary verifications are carried out- the data will be stored in such a way in order to be able to be restored, but, in the meantime, they are not available to the Controller except in relation to the validity of the restriction request of the concerned person, or with the consent of the person or for the assessment, exercise or defence of a right in court or to protect the rights of another natural or legal persons or for reasons of relevant public interest of the Union or of a member State);
- Right to object to processing in full or in part for legitimate reasons (in certain circumstances the concerned person may however object to processing of his/her data, in particular, if the personal data is processed for direct marketing purposes, he/she have the right to object to processing at any time, including profiling to the extent that it is connected to such direct marketing); in this particular case, the sending of the newsletter takes place on the basis of the consent expressed by the person concerned and therefore the simple withdrawal of the consent by the latter will be sufficient to end the processing);
- Data portability (if processing is based on consent or on a contract and is carried out by automated means, on request, the concerned person will receive his/her personal data in a structured format, in common use and readable by an automatic device, and he/she may transmit them to another Controller, unimpeded by the Controller which has provided them and, if technically feasible, the concerned person can obtain that such transmission is made directly by the latter).
In addition, if the processing takes place by virtue of the consent expressed by the person concerned, he/she may withdraw the consent at any time without prejudice to the lawfulness of the processing provided before the withdrawal. The person concerned also has the right to complain to the supervisory authority (Garante per la protezione dei dati personali) if he/she considers that the processing about him/her infringes the requirements of the Regulation.