(Article 13 of Regulation (EU) 679/2016)
In compliance with Article 13 of Regulation (EU) 679/2016 (European Data Protection Regulation - hereinafter referred to as the “GDPR”), we provide information regarding the processing of personal data carried out through the website https://www.suedtirol.info/it (hereinafter referred to as the “Website”) and the mobile application called “Südtirol Guide” (hereinafter referred to as the “APP”).
IDM Südtirol-Alto Adige (VAT Number IT 02521490215), registered office at Piazza della Parrocchia 11 – 39100, Bolzano. E-mail: privacy@idm-suedtirol.com (hereinafter referred to as the “Controller”)
The Controller has appointed a data protection officer, who can be contacted by e-mail at data-protection-officer@idm-suedtirol.com, or by writing to Data Protection Officer, Piazza della Parrocchia 11, 39100 Bolzano.
The data to be processed are:
furthermore, for registered Users:
a) The personal data will be processed for the following purposes:
- account registration and profile creation;
- use of the Website and the APP functions;
- managing any requests for assistance or information.
The legal basis of the processing for the purposes referred to in letter a) is Article 6(b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The provision of data is not compulsory, but is a necessary requirement to perform the requested services. Failure to provide them therefore means that such requests cannot be fulfilled.
b) The personal data will also be processed to fulfil a legal obligation to which the Controller is subject (in accordance with Article 6(c) of the GDPR).
c) The data may be processed in pursuit of the legitimate interests of the Controller provided that the interests or the fundamental rights and freedoms of the data subject are not overridden, having regard to the reasonable expectations of the data subject based on his or her relationship with the Controller and in particular for the prevention of fraud or, to the extent strictly necessary and proportionate, to ensure network and information security.
The legal basis for the processing for the purposes referred to in letter c) is Article 6(f) of the GDPR.
d) With the prior consent of the Data Subjects, the personal data will be processed:
- to inform Users, by e-mail, SMS and MMS, of services, initiatives and events promoted by the Controller;
- to analyse, including by automated means, the Users consumption, tastes and preferences in order to provide them with information on services or initiatives in line with their interests. The automated decision-making process envisaged in the context of the processing of this data does not produce any legal effect for the data subjects and does not affect them in the same way;
- to provide the User with information regarding places and services of interest in the surrounding area.
The legal basis of the processing for the purposes referred to in letter d) is Article 6(a) of the GDPR: the Data Subjects have given consent to the processing of their data for one or more specific purposes. The provision of data is optional but is a necessary requirement to pursue the purposes indicated.
User data will also be used in aggregated and anonymised form for statistical analysis.
The personal data will be processed with or without the aid of computer systems. The Controller undertakes to guarantee the logical and physical security and confidentiality of the personal data processed, implementing all technical and organisational measures appropriate to the processing.
The personal data, collected for the purposes set out in point 4, will be processed and stored for as long as necessary to pursue the purposes for which they were collected and in any case within the statute of limitations laid down by law.
In particular, the data will be processed:
- for profile creation and registration purposes: until the profile is deleted;
- for booking service purposes: for 10 years from the booking date;
- for marketing purposes: until consent is revoked;
- for profiling purposes: until consent is revoked, but in any case no later than 18 months after consent has been collected or renewed.
The data relating to the User’s position are not archived by the Controller.
At the end of the storage period, the data will be deleted or anonymised for use for statistical purposes.
The personal data are accessible to:
i) employees and/or collaborators of the Controller in their capacity as persons authorised to process data;
ii) business partners and/or service providers who perform outsourcing activities on behalf of the Controller in their capacity as external processors carrying out activities related to, instrumental for or supporting those of the Controller. The list of the processors is available at the addresses given in point 1 of this policy.
The Controller may also disclose the Users data to third parties (Public Bodies, Police Forces or other public and private entities), solely for the purpose of fulfilling contractual, legal and/or Community law obligations. In any case, the data will not be disseminated, nor will data be disclosed where their dissemination is prohibited by law.
There are no transfers of data outside the EU or to international organisations. Should such transfers take place for the performance of the Website or the APP functions, the Controller will adopt all the appropriate safeguards provided for in Articles 44 et seq. of the GDPR, including the adequacy decisions and standard contractual clauses approved by the European Commission.
In compliance with the provisions of Articles 15 to 21 of the GDPR, Users, as Data Subjects, may exercise the rights indicated therein, and in particular
- Right of access (Article 15, GDPR). Obtain confirmation as to whether or not personal data concerning them are being processed and, if so, receive information relating, in particular, to: the purposes of the processing, the categories of personal data processed and the storage period, the recipients to whom the data may be disclosed.
- Right to rectification (Article 16, GDPR). Obtain from the controller without undue delay the rectification of inaccurate personal data and the completion of incomplete personal data.
- Right to erasure (Article 17, GDPR). Obtain from the controller the erasure of the personal data without undue delay, in the cases envisaged by the GDPR.
- Right to restriction (Article 18, GDPR). Obtain from the controller restriction of processing, in the cases envisaged by the GDPR.
- Right to portability (Article 20, GDPR). Receive the personal data provided to the Controller in a structured, commonly used and machine-readable format, as well as obtain that they be transmitted to another controller without hindrance, in the cases envisaged by the GDPR.
- Right to object (Article 21, GDPR). Object to the processing of personal data concerning them, unless there are legitimate grounds for the controller to continue the processing.
It is possible to exercise the aforementioned rights and to revoke the consent given by simply sending a request to the Controller or the DPO to the respective addresses indicated in point 1.
Users are also entitled to lodge a complaint with the supervisory authority in accordance with Article 77 of the GDPR (https://www.garanteprivacy.it/).
This policy is written in Italian. In the event of a conflict between translations into different languages, the Italian version will prevail.
Update of 16 March 2023
