PRIVACY POLICY

(Article 13 of EU Regulation 679/2016)

In compliance with Article 13 of EU Regulation 2016/679 (General Data Protection Regulation - "GDPR"), we provide information about the processing of personal data conducted through the website https://www.suedtirol.info/it (hereinafter "the Site") and the mobile application “Südtirol Guide” (hereinafter "APP").

1. Data Controller

IDM Südtirol-Alto Adige (VAT IT 02521490215), with its registered office at Piazza della Parrocchia n. 11, 39100, Bolzano. Email: privacy@idm-suedtirol.com (hereinafter “Controller”).

2. Data Protection Officer (DPO)

The Controller has appointed a Data Protection Officer who can be contacted at data-protection-officer@idm-suedtirol.com or by writing to Responsabile Protezione Dati, Piazza della Parrocchia 11, 39100 Bolzano.

3. Processed Data

The data processed includes:

- Connection IP address;
- Information about the device used;
- Location information;
- Pages visited;
- General data provided for the use of services.

Additionally, for registered users:

- Name, surname, postal address, email, date of birth, and phone number;
- Information related to bookings made or events purchased;
- Features used, including login/logout logs of the personal profile;
- Information on preferences and interests.

4. Purpose and Legal Basis of Processing

Personal data will be processed for the following purposes:

1. Registration of an account and profile creation;
2. Utilizing the features of the Site and APP;
3. Managing requests for assistance or information.

The legal basis for the purposes under (1) is Article 6(b) of the GDPR: the execution of a contract to which the data subject is a party or pre-contractual measures taken at their request. Providing data is not mandatory but is necessary to perform requested services. Failure to provide it will prevent the services from being rendered.

Personal data will also be processed to fulfill legal obligations to which the Controller is subject (pursuant to Article 6(c) of the GDPR).

Data may be processed to pursue the Controller's legitimate interests, provided such interests do not override the data subject’s fundamental rights and freedoms, particularly for fraud prevention or, to a strictly necessary extent, ensuring network and information security. The legal basis for these purposes is Article 6(f) of the GDPR.

For users who have made a booking and/or utilized services/activities offered, the data will be processed to send email communications related to:

- Suggestions for activities and experiences in the area of interest (e.g., near the accommodation where the user is staying);
- Offers and/or discounts for the user’s birthday;
- Feedback requests on the services/activities used.

The data subject can object to receiving these communications at any time using the unsubscribe feature in the emails or by contacting the Controller. The legal basis for these purposes is Article 6(f) of the GDPR: the Controller’s legitimate interest.

With the prior consent of the data subject, personal data will be processed to:

- Inform the user via email, SMS, MMS, and social media (e.g., Facebook, WhatsApp) about services, initiatives, and events promoted by the Controller;
- Subscribe to the newsletter, which can be unsubscribed from at any time;
- Analyze consumption, preferences, and tastes (even automated) to provide the user with information on services or initiatives aligned with their interests. Automated decision-making does not produce legal effects or similarly affect the data subject;
- Provide information about nearby places and services of interest.

The legal basis for these purposes is Article 6(a) of the GDPR: the data subject’s consent. Providing data is optional but necessary to pursue the stated purposes.

User data will also be used in aggregated and anonymized form for statistical analysis.

5. Processing Methods

Personal data will be processed with or without the aid of IT systems. The Controller ensures the logical and physical security and confidentiality of the processed data by implementing appropriate technical and organizational measures.

6. Data Retention

Personal data collected for the purposes outlined will be processed and stored for as long as necessary to achieve the purposes and in accordance with applicable legal prescription periods. Specifically:

- For profile creation and registration: until the profile is deleted;
- For booking-related services: for 10 years from the booking date;
- For marketing purposes: until consent is withdrawn;
- For profiling activities: until consent is withdrawn, but no longer than 18 months from collection or renewal of consent.

User location data is not stored by the Controller. Upon expiration of the retention period, data will be deleted or anonymized for statistical use.

7. Data Recipients

Personal data is accessible to:

- Employees and collaborators authorized by the Controller to process data;
- Business partners and service providers performing outsourced activities for the Controller. The list of processors is available upon request.
- Public authorities or third parties (e.g., law enforcement) exclusively to fulfill legal obligations.

Data will not be disseminated or disclosed where prohibited by law.

8. Data Transfers

No data transfers outside the EU or to international organizations are planned. If required for the Site or APP functionalities, the Controller will ensure compliance with GDPR Articles 44 and following, including adequacy decisions and standard contractual clauses approved by the European Commission.

9. Rights of the Data Subject

Pursuant to Articles 15-21 of the GDPR, the user has the right to:

- Access (Article 15): Confirm whether data is being processed and receive related information.
- Rectification (Article 16): Correct inaccurate or incomplete data without undue delay.
- Erasure (Article 17): Request deletion of data in specific cases.
- Restriction (Article 18): Request limited data processing in specific cases.
- Portability (Article 20): Receive personal data in a structured, commonly used format or have it transferred to another controller.
- Objection (Article 21): Object to data processing unless there are overriding legitimate grounds.

These rights can be exercised by contacting the Controller or DPO. Users can also file a complaint with the supervisory authority pursuant to Article 77 of the GDPR (https://www.garanteprivacy.it/).

This Privacy Policy is drafted in Italian. In case of discrepancies between translations, the Italian version prevails.

Updated on 16.09.2024