POLICY AND REQUEST FOR CONSENT PURSUANT TO AND FOR THE PURPOSES OF ARTICLE 13 OF EU REGULATION NO. 2016/679 (GDPR) UPDATED WITH THE NEW GUIDELINES OF THE ITALIAN DATA PROTECTION AUTHORITY PUBLISHED IN THE OFFICIAL JOURNAL NO. 163/2021, EFFECTIVE FROM 10 JANUARY 2022, REGARDING THE PROCESSING OF PERSONAL DATA
This section describes the management procedures of the internet site www.palazzodellascala.com as regards the processing of personal data belonging to users who visit it. Data is processed in accordance with the criteria provided by European Data Protection Regulation 2016/679, updated with the new guidelines of the Italian Data Protection Authority published in the Official Journal no. 163/2021, and any other national legislation, measure or authorisation of the authorities concerned. According to the indicated regulation, data processing must be characterised by the principles of correctness, lawfulness and transparency and protection of your confidentiality and your rights.
This privacy notice refers only to our company's website, not to other websites that may be accessed by the user via links it contains.
This document aims to provide information on the manner, timing and nature of the information data controllers must provide to users when they land on web pages of this site, regardless of the purpose for landing on them, according to Italian and European legislation.
This notice is subject to change due to the introduction of new data protection provisions and users are asked to check this page regularly.
If the user is under 16 years of age, in accordance with Art. 8, paragraph 1 of EU Regulation 2016/679, his or her parents are required to provide consent instead.
1 - Data Controller
1. The Data Controller is the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and manner in which personal data are processed. The above also looks after security aspects.
2. With regard to this Internet site, the Data Controller is PALAZZO DELLA SCALA, with registered office in Via Gardesana, 54 37017 Lazise for any clarifications and to exercise the rights of users, you may send a message to the following email address email@example.com.
2 - Place of data processing
1. Processing related to this website's web-based services takes place at the above offices (see point on data controller), and is only handled by staff and/or duly appointed external personnel in charge of maintenance and update tasks. No data from the web service is communicated or shared.
2. The User's Personal Data could be transferred to another country. For more information on the place of processing the User can see the section containing details on Personal Data processing.
3 - Data retention period
Data are processed and kept for the time required for the purposes for which they were collected and for at most 10 years thereafter, unless deletion is requested in the manner described in point 4.
1. Personal Data collected for purposes connected to execution of a contract between the Data Controller and the User will be kept until execution of the contract has been completed.
2. Personal Data collected for purposes tied to the lawful interest of the Data Controller will be kept until that interest is satisfied. The User can obtain additional information on the lawful interest pursued by the Data Controller in the relevant sections of this document or by contacting the Data Controller.
When processing is based on the User's consent, the Data Controller can keep the Personal Data longer until consent is withdrawn. In addition, the Data Controller may be obligated to keep the Personal Data for a longer period of time for fulfilment of a legal obligation or by order of the authorities.
At the end of the storage period the Personal Data will be deleted. Upon expiry of this time limit the right to access the Data, their deletion, correction and the right to portability of the Data cannot be exercised.
4 - Processing Method
The Data Controller takes appropriate security measures to prevent unauthorised access, disclosure, alteration and destruction of the Personal Data.
Processing is carried out by using IT and/or screen-based instruments with organisational procedures and logics strictly related to the indicated purposes.
Apart from the Data Controller, in some cases some people involved in the company organisation (administrative, commercial, marketing and legal personnel, system administrators) may have access to the data, and/or external subjects (such as third party technical service providers, courier services, hosting providers, IT companies, communications agencies) appointed by the Data Controller as Data Processing Officers, if necessary.
You may ask the Data Controller for an updated list of Data Processing Officers.
5 - Purpose of data processing
Personal data provided by users by browsing the website or by submitting the contact form will be processed for the purposes of fulfilling the service requested.
Processing related to registration for receiving the newsletter is aimed at sending information and promotional material in relation to our initiatives and/or of subsidiaries and/or associated companies.
Users are free to cancel their subscription to the newsletter at any time by sending an email message to the address given on the site.
6 - Types of data processed
- Browsing data. During normal operation, computer systems and software procedures that serve to keep the website operational collect certain personal information, whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects but given its nature, it may allow users to be identified when processed and associated with data kept by third parties.
This category includes IP addresses or the domain names of computers used by users who connect to the site, addresses in URI (Uniform Resource Identifier) notation of requested resources, the time the request is made, the method used to submit the request to the server, the file size obtained in response, the numerical code indicating the response status from the server (successful, error, etc.) and other parameters related to the user's operating system and computer environment.
On this site, these data are only used in order to obtain anonymous statistical information about the site and verify its correct functioning. Personal information could be used for verifying responsibility in case of computer crimes committed at the expense of the site. For these data and, to a limited extent, for the above purposes it is not necessary to obtain consent.
- Data supplied voluntarily by the user. Voluntarily choosing to send email messages to the addresses given on this site and completing the form in certain sections with obligatory and optional fields, means that the sender's information and address, necessary for answering his request for services and/or information, have been collected. For these data and, to a limited extent, for the above purposes it is not necessary to obtain consent.
7 - Data subjects’ rights
Users have the rights set out in Articles 15 to 21 of EU Regulation 2016/679, updated with the new guidelines of the Italian data protection authority published in the Official Journal no. 163/2021, effective from 10 january 2022 (Right to correction, right to oblivion, right to restrict processing, right to portability of data, right to opposition). Specifically:
- The right to access: for obtaining confirmation as to whether there is any personal data about them and to obtain access to such data and certain information (e.g. purpose of processing, categories of data in question, the addressees the data will be disclosed to);
- The right to correction: to obtain correction of inaccurate personal data without unjustified delay. In such case the Data Controller is obligated to send the correction to all addressees the data was sent to, unless this involves a disproportionate effort;
- The right of erasure: to obtain the deletion of personal data without unjustified delay. The data controller must delete it in certain cases (for example, if the personal data is no longer necessary for the purposes for which it was collected; if the data subject withdraws consent; or if it must be deleted due to legal obligations) and notify all parties that the data was disclosed to of the deletion, except where this might involve disproportionate effort;
- The right to restrict processing: you can ask the Data Controller to restrict processing of your data, for instance to just saving them without any further use, in certain cases (for instance: if processing is unlawful and the data subject objects to deletion of the data; if the data subject claims they are inaccurate, limited to the period when inaccurate data was found). In such case the Data Controller is obligated to send the processing restriction request to all addressees the data was sent to, unless this involves a disproportionate effort;
- The right to portability of the data: to obtain return of personal data supplied and to send it to others or ask for it to be sent to another data controller, if technically feasible;
- The right to opposition: to oppose at any time processing for purposes of public interest or for lawful interest; for marketing purposes; for scientific, historical or statistical research.
Data subjects can make a complaint to the Italian Data Protection Authority if necessary or just contact it to obtain more information on exercising the rights granted by the regulations referred to above.