INFORMATION ON THE PROCESSING OF PERSONAL DATA
(pursuant to art. 13 Regulation (EU) 2016/679)
Regulation (EU) 2016/679 (GDPR) provides for the right to protection of natural persons with regard to the processing of data. In compliance with this regulation, with reference to your personal data supplied to us, Pietreionne Farmhouse wishes to inform you in advance, pursuant to art. 12 and 13 GDPR, that such processing will be based on the principles of lawfulness, correctness, transparency and protection of your privacy and your rights as enshrined in art. 5 RGPD.
The “Data Controller” is the Company Pietreionne Agriturismo, with registered office in Ponte (BN), Via Pietreionne 3, CF/P.IVA: 01463360626.
At any time, you may contact the Data Controller through the following channels:
Phone: +39.377 4135119
Email: info@pietreionne.eu
CONTACT DETAILS OF THE DATA PROTECTION OFFICER
The “Data Controller”, in compliance with the provisions of Art. 37 GDPR, has appointed a Data Protection Officer (DPO).
Contact details of the DPO: info@pietreionne.eu
PURPOSES OF THE PROCESSING FOR WHICH THE PERSONAL DATA ARE INTENDED AND THE LEGAL BASIS OF THE PROCESSING;
At the time of booking, the user connects to the platform at https://pietreionne.eu , through which it is possible to request the booking of tourist services for the products registered in the database of the Pietreionne Agriturismo. The data entered by filling in the appropriate fields will be processed exclusively for specific, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with those purposes. In particular, Pietreionne Agriturismo will process your personal data collected exclusively for the following purposes:
1) Management of the booking and provision of the requested services and communication to third parties
- guarantee the finalization and execution of the reservation and for the provision of the requested service;
- communicate the data to third parties who perform functions necessary or instrumental to the provision of the requested Services;
- Administrative, accounting and tax management of practices relating to the services requested
- Storage and filing of the file relating to the requested service
The processing of your data for the purposes stated above is necessary to allow the booking of the services requested by the User, as well as to fulfill the legal obligations to which the Data Controller is subject.
In case of subscribing to the newsletter service by the user, Pietreionne Agriturismo will process your personal data collected also for the following purposes:
PROCESSING METHOD AND PERIOD OF STORAGE OF PERSONAL DATA
Data processing is carried out through paper supports or IT procedures by specifically authorized internal subjects. They are allowed access to your personal data to the extent and to the extent that it is necessary for the performance of the processing activities that concern you. Your data, especially those belonging to particular categories, are treated separately from the others also by means of pseudonymisation or aggregation methods that do not allow you to be identified easily and immediately.
Furthermore, to guarantee your / your confidentiality and the integrity of the personal information provided to us, your personal data will be processed in a manner that guarantees adequate security, including protection, by means of appropriate technical and organizational measures, from unauthorized processing or tort and accidental loss, destruction or damage.
Pietreionne Agriturismo periodically checks the tools by which the data are processed and the security measures envisaged for them, which it requires constant updating; verifies, also through the subjects authorized to the processing, that personal data which do not need to be processed or whose purposes are exhausted are not collected, processed, archived or stored; verifies that the data are kept with the guarantee of integrity and authenticity and of their use for the purposes of the treatments actually carried out.
Pietreionne Agriturismo guarantees that the data that, even following the verifications, are excessive or irrelevant or not essential will not be used except for the possible conservation, by law, of the deed or document containing them.
The data requested from you will be stored in a form that allows your identification for a period of time not exceeding the achievement of the purposes, after which your data will be permanently destroyed or made anonymous in a permanent and non-permanent way. reversible.
In particular, in relation to the purposes stated above, personal data will be stored according to the following criteria:
- for the purposes referred to in point 1) for a maximum time of 10 years or until the definition, with final judgment, of any judicial proceeding.
RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
Your data will be stored at the aforementioned registered office of the Data Controller and may be communicated to other recipients for the performance of the regulatory obligations, for this purpose, provided for and in order to be able to comply with the obligations imposed by the laws in force, without prejudice to the guarantee. to protect all your / your rights.
Your data may be processed by persons in charge, authorized and trained for this purpose, in charge of managing the activities necessary to achieve the purposes.
Where necessary, for the stated purposes, some processing of your personal data may also be carried out by external subjects to whom Pietreionne Agriturismo entrusts certain activities (or part of them) functional to the provision of the services requested by the customer. In this case, the same external subjects, who will operate as Data Processors, essentially included in the following categories: Credit recovery companies, Companies in charge of printing and sending invoices to customers, Consulting companies (in particular, accounting and tax), credit transfer companies, suppliers of technological services for administrative management and booking of tourist services as well as Content Provider and CRM.
OPTIONAL NATURE AND CONSEQUENCES OF THE REFUSAL OF DATA
The communication of personal data for the purposes referred to in point 1) is optional but necessary to allow the booking of the requested services. Any failure or incorrect communication by you of one of the information we need and marked as mandatory, will have as its main possible consequences the inability to use the services requested and follow up on the contractual relationship. Failure to provide information not marked as mandatory will have no consequence on the provision of the requested service booking.
It will be your responsibility to notify the Data Controller of any change in the data subjected to processing, in order to ensure correct use of the services requested, without prejudice to your right of rectification.
RIGHTS OF THE INTERESTED PARTY
As an interested party, you can exercise, at any time, the right of access (Article 15 of the GDPR), the right of rectification (Article 16 of the GDPR), the right to cancellation (Article 17 of the GDPR), the right of limitation of treatment (Article 18 of the GDPR), the right to data portability (Article 20 of the GDPR) and the right to object (Article 21 of the GDPR) with the methods indicated in the same articles, to which express reference is made.
In particular, the User has the right to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him, including profiling.
To exercise the aforementioned rights, the interested party may contact the Data Controller at the following email address: info@pietreionne.eu. For any further information and communication regarding their data, the interested party may contact the Data Controller through the communication channels indicated above.
RIGHT OF COMPLAINT TO THE SUPERVISORY AUTHORITY
Without prejudice to any other administrative or judicial appeal, the interested party who deems that the processing concerning him or her violates Regulation (EU) 2016/679 has the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he usually resides. , works or the place where the alleged violation occurred.
RIGHTS OF THE INTERESTED PARTY
Art. 15 RGPD – Right of access by the interested party
1. The interested party has the right to obtain from the data controller confirmation as to whether or not personal data concerning him is being processed and, in this case, to obtain access to personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data in question;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients of third countries or international organizations;
d) when possible, the retention period of the personal data envisaged or, if not possible, the criteria used to determine this period;
e) the existence of the right of the interested party to ask the data controller to correct or delete personal data or limit the processing of personal data concerning him or to oppose their treatment;
f) the right to lodge a complaint with a supervisory authority;
g) if the data are not collected from the data subject, all available information on their origin;
h) the existence of an automated decision-making process, including the profiling referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party.
2. If personal data are transferred to a third country or to an international organization, the interested party has the right to be informed of the existence of adequate guarantees pursuant to Article 46 relating to the transfer.
3. The data controller provides a copy of the personal data being processed. In case of further copies requested by the interested party, the data controller may charge a reasonable fee based on administrative costs. If the interested party submits the request by electronic means, and unless otherwise indicated by the interested party, the information is provided in a commonly used electronic format.
4. The right to obtain a copy referred to in paragraph 3 must not affect the rights and freedoms of others. “
Art. 16 RGPD – Right of rectification
The interested party has the right to obtain from the data controller the correction of inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete personal data, also by providing an additional declaration. “
Art. 17 GDPR – Right to erasure (“right to be forgotten”)
1. The data subject has the right to obtain from the data controller the cancellation of personal data concerning him without undue delay and the data controller is obliged to cancel the personal data without undue delay, if one of the following reasons exists:
a) the personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
b) the interested party revokes the consent on which the processing is based in accordance with Article 6, paragraph 1, letter a), or Article 9 (2), letter a), and if there is no other legal basis for the processing;
c) the interested party opposes the processing pursuant to Article 21, paragraph 1, and there is no legitimate overriding reason to proceed with the processing, or opposes the processing pursuant to Article 21, paragraph 2;
d) the personal data have been unlawfully processed;
e) personal data must be deleted to fulfill a legal obligation under Union law or the law of the Member State to which the data controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8, paragraph 1.
2. The data controller, if he has made personal data public and is obliged, pursuant to paragraph 1, to delete them, taking into account the available technology and implementation costs, he shall take reasonable measures, including technical ones, to inform the data controllers who are processing the personal data of the request of the interested party to delete any link, copy or reproduction of his personal data.
3. Paragraphs 1 and 2 do not apply to the extent that the processing is necessary:
a) to exercise the right to freedom of expression and information;
b) for the fulfillment of a legal obligation that requires the processing provided for by the law of the Union or of the Member State to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of public authority of which the data controller is invested;
c) for reasons of public interest in the field of public health in accordance with Article 9 (2) letters h) and i), and of article 9, paragraph 3;
d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of this treatment; or
e) for the assessment, exercise or defense of a right in court.
Art. 18 RGPD – Right to limitation of treatment
1. The interested party has the right to obtain from the data controller the limitation of the processing when one of the following hypotheses occurs:
a) the data subject disputes the accuracy of the personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
b) the processing is unlawful and the interested party opposes the cancellation of personal data and requests instead that its use be limited;
c) although the data controller no longer needs them for processing purposes, the personal data are necessary for the data subject to ascertain, exercise or defend a right in court;
d) the interested party opposed the processing pursuant to Article 21, paragraph 1, pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party.
2. If the processing is limited pursuant to paragraph 1, such personal data are processed, except for storage, only with the consent of the interested party or for the assessment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of significant public interest of the Union or of a Member State.
3. The interested party who has obtained the processing limitation pursuant to paragraph 1 is informed by the data controller before said limitation is revoked.
Art. 20 RGPD – Right to data portability
1. The interested party has the right to receive in a structured format, commonly used and readable by an automatic device, the personal data concerning him provided to a data controller and has the right to transmit such data to another data controller without impediments on the part of the data controller to whom he provided them if:
a) the processing is based on consent pursuant to article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), or on a contract pursuant to Article 6, paragraph 1, letter b); And
b) the processing is carried out by automated means.
2. In exercising their rights relating to data portability pursuant to paragraph 1, the interested party has the right to obtain the direct transmission of personal data from one data controller to another, if technically feasible.
3. The exercise of the right referred to in paragraph 1 of this article is without prejudice to article 17. This right does not apply to the processing necessary for the performance of a task in the public interest or connected to the exercise of public authority vested in the data controller.
4. The right referred to in paragraph 1 must not affect the rights and freedoms of others.
Art. 21 RGPD – Right to object
1. The interested party has the right to object at any time, for reasons connected to his particular situation, to the processing of personal data concerning him pursuant to Article 6, paragraph 1, letters e) or f), including profiling based on these provisions. The data controller refrains from further processing personal data unless he demonstrates the existence of compelling legitimate reasons for proceeding with the processing that prevail over the interests, rights and freedoms of the data subject or for ascertaining, exercising or the defense of a right in court.
2. If personal data are processed for direct marketing purposes, the interested party has the right to object at any time to the processing of personal data concerning him for these purposes, including profiling to the extent that it is connected to such marketing. direct.
3. If the interested party objects to the processing for direct marketing purposes, the personal data are no longer processed for these purposes.
4. The right referred to in paragraphs 1 and 2 is explicitly brought to the attention of the interested party and is presented clearly and separately from any other information at the latest at the time of the first communication with the interested party.
5. In the context of the use of information society services and without prejudice to Directive 2002/58 / EC, the interested party may exercise his right to object by automated means using specific techniques.
6. If personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89, paragraph 1, the interested party, for reasons connected to his particular situation, has the right to object to the processing of personal data concerning him, except if the processing is necessary for the performance of a task in the public interest.
Art. 22 RGPD – Automated decision-making process relating to natural persons, including profiling
- The interested party has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person in a similar way.
- Paragraph 1 does not apply if the decision:
a) it is necessary for the conclusion or execution of a contract between the data subject and a data controller;
b) is authorized by the law of the Union or of the Member State to which the data controller is subject, which also specifies adequate measures to protect the rights, freedoms and legitimate interests of the data subject;
c) is based on the explicit consent of the interested party.
- In the cases referred to in paragraph 2, letters a) and c), the data controller implements appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the data controller. , to express their opinion and to contest the decision.
- The decisions referred to in paragraph 2 are not based on the special categories of personal data referred to in Article 9 (1), unless Article 9 (2) (a) or (g) applies, and not adequate measures are in place to protect the rights, freedoms and legitimate interests of the data subject.