INFORMATION STATEMENT PURSUANT TO ART. 13 EU Reg. 2016/679 AND CONSENT PURSUANT TO ART. 7 EU Reg. no. 2016/679
To the processing of personal information
VILLLEGGIANDO VIAGGI DI VILLAS IN MED, S.R.L., VAT 01735720474 , Registered office in Viale G. Matteotti, 68 – 50052 Certaldo (Firenze) / Italy, Head office in Piazza P. Luchetti, 8 – 53031 Casole d’Elsa (Siena) / Italy, in the person of the legal representative Maria Elena Sànchez Sànchez, (hereafter the “Data Controller”), in her capacity as the controller of data processing, hereby informs you that, pursuant to art. 13 of EU Regulation no. 2016/679 (hereafter the “GDPR”), your data will be processed according to the following modalities and for the following purposes:
1. Subject of the processing
The Data Controller shall process the personal identifying information (in particular, first and last name, tax code, company title or name, VAT number, e-mail, PEC (certified electronic mail), telephone number, IBAN and any information which could identify the person concerned (hereafter “personal data” or also “data”) communicated at the first processing.
2. Purposes of the data processing
The personal data of the person concerned shall be processed for the following Purposes:
- To stipulate rental contracts with the Data Controller through the booking procedure; to permit the correct execution of the various contractual obligations and the sending of notifications related to the pre-contractual and contractual relationship with the Data Controller;
- To send the data of the persons concerned to the external data processors appointed by the Data Controller corresponding to the categories of persons (natural or legal) listed in the data processing register;
- To permit registration on the website and to the newsletter;
- To fulfil the pre-contractual, contractual and fiscal obligations deriving from the relations in existence with the Data Controller;
- To fulfil the obligations required by law, by a regulation, by EC rules or by an order of an Authority;
- To prevent or discover fraudulent activities or damaging abuse carried out even by third parties;
- To exercise the rights of the Data Controller, for example the right to defense in court;
- To receive information regarding the marketing of the Data Controller’s catalogues; to permit the publication of catalogues; to carry out surveys regarding the satisfaction of the Data Controller’s clients and to send commercial communications related to the Data Controller’s services and products that are similar to those already used, except in the case of express dissent.
3. Method of data processing
The personal data processing shall be carried by means of the operations indicated in art. 4 no. 2 GDPR and, more precisely: the collection, recording, organization, storage, consultation, processing, alteration, selection, retrieval, comparison, use, combination, blocking, communication, erasure and destruction of the data. The personal data of the person concerned may be subjected to processing in a paper or electronic and/or automated form.
4. Duration of data processing
The Data Controller shall process the personal data of the person concerned for the amount of time necessary in order to fulfil the purposes set down in art 2. of this information statement and, in any case, for no longer than 10 years from the termination of the relationship and no more than 2 years from the collection of the personal data for the Marketing purposes as per art 2, point 8 of this information statement.
5. Access to data
Your data shall be accessible for the purposes stated in art. 2: – to the Data Controller’s employees and co-workers in their capacity as data processing officers and/or Processors, as well as to the DPO (Data Protection Officer), where appointed, to third party subjects (for example, providers involved in the management and maintenance of the website, suppliers, banks, professional offices, service cooperatives, etc.) that carry out outsourcing activities on behalf of the Data Controller in their capacity as external data processors.
6. Data storage and transferal
The management and storage of personal data shall take place on servers located within the European Union belonging to the Data Controller and/or to third party companies appointed and duly nominated as Data Processors. These servers are currently situated in Italy. The data shall not be transferred outside the European Union. It shall, in any case, remain understood that, where necessary, the Data Controller, shall have the right to move the location of the servers in Italy and/or the European Union and/or non-EU countries. In this case, the Data Controller hereby assures that the transfer of data outside the EU shall take place in compliance with the applicable provisions of the law by stipulating, where necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses envisaged by the European Commission.
7. Data communication
The Data Controller may communicate the data of the person concerned for the purposes of art. 2 to Supervisory Bodies, judicial authorities as well as all the other subjects for which notification is compulsory by law for carrying out the said purposes without your express consent (pursuant to art. xx GDPR). The data of the person concerned shall not be disseminated.
8. Rights of the person concerned
In your capacity as the person concerned, you have the rights set down in art. 15 GDPR and, more precisely, the rights to:
i. obtain confirmation as to whether or not personal data about you exists, even if it has not yet been recorded, and communication of the same in an intelligible form;
ii. Receive an indication:
a) of the origin of the personal data;
b) of the purposes and methods of processing;
c) of the logic applied in the case of processing carried out with the assistance of electronic instruments;
d) the identifying details of the data controller, of the data processors and of the representative designated pursuant to art. 3, paragraph 1, GDPR;
e) of the subjects or the categories of subjects to whom the personal data may be communicated or that may obtain knowledge of the same in their capacity as the designated representative within the territory of the State of the processors or officers;
a) the updating, rectification, or, where interested, the supplementation of the data;
b) the erasure, rendering anonymous or blocking of any data processed in violation of the law, including data which it is not necessary to store in relation to the purposes for which the data was collected or subsequently processed;
c) certification that the operations described in letters a) and b) have been brought to the attention, also with regard to their content, of those to whom the data has been communicated or disseminated, except for the cases in which this obligation is impossible or would involve a manifestly disproportionate effort with respect to the right protected;
iv. wholly or partially object to:
a) the processing of your personal data for legitimate reasons even though they are pertinent to the purpose of the collection;
b) the processing of your personal data for the purpose of sending advertising or direct sales material or for carrying out market research or for commercial communications using automated calling systems without the intervention of an operator, through email and/or by means of traditional marketing methods using the telephone and /or paper mail.
It shall be stated that the right to objection of the person concerned, set out in the previous point b), for the purposes of direct marketing using automated methods, shall be extended to traditional methods and that, in any case, the person concerned shall still have the possibility to exercise the right of objection, even only partially.
Therefore, the person concerned may decide to only receive communications via traditional methods or only automated communications or neither of the two types of communication. Where applicable, you shall also have the rights set down in articles 16-21 GDPR (Right to rectification, ‘right to be forgotten’, right to restriction of processing, right to data portability, right to object), as well as the right to complain to the Supervisory Authority.
9. Exercising of rights
You may exercise the rights described in articles 16-21 of the GDPR at any time by sending: – a registered letter with advice of receipt to VILLLEGGIANDO VIAGGI DI VILLAS IN MED, S.R.L., Viale G. Matteotti, 68 – 50052 Certaldo (Firenze) / Italy, for the attention of the Data Controller Mrs. Maria Elena Sànchez Sànchez Or – a PEC (certified e-mail) to firstname.lastname@example.org
10. Data controller, Processor and officers, Data Protection Officer
The Data Controller shall be Mrs. Maria Elena Sànchez Sànchez The updated list of the data processors and officers is held at the office of the Data Controller and can be consulted by submitting a request in writing.
11. Modifications to this information statement
This Information Statement, which consists of three pages, is subject to variation.
12. Right to withdraw consent
The Data Controller hereby states that, pursuant to art. 7, paragraph 3, GDPR, the person concerned may withdraw his/her consent at any time. The consequence of any refusal to consent to the processing of data with reference to the purposes envisaged in art. 2, points 1 and 2 shall be that the Data Controller cannot carry out its pre-contractual and contractual functions whereas any refusal to consent to the data processing with reference to the purposes set down in art. 2, point 8 shall produce no negative effects.