Privacy Policy

Privacy policy. Date of last update: 19 Novembre 2020 (11:48:02)

Pursuant to this privacy policy, in accordance to EU Regulation no. 679/2016 (herein after GDPR) and specific compatible national laws, Bagni Santo Stefano s.a.s. di Canneva Aurelia e c., with registered address in Lungomare Garassini, 17025 Loano, SV, Tax Code/Vat no. 01020060099 in quality of “Data Controller” (herein after “Controller”), informs on the methods and circumstances according to which he will process personal data and information conferred by visiting website bagnisantostefano.it , of which Bagni Santo Stefano s.a.s. di Canneva Aurelia e c. is the owner.

Type of data being processed

  1. Personal data

    The personal data processed by the Controller are the following: name, surname, date of birth, genre, telephone, home address, postal code, email address. For exhaustive information, see the specific section of this privacy policy.

  2. Browsing data

    These are information collected automatically by the Data Controller, through the Site, third party’s newsletters or applications. For example: data and time, IP addresses, URI (Uniform Resource Identifier) addresses, request time, method used to submit the request to the server, response size, numeric status code, in addition to browser and operating system, language and country.

  3. Cookies

    Cookies are small text files sent by the site to the user’s terminal (usually the browser), where they are stored and then re-transmitted to the site when the user logs in afterwards. A cookie cannot recall any other data from the user’s hard disc, nor transmit computer viruses or acquire email addresses. Each cookie is unique for the user’s web browser. Some cookie functions can be deferred to other technologies. In this document, the term ‘cookie’ refers to actual cookies and to all similar technologies. For further information on the use of cookies, see the Cookie Privacy document available on this Site.

Forms available on the site

Contact form –information request

One or more information request forms are available on the site, that the User can fill out to request information to the Data Controller. The conferred data are used only for the scope to provide the service to the User. The option to use the data for commercial, marketing scopes, etc. may be present in some request forms. The User will have the possibility to accept this option or not, without prejudicing the contact form function.

  1. Data required to execute the contract
    Upon User’s consent, data processing will take place for merely legal scopes linked to the specific service. For example, in case of information request, the data will be used only to respond to the User, providing the requested information. These data are necessary to execute the services set forth by the contract.
  2. Promotional, commercial and marketing scopes
    Upon User’s explicit consent, data will be processed with the scope to allow the Data Controller to send, on a regular basis, commercial notices, initiatives, discounts and offers related to the Data Controller or third parties. Those data input by the “Data Controller” on the Site may be object of processing, if obtained directly by the “Data Controller” or third subjects, in compliance with applicable laws. Nonetheless, the User’s data will not be disclosed and/or transferred to third subjects.

Data Controller, subjects appointed to process data and Data Processors

  1. Data Controller

    The Controller of the data conferred by users is the Data Controller, as defined in the preamble, in the person of his legal representative pro tempore.

  2. Subjects appointed to process data

    The subjects appointed by the Data Controller may become aware of your data as in charge to execute specific processing tasks which are related and instrumental to the supply of the service and/or further scopes allowed by the User.

  3. Data Processors

    In order to technically manage the above, the Data Controller has appointed the following subjects as external Data Processors:

    • Edinet S.r.l., Corso Italia, 66 Pietra Ligure SV

Processing methods

Personal data will be processed by means of manual or electronic tools, with methods strictly related to the above scopes and anyhow, in order to ensure security, protection and privacy of the same data. Moreover, it is further specified that personal data will be processed with methods that minimize risks of data destruction or loss, even accidental, non-authorised access or not allowed processing, in breach of collection scopes. In particular, when processing data, the Controller and Processors will resort to organisational, physical and logic measures suitable to ensure security and privacy, implementing any most suitable measure to ensure data classification, preservation and privacy. The personal data can be processed by employees, collaborators and consultants of the Data Controller, specifically appointed as persons in charge of processing, to execute specific operations that are necessary to attain the afore-cited scopes, under the direct authority and responsibility of the Data Processor and in compliance with the instructions imparted by the latter.

Data recipients

The data conferred by the User will NOT be transferred in any case to third subjects for scopes other than those for which they were specifically authorised. Without prejudice to the cases (e.g. security needs of the Public Safety Authority, etc.) specifically set forth by EU Regulation 679/2016).

Data preservation period

The User can object personal data processing at any time, by sending an email at the address indicated in section “Contact information of the Data Controller” of this privacy policy. In case of newsletters, the User will also have the possibility to opt out independently from the concerned list, using the link at the bottom of any email received from the afore-cited list. Some data may be preserved even after being erased. For example, data concerning consents, data that may be requested by the Authority to ascertain illicit activities, invoicing data or issued invoices. Should the transmission of notices be stipulated pursuant to a contract with the Data Controller, it will not be possible to erase the User’s data until the contract is concluded and/or until the parties exercise the withdrawal right, as set forth by applicable laws.

Transfer of data in extra-EU Countries

The Data Controller may resort to services offered by third companies, which will process your data as data processors, in accordance to the instructions imparted by the Data Controller. It may occur that some processing activities carried out by data processors take place outside the European Union, such as for example in USA. In these cases, the Data Controller relies on juridical measures to ensure suitable protection of your personal data (e.g. by requesting said counterparties to undersign Standard Contractual Clauses or to adapt to other specific security standards proposed or recommended by the European Union or Data Protection Authority).

User’s rights

In quality of data subject, you are recognised the following rights on the personal data collected and processed by the Data Controller as mentioned above:

  1. Access right

    Art 15: the User has the right to obtain confirmation from the Data Controller, of whether his personal data are being processed and in this case, obtain access to the personal data and following information: (i) processing scopes; (ii) categories of the personal data in object; (iii) recipients or categories of recipients to whom your personal data were or will be disclosed, in particular, if recipients of third parties or international organisations; (iv) if possible, the expected data preservation period or, if not possible, the criteria used to determined said period; (v) right to bring forward a claim before the control authority.

  2. Right of rectification, objection and erasure

    Art 16: The user is entitled to the right to obtain rectification of inaccurate personal data and, in view of the processing scopes, the right to obtain the integration of incomplete data, also providing integrative declarations. Moreover, you have the right to obtain erasure of your personal data, in view of one of the following reasons: (i) the personal data are no longer required in relation to the scopes for which they were collected or processed; (ii) the data are processed illegally; (iii) you revoked the consent pursuant to which the Data Controller had the right to process your data and there are no further legal grounds that allow the Data Controller to execute processing; (iv) you objected processing and there is no prevailing legitimate reasons; (v) personal data must be erased to fulfil a legal obligation. Nonetheless, the Data Controller is entitled to deny the abovementioned erasure rights if the right of freedom of expression and information prevails, or to fulfil a legal obligation or defend any of his rights in trial. You can object processing at any time, even for one of the processing scopes mentioned above.

  3. Right of erasure (“right to be forgotten”)

    Art. 17: the User has the right to obtain erasure of his personal data from the Data Controller, with no undue delay, and the Data Controller has the duty to erase the personal data with no undue delay, in case of any of the reasons set forth by art. 17 par.1 lett. a,b,c,d,e,f, par.2, par. 3 lett. a,b,c,d,e.

  4. Right to limit processing

    Art 18: the User has the right to request the Data Controller to limit processing: (i) for the time required by the Data Controller to verify the accuracy of said personal data of which you objected accuracy; (ii) in case of illicit processing of your personal data; (iii) when your data shall be processed to verify, exercise, defend a right in trial; (iv) for the time required to verify the prevalence of the legitimate reasons of the Data Controller in relation to your objection to process data.

  5. Data portability right

    Art 20: the User has the right to receive the personal data conferred to the Data Controller and processed by the latter based on consent, in a structured, common and legible format, and the right to transmit said data to another Data Controller indicated by the same, with no sort of impediment.

  6. Objection right

    Art.21: the User has the right to object the processing of his personal data at any time, for reasons related to his particular situation, pursuant to ar. 6, par. 1, lett. e or f, including profiling based on said provisions. If the personal data are processed for direct marketing scopes, the User has the right to object processing of his personal data for said scopes at any time, including profiling to the extent this is related to direct marketing. If you object processing for direct marketing scopes, the personal data will no longer be processed for said scopes.

Contact information of the Data Controller

The User can exercise his rights at any time, by sending a request to the Data Controller at email address info@bagnisantostefano.it