Privacy Policy

Version 1.0, dated 15 May 2025

PRIVACY NOTICE PURSUANT TO ARTICLES 13 AND 14 OF EU REGULATION 679/2016

This notice constitutes the Privacy Policy of the website https://discovervallidilanzo.it (hereinafter the “Website”) and is intended to provide information on how the personal data of users who visit or interact with it is processed.

This notice is provided in accordance with European Regulation 679/2016, concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data (hereinafter the “Regulation”), for users of Website services delivered via the internet.

This notice relates exclusively to the Website and does not apply to any other websites that may be accessible via links on the Website, for which the Lanzo, Ceronda and Casternone Valleys Mountain Union (hereinafter the “Data Controller”) bears no responsibility.

Article 4(1) of the Regulation defines “Personal Data” as any information relating to an identified or identifiable natural person (hereinafter the “Data Subject” or “User”).

“Processing” means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the Regulation). The Data Controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. In accordance with Articles 12 et seq. of the Regulation, the Data Subject must also be provided with appropriate information regarding the processing activities carried out by the Data Controller and the rights of Data Subjects.

1. Data Controller

The Data Controller is the Lanzo, Ceronda and Casternone Valleys Mountain Union, with registered office at Fraz. Fé 2, 10070 Ceres (TO), Tax Code 92049610014, Tel.: +39 0123 53339, Email: segreteria@unionemontanavlcc.it, Certified Email (PEC): unionemontana.vlcc.to@legalmail.it

2. Data Processor

The Website is managed by the Lanzo Valleys Tourist Operators Consortium, with registered office at Fraz. Fé 2, 10070 Ceres (TO), Tax Code 92049610014, Email: info@turismovallidilanzo.it, appointed as Data Processor by the Data Controller pursuant to Article 28 GDPR. The Data Processor processes personal data on behalf of the Data Controller in accordance with the terms set out in the appointment agreement.

3. Data Protection Officer

The Data Controller’s Data Protection Officer (DPO) is Avv. Gabriele Borghi, Email: gabriele.borghi@baldiandpartners.it, Certified Email (PEC): gabriele.borghi@ordineavvocatireggioemilia.it

4. Purposes and legal bases of processing

The Data Subject’s personal data will be processed for the following purposes and on the following legal bases:

a) To conclude and correctly perform the contract to which the Data Subject is a party, or to carry out pre-contractual measures taken at their request, for the information and/or services/products requested. This includes transmitting data to accommodation providers and commercial operators selected by the user so they can handle information and/or booking requests directly, as well as subscriptions to informational newsletters. The legal basis for the processing listed here is Article 6(1)(b) of EU Regulation 2016/679.

b) To respond to requests sent by the Data Subject by email and/or via the forms on the Website. The legal basis for the processing listed here is Article 6(1)(b) of EU Regulation 2016/679.

c) To enable and facilitate browsing of the Website, and to ensure an adequate level of security, integrity, and availability. The legal basis for this type of processing is the Data Controller’s legitimate interest, as provided for in Article 6(1)(f).

d) To manage the Website’s back-end infrastructure and carry out statistical analysis on aggregated or anonymous data, for the purpose of monitoring the proper functioning, traffic, usability, and interest of the Website. The legal basis for this type of processing is the Data Controller’s legitimate interest, as provided for in Article 6(1)(f).

e) To establish, exercise, or defend a right in legal proceedings. The legal basis for this type of processing is the Data Controller’s legitimate interest, as provided for in Article 6(1)(f).

f) To comply with obligations imposed by law, regulation, EU legislation, or an order of the relevant Authority. The legal basis for this type of processing is as provided for by Article 6(1)(c).

5. Types of personal data processed

The Data Controller processes identifying personal data collected during browsing of the Website or provided by the Data Subject in information requests or when subscribing to the newsletter.

In particular, the Data Controller processes the following types of data:

A. Browsing data

In the normal course of their operation, the computer systems and software procedures used to operate the Website collect certain personal data, the transmission of which is implicit in the use of internet communication protocols. This information is not collected in order to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified.

This category of data includes IP addresses or domain names of the computers used by users connecting to the Website, URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s response (successful, error, etc.) and other parameters relating to the user’s operating system and computing environment. These data are used solely for the purpose of obtaining anonymous statistical information about the use of the Website and to monitor its proper functioning, and are deleted immediately after processing. These data could be used to establish liability in the event of hypothetical offences against the Website.

B. Data provided by the Data Subject

The optional, explicit, and voluntary sending of messages to the Data Controller’s email address and/or the completion and submission of contact forms on the Website entails the acquisition of the sender’s contact details, necessary for a response, as well as any personal data included in the communications themselves.

This category of data includes:

– name, surname, email address, and any other information shared by the Data Subject when requesting information via the contact methods indicated on the Website;

– name, surname, and email address of the Data Subject, required for subscription to the newsletter;

– name, surname, email address, and telephone number of the Data Subject, for the purpose of their transmission, at the Data Subject’s request, to accommodation providers and other commercial operators selected in order to request information and/or handle booking requests directly.

C. Cookies and other tracking systems

For information on the types of cookies used on this Website, please refer to the relevant cookie policy.

6. Nature of data provision and consequences of refusal

Apart from what is specified for browsing data, Data Subjects are free to provide their personal data. The Data Subject is therefore free to provide their data for the purposes set out in this notice; however, any refusal to provide such data may make it impossible to use the services offered by the Data Controller through the Website. Providing data for processing that requires consent is optional, and failure to do so will not prevent the Data Subject from using the products/services offered by the Data Controller through the Website. Even where consent has been given, the Data Subject will, in any case, have the right to object, in whole or in part, to the processing of their personal data for the purposes set out above by simply making a request to the Data Controller at the contact details indicated above. In particular, consent to receive the newsletter may be withdrawn by clicking the “unsubscribe” link at the bottom of each newsletter received.

7. Processing methods

Personal data is processed for the purposes set out above in accordance with the principles of lawfulness, fairness, and transparency, and is collected and stored using tools, including electronic tools, in compliance with the confidentiality and security rules set out in current legislation. The Data Controller and the service providers it uses employ appropriate security, organisational, technical, and physical measures to ensure that personal data is processed in a manner that is adequate and consistent with the purposes for which it is managed, and to protect information from alteration, destruction, loss, theft, or improper or unlawful use.

8. Automated decision making

No automated decision-making process is in place, including for profiling purposes, pursuant to Article 13(2)(f) of EU Regulation 679/2016.

9. Data recipients

The categories of recipients who may become aware of your personal data during or following the performance of the contract are:

– parties that process data in fulfilment of specific legal obligations

– external consultants providing services related to the purposes indicated above, appointed in writing and given specific written instructions regarding the processing of personal data

– parties with whom interaction is necessary in order to carry out the services requested (e.g. hosting providers, credit institutions)

– parties necessary for the provision of services offered by the Website, including, by way of example, the sending of emails and the analysis of Website performance, who typically act as data processors on behalf of the Data Controller

– persons authorised by the Data Controller to process personal data necessary to carry out activities strictly related to the provision of the Services, who have committed to confidentiality or are subject to an appropriate legal obligation of confidentiality (e.g. employees and collaborators of the Data Controller)

– in general, all public and private parties to whom disclosure is necessary for the proper and complete fulfilment of the purposes indicated.

Users’ personal data may be disclosed to judicial authorities and law enforcement bodies only in cases provided for by law, and may be used by the Data Controller for the possible defence of its rights in legal proceedings, where strictly necessary.

As specified in point 4(a) of this Privacy Notice, data entered independently by the Data Subject into the forms provided for sending requests directly to accommodation providers and/or commercial operators listed on the Website is transmitted to those recipients independently selected by the Data Subject, who will process the data as independent Data Controllers.

An up-to-date list of data recipients may be requested from the Data Controller using the methods indicated in the section “Rights of the Data Subject” below.

10. Disclosure of data

Personal data will not be disseminated.

11. Place of processing and any transfer of data abroad

For the purposes indicated above, the Data Controller may use, including through its Data Processors, IT and telecommunications service companies that may store or route data in countries outside the European Economic Area. These service companies are selected based on their certifications and declarations regarding reliability, security, and compliance with national and European data protection legislation. In particular, in order to ensure an adequate level of protection of personal data, these companies may only carry out transfers to countries (or sectors thereof) that have been the subject of appropriate adequacy decisions adopted by the European Commission, or on the basis of Standard Contractual Clauses.

12. Data retention

As a general rule, personal data will be retained for the time strictly necessary to fulfil the purposes for which it was collected and processed, including the retention period required by applicable legislation and, in any event, for a maximum period of 10 years from the end of the relationship with the Data Controller, for a maximum period of 2 years for purposes requiring consent, and for a period of 30 days for browsing data, except where the Data Controller needs to defend a right in legal proceedings.

Cookie retention periods are set out in the relevant cookie policy.

13. Rights of the Data Subject

The Data Subject may exercise the following rights at any time:

– the right to request access to their personal data from the Data Controller, pursuant to Article 15 of EU Regulation 679/2016

– the right to request rectification of their personal data from the Data Controller, pursuant to Article 16 of EU Regulation 679/2016, provided this does not conflict with current data retention legislation

– the right to request erasure of their personal data from the Data Controller, pursuant to Article 17 of EU Regulation 679/2016, provided this does not conflict with current data retention legislation

– the right to request restriction of processing of their personal data from the Data Controller, pursuant to Article 18 of EU Regulation 679/2016

– the right to data portability, pursuant to Article 20 of EU Regulation 679/2016

– the right to object to processing, pursuant to Article 21 of EU Regulation 679/2016

– the right to withdraw consent to the processing of their personal data at any time without affecting the lawfulness of processing based on consent given prior to withdrawal, pursuant to Article 7(3) of EU Regulation 679/2016

– the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

In general, to exercise their rights, the Data Subject may contact the Data Controller by writing to the contact details indicated above. Before responding, the Data Controller may need to verify the Data Subject’s identity by requesting a copy of their identity document. A written response will be provided without undue delay and, in any event, no later than one month from receipt of the request.

If the Data Subject considers that the processing concerning them infringes the GDPR, they have the right to lodge a complaint with a supervisory authority. The supervisory authority may be that of the Member State in which the Data Subject habitually resides, or that of the place where the alleged infringement occurred. For Italy, the supervisory authority under current legislation is:

Garante per la protezione dei dati personali (Italian Data Protection Authority)

Address: Piazza Venezia 11, 00187 Rome

Telephone: +39 06 696771

Fax: +39 06 6967 3785

Email: garante@gpdp.it

Certified Email (PEC): protocollo@pec.gpdp.it

Website: https://www.garanteprivacy.it

14. Updates

This Website’s Privacy Policy is subject to updates; Data Subjects are therefore invited to check its content periodically.

To personalize your experience on our website we use our own and third-party cookies (which do not depend on us and could lead to the profiling of the user’s choices). For additional info, including how to remove/refuse cookies, please see our privacy policy.