Privacy Policy

This page has been automatically translated, the Italian version is the authoritative version.

Version No. 2.0 dated 08/04/2026

INFORMATION NOTICE PURSUANT TO ARTICLES 13 AND 14 OF EU REGULATION 679/2016

This notice describes how the personal data of users who browse or interact with the website https://discovervallidilanzo.it (hereinafter the “Website”) are processed.

This notice is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data.
This notice applies exclusively to the Website and does not apply to other websites that may be accessed via links on the Website.

1. JOINT DATA CONTROLLERS

Pursuant to Article 26 of Regulation (EU) 2016/679 (GDPR), the processing of personal data of Website Users is carried out under joint controllership by the following entities:

First Joint Controller: Unione Montana Comuni Valli di Lanzo, Ceronda e Casternone
Registered office: Fraz. Fè 2 – 10070 Ceres (TO) – Italy Tax Code: 92049610014 | VAT No.: 11510010017 Tel: +39 0123 53339 E-mail: segreteria@unionemontanavlcc.it PEC: unionemontana.vlcc.to@legalmail.it

Second Joint Controller: Unione Montana Alpi Graie
Registered office: Piazza V. Veneto, 2 – 10070 Viù (TO) – Italy Tax Code: 92050540019 Tel: +39 0123 696022 E-mail: amministrativo@unionealpigraie.it PEC: unionemontana.alpigraie@legalmail.it

The Joint Controllers have defined, through a specific internal agreement, their respective responsibilities regarding compliance with GDPR obligations, particularly with reference to the exercise of data subjects’ rights and the management of information obligations. The essential content of this agreement is made available to data subjects upon request by contacting either of the Joint Controllers. Regardless of the internal agreement, data subjects may exercise their rights with respect to each Joint Controller.
For the purposes of this notice, the Joint Controllers shall be collectively referred to as “Controllers” or “Controller”.

2. DATA PROCESSOR

The Website is managed by the Consorzio Operatori Turistici Valli di Lanzo, with registered office at Fraz. Fè 2 – 10070 Ceres (TO) – Italy, Tax Code and VAT No.: 08207460018, e-mail: info@discovervallidilanzo.it, appointed as Data Processor by both Joint Controllers pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR), under a specific appointment agreement.
The Consortium processes personal data on behalf of the Controllers, in accordance with their instructions and in compliance with appropriate technical and organizational security measures.

3. DATA PROTECTION OFFICER (DPO)

The Data Protection Officer (DPO) appointed by the Controllers is:

Attorney Gabriele BORGHI
E-mail: gabriele.borghi@baldiandpartners.it PEC: gabriele.borghi@ordineavvocatireggioemilia.it

4. DEFINITIONS

Pursuant to Article 4 of Regulation (EU) 2016/679 (GDPR):

  • “Personal Data”: any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
  • “Processing”: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure (Art. 4(2) GDPR).
  • “Data Subject” or “User”: the identified or identifiable natural person to whom the personal data relate.

5. PURPOSES AND LEGAL BASES OF PROCESSING

Users’ personal data are processed for the following purposes and on the basis of the corresponding legal grounds pursuant to Article 6 of Regulation (EU) 2016/679 (GDPR):

  1. Provision of services requested by the User (Art. 6(1)(b) GDPR) Processing necessary for the performance of pre-contractual or contractual measures taken at the request of the Data Subject, including: transmission of information and/or data to accommodation facilities and economic operators selected by the User for handling information and/or booking requests; subscription and management of the newsletter service; responses to information requests sent via contact forms or email.
  2. Security, technical functioning and statistical analysis of the Website (Art. 6(1)(f) GDPR) Processing necessary for the legitimate interest of the Controllers in ensuring the proper functioning, security, integrity, and availability of the Website, as well as in carrying out aggregated or anonymous statistical analyses of traffic and Website usage.
  3. Defense of rights in legal proceedings (Art. 6(1)(f) GDPR) Processing necessary for the legitimate interest of the Controllers in establishing, exercising, or defending a legal claim in judicial or administrative proceedings.
  4. Compliance with legal obligations (Art. 6(1)(c) GDPR) Processing necessary to comply with obligations established by EU law, laws, regulations, or orders of competent authorities.
  5. Processing based on consent For further processing not falling within the purposes listed above (e.g., sending optional promotional communications), the legal basis is the freely given, specific consent of the Data Subject, which may be withdrawn at any time pursuant to Article 7(3) GDPR, without affecting the lawfulness of processing carried out before withdrawal.

6. TYPES OF DATA PROCESSED

A. BROWSING DATA

The IT systems and software procedures used to operate the Website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This category includes: IP addresses or domain names of users’ devices, URI (Uniform Resource Identifier) addresses of requested resources, request time, HTTP method used, size of the response file, server status code, and other parameters relating to the user’s operating system and IT environment.
These data are used for anonymous and aggregated statistical purposes and to ensure the security and proper functioning of the Website. They are not retained for more than 30 days, unless required for investigations by judicial authorities.

B. DATA VOLUNTARILY PROVIDED BY THE USER

The voluntary sending of messages via contact forms on the Website, subscription to the newsletter, or requests for information to accommodation facilities results in the acquisition of the sender’s contact details, including: first name, last name, email address, phone number, and any other information voluntarily provided by the User. These data are processed exclusively to respond to requests or provide the requested services.

C. COOKIES AND OTHER TRACKING TOOLS

For detailed information on the types of cookies and tracking tools used by the Website, please refer to the Cookie Policy available in the dedicated section of the Website.

7. NATURE OF DATA PROVISION

The provision of browsing data is necessary for using the Website and occurs automatically. The provision of data required for specific services (newsletter, information requests, etc.) is optional but necessary for the provision of the requested service; without it, the service cannot be provided.
The provision of data for consent-based processing is optional and does not affect the use of the Website.

8. METHODS OF PROCESSING

Personal data are processed in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality, as set out in Article 5 of Regulation (EU) 2016/679 (GDPR), using electronic tools and, where necessary, paper-based means, adopting appropriate technical and organizational security measures to protect data from unauthorized access, loss, destruction, alteration, or unauthorized disclosure.

9. AUTOMATED DECISION-MAKING

No automated decision-making processes, including profiling, are carried out pursuant to Article 13(2)(f) of Regulation (EU) 2016/679 (GDPR).

10. DATA RECIPIENTS

Users’ personal data may be disclosed, strictly within the limits necessary to achieve the purposes indicated, to the following categories of recipients:

  • Entities processing data in compliance with legal obligations;
  • External consultants, IT service providers (including the Website hosting provider), credit institutions, and other service providers, appointed as Data Processors pursuant to Article 28 GDPR;
  • Employees and collaborators of the Controllers and the Manager, authorized to process data in the performance of their duties;
  • Judicial Authorities and Law Enforcement Agencies, where required by applicable law.

Data entered by the User for information or booking requests to accommodation facilities or other tourism operators are transmitted to such parties, who act as independent Data Controllers for purposes related to managing the request.

Personal data are not subject to indiscriminate dissemination.

11. TRANSFER OF DATA TO THIRD COUNTRIES

The Controllers may use IT service providers whose infrastructure is located outside the European Economic Area (EEA). In such cases, data transfers occur only where one of the following safeguards is in place: an adequacy decision by the European Commission pursuant to Article 45 GDPR or, in its absence, Standard Contractual Clauses adopted by the European Commission pursuant to Article 46 GDPR.

12. DATA RETENTION PERIOD

Personal data are retained for the time strictly necessary to achieve the purposes for which they were collected, and in any case within the following limits:

Type of data Retention period
Browsing data 30 days
Data for contractual and legal purposes Up to 10 years after termination of the relationship
Data processed based on consent (e.g., newsletter) Up to 2 years from collection or until consent is withdrawn

After these periods, the data are deleted or permanently anonymized, unless retention is required by law.

13. DATA SUBJECT RIGHTS

The Data Subject has the right to exercise, at any time and free of charge, the following rights provided by Regulation (EU) 2016/679 (GDPR):

  • Right of access (Art. 15 GDPR): obtain confirmation of whether personal data are being processed and access such data.
  • Right to rectification (Art. 16 GDPR): obtain correction of inaccurate data or completion of incomplete data.
  • Right to erasure (Art. 17 GDPR): obtain deletion of personal data where applicable.
  • Right to restriction of processing (Art. 18 GDPR): obtain restriction of processing in the cases provided by law.
  • Right to data portability (Art. 20 GDPR): receive data in a structured format for processing based on contract or consent.
  • Right to object (Art. 21 GDPR): object to processing where based on legitimate interest.
  • Right to withdraw consent (Art. 7(3) GDPR): withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

Requests to exercise these rights may be sent to each Joint Controller using the contact details indicated in paragraph 1, or to the DPO using the contact details indicated in paragraph 3. The Controllers will respond within one month of receiving the request, subject to extension in cases of particular complexity.
The Data Subject also has the right to lodge a complaint with the supervisory authority, the Italian Data Protection Authority: Piazza Venezia, 11 – 00187 Rome (RM) Website: https://www.garanteprivacy.it

14. UPDATES

This Privacy Policy is subject to periodic updates to reflect any regulatory or operational changes. Users are encouraged to regularly review this page to stay informed of the latest version. In the event of significant changes, the Controllers will provide notice via the Website.

Last updated: 08/04/2026

To personalize your experience on our website we use our own and third-party cookies (which do not depend on us and could lead to the profiling of the user’s choices). For additional info, including how to remove/refuse cookies, please see our privacy policy.