DESTINATION ITALIA S.p.A. – BOOKINGS

PERSONAL DATA PROCESSING POLICY

(pursuant to Article 13 of Regulation (EU) 2016/679)

Regulation (EU) 2016/679 (GDPR) establishes the right to protection of natural persons with regard to the processing of their data. In compliance with this legislation, with reference to the personal data you provide to us, Destination Italia S.p.A. informs you, pursuant to Articles 12 and 13 GDPR, that such processing will be based on principles of lawfulness, fairness, transparency and protection of their confidentiality and of your rights as laid down in Article 5 GDPR.

The “Data Controller” is Destination Italia S.p.A., with registered office in Milano, Galleria Sala dei Longobardi N.2, TIN/VAT: 09642040969.

You can contact the Controller at any time using the following contact methods:

Telephone: +39.070.51.34.89

Letter/Registered letter: Galleria Sala dei Longobardi N.2, Milano (20121)

Email: booking@charmingitaly.com

CONTACT DETAILS OF THE DATA PROTECTION OFFICER

In accordance with Article 37 GDPR, the “Controller” has appointed a Data Protection Officer (DPO).

DPO contact information: Lawyer Marco Paramucchi - Email: privacy@destinationitalia.com - marcoparamucchi@ordineavvocatiroma.org

PURPOSES OF THE PROCESSING FOR WHICH THE PERSONAL DATA ARE INTENDED AND THE LEGAL BASIS OF THE PROCESSING;

To make your reservations, you must go to https://www.charmingsardinia.com, where you can book tourist services from the products included in the database of Destination Italia S.p.A.. The data entered by filling out the relevant fields will be processed exclusively for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes. In particular, Destination Italia S.p.A. will process the personal data you provide exclusively for the following purposes:

1) Management of bookings, delivery of requested services and communications to third parties

- to process and execute the booking and provide the requested service;

- to communicate your data to third parties that perform functions necessary or appropriate for provision of the requested services;

- to perform administrative, accounting and tax procedures relating to the requested services;

- to store and keep on file the documents relating to the requested service.

The processing of your data for the above-mentioned purposes is necessary to enable booking of the services you requested and fulfilment of the controller’s legal obligations.

If you wish to sign up for our newsletter, Destination Italia S.p.A. will also process your personal data for the following purposes:

2) To send you targeted advertisements/newsletters

- to send you commercial information and offers, also from partner companies, matching your consumer preferences and habits, recorded by tracking your navigation on our website pages and accesses made by selecting offers sent by email; 

- to send you advertising and information materials and/or commercial communications, also interactive;

In order to send you targeted advertisements/newsletters your data may be communicated to third companies, even outside the territory of the European Union.

For the processing of your personal data for the purposes stated in point 2, your consent is required. You may give it by checking the appropriate box (“I have read the privacy policy [link]. I wish to receive targeted information and offers from Charming”), on the webpage containing the online form.

You may withdraw your consent at any time by contacting the Controller at the above addresses, or by cancelling the newsletter service in the manner set out above. However, the withdrawal of consent shall not affect the lawfulness of the processing based on consent before its withdrawal.

HOW YOUR PERSONAL DATA WILL BE PROCESSED AND PERIOD FOR WHICH IT WILL BE STORED

Your data will be processed in paper format or using IT procedures by duly authorised in-house staff. Such staff members will be given access to your personal information to the extent and insofar as it is necessary for performance of the data processing activities concerning you. Your data, especially those belonging to special categories, are processed separately from others’ data also through pseudonymisation or aggregation methods to prevent your easy and immediate identification. 

In addition, to ensure its confidentiality and integrity, the personal data you provide to us will be processed in a manner that ensures its appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

Destination Italia S.p.A. periodically reviews the tools used to process the data and the security measures put in place, and regularly updates such tools and measures; we check, also through duly authorised parties, that no personal data whose processing is not required or is no longer necessary is collected, processed, stored or retained; we check that the stored data is complete and accurate and is used only for its intended processing. 

Destination Italia S.p.A. warrants that any data which, also as a result of checks, is found to be excessive, irrelevant or unnecessary, will not be used for any purpose other than for possible filing, in accordance with the law, of the act or document containing such data. 

The data requested from you will be kept in a format permitting your identification for the minimum period required for achievement of the intended purposes, after which your data will be permanently and irreversibly erased or anonymised.

In particular, in relation to the above-mentioned purposes, your personal data will be kept according to the following criteria:

Categories	Duration	Main regulatory references
Candidates	maximum 12 months	art. 11 lett. e) of Legislative Decree 196/2003 and art. 5 lett. e) of Regulation (EU) 2016/679.
Employees	10 years	art. 43 of Presidential Decree 600/73; art. 2946 Civil Code on ordinary prescription; Title I, Chapter III, of Legislative Decree 81/08 and subsequent amendments.
Website users, clients, and suppliers	5 - 10 years	art. 2948 Civil Code, which provides for a 5-year prescription period for periodic payments; art. 2220 Civil Code, which requires the retention of accounting records for 10 years; art. 22 of Presidential Decree 29 September 1973, n.600.
Users or other subjects, for commercial and promotional purposes	In compliance with the terms prescribed by law for the type of activity and in any case until consent is revoked or the right to object is exercised	art. 23 of Legislative Decree 196/03; General Provision of 15/05/13; art. 21 Regulation (EU) 2016/679.

CANCELLING YOUR NEWSLETTER SUBSCRIPTION

If you would like to stop receiving targeted advertisements/newsletters from Destination Italia S.p.A., you can do so by sending us an email request and following the procedure described in our reply.

If you also wish to be permanently deleted from our archives, please send us a request at booking@charmingitaly.com

RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA

All your data will be kept at the registered office of the Controller and may be disclosed to other recipients for compliance with legal obligations under the applicable laws, while ensuring protection of all your rights.

Your data may be processed by duly authorised and trained mandated Parties, entrusted with the activities necessary to achieve the purposes.

Where necessary, for the stated purposes, some processing of your personal data may be also performed by third parties to which Destination Italia S.p.A. may entrust certain activities (or part thereof) necessary for provision of services you require. In this case, said third parties will operate as Processors. They may include: credit recovery firms, third-party billing firms, accounting, tax and other advisory firms, factoring companies, suppliers of IT services for administrative and booking management, content providers and CRM firms.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

Personal Data is mainly processed within the European Union. For some services, we use tools (including but not limited to online services offered by Google LLC., Hubspot Inc., Survey Monkey Inc. together with their respective European subsidiaries) of companies with registered offices in the United States of America in accordance with the standard clauses concerning the protection of the data subject's rights according to the GDPR. 

For the sake of better and more detailed information, please note that the email service referred to in the email addresses relating to the Platform is based on the email service made available by Gmail managed by Google LLC, headquartered in Mountain View, California, together with the European subsidiaries whose list is available here (hereinafter "Google"). 

If you do not wish to share your personal information and data through Google, please do not send this information and data to the aforementioned email address and agree with the Company on another method of sharing. 

The Company also makes use of the software services, in particular for the preparation of online information request forms, offered by www.hubspot.com, the company HubSpot Inc. (hereinafter, "HubSpot"), with registered office at 25 First Street, Cambridge, MA, USA, and affiliates.  Data collected through this service is processed in accordance with the guarantees set out in HubSpot's privacy policy (which also includes a complete list of its affiliated companies), available at this address. HubSpot declares that it complies with the principles established by the GDPR and the so-called Privacy Shield, the regulatory framework defined by the United States and the European Commission. It is currently on the list of companies covered by the Privacy Shield, available at this address.

For the preparation of specific satisfaction questionnaires (so-called customer feedback surveys), the Company makes use of the services offered by www.surveymonkey.com, of which the company SurveyMonkey Inc. (hereinafter "SurveyMonkey") with registered office in 1 Curiosity Way, San Mateo, California, and affiliates (the list of which is available at the following link: https://www.surveymonkey.com/mp/aboutus/office-locations/). Any data collected through this service will be processed in accordance with SurveyMonkey's privacy policy, which can be found at this address. For more information about SurveyMonkey's security safeguards for the processing of your personal data, you can view a summary document (a "White Paper") at this address. SurveyMonkey claims to comply with the principles set forth in the GDPR and the Privacy Shield, the regulatory framework established by the United States and the European Commission. SurveyMonkey is currently included in the list of companies covered by the Privacy Shield, available at this address.

OPTIONAL NATURE OF DATA PROVISION AND CONSEQUENCES OF REFUSAL TO PROVIDE DATA

Provision of your personal data for the purposes specified in paragraph 1) is optional but necessary to enable booking of the requested services. Should you fail to provide any of the information marked as required or provide incorrect information, we will be unable to provide you with the services you requested and to execute the contract. If, on the other hand, you do not provide any of the optional information, we will still be able to book the requested service for you.

Provision of your personal data for the purposes of point 2) is optional and is subject to your express and explicit consent. If you do not give your consent we will still process your requested booking, without any prejudice to you.

You should notify the Controller of any change to the data you provided, to ensure proper provision of the requested services, without prejudice to your right to rectification.

PROFILING ACTIVITIES 

With regard to user profiling and the sending of targeted advertisements/newsletters, Destination Italia S.p.A. wishes to inform you about the logics we use and the importance and expected consequences of this processing for you. In particular, when you register for our newsletter by filling in our online form or access our website by clicking an email message or a newsletter you received, website https://www.charmingsardinia.com, using cookies released by Hubspot Inc.’s marketing automation software, will track your interactions with the website and the information supplied by the browser, such as geographical area, IP address and repeated visits. In all other cases, when you don’t access by clicking on the newsletter or you don’t fill in the online form, the data will be processed in exclusively anonymous form.

RIGHTS OF THE DATA SUBJECT

In your capacity as data subject, you may exercise at any time your right of access (Article 15 GDPR), right to rectification (Article 16 GDPR), right to erasure, (Article 17 GDPR), right to restriction of processing (Article 18 GDPR), right to data portability (Article 20 GDPR) and your right to object (Article 21 GDPR) in the manner set out in the same articles, to which you are referred.

In particular, you, as data subject, have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling.

To exercise said rights, you may contact the Controller at the following email address: booking@charmingitaly.com. For any further information and communication on your data, you may contact the Controller using the above contacts. 

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes Regulation (EU) 2016/679.

RIGHTS OF THE DATA SUBJECT

Article 15 GDPR - Right of access by the data subject

1.  The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, any available information as to their source;

h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2.  Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3.  The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4.  The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.”

Article 16 GDPR - Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.”

Article 17 GDPR - Right to erasure (‘right to be forgotten’)

1.  The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2.  Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3.  Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) for the establishment, exercise or defence of legal claims.

Article 18 GDPR - Right to restriction of processing

1.  The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2.  Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3.  A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 20 GDPR - Right to data portability

1.  The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

b) the processing is carried out by automated means.

2.  In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3.  The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4.  The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Article 21 GDPR - Right to object

1.  The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2.  Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3.  Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4.  At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5.  In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6.  Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Article 22 GDPR - Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 

2. Paragraph 1 shall not apply if the decision: 

a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

c) is based on the data subject’s explicit consent.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. 

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.