The Policy Privacy concerns only the above-mentioned website and not other websites that the user can visit by clicking the links.
Holder of personal data
The Holder of your personal data is the following:
• TERME SALUS s.r.l., via Marzia 2, 35031 Abano Terme (PD);
• telephone: 0498669056;
• email: firstname.lastname@example.org
Moreover, the role of independent holders can be taken by other partner websites that autonomously take part in the activities of data processing.
Data protection supervisor
For any issue relevant to the processing of your data and your rights deriving from the Regulations, you can contact the Data Protection Supervisor (DPS) as follows:
• certified email address: email@example.com
• telephone: 0498669056
The IT systems and the software procedures of this website acquire a few personal details that are later transmitted when internet communication protocols are used.
This information might be associated and processed with data held by third parties and they might consequently be used for identifying the users/visitors (for example, IP address, domain names of the computers used by the users/visitors that connect to the website, etc.).
This data is used for statistical information only and for checking the correct operations of the website.
The data from the website Contacts are not kept for more than 7 days except for investigating possible IT crimes against the website.
No data deriving from the website service will be communicated or diffused.
Data provided spontaneously by the users/ visitors
If the users/visitors, by connecting to this website, send their personal details to access specific services or send inquiries, they are aware that involves the Holder’s acquisition of the sender’s address and/or other personal details which will be processed only for answering the request or providing the service.
Personal details provided by the users/visitors will be communicated to third parties only if the communication is needed to fulfil the requests of the users/visitors or to comply with the regulations in force (i.e. for issuing invoices).
Data processing method
Processing is carried out by automatized instruments (i.e. by procedures and electronic supports) and/or manually (i.e. hard copies) for the time needed to achieve the targets for which data is collected in conformity with the regulations in force.
Purposes of data processing
Besides the purposes indicated in each information note that involves the completion of the forms, the purposes of the data holder’s processing are as follows:
• collecting, keeping and processing the data for managing the contractual relationship relevant to the supply of the service offered by the website;
• using the user’s personal data (i.e. email address) to give communication about the contractual relationship;
• processing the provided personal details and other data deriving from website navigation to provide a service that is consistent with the indications transmitted while the service is being used;
• collecting, keeping and processing the data for statistical analyses both anonymously and/or in an aggregate form;
• for carrying out business activities such as offering customized stays through newsletter services;
• for communicating commercial information about future initiatives, advertising new products or services;
• for marketing research, statistical and economic analyses;
• for sending advertising or promoting material.
Legal basis of the data processing
The Data Holder processes the User’s data if one of the following conditions occur:
• the User has authorized the processing for one or more specific aims. Note: in some countries, the law allows the Holder to process personal data without the user’s authorization, provided that the user does not opt out to this process. This does not apply to data processing ruled by the European law relevant to the protection of personal data;
• processing is needed to execute the contract with the User and/or to execute pre-contractual measures;
• processing is necessary to fulfil legal obligations the Holder is subject to;
• processing is needed to fulfil a task of public interest or for exerting the public powers the Holder is charged of;
• processing is needed to carry out the legitimate interest of the Holder or third parties.
However, it is always possible to ask the Holder for clarifications relevant to the legal basis of each processing and if the processing is based on the law, it is implied by a contract or it is needed to execute a contract.
Furthermore, the legal basis of processing the clients’ personal data by the Holder specified above consists of a signed contract with the concerned person; in the event there is no contract between the parties, the legal basis consists of the legitimate interest of the Holder to carry out free economic initiatives as given in article 41 of the Recital. Therefore, the legitimate interest of the Holder implies the possibility of processing the personal data to achieve a specific scope of the Holder or a third party to whom the data is communicated provided that the interests, rights or freedoms of the concerned person don’t prevail – regardless of the other specific hypothesis on the lawfulness given in art. 6 no. 1 of GDPR 2016/679.
By Recitals no. 47, the European law provides precise clarifications and motivations to justify the legitimate interest of the holder to process the data and considers the balance of the interests of the parties and the “reasonable expectations of the concerned person based on their relationships with the data processing holder” and all the consequences deriving from processing activities and relevant involved risks.
In the last paragraph of Recitals no. 47, it is written that “it is a legitimate interest to process the personal data for direct marketing purposes".
“Direct marketing” means that the commercial or marketing communication occur without any intermediate person: products and services are directly traded by the data processing holder also by means of interactive instruments.
Recalling articles 6 and 7 and Recitals no. 47 and 70 of the GDPR, it is possible to deduct a defined concept which is that, if there are justified legitimate interests and a proper information policy note, the “opt-out” mechanism is the rule in performing direct marketing purposes. It means that it is not necessary to ask the concerned person’s authorization for sending commercial communications. Despite this, at any time, the concerned person can refuse the processing operations for direct marketing purposes according to the right given in art. 21 of the GDPR.
For further purposes, a specific form will have to be filled out and considered as legally valid.
In a few cases, besides the holder, other responsible people and authorized subjects involved in the website organization (i.e. administrative, commercial, marketing, legal staff and system administrators) can access data. Furthermore, the Holder can use external subjects (such as providers of technical services, carriers, hosting provider, cloud service providers, IT companies, communication agencies) that might be appointed as external responsible people. The updated list of the responsible people can be asked to the data Processing Holder by sending an email to: SALUS@SALUSTERME.IT
Data transfer to a third country
For the website performances, the data Holder uses servers located in Italy and the data processed by the Holder will not be diffused to third countries.
The Users are entitled to get information relevant to the legal basis of the data transfer out of the European Community or to an internal organization of international public right set up by two or more countries, such as ONU for example, as well as getting information about the safety measures adopted by the Holder to protect the data.
Data processing place
The processing relevant to the web services of this website occur in the seat of the Holder and are treated by the technical personnel of the office in charge of the processing. If it is necessary, the data relevant to the newsletter service can be processed by the staff of the company that manages the Data Centre (i.e. they are responsible for the processing in accordance with Article no. 28 of the Regulations 2016/679/EU), in the seat of the company.
Time and place where data is kept
Data is processed for the time necessary to carry out the service required by the user and then it is destroyed by safe means such as devices to destroy hard copies and wiping for IT data.
• personal data is collected for executing a contract between the Holder and the User and it is kept until the execution of the contract is completed.
• personal data is collected for legitimate interest of the Holder and it is kept until this interest is met. The User can get further information about the Holder’s legitimate interest from the relevant section of this document or by contacting the Holder directly.
When processing is authorized by the User, the Holder can keep the personal data longer until the user’s consent is withdrawn. Moreover, the Holder might be obliged to keep the personal data for a longer period to fulfil legal obligations or to obey a public Authority’s order.
Data that can be provided spontaneously or compulsorily
Except for what is specified for the navigation data that are acquired automatically, the users/visitors are free to provide their personal details. If data is not provided, the required service might not be supplied
Rights of the concerned people
According to the GDPR, the subjects to whom the personal data refer are entitled at any moment to get the confirmation of the existence of this data and know its contents and origin, check its accuracy or ask for its integration, update or correction.
To exert the User’s rights, the Users can send a request to the Holder (see the contacts above). The requests are free and are met as soon as possible by the Holder and in any case within a month.
As concerns the processing of the personal data, the guest is entitled to obtain the following from the Holder:
• the confirmation of the existence of their data, their communication and knowledge of their origin as well as the logics the processing is based on;
• the cancellation, within a suitable time, of his data, its transformation in anonymous data or to have its data processing blocked if processing does not comply with the law;
• the updating of the data, its correction or completion;
• the proof that the operations of the items 2) and 3) have been performed and communicated to third parties provided that it is possible or reasonable.
Furthermore, the clients are entitled to have their data cancelled or corrected as well as to limit their processing.
The clients are entitled to withdraw the authorization relevant to the optional processing that is not relevant to the execution of the contract signed with the Holder.
Furthermore, the clients are entitled to oppose themselves for legitimate reasons to the processing of their personal data even if they meet the scope of the collection as well as to ask for their transferability, to exert the right to delete it, to ask for the intervention of the personal data protection Authority; in Italy, the personal protection Authority’s email address is firstname.lastname@example.org, fax n. 06 696773785, address Piazza di MonteCitorio 121, 00186 Roma (Italy).
The concerned persons that think the processing of their personal details carried out by this website infringes the regulations in force can claim with the Authority as given in art. 77 of the Regulations or address themselves to the proper courts (art. 79 of the Regulations).
Automized decisional processes
No decisional automatized processes are carried out on the collected aggregate data except for improving the website management.
Further information about the processing
Defence in court
The personal data of the user can be used by the Holder in a court of law or in the preparatory phases of a trial for defending themselves from the user’s fraud in using this Application or other Services.
The User declares that he is aware that the Holder might be obliged to disclose their personal details to comply with an order of a public authority.
System log in and maintenance
For needs relevant to the operation and maintenance, this Application and possible services of third parties might collect system logs that are files that record the interactions and can contain personal data such as the User’s IP address.
Information which is not contained in this policy
Further information relevant to the processing of Personal details can be asked to the Holder at any time.
If the modification needs the user’s authorization, the Holder will ask for the user’s authorization again.