Scopes and principles of data processing. In fulfilment of the legal obligations on this matter, this page describes how to manage the website in relation to the processing of personal data of users browsing it and interacting with web services that are accessible through telematic means starting from the address: www.th-resorts.com.
We inform you that HOTELTURIST will use your personal data to manage access to the portal and to the services that are included, manage technical matters, perform all the necessary or useful activities for the constant improvement of the service provided, and to assess responsibility in case of criminal actions against the Website and/or illegal doings through the Website. Specific additional scopes related to individual processing can be identified in detail, through additional information, within the various services included in the portal.
Website consultation can entail the processing of data relating to identified or identifiable persons. The personal data provided by users consulting the Website are processed by the recipient of the communication in order to process the requests that have been received.
Index of the topics (you can browse them by positioning the mouse on the list and clicking on the relative text)
– Type of data
– Scope and duration of the processing
Logics and forms of processing organisation
The logics and forms of processing organisation are strictly related to the individual scopes indicated above respectively. Processing takes place electronically, and/or in papery form. During processing the data are subjected to protection measures activated by HOTELTURIST to guarantee the data against the risk of authorised access or unauthorised processing. For example, personal data managed at a computerised level, can be consulted only by accessing the various processing or data entry programs, by entering mandatory personal passwords only by the staff authorised by HOTELTURIST that must, however, abide by predetermined limits of use.
– Mandatory and optional data communication and consequences of not providing data
Are there any cases of simplified consent or exemptions from the obligation of consent for direct marketing scopes?
Are there any cases of simplified consent or exemptions from the obligation of consent for direct marketing scopes?
As permitted by current legislation and for the fulfilment of the privacy obligations by HOTELTURIST in compliance with the principles of simplification (as per the General Provision by the Privacy Guarantor dated 15.05.2013 – “Consent to the processing of personal data for “direct marketing” scopes through traditional and automated contact means”), the consent requested by HOTELTURIST concerning the secondary purposes of profiling and direct marketing is unitary and general for all the possible means used for processing for marketing purposes (electronic/telematic, paper), as well as for all possible direct marketing scopes (i.e. without multiplying the formulas of consent for each distinct marketing scope that is pursued).
Note: HOTELTURIST can process personal data, through the use of phone calls with an operator and the use of postal mail, for the aforesaid secondary purposes, without the specific consent of the data subject (in this case, with the right for the subject to oppose to the processing by simplified procedures and also by telematic means by registering the telephone number, of which the data subject is the holder and other personal data relating to subscribers of printed and electronic directories available to the public, in the Public Register of Oppositions (http : //www.registrodelleopposizioni.it/) provided by Decree 178/2010 of the President of the Republic).
In the event that HOTELTURIST requests – for direct marketing purposes – that you communicate your telephone number and you have agreed to the optional and specific consent to its use, HOTELTURIST can use it even if the user is registered with the Public Register of Oppositions because in this case you communicated the number and it was not taken from public telephone directories.
We also point out that the Privacy Code allows the so-called “soft spam”. This means that without need for your express consent, we can use the e-mail address you gave us upon a previous purchase, to proceed with marketing communications and sales offers via e-mail, provided they are for products and services that are similar to those already purchased by you.
Upon receipt of any communication and/or promotional e-mail by HOTELTURIST for the scopes already provided, you are informed on the possibility of opposing to the processing at any time easily and free of charge (just by notifying your opt-out choice through our online platform).
Does the data subject’s consent to processing for profiling and direct marketing scopes apply to the communication of data to third parties as well?
Does the data subject’s consent to processing for profiling and direct marketing scopes apply to the communication of data to third parties as well?
HOTELTURIST communicates some data to other companies belonging to the HOTELTURIST Group or to third parties that upon agreement and being “data processors” are delegated to process data (for example, transmit commercial communications) on behalf of HOTELTURIST based on the same specific marketing consent (including communication to third parties for such purposes) you already provided in favour of HOTELTURIST.
HOTELTURIST can also, only with your further, separate, additional, documented, optional consent operate the communication or transfer of data to third parties that treat them as co-controllers or independent data controllers (as a rule these are third parties in the promotion of Events), that use them for direct marketing or profiling purposes).
Withdrawal of the consent
Even after giving your consent to the data processing for the scope of profiling and direct marketing, as a data subject, you can notify HOTELTURIST on a different will at any time, through one of the following alternative methods:
- clicking on the “unsubscribe” button, available to the user at the bottom of the promotional emails sent to the data subject, an email will be automatically sent to HOTELTURIST and consequently the name of the registered subject, in a special blacklist, preventing further future direct marketing actions by HOTELTURIST towards them;
- transmitting your declaration of revocation of consent (in this case it is manually registered in the Company’s CRM) to HOTELTURIST. This type of communication is always necessary if the data subject wants to express a more analytical, selective will, with regard to using specific individual means and not others for the reception (e.g. only paper, only electronic means, refusing those sent through automated systems, etc.), with prior consent, of marketing communications from HOTELTURIST, with regard to individual marketing scopes among those that are actually possible (choosing for example to receive only newsletters and not sent to our Events);
- sending a clear telephone communication without any formality revoking the consent to HOTELTURIST. Upon receiving this opt-out request, HOTELTURIST will proceed to the removal and deletion of data from the databases used for processing for direct marketing scopes and, where possible, will inform any third parties to whom the data has been communicated for the same scopes on this cancellation.
Just by receiving the cancellation request it will automatically be validated as a confirmation of cancellation.
- In case you want to revoke the consent to any advertising messages that come from social channels (e.g. Facebook, Twitter, etc.), you will have to communicate the revocation to the single social platform directly, according to the methods available from time to time by these and/or by the browser you use (as HOTELTURIST is not technically able to act on third-party social platforms for this scope).
The aforementioned opposition will not have any consequence on providing any contractual operation that is in progress.
Communication of data to third parties
Within the scope of the primary purposes and no prejudice to the communication to third parties made in execution of legal obligations or deriving from regulations or other community legislation, or upon request of judicial offices or other third parties to which the faculty is acknowledged by the aforementioned provisions, data are communicated by us to all the subjects for whom processing is reasonably necessary based on the performances requested by the data subject and/or by regulatory obligations, merely by way of a non-exhaustive example:
- banks and credit institutions, or electronic money institutes for the management of payments;
- insurance companies (in the case of accidents related to your stay, your family’s stay or that of accompanying persons) involving our responsibility;
- debt collection companies, factoring companies, leasing companies, insurance companies or credit transfer companies, credit consortia (for the sole scope of protecting credit and improving the management of our rights relating to the individual business relationship);
- commercial information companies;
- professionals and professional firms (lawyers, chartered accountants, directors, members of supervisory bodies 231, and auditors;
- subjects that provide web hosting services and/or maintenance and/or computer assistance in relation to our systems and databases and IT services;
- suppliers (e.g. travel agents, tour operators, airlines, hotels, tour guides, escorts, entertainers, photographers, car rentals, carriers, couriers, and so on) and subcontractors that provide tourist services to you or us for which knowledge of your data is needed;
- other companies, bodies and/or natural persons that carry out activities that are instrumental, that support or functional to the execution of the contracts or services you request;
- other companies of the HT Resorts Group (parent companies, subsidiaries or affiliated companies) or affiliated to the TH Resorts brand operating in the tourism/hotel sector;
- in the case of direct marketing and/or profiling scopes, marketing consultants, advertising, communication and public relations agencies, companies in charge of the design, printing and maintenance of advertising or promotional editorial materials and/or their online management, companied for the production or management of websites, web marketing companies, direct emailing companies (e.g. Mail-up or similar), call centre company with registered offices and operational centres in Italy, consultants and/or other entities to whom we assign functional activities for these scopes; third commercial partners that activates co-marketing with HOTELTURIST.
To make a payment on the website, you can use the online service by a third-party provider. The user, to complete the purchase, must enter the required data on the screen display of interest (e.g. credit card, expiry, security code, etc.). These data will be processed by the provider – as an independent Data Controller – without going through the HOTELTURIST server, that will receive only the order code that is issued and the notification of the payment.
In the sole case of processing for secondary purposes (profiling, direct marketing), pursuant to the General Provision of the Guarantor of July 4, 2013 containing the “Guidelines to contrast spam” we inform you that we will also communicate data – upon specific prior consent by you, specified hereunder – even to the following third party merchandise or economic categories: marketing consultants, advertising, communication and public relations agencies, companies in charge of the design, printing and maintenance of advertising or promotional editorial materials and/or their online management, companied for the production or management of websites, web marketing companies, direct emailing companies (e.g. Mail-up or similar), call centre company with registered offices and operational centres in Italy, consultants and/or other entities to whom we assign functional activities for these scopes; third commercial partners that activates co-marketing with HOTELTURIST.
We have appointed in writing, as external managers, the categories of third-party recipients to whom we communicate data, unless if they take the role of independent data controller by virtue of the decision-making sphere reserved to them for the scopes and/or means of the processing.
The data will also be processed by our in-house employees belonging to the functional areas that manage the reservation and management of the services you have purchased (administration offices, commercial, IT, customer care, logistics).
The data will not be disclosed.
Transfer of data abroad
The data can be transferred outside the EU by the data controller, for the primary scopes as indicated above (and provided that the chosen destination is to these countries), to:
- Foreign countries for which there is an Adequacy Decision by the EU Commission pursuant to Art. 45 of the GDPR and/or suited guarantees pursuant to Art. 46 of the GDPR, specifically: – Andorra – Argentina – Australia – PNR – Canada, Faroer – Guernsey – Isle of Man – Israel – Jersey – New Zealand – Switzerland – Uruguay;
- other non-EU countries for which there is no Adequacy Decision by the EU Commission pursuant to Art. 45 GDPR or Art 46 GDPR; in this case it should be said that it is excessively burdensome for the data controller to stipulate written agreements with foreign third-party importers to oblige them to comply with technical and organisational data protection measures and other measures to manage them in compliance with the GDPR, the customer cannot exercise the rights or use the resourcing means provided by the GDPR neither towards the data controller or the data controllers nor directly to the third recipients (such as: hoteliers, local carriers, local insurance companies, etc.) since this obligation to process and/or store data according to EU standards is not required by the laws of the country of the data importer; nevertheless, when the chosen destination is to these countries, the transfer HOTELTURIST makes is lawful, even without the express consent of the client, because it is necessary for the execution of a contract stipulated between the client and HOTELTURIST, the data controller or execution of pre-contractual measures adopted at the request of the data subject; or necessary to complete or execute a contract between HOTELTURIST, the data controller, and another natural or legal person (that could be a supplier or foreign partner of HOTELTURIST) in favour of the data subject.
Legal basis of the processing
Legal basis of the processing. HOTELTURIST can lawfully process data for the following reasons:
- Processing is necessary in the case of primary scopes, as the case may be, for the execution of pre-contractual measures taken upon request of the data subject (e.g. requests for clarification, sending of information or commercial offers), upon stipulation and execution of a contract of which the data subject is a party, or to fulfil a legal obligation for HOTELTURIST and/or to pursue the legitimate interest of HOTELTURIST (prevailing over the interests or rights and fundamental freedoms of the data subject) to process the data to manage the relationship with its users, customers and/or suppliers in an efficient way and organise the internal and external production and management processes necessary for the scope. Besides, there is the legitimate interest of the HOTELTURIST suppliers and partners to receive personal data from HOTELTURIST and process it to manage the activities connected to the request by HOTELTURIST to receive support to manage the activities towards the data subjects and for scopes of verifying the correct fulfilment by HOTELTURIST of the legal and contractual obligations towards the interested party and/or third parties (e.g. verification by the Public Authority of the fulfilment of tax obligations, verification by the Statutory Auditors or Auditors on the fulfilment of legal obligations, etc.).
- In the case of secondary scopes (profiling, direct marketing) the processing is based on the legitimate interest of HOTELTURIST to promote its products and/or services to customers using off-line and on-line methods (e.g. sending so-called soft spam or commercial communications through public telephone numbers). and, alternatively, with the consent of the data subject that has not been revoked.
What are cookies and how are they used
A cookie is a text-only string of information (text file) concerning the user’s activity on the website and that are stored while first browsing the website on the tool the user is using to browse internet (computer, smartphone or tablet), and then are transmitted back to these websites upon the next visit allowing our site to automatically recognise the user (or other users using the same tool) after the first visit and then improve their usage experience.
Their work totally depends on the browser that the user uses and can be enabled or not by the actual user.
To always guarantee the best possible browsing experience, website offers the best services when the cookies are enabled. By default, almost all web browsers are set to automatically enable cookies.
Cookies can be:
- “first party” when they are managed directly by the website manager;
- “third party” when cookies are set up and managed by managers unrelated to the website that the user is visiting.
Third-party cookies fall under the direct and exclusive responsibility of the manager, and in relation to their installation the first party site manager is a mere technical intermediary.
Which cookies we use and why
The Website uses or may use, even combined, the following cookie categories:
- Persistent cookies: these cookies are stored on the device even after leaving the website or in any case after closing the browser: in particular they are kept until their expiration date or until they are manually deleted by the user.
Persistent cookies satisfy many features in the interest of surfers (such as password storage), however they can also be used for promotional purposes in some cases
- Session (or temporary) cookies: They have a duration limited to the visit and are deleted when the browser is closed, which ends the access to the website “session”. As a rule, they allow the user to access customised services and take full advantage of the website’s features, avoiding the use of other technologies that could compromise the privacy of the users’ browsing.
- For example, technical-functional cookies for the transmission of session identifiers necessary to allow the safe and efficient exploration of the site. These cookies avoid the use of other technologies that could compromise the privacy of the users’ browsing.
The law requires the mere release of the information to the data subject for technical cookies, as it happens with this communication that is without the creation of specific banners on the Website.
On the other hand, for all non-technical cookies, the current legislation subordinates their installation upon expressing prior consent in the simplified forms provided by the Guarantor Provision 8.5.2014, i.e. through the publication of a synthetic banner that can be viewed by the user when first “landing” on the website and allowing to generate the further use of the Website (based on the “scrolling”, or on the continuation of surfing within the same web page) by which the user can implicitly communicate the consent or, alternatively, access an analytical cookie information document (namely, this information document), with which you can express the necessary consent or dissent. The consent or not can be formulated by the user not in reference to the individual cookies that are installed but in relation to broader categories of cookies, or to specific producers and/or intermediaries with whom the WebSite has established business relationships.
- Analytics: these cookies can be both temporary and permanent and allow collecting aggregate and/or disaggregated information and statistical analysis (e.g. the user’s geographical area of origin, the access means that is used, age, and so on) and in general the behaviour of users on the website and, therefore, to improve the experience and content that is provided.
These analytic cookies can be assimilated to technical cookies only if they are created and used directly by the first party website (without, therefore, the intervention of third parties). For example, the website uses log files (this means that it records the history of operations as they take place) and that include IP addresses, type of browser, operating system used by the user’s device, Internet Service Provider (ISP), date, time, page of entry and exit and the number of clicks, but even the pages that have been visited on the website, the third party websites from where the user comes). All this to analyse user behaviour trends and to administer and optimise the website. The information collected this way does not have a personal value because data are collected and analysed anonymously.
Instead if the analytical cookies are made and/or used by third parties (other than the first party website controller), these cannot be assimilated to technical cookies and have a different legal treatment.
- “Profiling” (or advertising) cookies (always of the permanent type) are used to obtain information, whether aggregated or not, useful to evaluate the use of the website and the activities carried out by the visitor (choice of displaying specific pages, specific products and/or services, etc.), used by the controller to create commercial advertising of targeted products and/or services based on the users’ previous activities (instead of the generalist offered indiscriminately to all).
List of cookies that are actually on the website
The above premise does not automatically imply that this website currently uses all the above-mentioned cookie categories. The list of cookies that is actually used by HOTELTURIST is indicated below.
|(Feature (technical, analytic, advertisement)
|Duration (if permanent and if not deleted before by the actual user)
The Website also uses Google Analytics cookies (Google Inc. cookies, which is an American company, third party). Please note that no strictly personal information is collected through the Google Analytics feature but, only in aggregate statistical form, data on the age, gender, and preferences of interest of our visitors (to better evaluate the use of our website and the activities carried out by the visitor and address the services provided at best). These cookies are stored on servers that can be located in the United States or in other countries. Google reserves the right to transfer the information collected with its cookie to third parties when required by law or when the third party processes information on its behalf.
The “Analytics” feature is however configured by HOTELTURIST, by default, in such a way as to significantly mask portions of the IP address of the user/visitor, and therefore the data relative to the IP address thus collected is already anonymised upon origin and therefore the analytical cookie does not allow to trace even indirectly – and in particular through further processing – the identity of the user/visitor. For this reason, HOTELTURIST that is the site manager from time to time, in accordance with the law, is not required to comply with the obligations and obligations provided for by the regulations on cookies (for example, notification of the processing of cookies to the Privacy Guarantor). The user can always disable Google Analytics cookies, using a special add-on made available by Google, at the following link.
In the event that HOTELTURIST should, in the future, decide to modify the configuration of the “Analytics” feature at any time to allow the collection of the user data of the last three numbers that make up its IP address, this choice must be notified in advance to the Privacy Guarantor by the data controller operated through the portal or website, to protect the user.
We hereby inform you that Google also ensures, as of now, not to associate your IP address with any other data held by Google to obtain a more detailed user profile.
No nominative profiling cookies are used on this website, i.e. based on personal identification data.
Our website uses re-marketing lists and ads on the display network that is online advertisements based on categories of general interests expressed by categories of users through previous web browsing.
Without prejudice to the above, our website uses the special advertising features of Google Analytics, that allow activating additional features that are not available through standard Google Analytics implementations and the related cookies.
These advertisement features allow collecting traffic data (through Google advertising cookies and anonymous identifiers) as well as data normally collected by us through a standard implementation of Google Analytics. The Google Analytics advertisement features are the following:
- Remarketing with Google Analytics
- Reports on the impressions of the Google Display network (if used through AdWords)
- Integrations with the DoubleClick platform
- Reports on demographics and Google Analytics interests
- Social cookies: these cookies are from third parties i.e. connected to services provided directly by the domains of the most common social media networks that are connected to our Website through links to official pages, buttons to share content and links. The use of these buttons and features involve the exchange of information (e.g. texts, photographs, videos, and so on) with these websites. If a social service is installed, even if users do not use the service, it collects traffic data for the pages on which it is installed. Facebook Like Button and social widgets (Facebook, Inc.)
- The “Like” and social widget button of Facebook are interacting services with the social network Facebook, provided by Facebook Inc.
- Collected Personal Data: Cookie and Data of usage.
- Place of processing: USA
- Social Tweet and widget button of Twitter (Twitter, Inc.)
- The social Tweet and widget button of Twitter are interacting services with the social network Twitter, provided by Twitter Inc.
- Collected Personal Data: Cookie and Data of usage.
- Place of processing: USA
- +1 button and social widget button of Google+ (Google Inc.)
- The +1 button and social widget button of Google+ are interacting services with the social network Google+, provided by Google+
- Collected Personal Data: Cookie and Data of usage.
- Place of processing: USA
The management of information and how to delete these social cookies is regulated by the same social media websites: the user is invited to consult the respective privacy policies for each of them, at the following links:
or Facebook: https://www.facebook.com/policies/cookies/ or https://www.facebook.com/privacy/explanation
or Twitter: https://help.twitter.com/it/rules-and-policies/twitter-cookies or https://twitter.com/it/privacy
or YouTube: https://www.google.com/policies/technologies/types/
or Pinterest: https://policy.pinterest.com/it/privacy-policy
or Instagram: https://help.instagram.com/519522125107875
or Linkedin: https://www.linkedin.com/legal/privacy-policy?trk=uno-reg-guest-home-privacy-policy
or Google+: https://policies.google.com/privacy?hl=it
The use of these cookies is anonymous, no personal information is collected unless the user intends to provide it explicitly by sending contact and/or request forms of information.
Further information on privacy and on the use of social cookies is available on the websites of the respective third-party operators.
How cookies work and how cookies are disabled
Accepting or refusing cookies is your right
Hereunder are the links to configure the most popular browsers that describe how to manage cookies:
– Chrome: https://support.google.com/accounts/answer/61416?hl=it
– Firefox: https://support.mozilla.org/it/kb/Gestione%20dei%20cookie
– Internet Explorer: http://windows.microsoft.com/it-it/windows-vista/block-or-allow-cookies
– Opera: http://help.opera.com/Windows/10.00/it/cookies.html
– Safari: https://support.apple.com/it-it/HT201265
To change the cookie settings in browsers other than those listed, refer to the assistance documents prepared by the manufacturer of the specific browser.
The user can also disable the action of Google Analytics selectively by downloading and installing the additional opt-out component on your browser and specially provided by Google for your browser, at the following link:
Remember to set the preferences on cookies for each device and every browser used when surfing the Internet.
To delete cookies from the Internet browser of your smartphone/tablet, it is necessary to refer to the user manual of the device.
For further information on cookies and privacy, we invite you to consult the specific document drawn up by the Privacy Guarantor at the following link:
Co- Data Controllers
1 – HOTELTURIST SPA, with office in Via Forcellini, 150 – 35128 Padua, VAT 01047360910, email: email@example.com, tel. +39.049.2956414, fax +39.049.8033785;
2 – the management company of the accommodation structure constituting the object of the reservation from time to time.
A complete list of co-controllers can be consulted on the website www.th-resorts.com – Privacy section. A complete and updated list of external controllers can be consulted at the Company upon written request by the data subject.
Rights of the data subject
In case of non-acceptance of future changes, the data subject party must stop using the website or the features to which the privacy modification refers, and without this abstention the changes will be deemed as accepted (except those that modify the conditions to obtain consent, when mandatory, to the processing).
Amendment to the policy
Regarding the processing of personal data, the data subject can exercise the rights by writing to the Data Controller:
– ask the Controller to confirm whether or not personal data processing is being processed and, in this case, obtain access to personal data and the following information: a) the scope of the processing; b) the categories of personal data at issue; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organisations; (d) if possible, the storage period of the personal data provided or, if not possible, the criteria used to determine this period; e) the existence of the right of the data subject to request the data controller to rectify or delete personal data or limit the processing of personal data concerning him or her or to oppose to their processing; f) the right to file a complaint with a supervisory authority; g) if the data are not collected from the data subject, all the information available on their origin; h) the existence of an automated decision-making process, including profiling and, at least in these cases, important information on the logic used, as well as the importance and expected consequences for the data subject due to this processing.
– if personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed on the existence of suited guarantees regarding the transfer;
– request, and obtain, without undue delay, the correction of inaccurate data; taking into account the scopes of the processing, the integration of incomplete personal data, even by providing an additional declaration;
– request the deletion of data if a) personal data are no longer necessary with respect to the scopes for which they were collected or processed; b) the data subject revokes the consent on which the processing is based and there is no other legal basis for the processing; c) the data subject opposes the processing, and there is no legitimate main reason to proceed with the processing, or opposes the processing performed for direct marketing purposes (including functional profiling for this direct marketing); d) personal data have been processed unlawfully; e) personal data must be deleted to fulfil a legal obligation under Union or Member State law to which the controller is subject; f) personal data were collected with regard to the offer of services by the information company.
– request the limitation of the processing concerning the data subject when one of the following hypotheses occurs: a) the data subject disputes the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of this personal data; b) the processing is illegal and the data subject opposes to the cancellation of personal data and asks instead that its use is limited; c) although the data controller no longer needs it for processing reasons, the personal data are necessary for the data subject to verify, exercise or defend a right in court; d) the data subject objected to the processing carried out for direct marketing scopes, awaiting a verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the data subject;
– obtain from the data controller, upon request, the communication of the third recipients to whom the personal data have been transmitted;
– revoke the consent to the processing of their personal data at any time when previously communicated for one or more specific scopes purposes, it being understanding that this will not affect the lawfulness of the processing based on the consent given prior to the revocation.
– to receive, in a structured format, of common use and readable by automatic device, personal data concerning the data subject provided by the data controller and, if technically feasible, to transmit this data directly to another data controller without impediments by the data controller to whom they have been provided, if the following (cumulative) condition occurs: a) the processing is based on the consent of the data subject for one or more specific purposes, or on an agreement for which the party is a party and for which the execution of the processing is necessary; and b) the processing is carried out with automated means (software) (total right to the so called “portability”). The exercise of the right of the so called “portability” is subject to the right to cancellation specified above;
– the data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or that has a similar impact on them.
At any time, the data subject – the interested party at any time can also file a complaint with the competent Supervisory Authority based on the GDPR (that of the place of residence or domicile).
The above-mentioned rights must be exercised separately to HOTELTURIST or to third parties that are recipients of the data, each within their own competence.
Type of data
Through the web forms available on the websites, we will never ask you for “particular” personal data (personal data suitable to reveal the racial and ethnic origin, religious beliefs, philosophical or political opinions, membership of parties, trade unions associations or organisations of a religious, philosophical, political or trade union nature, as well as personal data capable of revealing the state of health and sexual orientation) or “judicial” (data relating to criminal records, or relating to the status of defendant or suspect, etc.). The data we deal with can be of three general categories:
When (even via mobile via smartphone or tablet) you access this website or use our services, IT systems and software procedures used to operate the site acquire, during normal operation, some information on you that are qualified as “personal data” and whose transmission is implicit in the use of Internet communication protocols.
These include the hardware model, operating system and version, information on the mobile network and on the country from where the access takes place, the time of the request, the method used to submit the request to the server, the access time , the size of the file obtained in reply, the numerical code indicating the status of the reply given by the server (success, error, and so on), details of the itinerary followed within the webpages with particular reference to the pages visited and other parameters relating to the operating system and the user’s computer environment (browser used, version, geographical position, last page visited before accessing IEG Website services) and unique device identifiers (e.g. IP address or domain names of the computers used by the users, the URI – Uniform Resource Identifier – address, the MAC address – Media Access Control.
This information is not collected to be directly associated with identified data subjects but that for their very nature could, in theory, allow to identify users through processing and an association with data held by third parties (in particular, third party providers of internet connectivity services).
However, the data are used by us only to obtain statistical information in aggregate and anonymous form on the use of the website, to better understand the user’s browsing behaviour to offer the user a better browsing experience, to make the technical features of the website possible, to control and optimise the operating, to improve the quality of the services offered by the website as well as to ensure the maintenance of the related database and supporting IT infrastructure.
This browsing data will be deleted within 12 months from the date of collection after the aforementioned processing in an anonymous form.
Browsing data can also be used to ascertain responsibility in the event of offenses committed against the Website or carried out through the Website (malware attempts, spamming, illegal access to computer systems, etc.) and continue to be stored, in this case, for all the time necessary to protect the rights of IEg and/or third parties.
Data provided actively by the data subject
- the information sent by users in an optional and voluntary manner to the addresses indicated on the Website (e.g. email address, subject matter of the email, name or company name, name and surname, etc.);
- personal data provided by users to use services accessible on the Website or to participate in initiatives promoted via the Website;
- personal data provided by users that send requests for news and/or information material;
- personal data provided by users that send job applications (“curriculum vitae”, etc.).
Data collected from third parties
In the case of a sale of travel packages and tourist services by HOTELTURIST to third-party resale intermediaries to the final customer, HOTELTURIST collects, through forms given by these intermediaries to the latter, personal data of the data subject such as name and surname, nationality, tax code, type and number of identity document and expiration date, date of birth, family members, membership with organisations on behalf of which HOTELTURIST makes bookings, landline or mobile phone, area code, city, address, email address, data relating to the content and methods of delivery for the service purchased by the end customer, price, payment method. Among the data collected there could also be data on the data subject’s food intolerances or on memberships with organisations that reveal religious beliefs.
In any case, the user is not asked to provide information that have particular data (intended as only data relating to health – e.g. stay of disabled people, health visits, medical certificates, dietary habits and so on – and/or revealing their own racial or ethnic origin) or that of third parties, without having given their consent to the processing according to law (written consent).
The processing will be carried out, with or without the aid of electronic means, according to principles of correctness, lawfulness, transparency, to protect the confidentiality and rights of the data subject at any time in compliance with the enforced legislation.
Scope and duration of the processing
The data will be processed for the following scopes and respective durations:
To acquire and confirm – even through registering on this Website – your booking for tourist packages and services, other additional and non-additional services and to provide them to you by organising all the internal and external management and production activities that are necessary. The processing can concern also “particular data” (intended as only data relating to health – e.g. stay of disabled people, health visits, medical certificates, dietary habits and so on) and/or that reveal their own racial or ethnic origin. We do not process data concerning the life and sexual orientation, genetic data, biometric data, data that reveal political opinions, religious or philosophical convictions, union memberships. The data are also processed to manage contests and prize events in which the data subject participates. The processing does not require your consent. Giving personal data is optional but in case of a refusal to do so, with the exception of “particular” data, we will not be able to confirm the booking and/or provide the requested services. In case of disputes, we will process the data to protect our rights and up to their completion; in any case we will process the data for the duration referred to in the following point 4.
To speed up the registration procedures in case of your subsequent stays at our structure. For this scope, based on our legitimate interest in reducing in-house management activities, your data will be stored for a maximum period of fifteen (15) years, and will be used when you are our guest again for the scopes referred to in the previous points; this processing does not require your consent.
(limited to the details of the identity document, name and surname and date of birth of yourself and/or family members or people who are staying with you) to fulfil the obligation indicated in the “Consolidated Law on Public Safety Laws” (Article 109 of the Royal Decree 773 of date 18.6.1931) that requires that we communicate the details of the clients staying at our facility to the Police Headquarters and/or the Local Public Safety Authority for scopes of public security, in accordance with the procedures established by the Ministry of the Interior (Decree dated 7 January 2013). The provision of data is mandatory and does not require your consent, and without these we cannot host you in our structure. The data acquired for this scope are kept for as long as necessary (7 days). For this scope, the data are kept for as long as necessary (48 hours), without prejudice to the provisions of section 4 hereunder.
In the case of groups of guests, or families, the above-mentioned data relating to the identity documents collected and processed concern only the group leader or the head of the family.
To comply with current administrative, accounting and tax obligations. Giving personal data is optional but in case of a refusal to do so, we will not be able to provide the requested services. Data is stored by us for the time required by the respective regulations (ten years and, in the case of tax assessments, even longer, until their completion).
To receive and transfer messages and telephone calls, delivery of mail and parcels addressed to you, to your family and/or to the persons staying with you. Giving personal data is optional but in case this is not done, we will not provide the above services. For this scope, your consent is necessary, and revocable at any time later on. The processing ends with your departure.
To protect people and the company assets a video surveillance system is located in some areas of the residential structure and the positioning is indicated by specific external signs. This processing does not require your consent as it pursues our legitimate interest in protecting people and property with respect to aggression, theft, robbery, damage, acts of vandalism and similar. The recorded images are automatically deleted after 24 hours, except on holidays or other cases in which the structure is closed and in any case for no longer than a week. They are object of communication to third parties only if they have to adhere to a specific investigative request by the judicial authorities or judicial police and in this case they can also be communicated to lawyers and IT experts.
(upon expressing your consent) To send you newsletters and/or our promotional messages and updates on the prices and offers for tourist packages or services and accessory and non-accessory services, by email, text message, instant messaging, social networks, telephone calls with or without an operator, posting of papery documents. The provision of data and your consent to the processing are optional and if you do not agree to do so, this will prevent us from proceeding with the aforementioned operations but it will not interfere in any way on your right to obtain the services you booked or other information you request from us. At any time, you can oppose to the processing (the so-called opt-out option) or revoke the consent that was given previously.
Your prior consent is not required in the case of sending promotional emails of services and/or products similar to those you already purchased from us, or when we contact you using telephone number that are available on directories and/or public registers. Your data will be processed for a maximum period of twenty-four (24) months.
8. (upon expressing your consent) To carry out promotional activities, information and updates on the rates and offers made by other parties belonging to the same TH Resorts group (subsidiaries and/or affiliates or parent companies) to which we can transfer the data.
Your data is optional. Without your consent we cannot profile you (therefore we are unable to customise the initiatives of direct marketing concerning you), while this will not interfere in any way on your right to obtain the services you booked or other information you request from us. The consent can be revoked at any time later on. The duration of the processing carried out by third parties is managed by them.
(upon expressing your consent) For profiling scopes.
For your profiling we use the data (example name and surname, company name or organisation to which you belong, residence or seat, landline and mobile phone, email address you give us when you use individual services (even associating them with data on your browsing the HOTELTURIST websites or the use of services provided by the website (e.g. cookies) or data collected through other communication channels (e.g., likes on the social media you interact with, linked by our website).
We process data to analyse even in a predictive way and/or create groups of individuals according to market segments based on a minimum set of elements (e.g. geographical area of origin, contact language), up to more advanced profiles based on age, gender, preferences and interests declared by you, age, marital status, composition of the family unit, previous purchases, browsing behaviour on our internet websites and/or on our Apps (the web pages you visited, the offers or content you viewed, any data uploaded to online registration forms, other logs), how you interacted with our promotional email messages (how many and which messages you opened and/or viewed), the devices you used to interact with our online platforms.
This activity has a dual scope: to better understand customers, both as groups and individuals, and analyse the marketing effectiveness to develop and update our services and offers in line with your preferences.
The profiling aims at aligning services and goods offered by HOTELTURIST with the current and potential demand, measure the results of specific promotions, take corrective actions aimed at improving business results (e.g. reduce the risk of investing resources towards marginal thematic areas for the target) and the effectiveness of commercial processes (e.g. by ascertaining how many messages and promotional content we sent you and were viewed and clicked), limit the sending of promotional communications that are not relevant to your probable expectations or preferences through undesired channels ). This means that HOTELTURIST does not send the same offers to all data subjects and can send you advertising communications as close as possible to your tastes and interests or preferences, or through your favourite contact methods, improving your purchase experience, even to your own advantage.
Profiling does not imply your exclusion from specific benefits or the possibility to exercise your rights freely in relation to personal data processed by HOTELTURIST; in particular, it does not affect the possibility for the data subject to use the ordinary services (e.g. online pre-registration, purchase of services) sold by HOTELTURIST.
Providing data is unnecessary because we already have it due to the previous booking of our services made by you. Your prior consent is discretionary. Without your consent we cannot profile you (therefore we are unable to customise the initiatives of direct marketing concerning you), while this will not interfere in any way on your right to obtain the services you booked or other information you request from us. The consent given earlier can be revoked at any time. Your data will be processed for a maximum period of two (2) months.
The scopes referred to in the above paragraphs 1 to 6 are referred to as “primary scopes”; the scopes set out in paragraphs 7 to 9 are defined as “secondary scopes”.