Privacy Policy of the website http://www.termemargherita.it

This Privacy Policy concerning the processing of personal data is drafted and provided by Terme di Margherita di Savoia s.r.l., as Data Controller, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 on the protection of personal data of natural persons (hereinafter also the “Regulation” or “GDPR”), to users (data subjects) who access the website available at http://www.termemargherita.it or its third-level domains (hereinafter also referred to as the “Website”), unless otherwise expressly specified.

1. Data controller and contact information

Terme di Margherita di Savoia s.r.l., with registered office in Trani (BT), at v. San Giorgio 26, telephone: 0883655402, certified email address: termemargherita@pec.it and email: info@termemargherita.it, VAT number: 00123640716.

2. Data Protection Officer and contact information

The Data Controller has appointed Dr. Claudio Cesaroni of Autenticert S.r.l. as Data Protection Officer (DPO). The Data Subject may contact the DPO for any request regarding the processing of their personal data or to exercise their rights under the GDPR at the following addresses: ccesaroni@pec.it – dpo@claudiocesaroni.it.

3. Methods of processing personal data

The Data Controller processes the personal data provided and/or collected from users using analog, computerized, and/or telematic tools, adopting appropriate security measures to prevent unauthorized access to its systems and, therefore, to reduce the risk that they may be modified, disclosed, or destroyed.

Personal data may also be processed in aggregate form, using organizational methods and logic strictly suited to the purposes indicated in this policy.

On some occasions, the data may be processed by categories of subjects authorized by the Data Controller, involved in the organization of the provision of services related to the website, or even by external subjects (third-party technical service providers, hosting providers) who have been appointed as Data Processors. The updated list of Data Processors and authorized subjects may always be requested by the data subject and is available at the Data Controller's registered office.

Personal data is processed at the operational headquarters of the Data Controller and Data Processors, as well as at any other location where the parties involved in the processing are located.

4. Purpose of processing

Di seguito sono riportate le finalità del trattamento dei dati personali raccolti tramite il sito, assieme alle categorie di dati personali raccolte, a quelle degli interessati, alle condizioni di liceità, alle basi giuridiche, ove sia necessario indicarle e alla durata del loro trattamento.

Compliance with the obligations of the Consumer Code

Personal data is processed to fulfill the obligations set forth in the Civil Code and the Consumer Code regarding distance selling (including, but not limited to, the management of requests to exercise the right of withdrawal, returns, and requests for repair and/or replacement of products under warranty).

Categories of data subjects: customers.

Categories of data collected: first name, last name, tax ID number, email address, shipping address, phone number, order number.

Conditions of lawfulness: compliance with a legal obligation.

Legal basis: Consumer Code.

Duration of processing: for as long as necessary to fulfill the requests of the data subjects. The data is stored for twelve months after collection.

Website traffic analysis

Categories of data subjects: website users.

Categories of data collected: IP address; URI.

Conditions of lawfulness: consent.

Legal basis: provision of the Italian Data Protection Authority dated June 10, 2021.

Duration of processing: Data is processed and stored for twelve months after collection, after which it is anonymized.

N.B.: if the interested party does not consent to the collection of their personal data, the website will only record that it has received an anonymous visit for the purpose of compiling aggregate statistics.

Accounting and other legal obligations

Personal data is also processed to comply with legal obligations relating to accounting, taxation, and public safety.

Categories of data subjects: customers.

Categories of data collected: first name, last name, tax ID number, arrival date, departure date.

Conditions of lawfulness: compliance with a legal obligation.

Legal basis: Article 2220 of the Italian Civil Code, GDPR.

Duration of processing: for as long as necessary to complete the accounting operations.

Execution of the distance sales contract

Personal data is also processed to fulfill the distance sales contract for goods listed in the website catalog.

Categories of data subjects: customers.

Categories of data collected: first name, last name, tax ID number, email address, phone number, shipping address, billing address, order number.

Conditions of lawfulness: contract or pre-contractual measures.

Legal basis: GDPR.

Duration of processing: for as long as necessary to perform the distance sales contract.

Marketing

With the user's explicit consent, personal data is processed for the purpose of sending newsletters and commercial information, either by email, SMS, or similar tools (WhatsApp, Telegram, etc.), or by telephone.

Categories of data subjects: customers.

Categories of data collected: first name, last name, email address, phone number.

Conditions of lawfulness: consent.

Legal basis: Provision of the Italian Data Protection Authority dated May 15, 2013.

Duration of processing: data is processed for twenty-four months following its collection.

Room reservations

Personal data is also processed for hotel room reservations.

Categories of data subjects: customers.

Categories of data collected: first name, last name, email address, phone number, arrival date, departure date.

Conditions of lawfulness: contract or pre-contractual measures.

Legal basis: GDPR.

Duration of processing: for as long as necessary to book the rooms.

Response to user requests

Categories of data subjects: website users.

Categories of data collected: first name, last name, email address, phone number, arrival date, departure date.

Conditions of lawfulness: contract or pre-contractual measures.

Legal basis: GDPR.

Duration of processing: for as long as necessary to fulfill the requests of the data subjects. The data is stored for twelve months after collection.

Retention of processed personal data

The Data Controller will retain the user's personal data for 10 years after the conclusion of the processing operations listed above for the possible exercise of the right of defense.

5. Data transfer

The Data Controller does not transfer the data collected in the aforementioned processing operations to countries outside the European Union.

Should such a transfer ever be deemed necessary, the Data Controller will obtain prior consent from users for their transfer in accordance with Articles 44 et seq. of the GDPR.

6. Rights of Data Subjects

Users, as data subjects, may exercise their rights under the GDPR, namely:

1. the right of access;
2. the right to rectify data;
3. the right to erasure and to be forgotten;
4. the right to restriction of processing;
5. the right to object to processing;
6. the right to data portability.

The rights may be exercised by submitting an informal request to the Data Controller, who will respond within thirty (30) days of receipt. This period may be extended by a further sixty (60) days if the request is particularly burdensome for the Data Controller.

The Data Controller informs users that, if no response is provided within the specified time frame, or if the response is unsatisfactory, or if users believe that their rights have been violated, they may lodge a complaint with the Italian Data Protection Authority in accordance with the procedures indicated on the Authority's website, accessible at: http://www.gpdp.it.

7. Changes to this privacy policy

The Data Controller reserves the right to make any changes to this extended privacy policy by giving notice on this page.

The date of the last modification will be indicated at the bottom of this document to allow for the tracking of changes. A copy of each version of this policy is available to interested parties at the registered office of the Data Controller.

If the data subject does not accept the changes made, they may ask the Data Controller to remove their personal data.

Trani, March 16, 2023

The Data Controller

Margherita di Savoia Thermal Baths Ltd.