Palazzo di Varignana
This document describes how the website is managed with regard to the processing of users' personal data, and outlines the policy for the processing of personal data that Palazzo di Varignana uses on its premises.
Pursuant to art. 13 of European General Data Protection Regulation 679/2016 (the GDPR), this information is also provided to users of any of the services and/or products of Palazzo di Varignana available at the following address: www.palazzodivarignana.com
DATA CONTROLLER AND CONTACT DETAILS
Data relating to identified or identifiable persons may be processed after they access and browse this site.
Pursuant to the GDPR, the Controller of the Data Processing is the Company known as Palazzo di Varignana S.r.l. (hereinafter the "Data Controller"), which has its headquarters at Via Della Zecca no. 2, 40141 Bologna (BO) ITALY - VAT and Tax Code no. 0265821204, Tel +39 0510827029, Fax +39 0510822435, E-mail: firstname.lastname@example.org (hereinafter the "Company"), through its legal representative.
RECIPIENTS AND/OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
For the pursuit of those purposes set out in this policy, it may be necessary for the Data Controller to disclose the user's data to third parties, who will act as data processors pursuant to art. 28 of the GDPR and who will carry out or provide certain specific services:
- Web hosting and backend infrastructure;
- Management and support of the platform for the services and products offered by the Data Controller;
- Shipping and logistics;
- Administration of the Site;
- Cookie management;
- Marketing campaign and newsletter management;
The user can always request an updated list of Data Processors from the Data Controller by using the contact details given above.
Finally, the user's personal data may be disclosed to public and private subjects and/or bodies to whom the data must be communicated in order to comply with specific obligations required by laws, regulations or EU legislation, and/or to meet obligations relating to payments for services. These subjects act as independent data controllers.
LOCATION OF DATA PROCESSING
The processing related to the web services of this site, and also described by means of the same, is principally carried out at the operational headquarters of Palazzo di Varignana S.r.l., and by officially appointed personnel with specific training in the protection of personal data. No data originating from the web service are disclosed to third parties unless strictly relevant to the purposes of the processing or required by laws or regulations. The processing related to the web services of this site that takes place at the premises of the Data Controller is carried out by internal personnel, officially instructed and appointed as data processors, or by third parties designated as Data Processors.
PURPOSES AND LEGAL BASIS OF DATA PROCESSING
Your personal data may be processed for the following purposes:
1) Data processing to enable the purchase of products and services from the Data Controller.
By means of the company website, the Data Controller offers users the opportunity to purchase products or services.
The processing is carried out in order to execute the contract to which the user is a party, pursuant to art. 6, paragraph 1, point b) of the GDPR.
Personal information provided voluntarily and optionally by users is only used to carry out the service requested and will not be disclosed to third parties unless disclosure is required by law, or is strictly relevant and necessary for the fulfillment of requests.
In particular, the personal data provided voluntarily by users will be collected directly by electronic means, and/or through designated third parties (e.g. email service companies, website hosting companies) for the following purposes:
- - to allow registration, monitor the status of orders, consult the history of orders, access support services, make use of services offered from time to time;
- to check the availability of products and services;
- to enable the sale and dispatch of purchases;
- for execution of the order;
- for payment and invoicing;
- for transport and delivery, shipping and logistics.
The data will be processed electronically and on paper to ensure the sale is executed under the agreed conditions.
2) information and/or support at the request of the Data Subject
The processing of users' personal data is necessary when, at their request, the Data Controller provides support and/or information on products and/or services, or in order to find a contact request made by the user via the contact and customer care section.
2.1 Chatbot channel for requesting assistance and support
The Data Controller provides assistance and support for users via a chatbot channel. The Data Controller will process personal data (telephone number, name, surname) through the instant messaging platform for the sole purpose of processing the request.
The processing is carried out in order to process a request for assistance, pursuant to art. 6, paragraph 1, point b) of the GDPR. The Data Controller asks the user not to disclose/share any additional personal data other than those that are strictly necessary for the assistance and support service.
3) Carrying out operations that allow users to navigate between pages on the site
4) statistical analysis of aggregated data in relation to the performance of the Site
In order to stay updated on the Data Controller's latest initiatives, the user may decide to sign up to the newsletter service on a purely voluntary basis. The processing to enable this can only take place if the user gives his free consent, pursuant to art. 1, paragraph 1, point a) of the GDPR.
The data subject may exercise his right at any time to unsubscribe from the newsletter and/or withdraw his consent, pursuant to those rights set out in the GDPR.
By selecting the relevant tick box, the user consents or declares his wish to receive marketing messages, to learn about new initiatives and sponsored products or services offered by the Data Controller. Such messages may be sent by automated means, in compliance with the relevant privacy regulations. Users may decide not to receive any more such communications at any time, by means of the opt-out link at the bottom of each message, and in any event by exercising their right to withdraw consent. The processing is carried out on the basis of the user's voluntary and optional consent, as per art. 1, paragraph 1, point a) of the GDPR.
TYPE OF PERSONAL DATA PROCESSED
The personal data processed by the Data Controller are relevant and necessary for the purposes being pursued, and fall within the definition of personal data set out in Article 4 of the GDPR. They could therefore involve the following categories: name, surname, email, telephone number, date of birth (optional), country of origin (optional), destination address, payment method, billing address, shipping address, order date, customer IP address, device used, payment method, total purchased, type of product purchased, experience purchased, date and time of experience/purchase, purchase channel, language of experience, type of discount applied.
With regard to browsing data: the computer systems and software procedures used to operate this website acquire certain personal data during their normal operations. The transmission of said data is implicit in the use of Internet communication protocols. These data are not collected to be associated with identified data subjects, but by their very nature could allow users to be identified through processing and association with data held by third parties. This category of data includes the IP addresses or domain names of computers and terminals used by persons connecting to the site, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, and other parameters relating to the user's operating system and IT environment. If the user makes the voluntary choice to either email one of the addresses given on the Site or to complete the designated contact form, he will need to provide certain personal data in order to elicit a response.
TRANSFER OF DATA TO NON-EU COUNTRIES
Personal data may be transferred to a country outside the EU, in compliance with the conditions set out in the GDPR. In particular, such a transfer can be implemented, without the need for special authorization, if the country to which the data is being transferred is classed by the European Commission as guaranteeing a suitable level of protection. However, if the European Commission has made no such decision regarding suitability, transfers to third countries can still be made by providing the appropriate safeguards referred to in art. 46 of the Regulation, on the basis of which the aforementioned transfer of personal data can take place. In the absence of an adequacy decision or of appropriate safeguards, the transfer of personal data to a third country can only take place where the relevant conditions are met, as well as other conditions set out in the GDPR: including the possibility of using, in particular situations, the derogations outlined in art. 49 of the Regulation.
DATA RETENTION TIMES
Please note that the data provided by the user and processed by Palazzo di Varignana S.r.l. for the purposes of purchasing products or services from the Data Controller, will be kept for 5 years from the completion of processing, in the event that such purchases are made. If the user has submitted a request for assistance through the WhatsApp channel or the contact and customer care form, the data will only be processed for the time required to handle their request.
If the user gives his consent, his personal data will be stored for 12 months from the time he subscribes to the newsletter, and for 24 months to allow processing for marketing purposes. This is without prejudice to the minimum storage periods set by law, and the possibility of revoking consent or exercising all the rights granted to data subjects by the GDPR and outlined below in this policy.
With regard to browsing data: the Data Controller will delete such data after 12 months following the user's last online interaction with either the Data Controller's communications or with the contents published on the Site, where the Data Controller has direct evidence of such an interaction (e.g.: clicking, opening or responding).
NATURE OF DATA PROVISION
The user's personal data have to be processed in order to provide him with services or respond to his requests. Therefore, if the user does not provide the necessary personal data, the Data Controller will not be able to perform the service and/or satisfy the request.
The provision of data for marketing purposes or the newsletter is entirely optional, and has no effect on requests for services or the execution of the same.
RIGHTS OF DATA SUBJECTS
Data subjects may exercise, where the conditions exist, all the rights set out in the GDPR. These include the rights to ask the Data Controller: to confirm whether or not their personal data are being processed; to allow access to their personal data, and enable the correction of inaccurate data or the integration of incomplete data; to obtain the cancellation of their personal data, or limitations to their processing; to receive their personal data in a structured, commonly used and machine-readable format; to oppose the processing of their personal data; to withdraw consent at any time if the processing is based on consent.
You can exercise these rights by writing to the Data Controller, using the contact details given above.
Finally, you have the right to lodge a complaint with the Guarantor for the protection of personal data.