Privacy

We provide this Privacy Policy according to EU’s new data protection law GDPR 2016/679 to indicate to users what we do with their personal data when they use our services and access our content, and how they can exercise their rights.

This document describes (i) how we manage the website https://www.agriturismolapromessa.it (hereafter the “site” or “website”) and treat users’ personal data, as well as (ii) personal data of those who, as clients or for any other reason, have contacts with Basconi Silvano (hereafter the “company” or “owner”) or otherwise provide the company with their personal data, for the purposes and further terms and conditions of this informative note or in relation to which the company carries out personal data processing operations (hereafter the “interested parties” or “user”).

We undertake to process personal data in accordance with the GDPR, Legislative Decree 196/2009 and the Directive 2002/58/EC (“Eprivacy”), the relevant measures and guidelines of national and European data protection authorities and judicial authorities, and the applicable national and European legislation.

We therefore invite you to read carefully this privacy policy and to contact us if you have any questions regarding the processing of your personal data.

  1. Data controller
    The data controller, pursuant to Articles 4 and 24 of GDPR, is Basconi Silvano, with registered office in Padua (PD), Via Uruguay, no. 20, in the person of its pro tempore legal representative (VAT no. 05293250287).

The personal data collected within the company are also processed by employees, who undertake to comply with the instructions and information given to them. An up-to-date list of data processors is available at the owner’s registered office.

The company has also appointed an in-house System Administrator who will access and manage your personal data in order to ensure their protection and correct use in compliance with the Privacy Legislation.

Anyone interested can send a certified e-mail to silvanobasconi@gmail.com in order to exercise their rights under this policy, as well as for any information relating to them and/or to this policy.

  1. Processed personal data, place and methods of data processing
    The owner may collect certain data from the Data Subject, when the user:
    • navigates the site;
    • subscribes to the newsletter;
    • uses the customer care service or contacts the company for any reason (e.g. for order enquiries, complaints, website problems) through the appropriate telephone, e-mail, postal and certified e-mail channels.

The collected personal data are:

    • Identifying and contact details (e.g. name, surname, gender, tax code, registered office, address, telephone number, place and date of birth, e-mail, certified e-mail, C.C.I.A.A data, marital status, visa, job, activity sector, user ID and password to access the systems offered to the data subject by the owner)
    • Video recording and images
    • Payment data (e.g. IBAN)
    • Financial data (e.g. fees due)
    • Data relating to users’ activities carried out in the website

The optional, explicit and voluntary sending of an e-mail address, as well as the sending of messages to the addresses indicated on the site, and via the published collection forms, entails the subsequent acquisition of the sender’s address and any other personal data entered, necessary to reply to requests.  Specific summary information may be set out or displayed from time to time and where strictly necessary on the pages of the site set up for particular services on request. In addition to this, any further personal data (such as, for example, personal details, professional data, job title, company role, contact details such as company and/or personal phone number, e-mail address) provided to the data controller or otherwise collected by the data controller from third parties, shall be processed by the data controller in accordance with this notice and within the limits set by the GDPR.

NOTE ON MINORS: the owner does not process minors’ personal data and does not send them requests to communicate their personal data, as control and security systems are in place in this regard. The owner does not collect minors’ personal data, even if they visit the website (art. 12).

    • Browsing data: information relating to IP address, geographical location, browsing history, cookies stored on the device (the user can consult the Cookie Policy on the following page: https://agriturismolapromessa.it/cookie-policy-ue/).

The computer systems and software procedures used in this site acquire certain personal data whose transmission is implicit in the use of Internet communication protocols.  We do not collect this information in order to associate it with identified data subjects, but this information could allow users to be identified through processing and association with data held by third parties.  This category of data includes the IP addresses or domain names of computers used by users who connect to the website, the URI (Uniform Resource Identifier) notation addresses of the requested resources, the name of the internet service provider (ISP), browser types and parameters of the device used to connect to the website, the time of the requests, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters relating to the user’s operating system and computer environment.

The processing related to services of this site, as well as the processing that is carried out by the company for any other reason pursuant to this policy, takes place at the data controller’s premises and is carried out by internal technical personnel, appointed in written form pursuant to the GDPR, and/or by personnel external to the data controller’s organization, subject to appropriate written appointment as data processor, pursuant to Article 28 of the GDPR. All personal data are processed in both paper and, prevalently, electronic form. All personal data will be kept in a form that allows the identification of the user only for the time needed to achieve the purposes for which the data were originally collected and, in any case, within the limits of law. In accordance with the GDPR, specific security measures are observed to prevent data loss, unlawful or incorrect use and unauthorised access.

In order to ensure that personal data is always accurate, up-to-date, complete and relevant, we invite data subjects to report any changes to the following e-mail address: silvanobasconi@gmail.com.

Data will only be collected through communication by users or through the execution of contracts signed by users. It will not be collected or recorded through communication by third parties.

  1. Purposes of data processing
    Data is processed within the commercial, professional and/or collaborative relationship established and/or to be established, for the following purposes:
  A) fulfilment of both national and European legal obligations or regulations, as well as orders and dispositions of Public Authorities and/or Supervisory Bodies;
  B) performance of obligations arising from contracts concluded with users and/or fulfilment, prior to the conclusion of the contract, of specific requests received from the users themselves or of pre-contractual measures and/or obligations aimed at the establishment of the contract, as well as other activities connected with the performance and management of the relationship.

These are purposes through which tax obligations are discharged, information is acquired prior to the conclusion of a contract, fees due are processed and paid, information is communicated to public bodies, as well as to the tax administration, etc.

  C) exercise of the owner’s rights;
  D) only with specific consent for marketing purposes (sending e-mails, text messages, newsletters).

These marketing purposes may consist of promoting and offering products/services either by the owner or by third parties.

  1. Legal basis for the processing of personal data
    We indicate here below the legal basis for the processing for each of the purposes indicated above:
    • Fulfilment of legal obligations or regulations  for the purposes set out in point A) (Art. 6, paragraph 1, (c) GDPR);
    • Execution of the contract of which the user is part  for the purposes set out in point B) (Art. 6, paragraph 1, (b) GDPR);
    • Handling of activities necessary for the conclusion of a contract for the purposes under point B);
    • Exercise of the owner’s rights for the purposes of point C);
    • Express consent of the user for the purposes set out in point D) (Art. 6, paragraph 1, (a) GDPR).

With regard to the purposes under A), B) and C) of paragraph 3, the processing of data by the data controller, also with regard to their communication to the subjects referred to in paragraph 9 below, to the extent that such communication is functional to the pursuit of the relative purposes, does not require consent, given that the legal basis of processing is, respectively, the fulfilment of legal obligations or regulations (A), the performance of the contract of which the user is part and/or the management of activities necessary for the conclusion of a contract and/or the performance of pre-contractual obligations (B) and the exercise of the rights of the data controller (C).

If the data subject refuses to provide the necessary information, it will be impossible for the owner to continue the relationship with the data subject.

With regard to the purposes at point D), dissent may be expressed by the data subject who has the right not to consent, as well as to object at any time, to the performance of the expected processing operations by the owner, since the legal basis is the consent of the data subject. The only consequence of disagreement will be the inability of the interested party to make use of the relevant services, without this entailing any detrimental consequences. Consent may be revoked at any time without compromising the lawfulness of the processing of personal data carried out previously.

 

  1. Personal data processing methods
    Data are processed by manual, computerised and telematic means for the purposes outlined above and, in any case, in compliance with the necessary precautions, guarantees and measures prescribed by the reference legislation, aimed at ensuring the confidentiality, integrity and availability of the data, as well as at preventing damage, whether material or immaterial (e.g. loss of control of personal data or limitation of rights, discrimination, identity theft or usurpation, financial loss, unauthorised deciphering of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage). The processing of personal data carried out by the owner is not based on automated decision-making processes.
  1. Third parties to whom personal data are transmitted
    The company undertakes not to disclose, disseminate, transfer or share users’ personal data. Except for the above purposes, the company may disclose users’ personal data to the following third parties:
  1. Public bodies (economic and territorial), public administrations, social security and insurance institutions, supplementary pension funds and supplementary health funds;
  2. other companies of the group to which the company belongs or, in any case, parent companies, subsidiaries or associated companies within article 2359 of the Italian Civil Code (also located abroad);
  3. people involved in the prevention and protection of personnel from risks in the workplace, safety at work and the environment (e.g. Head of the Prevention and Protection Service);
  4. companies involved in personnel selection, training and development, employment agencies, employment offices;
  5. trade unions;
  6. people performing data acquisition and processing services;
  7. people who provide services for the management of the company’s computer system and telecommunications networks (including mailing services);
  8. people carrying out printing, enveloping, transmission, transport and sorting of communications;
  9. people performing documentation storage and data-entry activities;
  10. people who provide assistance to the company’s activities;
  11. professional firms or companies that work in the field of assistance and consultancy  (e.g. accountancy firms, law firms, etc.);
  12. people who carry out communication assistance and consultancy activities (e.g. market research aimed at detecting the degree of satisfaction of interested parties on the quality of the services and on activities carried out by the company, telemarketing, etc.);
  13. people performing outsourcing activities on behalf of the owner of the company as external data controllers.

People who belong to the above categories operate independently as separate data controllers or as data processors appointed for this purpose by the company, whose list, constantly updated, is published on the website https://www.agriturismolapromessa.it.

The data may also be known, in connection with the performance of assigned tasks, by the controller’s own staff, including interns, temporary workers, and consultants specifically authorised by the company to process the data. The data will be processed by the owner’s in-house staff authorised to process the data in accordance with instructions given in compliance with current privacy and data security regulations.

Personal data, in any case, will not be disclosed and, therefore, will not be brought to the knowledge of unspecified people in any form, e.g. by being made available or consulted.

  1. Transfer of data to non-EU countries/organisations
    No transfer of data to third countries outside the EU or to international organisations is planned within the scope of this contract.

However, it may be necessary to transfer personal data abroad or to countries and/or organisations outside the EU in order to pursue the above-mentioned purposes. Data transfer will guarantee a level of protection of your personal data that complies with the provisions established by the European Commission or with other appropriate safeguards, such as the Standard Contractual Clauses adopted by the European Commission.

  1. Period of storage and erasure of personal data
    As provided in art. 5 par. 1 letter e) of the Regulation, data will be stored in a form that allows the identification of the user for the period of time necessary to achieve the above-mentioned purposes for which they were collected and processed, in compliance with the principles of proportionality and necessity laid down in the legislation on the protection of personal data. The laws applicable to the activities and sectors in which the owner operates (e.g. anti-money laundering rules and rules governing the keeping of accounting records) are also taken into account in determining the storage period.

In any case, the initial failure to provide data will make it impossible for the company to continue the relationship.

Upon expiry of the terms thus established, users’ personal data will be deleted or converted into anonymous form, unless their further storage is necessary to fulfil legal obligations or to comply with orders issued by Public Authorities and/or Supervisory Bodies or for the time provided for by current accounting, tax, civil and procedural law.

  1. Rights of data subjects
    In relation to data processing described above, data subjects have the rights set out in art. 7, from 15 to 21 and 77 of the GDPR and in particular:
  1. Right of Access – art. 15 GDPR: the right to obtain confirmation as to whether or not personal data relating to users are being processed and, if so, to obtain access to that personal data, including a copy of them;
  2. Right to rectification – art. 16 GDPR: right to obtain, without undue delay, rectification of inaccurate personal data and supplement of incomplete personal data;
  3. Right to erasure (Right to be forgotten) – art. 17 GDPR: the right to obtain, without undue delay, the deletion of personal data concerning users, in those cases permitted by the Regulation;
  4. Right to restrict data processing – art. 18 GDPR: right to obtain the restriction of processing, when users contest the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such data, or when processing is unlawful and users object to the deletion of personal data and instead request that their use be restricted, or when personal data are necessary for users for the establishment, exercise or defense of a right in court, or when users object to processing pursuant to art. 21 GDPR, pending verification as to whether the legitimate reasons of the data controller prevail over those of the data subjects;
  5. Right to data portability – art. 20 GDPR: the right to receive, in a structured, commonly used and machine-readable format, the personal data provided to the controller, as well as the transmission of personal data to another data controller at any time, including upon termination of any relationship with the controller.
  6. Right to object – art. 21 GDPR: the right to object, at any time on grounds relating to the user’s particular situation, to the processing of personal data relating to them based on the lawful condition of legitimate interest or the performance of a task carried out in the public interest or in the exercise of official authority, including profiling, unless there are legitimate grounds for the controller to continue the processing that override the interests, rights and freedom of the user or for the establishment, exercise or defense of a legal claim.  Furthermore, this is the right to object at any time to the processing if personal data are processed for direct marketing purposes, including profiling, insofar as it is related to such direct marketing;
  7. Right to obtain communication, to recipients to whom personal data have been transmitted, of requests for rectification/deletion of personal data and restriction of processing received from the data subject, unless this proves impossible or involves an excessive effort;
  8. Right to withdraw – art. 7 GDPR: users have the right to revoke their consent at any time. Withdrawal of consent does not affect the lawfulness of data processing based on consent before withdrawal.

The Interested Party may also, at any time, exercise their rights by sending a registered mail with return receipt to the address of the data controller above or by e-mail to the pec address bssconi.silvano@pec.it.

The exercise of rights is free of charge pursuant to Article 12 GDPR. However, in the case of requests that are unfounded or excessive, also because of their repetitiveness, the controller may charge a reasonable fee for the administrative costs incurred in dealing with the data subject’s request, or refuse to comply with the data subject’s request.

The user also has the right to lodge a complaint with the Italian Data Protection Authority, located in Piazza Venezia, 11, 00187 Rome, as provided for in Article 77 of the Regulation, as well as to take legal action in accordance with Articles 78 and 79 of the Regulation.

  1. Protection of personal data
    The company is committed to providing an adequate level of personal data protection and to ensuring that appropriate technical and organisational security measures are taken to protect personal data (including by providing training and education to the personnel involved), from accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access, and from any other form of unlawful processing.

All personal data are stored on secure servers or archived hard copies or on those of the company’s suppliers and are accessible and usable according to the company’s security standards and policies or equivalent standards for suppliers.

In particular, the site uses data security technologies such as firewalls, access control procedures and cryptographic mechanisms to prevent any unauthorised access to the data, guaranteeing maximum confidentiality.

  1. Third Party Websites
    Third-party websites that can be accessed through this site are not covered by this policy and are governed by their own privacy policies. This policy does not apply to third parties’ websites. To find out how third parties process personal data, the user is advised to consult the privacy statements of all third party websites.
  1. Processing of personal data of minors
    The controller’s services are not intended for minors under the age of 18, and the controller does not deliberately collect personal information from minors.

In case information on minors is unintentionally recorded, we will delete it promptly at your request.

  1. Amendments to this Policy
    Should this become necessary as a result of any regulatory changes or as a result of the evolution of some of our services or the technologies used to provide them, it is hereby provided that changes and amendments to this document may be made exclusively by the company, in accordance with the specific regulations in force at the time of the change.

We will report any significant changes.

However, we invite each user to visit this page periodically to check that nothing has changed.

In case of a change in the purpose of data processing, we will notify you of this change as soon as possible and, where necessary, ask for your consent.

  1. Contact us
    Should users wish to request information from the company, ask any question on the protection of their personal data or exercise their rights under Article 7, they may contact us at the pec address bssconi.silvano@pec.it.