INFORMATION ON THE PROCESSING OF PERSONAL DATA OF USERS CONSULTING THE WEBSITE PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679
Pursuant to Regulation (EU) 2016/679 (hereinafter the “Regulation”), information is provided below regarding the processing of personal data of users consulting the institutional website of the Ministry of Tourism (hereinafter “MiTur” or “Ministry” or the “Owner”) and taking advantage of the services made available, accessible via telematic tools at the following address:
The information provided does not concern other sites, pages or online services that can be reached via hypertext links that may be published, but which refer to resources outside the Controller’s domain.
Following consultation of the website, data relating to identified or identifiable natural persons may be processed.
The Data Controller is CO.ME.A. Industrial Technologies, with head office in Via Appia 11, 04028 Scauri – LT – Italy.
Data Protection Officer
Pursuant to Article 37 of the Regulation, the Data Protection Officer (RDP or DPO) can be reached at the following address: firstname.lastname@example.org
Types of personal data
The Data Controller processes the following personal data of the data subject: first name, last name, e-mail address, photo, optional telephone number (hereinafter the “Data”).
These data shall be provided by the data subject who decides to create an account.
The Data Controller processes the location data of users, subject to their authorization, in order to enable users to view activities/attractions/places near their location and related to the interests they stated during registration and to show results close to their location when using booking services.
In addition, the Data Controller may process user location data in order to provide the best possible experience of browsing the web portal and to make suggestions or recommendations in line with their detected location and to send custom promotional communications.
To use this type of feature, users must allow the website to use their location data and they can revoke this permission directly from the settings of the browser being used.
Each time the user accesses the Website, the Data Controller will collect and process the following data:
- Technical information such as, but not limited to, IP address, login information, browser and operating system used;
- Information about the visit to the Website, including URI/URL (Uniform Resource Identifier/Locator) notation addresses of the requested pages, information about the interaction on the website;
Purpose of the treatment and legal
The data subject’s data are processed for the following purposes:
- to allow the user to access the website and use the services it provides through a registration procedure in order to create the account and authentication credentials which, after login, enable saving the viewed content as favourites in their account. The legal basis is identified in Art. 6, par. 1, point B) of the Regulation ([…] the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject). The provision of personal data for this purpose is optional, but failure to provide such data will make it impossible to activate or provide the services requested by the user.
- to fulfil the legal obligations to which the Data Controller is subject. The legal basis is identified in Art. 6, par. 1, point c) of the Regulation.
- for the sending of promotional communications and newsletters by the Ministry through remote communication tools, such as e-mail (hereinafter “Direct Marketing purposes”); the legal basis is identified in Art. 6, par. 1, point A), of the Regulation ([…] the data subject has given their consent to the processing of their personal data for one or more specific purposes).
- for the sending by Partners of the Ministry, to whom the Data will be communicated, of promotional communications through remote communication tools (hereinafter “Purposes of Outbound Marketing by third parties”); the legal basis is identified in Art. 6, par. 1, point A), of the Regulation ([…] the data subject has given their consent to the processing of their personal data for one or more specific purposes).
- for profiling the Data Subject in order to make the above-mentioned promotional communications and the browsing experience of the web portal better focused on the needs, habits and interests of the Data Subjects, based on the content displayed and the location data (if the user has given their authorization) and the information provided at the time of registration (hereinafter “Profiling Purposes”); the legal basis is identified in Art. 6, par. 1, point A), of the Regulation ([…] the data subject has given their consent to the processing of their personal data for one or more specific purposes).
- for the user’s location (hereinafter “Localization Purposes”): the legal basis is based on Art. 6, par. 1, point A), of the Regulation ([…] the data subject has given their consent to the processing of their personal data for one or more specific purposes).
In addition, specifically for the booking services, the data are processed – subject to the italia.it Service Partner sharing the booking data – for purposes of statistics on the service and to allow non-registered users to receive an invitation to register on the italia.it portal at the e-mail address communicated when booking. The legal basis is set out in Art. 6, par. 1, point A), of the Regulation ([…] the data subject has given their consent to the processing of their personal data for one or more specific purposes).
At any time, the Data Subject may revoke any consents given in the manner described at the end of this privacy notice.
Communication of data to possible recipients
The user’s personal data may be accessed or communicated, in compliance with the regulations in force and the purposes described above, to subjects appointed by the Ministry to carry out services of various kinds such as, by way of example, the maintenance of computer systems and to measure the quality of the service. Therefore, the Ministry shall designate such entities as Data Processors pursuant to Article 28 of the Regulation, from among those that present sufficient guarantees to implement adequate technical and organisational measures so that processing meets the requirements of the Regulation and ensure the protection of the rights of data subjects.
Personal data may also be disclosed to other entities or public administrations if this is necessary to comply with a legal obligation.
Personal data will be processed within the borders of the European Union.
The retention time of users’ personal data is limited to the period during which the user’s account is active; concerning newsletters, personal data is retained until the user revokes his or her consent.
This is without prejudice to the case in which the Ministry retains such data to ascertain, exercise or defend one of its rights in court.
Thereafter, all data will be permanently deleted or anonymised.
Rights of the data subject
The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him/her are being processed and, if so, to obtain access to the personal data and to the following information on the processing: the categories of personal data; the recipients or categories of recipients to whom the personal data have been or will be communicated (including recipients in third countries or international organisations); the expected period of storage of the personal data or, if this is not possible, the criteria used to determine this period; the origin of the personal data where not collected from the data subject; and the existence of an automated decision-making process, including profiling, and information on the logic used.
In addition, the data subject has the right, where applicable, to obtain:
- Correction of inaccurate personal data,
- Integration of incomplete personal data,
- Deletion (right to be forgotten),
- Limitation of the processing of personal data (in which case, the data are processed only with the consent of the data subject, except for the necessary storage of the same and in the other cases permitted by the applicable legislation),
- Portability of data, including transmitting the data subject’s personal data from one Data Controller to another, where technically feasible,
- Opposition to their processing.
Such requests should be addressed to the Data Controller, using the contact details provided by the latter in this notice or at email@example.com.
The same e-mail address can be used to request cancellation of the account or to stop receiving newsletters.
In addition, in the event of a personal data breach likely to present a high risk to the rights and freedoms of the data subject, the Data Controller shall notify the data subject of the breach without undue delay, pursuant to Article 34 par.1 of the Regulation.
Right of complaint
Should the data subject consider that the processing of personal data carried out through this website is in breach of the provisions of the Regulation, he/she is entitled to lodge a complaint with the Data Protection Authority pursuant to Article 77 of the Regulation itself, or to take legal action (Article 79 of the Regulation).