The Site is the exclusive property of Enotria Viaggi S.r.l. with registered office in Piazza Europa n. 9, 87100 Cosenza (CS), Italy, registered in the Companies Register of Cosenza under n. CS – 246980, Tax Code and VAT number: 03613870785 (“Enotria”).
1. Information on the processing of personal data
Regulatory reference: Article 13 of Regulation (EU) No 679/2016 (“GDPR”)
In compliance with the GDPR, and in particular the provisions of art. 13, below you will be provided with information relating to the processing of your personal data so that you are aware of your rights and can protect them, as you are interested in the processing of your personal data.
2. Who is the Data Controller of your Personal Data? Which personal data does the Data Controller process about you?
Legal reference: (art. 13, paragraph 1, letter a, art. 15, letter b GDPR)
Enotria, in the person of its legal representative pro tempore, Eng. Carlo Stumpo, is the owner of the processing of personal data.
The Owner may be contacted by you for any request relating to the processing of your personal data at the address: firstname.lastname@example.org
The Data Controller processes the following personal data:
Personal data (name, surname, address, nationality, province and municipality of residence, fixed and/or mobile phone, fax, tax code, e-mail address(es)).
Bank details (Iban code and bank/postal details). The communication of such personal data to third parties takes place to allow the activities necessary for the proper performance of the relationship established and to meet the legal obligations related to the service requested. These data, therefore, will be stored in accordance with the terms provided by current legislation and / or national regulations, for the exclusive purpose of ensuring the specific fulfillment of certain services provided and, in any case, will be kept through the use of appropriate security measures specially prepared by the various third-party companies (banks and credit institutions, companies managing e-commerce payments, etc..) to preserve the confidentiality, integrity and availability of personal data of the customer / visitor and interested in the treatment.
With regard to this last category of data, we would like to inform you that Enotria has no availability and / or knowledge of the number of your credit card used, if any, economic transactions, in fact, are performed directly between the holder of the credit card and various credit institutions or banks, including through third companies that operate e-commerce payment platforms, without any kind of intervention or intermediation by Enotria.
Telematic traffic data (Log, IP address of origin).
Please note that the Owner does not treat the so-called “particulars” from art. 9 of the GDPR, namely personal data that may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, or genetic or biometric data that can uniquely identify a natural person, as well as data relating to health or sex life or sexual orientation of the person. If, for particular exceptional needs, you need to communicate particular preferences – or in any case where the service you request from Enotria requires – the processing of special data (e.g. preferences / food requirements relating to individuals suffering from coeliac disease, allergies, food intolerance or pharmaceutical/therapeutic needs etc.), you will be aware that at the time of communication of such data, you authorize and give your consent to the Owner about the processing of the same and contextual disclosure to third party providers of final services. This is because the collection and processing of such personal data is essential to provide the services requested as well as the provision of the service and / or the supply of the product requested. If the user concerned does not provide, or intends to revoke its consent to the processing of the necessary personal data requested (or already provided) by the Owner, acknowledges that the latter can not follow the processing related to the management of the services requested and / or the contract and services and products related to it, or the obligations that depend on them.
3. What are the Purposes of the Processing of Your Personal Data?
Legal reference: art. 13, paragraph 1 GDPR
The Data Controller processes your personal data in order to
perform the services referred to in the chosen contract and the products and services purchased on the Site;
to manage and execute the contact requests you submitted by filling out any forms on the Site;
registration and requests for contact and / or sending brochures and information material
to carry out the preliminary activities and consequent to the request for registration;
provide you with telephone and/or e-mail assistance;
the management of requests for information and contact and / or sending information material, as well as for the fulfillment of any other obligation arising;
the management of the contractual relationship
to comply with the legal and regulatory obligations to which the Holder is subject in relation to the activity carried out.
We would like to inform you that Enotria does not sell your personal data to third parties or use it for purposes other than those listed in points (i) to (viii) above.
Therefore, in the light of what has been explained in this paragraph, the processing of your personal data takes place substantially to carry out all the activities carried out in the process that leads to the provision of the service you requested, through the conclusion of the contract. That is, we refer to all preliminary activities and consequent to the purchase of products and services offered by Enotria for the management of the file, the provision of the service itself, the related billing and payment management, the treatment of any complaints and / or reports to the service and for the provision of assistance itself, for the prevention of fraud and for the fulfillment of any other obligation arising from the contract.
4. In which cases can the processing of your data be carried out even without your explicit consent and in which other cases is required in an unavoidable way?
The Owner, even without your explicit consent, may use your personal contact data communicated by you, for the purposes of
a) the tourist reservation;
b) the direct sale of its Services and/or Products related to those covered by the contract, unless the data subject expressly objects.
Otherwise, the Owner may also process your personal data for purposes of commercial promotion, surveys and market research with regard to the services and products that the Owner offers, only and exclusively if the data subject has given his explicit consent in this regard and does not object.
This last method of treatment can be done automatically, by sending a) e-mail, b) newsletter, c) sms or by telephone contact, and can be done if the user concerned has not revoked their consent to the use of data previously released. In the cases indicated in letter c) and therefore in the event that the processing is carried out through contact with a telephone operator, personal data will not be processed if the latter is registered in the register of oppositions referred to in Presidential Decree no. 178/2010.
The consent given by the interested party prior to the processing of his personal data is always revocable, freely and at any time, by writing an e-mail to the following address: email@example.com.
5. Guarantee of IT security
Normative references: art. 49; 33 GDPR;
The Owner, in compliance with art. 49 of the so-called GDPR, processes, also through its suppliers (third parties and/or recipients), the personal data of the user concerned relating to telematic traffic, to the extent strictly necessary and proportionate to ensure the security of networks and information, ie the ability of a network or an information system to withstand, at a given level of security, unforeseen events or unlawful or malicious acts that may compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted.
The Data Controller shall promptly notify the parties involved in the processing, in the event of a particular risk of a breach of their data, without prejudice to the obligations arising from the provisions of Article 33 of the so-called GDPR relating to notifications of breach of personal data to the competent supervisory authority.
Enotria processes such data in compliance with legal obligations and the legitimate interest of the Data Controller to carry out data processing for the purposes of protecting the company’s assets and the security of the Data Controller’s premises and systems.
6. So-called profiling and marketing activities
The personal data of the interested party may also be processed for profiling purposes (such as analysis of the data transmitted and the services and products chosen, propose advertising messages and/or commercial proposals in line with the choices made by the users themselves) only if the user concerned has given explicit and informed consent.
The profiling activity consists in the analysis of the travel preferences and market research of the Customer / Visitor, in order to improve the offer of services and commercial information presented by Enotria and making these offers more appropriate to the preferences of the Customer / Visitor. This activity may also be carried out through the administration of satisfaction questionnaires and/or the use of profiling cookies used when browsing our sites.
The consent given by the user concerned prior to the processing itself is always revocable, freely and at any time or through the management of consent by accessing your account and exercising your right to opt out, or simply by sending an e-mail to the following address firstname.lastname@example.org .
Processing for marketing purposes for both promotional and profiling activities may only take place on condition that the data subject has given his explicit consent.
However, it is always possible to ask the Owner to clarify the concrete legal basis of each treatment and in particular to specify whether the treatment is based on the law, provided for by a contract or necessary to conclude a contract.
7. Protection of minors
The services and products offered by the Owner are reserved for entities legally able, on the basis of the national legislation of reference, to conclude contractual obligations.
In fact, Enotria offers a service that can only be used by persons over the age of 18 (eighteen) years. The services offered by Enotria are intended only for persons over the age of 18 (eighteen) years. For persons under the age of 18 (eighteen) years, the use of our services is permitted only with the consent of parents or legal guardians. Enotria may, with parental or legal guardian consent, collect and use information from minors and in limited cases such as for a reservation or purchase of other travel-related services, or in other exceptional cases (e.g. family specific features). If Enotria becomes aware of the processing of data of persons under 18 (eighteen) years of age without the valid consent of a relative or legal guardian, it reserves the right to delete such data.
It should also be noted that personal data collected from persons under 16 years of age are only processed when this is necessary to ensure the proper use of the product / service required as a result of the conclusion of a contract to which the data subject is a party. It is therefore understood that such data will not be used in any way for further purposes unless necessary for the purpose mentioned above (by way of example and not limited to, may be used to ensure: insurance coverage of the child; reservations of flights, hotels or cruises).
If the legislation in force in other countries allows persons under eighteen years of age to be able to validly and effectively assume contractual obligations, the personal data of the user concerned will always be managed and processed for the performance of services relating to the contractual relationship between the parties and in compliance with the legal obligations imposed by the current GDPR.
In order to prevent unlawful access to its services, the Owner implements preventive measures to protect its legitimate interest, such as the control of the tax code and / or other checks, when necessary for the purchase of specific services and products, the correctness of the identification data of identity documents issued by the competent authorities.
8. Communication to third parties and categories of recipients
Normative references: art. 13, paragraph 1 GDPR
The communication of your personal data is mainly to partner companies and / or related to Enotria and / or third parties and / or recipients whose activities are necessary for the performance of activities relating to the relationship established and to meet certain legal obligations, such as purposes relating to administrative, accounting and related to the provision of contractual services, provision of services and products (assistance, provision of additional services) related to the provision requested.
It also takes place against:
credit and digital payment institutions, banking and postal institutions, in relation to the management of collections, payments, refunds related to the contractual service;
External professionals/consultants and companies in relation to the fulfillment of legal obligations, the exercise of rights, the protection of contractual rights and credit recovery;
Financial Administration, Public Bodies, Judicial Authorities, Supervisory and Control Authorities in relation to the fulfillment of legal obligations and the defense of rights; lists and registers kept by public Authorities or similar bodies on the basis of specific regulations, in relation to the contractual service provided;
Subjects formally delegated or with recognized legal title, such as legal representatives, trustees, guardians, etc..
Enotria requires its third party suppliers and any external data processors, duly appointed in writing, to comply with security measures equal to those adopted against the person concerned, limiting the scope of action of the Manager to processing related to the service requested.
We inform you that the Data Controller does not transfer your personal data to non-EU countries where the GDPR is not in force, unless specific indications to the contrary are given, for which you will be informed in advance and, if necessary, your explicit consent will be required.
Pursuant to Article 13(2)(e) of the GDPR, the collection and processing of personal data shall take place in so far as it is necessary for the performance of the services requested and for the provision of the service and/or the supply of the product requested. If the user concerned does not provide the personal data expressly provided for as necessary as requested by Enotria, the Owner may not proceed with the processing related to the management of the services requested and/or the contract and the services and products related to it, or the obligations that depend on them.
In the event that the concerned user does not give his consent to the processing of personal data for promotional, marketing and / or profiling purposes or in any case for purposes other than the provision of the requested service, said treatment will not take place for the same purposes, without this having effects on the provision of the requested services, nor for those for which the interested party has already given his consent, if requested.
In the event that the interested party has given his consent and should subsequently revoke it, or oppose the processing for commercial promotion activities, his data will no longer be processed for such activities, without this leading to consequences or detrimental effects for the user concerned and for the services requested.
9. Archiving and storage of personal data – Timing of storage of personal data
In accordance with art. 32 of the so-called GDPR, Enotria prepares the use of appropriate security measures to preserve the confidentiality, integrity and availability of personal data of the user concerned and imposes similar security measures on third-party suppliers and any external managers.
The personal data of the user concerned are stored in paper, computer and telematic files located in EU countries where the so-called GDPR is applied and, pursuant to art. 13, paragraph 2, letter a of the so-called GDPR, unless he explicitly expresses his willingness to remove them, his personal data will be kept as long as they are necessary with respect to the legitimate purposes for which they were collected.
In particular, they will be kept for the entire duration of your registration and, in any case, no longer than a maximum period of 12 (twelve) months of inactivity, or if, within this period, they are not associated with the services and / or purchased products through the same registry.
In the case of data provided to the Owner for purposes of commercial promotion for services other than those already acquired by the person concerned, for which initially the latter has given consent, will be kept for 24 (twenty-four) months, unless revoked consent given.
In the case of data supplied to the Data Controller for profiling purposes, these will be kept for 12 (twelve) months, unless the consent given is always revoked.
In the event that a Customer / Visitor forwards to Enotria personal data not requested or not necessary to perform the service requested, or the provision of a service closely related to it, Enotria can not be considered the owner of these data, and will delete them as soon as possible.
All personal data, therefore, will in any case be stored in accordance with the terms provided by current legislation and / or national regulations, through the use of specific databases adequately protected, for the exclusive purpose of ensuring the specific fulfillment, proper to some services provided.
Personal data will in any case be kept for the fulfillment of obligations (e.g. tax and accounting) that remain even after the termination of the contract (pursuant to art. 2220 c.c.); for these purposes, the Owner will keep only the data necessary for its prosecution.
If a judgment is instituted regarding the rights deriving from the contract, the personal data of the interested party, exclusively those necessary for the judicial purposes, will be processed for the time necessary for their prosecution.
10. Rights of the user concerned
Regulatory references: Articles 15 to 20 GDPR
In accordance with Articles 15 – 20 of the so-called GDPR, the person concerned has the right to obtain from the Data Controller:
confirmation that or not personal data concerning him are being processed and, if so, to obtain: access to personal data and information relating to the purposes of processing; the categories of personal data in question; the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly if recipients from third countries or international organizations; where possible, the period of retention of personal data provided for or, if this is not possible, the criteria used to determine this period; the existence of the right of the person concerned to request the data controller to correct or delete personal data or to limit the processing of personal data concerning him or to oppose their processing; the right to lodge a complaint with a supervisory authority; where data are not collected from the data subject, all available information on their origin; the existence of an automated decision-making process, including profiling, and, at least in such cases, significant information on the logic used and the importance and expected consequences of such processing for the data subject; the appropriate safeguards provided by the third country (non-EU) or international data protection organization if transferred;
the right to obtain a copy of the personal data being processed, provided that this right does not infringe the rights and freedoms of others; In the event of further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs;
the right to obtain from the Controller the rectification of inaccurate personal data concerning him without undue delay;
the right to obtain from the Data Controller the deletion of personal data relating to him without undue delay, if the grounds set out in Article 17 of the GDPR exist, including, for example, if they are no longer necessary for the purposes of the processing or if the processing is unlawful, and if the conditions laid down by law are met; and in any event if the processing is not justified by another equally legitimate reason;
the right to obtain from the Data Controller the limitation of the processing, in the cases provided for in Article 18 of the GDPR, for example where the data subject has contested its accuracy, for the period necessary for the Data Controller to verify its accuracy. The data subject must also be informed, within a reasonable time, when the period of suspension has come to an end or when the cause of the restriction on processing has ceased to exist, and thus the restriction itself has been lifted;
the right to receive in a structured, commonly used and machine-readable format personal data relating to him and the right to transmit such data to another Controller without hindrance by the Controller of the processing to which he has supplied them, in the cases provided for in Article 20 of the GDPR, and the right to obtain the direct transmission of personal data from one Controller to another, if technically feasible.
In order to ensure that the above rights are exercised by the Interested Party and not by unauthorized third parties, the Holder may request the Interested Party to provide any additional information necessary for the purpose.
You can exercise your rights under this paragraph, from letter. A to letter. F you can contact the owner by writing to the following address: email@example.com.
Pursuant to art. 21 of the so-called GDPR, the user concerned, for reasons relating to his or her particular situation, may at any time object to the processing of his or her personal data if it is based on his or her legitimate interest or if it takes place in connection with commercial promotion activities, by sending the request to the Data Controller at the above e-mail address.
We inform you that you have the right to the cancellation of your personal data if there is no overriding legitimate reason of the Owner over the one that gave rise to the request, and in any case if you have exercised this right in order to oppose the processing for commercial promotion activities.
We also inform you that, pursuant to art. 15 of the GDPR, without prejudice to any other administrative or judicial action, you may submit a complaint to the competent Control Authority on Italian territory (Guarantor Authority for the Protection of Personal Data) or to the one that performs its duties and exercises its powers in the Member State where the violation of the GDPR occurred.
Please consult this page regularly, referring to the date of the last change indicated at the bottom of this page. If the changes involve treatments whose legal basis is the consent, the Owner will collect again the consent of the person concerned, if necessary.
12. Which personal data will be processed for the purposes of communications that take place via Certified Electronic Mail (PEC)?
Legal references: art. 13, paragraph 1 letter a, art. 15, letter b GDPR.
The category of data processed by Enotria through communications via certified e-mail includes personal data (e.g. copy of identity document and tax code) and data traffic data from the LOG of PEC messages. As required by current industry regulations, the personal data of the user concerned will be kept for the duration of his registration and, in any case, no longer than a maximum period of 12 (twelve) months of inactivity, or if, within this period, are not associated with the services and / or purchased products through the same registry.
The data of telematic traffic given by the LOG of PEC messages will be kept for a maximum period of 30 (thirty) months from the date of receipt of the PEC message.