Website privacy and web shop services

INFORMATION ON THE PROCESSING OF PERSONAL DATA IN COMPLIANCE WITH ARTICLE 13 OF THE EU GENERAL DATA PROTECTION REGULATION (GDPR)
This information is provided in compliance with the provisions of Regulation (EU) 679/2016 (GDPR) and it describes the methods for processing the personal data of users who consult the websites of TurismoFVG (www.turismofvg.it) and PromoturismoFVG (www.promoturismo.fvg.it) and their various subsidiary websites.

THE DATA CONTROLLER
The data controller: PromoTurismoFVG
Registered office: via Locchi, 19 - 34123 Trieste
Operational and administrative headquarters: Via della Vecchia Filatura, 10 - 33035 Torreano di Martignacco (UD) Tel. 0039 0432 1697000
Marketing headquarters: Trieste Airport - Via Aquileia, 46 - 34077 Ronchi dei Legionari (GO) Tel. 0039 0431 387111
Freephone number: 800 016 044 / +39 0431 387130
Tax Code: IT01218220323 - Fiscal Code: 01218220323

THE DATA PROTECTION OFFICER (DPO)
The Data Controller has appointed a Data Protection Officer (DPO). Name and contact details are available on the following webpage.

THE TYPES OF DATA PROCESSED and THE PURPOSES OF THE PROCESSING
The personal data collected on these sites/apps and any other information associated with you, directly or indirectly, are processed in a lawful, correct and transparent manner for the purpose of providing the services that have been requested as well as responding to communications and requests from Users in compliance with EU Regulation number 679/2016 (GDPR) governing the protection of personal data.

Data related to website use
Specifically, the computer systems and software procedures used to operate these websites acquire, in the course of their normal operation, certain personal data which are transmitted implicitly in the use of Internet communication protocols and whose type and number vary according to the section of the websites that are accessed. This is information that is not collected to be associated with identified interested parties, but which by its very nature could, using processing and associations with data held by third parties, allow users to be identified. This category of data includes:
- the time of the request and the time users are present on the website
- the method used to submit a request to the server,
- the size of the file received in response,
- the numerical code indicating the status of the response given by the server (successful, error, etc.)
- the User's cookie consent status
- and other parameters relating to the User's operating system and computer environment identifiable within the cookie policy.
This data is used for the sole purpose of obtaining anonymous statistical information on the use of the website and to check its correct operation.

Data provided voluntarily by the User
Unless additional and specific information is provided during your navigation, the Data Controller informs you that the data you provide within the websites of TurismoFVG (www.turismofvg.it) and PromoturismoFVG (www.promoturismo.fvg.it), and any subsidiary websites/apps, are processed using IT tools and procedures, for the following purposes:
- enable and improve navigation on the various websites/apps and their various sections;
- technical management of website use (please refer to the specific information regarding cookies available on this webpage and the "modify consents" function in the footer of the TurismoFVG and PromoturismoFVG websites and any of their subsidiaries).

1. Registration and creation of a personal account, managing the reserved area, purchased products and services

In order to benefit from some of the functions provided within the websites/apps, the User is under the obligation of creating a personal account for the purpose of, for example, purchasing products and services, receiving information on news and events promoted by the Data Controller, maintaining control over the personal data uploaded onto the websites/apps and the preferences expressed, fulfilling legal obligations (for example, the issue of invoices, etc.), fulfilling the Data Controller's corporate administrative and accounting requirements, and processing requests submitted by the User. Specifically, the websites provide the following:

1.A) Purchasing ski passes at the ski facilities located in the Region of Friuli Venezia Giulia
In order to purchase ski passes, it is necessary to register a personal account within the dedicated platform, which requires the processing of a series of User identification data including: name, surname, date of birth, e-mail, address of residence, postal code, city and country for the purpose of inspecting the regularity of the purchase and use of the ski pass.
Additionally, the User is also requested to upload his/her identity document bearing his/her photograph. The Data Controller's staff may eventually request an additional up-to-date photograph of the User's face when necessary.
If the User purchases ski passes also for members of his/her family, the system is going to request the User to upload, in addition to the above information referring to the individual ski pass holder, the document certifying the family status of the User.

The legal basis for this processing is article 6, paragraph 1, letter B (performance of a contract or execution of pre-contractual measures taken at the request of the Data Subject) and C of the GDPR (fulfilment of legal obligations).

The retention of data acquired in order to use the ski pass is at least 10 years from the end of the validity of the ski pass.

2.A) Purchasing FVG Cards
This is a nominal digital card that entitles the holder to access affiliated facilities and benefit from special discounts.
In order to purchase an FVG Card it is necessary to register a personal account within the dedicated platform, which includes the processing of a series of user identification data including: first name, surname, e-mail, telephone, date of birth and country, fiscal code and any other individuals to whom the card is registered.

The legal basis for this processing is article 6, paragraph 1, letter B (performance of a contract or execution of pre-contractual measures taken at the request of the Data Subject) and C of the GDPR (fulfilment of legal obligations).

The retention of data acquired in order to use an FVG card is at least 10 years from the end of the validity of the FVG card (5 years).

2. Subscribing to the general newsletter using the specific form

All users, whether registered or not, have the option of subscribing to the Data Controller's newsletter service using the appropriate registration form on the website.
This service enables the User to receive exclusively informative material and communications that are in line with the User's interests as a result of features known as "Experience suggestion", which allows users to personalise the contents of the newsletter by selecting the topics they are interested in, therefore enabling them to receive relevant and appropriate content in relation to their preferences. (for example, events, mountains, culture, family, etc.).
The form prompts the User to enter his/her e-mail address (in order to complete the subscription process, it is necessary to click on the confirmation button inside the first e-mail sent), which is used by the Data Controller to send e-mails containing the various information according to the interests selected by the User.
In addition to the e-mail address, the personal identification data processed are as follows: first name, last name and country.

Subscribing to this service is optional and is based only on the consent of the User who completes the registration procedure (the legal basis is in compliance with article 6, paragraph 1, letter A of the GDPR).

The requested personal data is retained for the duration of the subscription to the service; the User is entitled to proceed to the cancellation or modification of consents and/or various preferences at any time by following the procedure in the footer of each communication received or by sending a specific request to the Data Controller.

3. Request for information using the specific

All users, whether registered or not, have the option of requesting information and/or expressing doubts or concerns using the dedicated "request for information" form available on the website.
Users are also informed that the data collected by filling in the form mentioned above are processed, both on paper and electronically, in order to allow the Data Controller to provide a response to your request, which may concern, for example, information on the various merchandising products, issues regarding the purchase of ski passes, requests regarding the various itineraries to be followed, etc.
Users are informed that for the purposes mentioned above and for other purposes the following data entered in the "information request" form are processed: name, surname, e-mail, telephone number (optional), country and the text of the message.

The legal basis of the processing for this activity is article 6, paragraph 1, letter b (performance of a contract or the execution of pre-contractual measures undertaken at the request of the Data Subject)

The personal data requested is only stored for as long as necessary to achieve the purposes for which it is collected.

4. Subscription to the "Training newsletter" using the specific form

All tour operators have the option of subscribing to the Data Controller's "Training newsletter " service using the specific registration form available on the website.
The website/app enables the User to exclusively receive information material and communications that are in line with his/her interests as a result of what is known as the "Experience suggestion" feature, which allows a tour operator subscribing to this service to personalise the contents of the newsletter by selecting the topics of his/her interest, therefore enabling him/her to receive relevant and appropriate content in relation to his/her preferences (for example, the possibility of subscribing to a course, local events, special offers and packages, etc.).
The form requests the user's e-mail address (to complete the registration process it is necessary to click on the confirmation button contained in the first e-mail that is sent) that is used by the Data Controller to send the e-mails with personalised content.
In addition to the e-mail address, the personal identification information that is processed is as follows: first name and surname, name of the structure/organisation/company, category of the organisation (optional), role/profession, telephone number (optional), municipality, province and region of origin.

Subscribing is optional and is based only on the consent of the User who completes the registration procedure (the legal basis is in compliance with article 6, paragraph 1, letter A of the GDPR).

The requested personal data is stored for as long as users subscribe to the service; in order to cancel or change consents and/or various preferences, it is necessary to follow the procedure in the footer of each communication received or alternatively users may decide to send a specific request to the Data Controller.

5. Registration to the "Digital Nomads" service using the specific form

An additional service which is only available when using the TurismoFVG website in English consists of the "Digital Nomads" form.
This is a service that allows digital nomads to register on the website mentioned above using the specific form in order to receive a series of benefits designed to improve their stay in the region of Friuli Venezia Giulia.
Specifically, this service allows the User to receive on his/her e-mail address a range of information regarding, for example: the FVG membership card, exclusive events, where to find working spaces and the possibility of becoming a "special ambassador".
In any case, for more information on this service, please refer to the "digital nomads" section of the website.
Users are informed that for the purposes mentioned above and for other purposes the information entered in the "Digital Nomads" form is processed. This information includes: first name, last name, e-mail, Country, date of birth, education level, job sector, name of the company for which the User is working remotely (optional), period of stay, date of arrival and departure (optional), the place where the User decides to stay.
In any case, users are invited to examine the specific form mentioned above in order to review any other data that may be subject to processing.

The legal basis of the processing for this activity is article 6, paragraph 1, letter b (performance of a contract or the execution of pre-contractual measures undertaken at the request of the Data Subject).

The requested personal data is stored for as long as users subscribe to the service; in order to cancel or change consents and/or various preferences, it is necessary to follow the procedure in the footer of each communication received or alternatively users may decide to send a specific request to the Data Controller.

For all processing related to the services 1-2-3-4-5 described above, it is stated that the data provided may be disclosed to the Data Controller's staff and collaborators and possibly to companies/systems and suppliers that process data in outsourcing on behalf of the Data Controller, in any case for the sole purpose of perfecting the activities requested and enabling the smooth operation of the services.
Some data may be processed by the Data Controller's technological partners for the only purpose of managing the technical/IT functions of the web service.

In any case, the data is never disseminated and is always stored within the territory of the EU until the User expressly requests the Data Controller to delete his/her account/personal data. In this case, however, it is possible that, in order to comply with specific regulatory obligations, it may not be possible to permanently delete all of the User's personal data on the Data Controller's systems.

Illustrated below are some specifications concerning the services/products that the User may access through the Data Controller's sites/apps:

Please note that, in order to benefit from some specific products and services that have been purchased by the User, it may be necessary for the Data Controller to issue and deliver a physical device (for example, a card). Delivery of the device may be free of charge or subject to payment of an additional fee. In any event, when purchasing services and products, the Data Controller undertakes to specify whether there are additional costs for the issue of the physical device. In the User's personal area, the identification data of the physical devices that have been issued and associated with the User's name are displayed.
For the purchase of the products and services mentioned above, Users are given a choice between the different payment methods provided by the Data Controller as indicated at the time of purchase.

Lastly, please note that by registering on the site/app and making purchases, the Data Controller may use the e-mail address provided by the User to send information material and communications, discount coupons and promotions, news and activities promoted by the Data Controller, unless the User expressly denies this option. These notifications are provided in compliance with article 130, paragraph 4, of Italian Legislative Decree Number 196/03, which prescribes that, unless the interested party expressly objects, it is possible for the Data Controller to send, by automated and non-automated tools, communications regarding "similar services" to the ones that have already been used. The User may object to such communications by contacting the Data Controller or the DPO using the contact details indicated above or by completing the cancellation procedure indicated at the bottom of each communication that is received (OPT - OUT). Users may also receive "questionnaires" concerning their satisfaction with the services they have received and suggestions for improvement. Participating in the questionnaire is optional and is permitted under article 6, paragraph 1, letter F of the GDPR (legitimate interest of the Data Controller).

THE RIGHTS OF DATA SUBJECTS
Users are always entitled to contact the Data Controller in order to claim the rights provided for in articles, 13, 15, 16, 17, 18, 20, 21, and 77 of EU Regulation 679/16, which are outlined below for convenience.

1) Right to withdraw consent (article 13): You are entitled to withdraw your consent at any time for all the processing operations for which the prerequisite of legitimacy is a declaration of Your consent. Specifically, the withdrawal of consent is valid for the processing of data performed for the purpose of sending advertising or direct sales material or for conducting market research or business communication activities for promotional purposes, including those performed in compliance with article 130, paragraph 4 of Italian Legislative Decree 196/03. Withdrawal of consent does not affect the legality of the processing that took place prior to the withdrawal of consent.

2) Right of access to data (article 15): You are entitled to request (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or are going to be disclosed, specifically if they are recipients from third countries or international organisations; (d) if possible, the period for which the personal data are planned to be stored or, if this is not possible, the criteria used to determine this retention period; (e) the existence of the Data Subject's right to request the Data Controller to amend or delete the personal data or to restrict the processing of personal data concerning the Data Subject or to object to their processing; (f) the right to lodge a complaint with a supervisory authority; (g) if the data are not collected from the Data Subject, all the available information relating to their origin; (h) the existence of an automated decision-making process, including profiling as referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information explaining the logic used and the importance and the envisaged consequences of such processing for the Data Subject. You are entitled to request a copy of the personal data which are being processed.

3) Right to rectification (article 16): You are entitled to request the rectification of inaccurate personal data relating to you and to obtain the integration of any incomplete personal data.

4) Right to be forgotten (article 17): You are entitled to have personal data concerning you deleted by the Data Controller if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if you withdraw your consent, if there is no overriding legitimate reason to proceed with profiling processing, if the data have been processed unlawfully, if there is a legal obligation to erase the data; if the data are related to web services provided to minors with no consent. Deletion of data is possible unless the right to freedom of expression and information prevails, the data are retained for the fulfilment of a legal obligation or the performance of a task undertaken in the public interest or the exercise of official authority, for reasons of public interest in the health sector, for archiving in the public interest, for scientific or historical research or statistical purposes, or the establishment, exercise or defence of legal claims.

5) Right to the restriction of processing (article 18): You are entitled to obtain from the Data Controller the restriction of processing when you have disputed the accuracy of your personal data (for the period necessary for the Data Controller to verify the accuracy of such personal data) or if the processing is unlawful, if it is necessary for the establishment, exercise or defence of legal claims.

6) Right to data portability (article 20): You are entitled to receive in a structured, commonly used and machine-readable format the personal data that relates to you and that you have provided to us. You are also entitled to transmit to a third party if the processing has been undertaken based on your consent, by contract and if the processing is effected by automated means unless the processing is necessary for the performance of a task carried out in the public interest or in connection with the exercise of official authority and such transmission does not violate the rights of a third party.

7) Right to lodge a complaint with the Data Protection Authority.

The execution of the rights referred to above is subject to the limits, rules and procedures provided for in the Rules and Regulations referred to above, which the User is required to know and implement. In compliance with the provisions of article 12, paragraph 3, the Data Controller undertakes to also supply the data subject with information relating to the action undertaken without unjustified delay and, in any case, no later than one month from receipt of the request. This period may be extended by two months, if necessary, taking into account the complexity and number of requests. The Data Controller is required to inform the Data Subject of this time extension, including the reasons for the extension, within one month of receipt of the request.

To exercise the rights referred to above, the Data Subject is entitled to use the form on this page to be submitted to the Data Controller, after it has been properly completed and undersigned.

DPO DATA Informativa videosorveglianza Operator privacy information Tourist privacy policy