The Tour Operator based in Turin, Corso Re Umberto 12 - 10121 Turin - 011-03631594 Mail info@siramani.it in the person of its data controller Mr. Ragusa Alessandro protects the confidentiality of personal data and guarantees to them the necessary protection from any event that could put them at risk of violation. As required by the European Union Regulation no. 679/2016 ("GDPR"), and in particular to the art. 13, HERE BELONGING TO THE US User concerned the information required by law regarding the processing of their personal data SECTION I - the purposes The data are used by the Data Controller to follow the registration request and the contract for the provision of the chosen Service. / o of the purchased tourist product, manage and execute the contact requests sent by the interested party, provide assistance, comply with the regulatory and legal obligations to which the Data Controller is held according to the activity carried out. In no case does our Agency resell the personal data of the Data Subject to any third parties or use them for undeclared purposes. In particular, the data of the interested party will be processed for: a) registration and contact requests and / or informative material The processing of personal data of the interested party takes place to start the preliminary activities and consequent to the registration request. , management of requests for information and contact and / or sending information material, as well as for the fulfillment of any other obligations arising b) the management of the contractual relationship The processing of personal data of the interested party takes place to carry out activities preliminary and consequent to the purchase of a Service and / or a Product, the management of the related order, the provision of the Service itself and / or the production and / or shipment of the Product purchased, the related invoicing and the management of the payment , the handling of complaints and / or reports to the assistance service and the provision of the assistance, the prevention of fraud as well as the compliance of any other obligation deriving from the contract. c) Legitimate interests pursued by the data controller or third parties Your data are processed on the basis of legitimate interests; the processing of the information will be fair and will respect the principles of protection of personal data provided for by the regulations in force GDPR679 / 2016. d) promotional activities on Services / Products similar to those purchased by the interested party (Recital 47 GDPR) The Data Controller, even without his explicit consent, may use the contact details provided by the Interested Party, for direct sales purposes. own Services / Products, limited to the case in which the Services / Products are similar to those sold, unless the interested party explicitly objects. e) Marketing - business promotion activities on Services / Products different from those purchased by the interested party. The personal data of the interested party may also be processed for commercial promotion purposes, for surveys and market research with regard to Services / Products that the Data Controller offers only if the Data Subject has authorized the processing and does not object to this. This treatment can be done automatically by e-mail; - sms; - telephone contact; letter e can be carried out: 1. if the interested party has not revoked his consent for the use of the data; 2. if, in the event that the processing takes place through contact with the telephone operator, the interested party is not registered in the register of oppositions referred to in the D.P.R. n. 178/2010; The business partners belong to the following product categories: a. receptive activities in direct form and / or through OLTAs or platforms; b. airlines / shipping companies; rail carriers; vectors on rubber; c. travel agencies, tour operators, events and events companies, and networks; d. insurance. f) computer security The Data Controller, in line with the provisions of Recital 49 of the GDPR, treats, also through its suppliers (third parties and / or recipients), the personal data of the interested party relating to traffic to a strictly necessary and proportionate extent to ensure network and information security, ie the ability of a network or information system to resist, at a given level of security, unforeseen events or illicit or malicious acts that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted. The Data Controller will promptly inform the Interested parties, if there is a particular risk of violation of their data without prejudice to the obligations arising from the provisions of art. 33 of the GDPR concerning notifications of violation of personal data. g) profiling The personal data of the interested party may also be processed for profiling purposes (such as analysis of the transmitted data and the selected Services / Products, propose advertising messages and / or commercial proposals in line with the choices expressed by the users themselves) in the event that the interested party has provided an explicit and informed consent. The Services / Products offered by the Data Controller are reserved to subjects legally able, on the basis of the national reference legislation, to conclude contractual obligations. In order to prevent unlawful access to its services, the Data Controller implements prevention measures to protect its legitimate interest, such as the correctness of the identification data of the identity documents issued by the competent authorities, the control of the tax code and / or other checks, when necessary for specific Services / Products, i) fraud prevention (recital 47 and article 22 GDPR) only if online payments are present: the personal data of the interested party, with the exception of the particular ones (Art 9 GDPR) o judicial (Art 10 GDPR) will be: - processed to allow controls for the purpose of monitoring and preventing fraudulent payments, by software systems that perform an automated check and preliminary to the negotiation of Services / Products; exceeding these checks with a negative result will make it impossible to carry out the transaction; - the interested party may in any case express his opinion, obtain an explanation or contest the decision motivating his reasons for the Customer Assistance service - personal data collected for fraud purposes only, unlike the data necessary for the correct execution of the service request, they will be immediately canceled at the end of the control phases. SECTION II - Legal basis of the treatments: points a b c: it is the fulfillment of the services inherent in the contractual relationship and the respect of mandatory legal obligations. points d - e-g: is the consent given by the interested party before the treatment itself, which can be revoked by the interested party freely and at any time (see Section III) points f- i: compliance with legal obligations and legitimate interest of the owner to carry out processing related to purposes of protection of corporate assets and security of the sites and systems applied in point h: consent for consent for minors 16 years issued by those who exercise parental authority in accordance with current legislation. SECTION III - Communication to third parties and categories of recipients (Article 13, paragraph 1 of the GDPR) Communication of personal data of the interested party takes place mainly with regard to third parties and / or recipients whose activity is necessary for the performance of activities inherent to the relationship established for the supply and management of the selected tourism product and to meet certain legal obligations, such as: Third-party suppliers: for purposes such as provision of services (assistance, maintenance, delivery / shipment of products, provision of additional services, providers of electronic communications networks and services, insurance) connected to the requested service Formally delegated subjects or with recognized legal title: port authorities, airport, customs, border, Legal representatives, curators, guardians, etc. Credit institutions: for purposes such as management of collections, payments, reimbursements related to the professional service contract external consultants and consultancy companies: for purposes such as the fulfillment of legal obligations, the exercise of rights, protection of contractual rights, the recovery of the accountant credit: for purposes such as administrative, accounting and contractual obligations, on the basis of the regulations in force and labor consultants for administrative, accounting and contractual obligations pursuant to the applicable law on financial administration, public bodies, judicial authorities, supervisory authorities and supervisory authorities: mandatory legal obligations ATTENTION: The Data Controller requires strict compliance with the Third-Party Suppliers and the Data Processors with respect to security measures equal to those adopted towards the Data Subject, restricting the Manager's scope of action to the treatments related to the requested service. The Data Controller does not transfer your personal data to countries where GDPR (non-EU countries) is not applied, unless there are specific indications to the contrary for which it will be informed in advance and, if necessary, your consent will be requested. The legal basis of these treatments is the fulfillment of the services inherent to the relationship established, compliance with the obligations of the law and the legitimate interest of our Travel to make treatments necessary for these purposes. Failure of the data subject to identify his / her data identified as necessary for the execution of the requested service (Article 13, paragraph 2, letter and GDPR) The provision of personal and / or sensitive data is not compulsory , but any refusal could make the provision of the services you requested impossible or extremely difficult. The collection of data is only aimed at the good and proper management of the trip or tourism product requested by the passenger to our Travel Agency. Lack of authorization or lack of consent to the processing of personal data for commercial promotion activities on Services / Products different from those purchased In the event that the interested party does not consent to the processing of personal data for such purposes, said processing will not take place for the same purposes, without this having effects on the provision of the services requested, or for those for which he has already given his consent, if required. In the event that the interested party has given consent and should subsequently withdraw or oppose the treatment for commercial promotion activities, his data will no longer be processed for such activities, without this having consequences or detrimental effects for the interested party and for the requested services Data processing of the data subject The Data Controller uses appropriate security measures in order to preserve the confidentiality, integrity and availability of the data subject of the interested party and explicitly requests third-party suppliers and similar measures managers safety. Where the data of the interested party are stored The personal data of the interested party are kept in paper, computerized and electronic archives at our headquarters, paper files, at the headquarters of the service providers and / or touristic products; computerized and telematic located in countries where the GDPR (EU countries) is applied; at any intercontinental ticket office depending on the International Reference Company and / or Low Cost. Estimated retention time of the data of the interested party The legal basis of the treatment imposes specific retention times, which will be respected, for the sole purpose of guaranteeing specific fulfillments, of some Services Supplies, for the fulfillment of obligations (which remain after the termination of the contract (Article 2220 of the Civil Code), for these purposes the Holder will retain only the data necessary for the relative prosecution, unless the interested party expressly expresses their intention to remove them, by means of appropriate communication, the personal data of the interested party will be kept until they are necessary with respect to the legitimate purposes for which they were collected .data registration: kept for the entire duration of his registration and in any case within maximum 18 months from the date of acceptance and consent or specific consent: retained for a period of 36 months unless new services are purchased, in which case the expiry date will start again from the last service contract service assistance: stored for up to 6 months after the expiry of the contract, assistance or services required for direct marketing: 36 months from the date of acceptance and profiling consent: kept for 18 months SECTION IV - Rights of the interested party According to art. 15 (right of access) and Article 16 (right of rectification) of EU Reg. 2016/679 the interested party has the right to obtain from the data controller confirmation that personal data is being processed or not. and in this case, to obtain access to personal data and the following information: a) the purposes of the processing; b) the categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations; d) the retention period of the personal data provided or, if not possible, the criteria used to determine this period; e) the existence of the right of the interested party to request the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment; f) the right to lodge a complaint with a supervisory authority; h) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject. - Right pursuant to art. 17 of Reg. UE 2016/679 the interested party has the right to obtain from the data controller confirmation that it is or is not undergoing treatment of personal data concerning him and in this case, to obtain access to personal data and following information: a) the purposes of the processing; b) the categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations; d) the retention period of the personal data provided or, if not possible, the criteria used to determine this period; e) the existence of the right of the interested party to request the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment; f) the right to lodge a complaint with a supervisory authority; h) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject. - Right pursuant to art. 17 of EU Reg. 2016/679 - right to cancel ("right to be forgotten") The data subject has the right to obtain from the Data Controller the deletion of personal data concerning him / her and the Data Controller is obliged to cancel without personal undue delay, if one of the following reasons exists: a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; (b) the data subject revokes the consent on which the processing is based in accordance with Article 6 (1) (a) or Article 9 (2) (a) and whether there is no other legal basis for the processing ; (c) the data subject objects to the processing pursuant to Article 21 (1), and there is no legitimate overriding reason to proceed with the processing, or is opposed to the processing of the data
pursuant to Article 21 (2); d) personal data have been processed unlawfully; e) personal data must be deleted to fulfill a legal obligation under Union or Member State law to which the controller is subject; f) personal data have been collected in relation to the offer of information society services of which
Article 8, paragraph 1 of EU Reg. 2016/679 - Right referred to in art. 18 - Right of processing limitation The interested party has the right to obtain from the Data Controller the processing limitation when one of the following hypotheses occurs: a) the interested party disputes the accuracy of personal data, for the period necessary to the holder of the treatment to verify the accuracy of such personal data; b) the processing is illegal and the interested party opposes the cancellation of personal data and asks instead that its use is limited; c) although the data controller no longer needs it for processing purposes, personal data are necessary for the data subject to verify, exercise or defend a right in court; (d) the data subject has opposed the processing pursuant to Article 21 (1) of the EU Regual 2016/679 pending
the verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party. - Right pursuant to Article 20 - Right to data portability The data subject has the right to receive, in a structured, commonly used and automatically readable form, personal data concerning him / her provided to a data controller and has the right to transmit such data to another data controller without impediments by the previous data controller To exercise these rights can send communication by mail to info@siramani.it