Information pursuant to Articles 13 and 14 of EU Regulation 679/2016

This page represents the “Privacy Policy” for this site and is intended to provide information on how the personal data of users who visit the site and make use of the services it provides will be processed, in addition to providing the information required by Articles 13 and 14 of EU Regulation 2016/679.

This information has been provided exclusively for this site and no other websites consulted by the user through the links present in the pages of this website.

EU regulation 679/2016, concerning the protection of personal data (hereinafter the “Regulation”), establishes standards relating to the protection of individuals with regard to the processing of their personal data, in addition to standards regarding to the free circulation of this data and protects the fundamental rights and liberties of individuals, with particular regard to the right to the protection of their personal data.

Article 4 no. 1 of the Regulation stipulates that “Personal Data” is to be understood as any information that may concern an identified or identifiable individual (hereinafter the “Data Subject”).

“Processing” is to be understood as the operation of complex of operations, performed with or without the assistance of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, registration, organisation, structuring, preservation, adaptation or amendment, extraction, consultation, use, transmission, dissemination or any other form of disclosure, comparison or interconnection, restriction, deletion or destruction (Article 4 no. 2 of the Regulation).

Pursuant to Articles 12 and following, it also stipulates that the Data Subject must be made aware of the appropriate information relating to the Processing activities to be performed by the Data Controller and of the rights of the Data subjects.

Data Controller

Aquaclub Valle del Chiese | E.S.CO BIM - Comuni del Chiese
Via Oreste Baratieri n° 11, 38083 BORGO CHIESE (TN)
C.F./P.IVA 02126520226

Data Protection Officer

The Data Protection Officer appointed by the Data Controller may be contacted in the following methods:
email: dpo@rpdprivacy.it
PEC email: dpoprivacy@pec.it 

Purposes of processing and legal basis for processing

The user’s personal data will be processed in pursuit of purposes and on the legal basis indicated below:

1. for the conclusion and correct execution of the contract in which the Data Subject is one of the Parties, or the execution of precontractual measures adopted on their request, for requested information and/or services/products, including subscriptions to newsletters; also for the purposes of responding to requests sent by the Data Subject (information/products/services/subscription to newsletters); the legal basis for the processing listed is represented by Article 6 paragraph 1 letter b) of EU Regulation 679/2016;
2. to send, periodically, commercial communications concerning services, products and activities offered by the Data Controller using remote technologies (mail, telephone, SMS, WhatsApp); the legal basis is represented by consent as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
3. to send, periodically, commercial communications concerning services, products and activities offered by the partners and sponsors of the Data Controller via remote technologies (mail, telephone, SMS, WhatsApp); the legal basis is represented by consent as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
4. to carry out retargeting activities and/or the use of email to exploit social media profiles (Facebook, Instagram) for personalised marketing campaigns; the legal basis for which is represented by the consent as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
5. to send commercial and promotional information concerning the sale of our products/services, of the same type as those previously purchased by the Data Subject, unless processing is refused by them, enforceable at all times; the legal basis for this type of processing is represented by the legitimate interest of the Controller as stipulated by Article 6 paragraph 1 letter f);
6. to carry out market research in order to develop and improve the range of products services and activities offered by the Controller and their partners; the legal basis for this is represented by consent, as provided for by Article 6 paragraph 1 letter a) of EU Regulation 679/2016;
7. to respond to requests sent by the user by mail and/or forms present on the website; the legal basis for the listed processing is represented by Article 6 paragraph 1 letter b) of EU Regulation 679/2016;
8. to make navigating the site functional and possible, as well as ensuring that it has an adequate degree of availability; the legal basis for this type of processing in represented by the legitimate interests of the Controller as provided for by Article 6 paragraph 1 letter f);
9. the analysis of statistical data on aggregated or anonymous data for the purpose of monitoring that the site, traffic usability and interest is functioning correctly; the legal basis for this type of processing is represented by the legitimate interest of the Controller, as stipulated by Article 6, paragraph 1 letter f);
10. to ascertain, exercise or defend a right in court; the legal basis for this type of processing is represented by the legitimate interests of the Controller, as provided for by Article 6 paragraph 1, letter f);
11. to fulfill the obligations stipulated by law, regulations or EU legislation or by an order of the Authority to which the Data Controller is subject; the legal basis for this type of treatment is the fulfillment of the legal obligation as provided for by art.6, paragraph 1, letter c);

Type of Data

The Data necessary for the pursuit of the objectives described above will be collected and processed:

• identifying data
• contact information
• data relating to the contractual relationship
• data relating to the preferences and interests of the Data Subject

Navigation Data

Computer systems and software processes responsible for the functioning of this website will acquire certain personal data in the course of their normal use, for which transmission is implied when using internet communication protocols.

This concerns information that is not collected in order for it to be associated to identified Data Subjects, but which due to their same nature could, through processing and association with data held by third parties, enables users to be identified.

Falling into this category is data such as the IP addresses or domain names of the computers used by users visiting the site, addresses in the URI (Uniform Resource Identifier) notation of the requested resources, the time requested, the method used to make the request to the server, the size of the file received in response, the numeric code indicating the status of the response given by the server falls into this category (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment.

This data is used exclusively to pull anonymous statistical information concerning the use of the site and to monitor that it is functioning correctly and is immediately deleted after processing.

The data could be used to ascertain liability in the event of hypothetical cyber crimes against the site.

Refusal to Provide Data

Apart from what is specified for the navigation data, user/visitors are free to provide their own personal data. The provision of Data is required in some cases, as any refusal to provide it could lead to a failure to conclude, or the incorrect fulfilment of the contract of which the Data Subject is a party and/or a failure to comply with legal obligations that the Controller is subject to.

The provision of Data for processing requiring consent is optional, failure to provide it will not lead to users being unable to benefit from the products/services offered by the Controller. Even in the event where consent is provided, the Data Subject will in any case be entitled to subsequently object, fully or in part, to the processing of their personal data for the above purposes, simply by making a request to the Controller at the above contact details.

Sources of Data

Data will be provided by the Data Subject or collected from third parties.

Data Processing Methods

With reference to the provisions of Article 5 of the regulation, the Personal Data subject to processing will be:

1. processed in compliance with the law, correctly and transparently in relation to the Data Subject;
2. collected and recorded for the established purposes, explicitly and legitimately, and subsequently processed in terms that are compatible with this purpose;
3. suitable, pertinent and limited to what is necessary in relation to the purposes for which it has been processed;
4.  accurate and, if necessary, updated;
5. processed in a manner that ensures an adequate level of security;
6. stored in a form that enables the identification of the Data Subject for a period of time no longer than required for the purpose for which it being processed.

Processing will be carried out using both manual and/or computerised and electronic methods using organisational and processing logic strictly related to the purpose itself and in any case in such a way that guarantees the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures stipulated by the provisions in effect.

Communication of Data

Personal Data may be communicated to parties authorised for processing, as well as to external managers appointed for processing by the Controller (the full list of external managers is available from the Controller), responsible for managing the purposes described above. With their consent, the Data may also be communicated to the Controller’s third party sponsor companies and/or commercial partners who may use it for the purposes described in no. 3) of the Article concerning “Purposes of Processing” cited above. In the context of pursuing the purposes stated above, the Data may be communicated to other parties acting as autonomous Controllers.

Dissemination of Data

Personal data will not be subject to dissemination.

Transfer of Data to Other Countries

For the purposes stated above,Personal Data will be processed within the European Economic Area (EEA). If it were to be transferred to a Third Party country, in the absence of an adequacy decision by the European Commission, the provisions stipulated by the applicable legislation concerning the transfer of Personal Data to Third Party Countries will be complied with, such as the European Commission’s Standard Contractual Clauses.

Storage of Data

In general, Personal Data will be stored for the time strictly necessary for the pursuit of the purposes for which it was collected and subjected to processing, including the storage period required by the applicable legislation and, in any case, for maximum of 10 years from the termination of the relationship with the Controller, and for a maximum of 2 years for the purposes in which consent was required, unless there is a need for the Controller to defend their rights in court.

Rights of the interested party

In accordance with the EU Regulations 679/2016 art. 15 and ss and current national legislation, the interested party may, in the manner and within the limits stated by current legislation, exercise the following rights:

• Art 15 The Right to be informed

  Description
  The interested party has the right to be informed by the processing controller whether or not his/her data is currently being processed and, if so, has the right of access to the personal data and the following information:

  • The purpose of the processing
  • The type of personal data in question
  The recipients or type of recipients to whom the data has been or will be communicated, in particular where recipients are in third
  • countries or international organisations
  • Where possible, the length of time the data will be stored, where not possible, the criteria used to establish the length of time
  The existence of the interested party’s right to ask the data controller to rectify or delete the personal data or to restrict the
  • processing of personal data concerning him or her or to oppose their processing
  • The right to lodge a complaint with data protection regulators
  • Where the data was not collected directly from the interested party, whatever information is available on the origin of the data

  The existence of an automated decision-making process, including profiling as referred to in Article 22 para. 1 and 4 and at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party. Where personal data are transferred to a third country or an international organization, the data subject shall have the right to be informed of the existence of adequate safeguards under Article 46 relating to the transfer. The data controller shall provide a copy of the personal data processed. Where additional copies are requested by the interested party, the controller may charge a reasonable fee based on administrative costs. Where the interested party makes the request by electronic means, and unless otherwise indicated by the interested party, the information shall be provided in a commonly used electronic format

  Assumptions
  The right to obtain a copy of your personal data must not infringe the rights and freedoms of others.

  How to exercise it
  The interested party can exercise this right by written request to email address

  To be able to provide a positive response to the request, the interested party must provide the information necessary to identify the interested party

  Before providing a response, the data controller may need to identify the interested party as the right can only be exercised by the interested party his/her self or his/her delegate.

• Art 16 Right to rectification

  Description
  The interested party has the right to request the data controller to rectify incorrect data without unjustified delay. Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.

  Assumptions
  Processing of incorrect and/or incomplete data

  How to exercise it
  The interested party can exercise this right by written request to email address

  To be able to provide a positive response to the request, the interested party must provide the information necessary to identify the interested party

  Before providing a response, the data controller may need to identify the interested party as the right can only be exercised by the interested party his/her self or his/her delegate.

• Art 17 Right to erasure

  Description
  The interested party has the right to request the data controller to cancel personal data without unjustified delay and the data controller has the duty to cancel the personal data without undue delay Where the controller has made personal data public and is obliged, in accordance with the preceding paragraph, to delete them, taking into account the available technology and the costs of implementation, he shall take reasonable steps, also technical, to inform the controllers who are processing the personal data of the interested party’s request to delete any link, copy or reproduction of his personal data.

  Assumptions
  The right may be exercised if one of the following reasons exists:

  • personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • the interested party withdraws the consent on which the processing is based in accordance with Article 6 paragraph 1 letter a) or Article 9 paragraph 2 letter a), and if there is no other legal basis for the processing;
  • the interested party opposes the processing as stated in Article 21, paragraph 1, and there is no overriding legitimate reason for processing, or opposes the processing as stated in Article 21, paragraph 2;
  • the personal data has been unlawfully processed;
  • the personal data must be deleted in order to comply with a legal obligation under European Union or Member State law to which the controller is subject;
  • the personal data has been collected in relation to the offer of the information services company referenced in Article 8(1) (where Article 6 paragraph 1 letter a)applies), regarding the direct offer of the information services company to minors, the processing of personal data of the child is lawful where the child is at least 16 years old. Where the child is under the age of 16, such processing shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility. Member States may establish by law a lower age for these purposes provided that it is not less than 13.

  The right of cancellation does not apply to the extent that processing is necessary for:

  • exercising the right to freedom of expression and information;
  • the fulfilment of a legal obligation regarding processing under European Union or Member State law to which the controller is subject, or for the performance of a task carried out in public interest or during exercise of official authority vested in the Controller;
  • reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, paragraphs h) and i), and Article 9, paragraph 3;
  • archiving for reasons of public interest, scientific or historical research or for statistical purposes in accordance with Article 89, to the extent that the right referred to in paragraph 1 risks rendering impossible or seriously affecting the achievement of the objectives of such processing;
  • the establishment, exercise or defense of a right in court.

  How to exercise it
  The interested party can exercise this right by written request to email address

  In order to be able to provide a positive reply to the request, the necessary identification details of the data subject must be provided.

  Before providing a response, the controller may need to identify the data subject as the right may only be exercised by the data subject or their delegate.

• Art 18 Right to the limitation of processing

  Description
  The interested party has the right to insist that the data controller limits the processing.

  Where processing is restricted in accordance with the preceding paragraph, such personal data shall be processed, except for the purpose of storage, only with the consent of the interested party or for the purpose of verification, the exercise or defence of a right in court or to protect the rights of another natural or legal person or on grounds of a major public interest of the Union or a Member State.

  The interested party who has obtained the restriction of processing in accordance with the initial paragraph shall be informed by the controller before the restriction is lifted.

  Assumptions
  The right can be exercised if one of the following is true:

  • the interested party contests the accuracy of their personal data, for the time necessary for the data controller to verify the accuracy of such data;
  • the processing is illegal and the interested party opposes cancellation of personal data and requests instead that such data be limited;
  • even if the data controller no longer needs the data for processing purposes, the personal data is necessary to the interested party for verification, exercise or defence of a right in a court of law;
  • the interested party is opposed to the processing in accordance with art.21 para 1 pending the verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party.

  How to exercise it
  The interested party can exercise this right by written request to email address

  In order to be able to provide a positive reply to the request, the necessary identification details of the data subject must be provided.

  Before providing a response, the controller may need to identify the data subject as the right may only be exercised by the data subject or their delegate.

• Art. 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing

  Description
  The controller shall communicate to each of the recipients to whom the personal data have been transmitted any corrections or cancellations or limitations of the processing carried out in accordance with Article 16 of Article 17, paragraph 1, and Article 18, unless this proves impossible or involves a disproportionate effort. The controller shall notify the interested party of such recipients if the data subject so requests.

  How to exercise it
  The interested party can exercise this right by written request to email address

  To be able to provide a positive response to the request, the interested party must provide the information necessary to identify the interested party

  Before providing a response, the data controller may need to identify the interested party as the right can only be exercised by the interested party his/her self or his/her delegate.

• Art 20 Right of data on demand

  Description
  The interested party has the right to receive in a structured format, of common use and readable by automatic device the personal data relating to him/her provided to a data controller and has the right to transmit such data to another data controller without hindrance by the data controller to whom he/she has provided them.

  In exercising his/her data portability rights under the previous paragraph, the interested party shall have the right to obtain the direct transmission of personal data from one controller to another, if technically feasible.

  The exercise of the right referred to in the initial paragraph shall not affect Article 17 - Right to erasure («right to be forgotten»).

  Assumptions

  The right cannot be exercised if one of the following applies:

  • processing is based on consent under Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), or a contract under Article 6, paragraph 1, letter b);
  • the processing is carried out using automated procedures.

  This right shall not apply to the processing necessary for the performance of a task in the public interest or relating to the exercise of official authority by the controller.

  The exercising of the right must not affect the rights and freedoms of others.

  How to exercise it
  The interested party can exercise this right by written request to email address

  To be able to provide a positive response to the request, the interested party must provide the information necessary to identify the interested party

  Before providing a response, the data controller may need to identify the interested party as the right can only be exercised by the interested party his/her self or his/her delegate.

• Art. 21 Right to object

  Description
  The interested party has the right to object at any time

  The data controller shall refrain from further processing of personal data unless he demonstrates the existence of compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the interested party or for verification, the exercise or defence of a right in court.

  Where personal data are processed for direct marketing purposes, the interested party has the right to object at any time to the processing of personal data concerning him/her carried out for such purposes, including profiling to the extent that it is related to such direct marketing.

  Where the interested party objects to processing of personal data for direct marketing, personal data are no longer processed for these purposes.

  Where personal data are processed for scientific or historical research purposes or for statistical purposes in accordance with Article 89, paragraph 1, the interested party for reasons related to his/her particular situation, has the right to object to the processing of personal data concerning him/her, except where processing is necessary for the performance of a task of public interest.

  Assumptions

  The right can be exercised if one of the following is true:

  • reasons relating to his particular situation,
  • processing of personal data concerning him/her in accordance with Article 6(1) letter e) and processing is necessary for the performance of a task in the interest of the public or in connection with the exercise of official authority by the controller (the processing is necessary for the pursuit of the legitimate interest of the controller or third parties, provided that the interests or fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail, in particular if the person concerned is a minor.), including profiling on the basis of such provisions

  How to exercise it
  The interested party can exercise this right by written request to email address

  To be able to provide a positive response to the request, the interested party must provide the information necessary to identify the interested party Before providing a response, the data controller may need to identify the interested party as the right can only be exercised by the interested party his/her self or his/her delegate.

  In the context of the use of information society services and without prejudice to Directive 2002/58/EC, the data subject may exercise his right of objection by automated means using technical specifications

  Before providing a response, the data controller may need to identify the interested party as the right can only be exercised by the interested party his/her self or his/her delegate.

In general, to exercise his/her rights, the interested party can contact the Data Controller by writing to him at the aforementioned contact address. Before replying the Data Controller may need to identify the interested party by requesting a copy of a document of identity. A written reply will be produced without unjustified delay, and in any case, no later than one month after receipt of the query.

Template version: 2.2

Last edit: 23/01/2023