|Personal data processing policy pursuant to Article 13 of Regulation (EU) 2016/679
In accordance with current legislation concerning the protection of personal data, Terme di Sirmione S.p.A. provides users who register for their services with the following information regarding personal data processing concerning them.
Identification and contact details of the Data Controller
Terme di Sirmione S.p.A. can be contacted at its registered office in Piazza Virgilio, 1 25019 Sirmione (BS) or by sending an email to firstname.lastname@example.org.
Contact details of the Data Protection Officer
Terme di Sirmione S.p.A., the Data Controller, has appointed a Data Protection Officer, who can be contacted using the details above.
Purpose and legal basis of personal data processing
Provision of services and user management
Terme di Sirmione S.p.A. processes personal data supplied during the user registration process or data subsequently provided or otherwise generated through use of the services, to which registered users grant access in order to make the following and other processes possible:
Personal data processed during the registration process can vary based on the type of registration chosen. It will include your email address (if you register with one) or a unique ID code given to you via social media (if you register with a “Social” account). Under no circumstances shall Terme di Sirmione S.p.A. have access to the social media account used for registration or to the password associated with this (this information is sent by the user only to the social media site in question).
You are advised not to reveal your log-in details to anybody else. These can be used to access Terme di Sirmione S.p.A. services.
The legal basis for data processing is the need to implement a contract of which the user is one party, or the fulfilment of pre-contractual measures adopted at the request of the user (Article 6, Paragraph 1, Letter b) of Regulation (EU) 2016/679). Subsequently, as will be explained in further specific information briefings, the supply of services could result in personal data processing that has as its legal basis the need to fulfil a legal obligation to which the Data Controller is subject (Article 6, Paragraph 1, Letter c) of Regulation (EU) 2016/679).
Where the legal basis is a legal or contractual obligation or a necessary requirement for the conclusion of a contract, failure on the part of the data subject to provide personal data to the Data Controller could make it impossible to provide the service or sell the product.
Working of the app
Terme di Sirmione S.p.A. would like to inform the user that the app experience is made possible as a result of profiling processes necessary to personalise the service and ensure it reflects your interests. The use of profiling information necessary to allow you to use the app services is only required for the app itself and is not otherwise used, except where the user consents to profiling-based marketing.
With regards to the working of the app and the experience the app is designed to offer the user, Terme di Sirmione S.p.A. informs users that they will be asked to allow the app to access Bluetooth® services in order for them to enjoy certain features available at the Aquaria centre (e.g. personalised Acquaria experience). The app also features a notification service, which is partly linked to the Bluetooth geolocation system (e.g. to show you refreshment points during the Aquaria experience or to inform you of new offers from Terme di Sirmione). You can change your preferences regarding the app’s ability to access Bluetooth geolocation services and notifications in the settings section of your mobile device.
Marketing and profiling-based marketing
In addition to the purposes set out above, if the user provides consent on the second page of the registration form (consent may be changed at any time), Terme di Sirmione S.p.A. will perform personal data profiling for:
Subscription to the newsletter, by adding the email address provided by the user to the list of recipients for newsletters regarding commercial offers, promotions or correspondence relating to services and/or products on offer (e.g. services at our facilities, spa products, etc.).
The correspondence set out under the “subscription to the newsletter” paragraph may be sent using digital tools (e.g. SMS) or traditional means such as a telephone call with an operator.
Provided that the user gives their further specific consent, activities regarding the sending of newsletters and other promotional activities could refer to services and/or products that the Data Controller believes could be of interest to the user, based on services used, products bought and preferences indicated in the past.
Provision of personal data for marketing and profiling-based marketing purposes is optional. The legal basis for such data processing is the consent provided by the data subject (Article 6, Paragraph 1, Letter a) of Regulation (EU) 2016/679).
The user has the right to withdraw their consent at any time, without prejudice to the legality of data processing based on this consent before it was withdrawn.
Recipients and categories of recipients of personal data
The attainment of the aforementioned purposes may also take place by means of data transmission and communication to third parties, meaning third parties authorised to process that data, where commissioned to perform or provide specific services strictly required for the execution of the contractual relationship. Persons in receipt of personal data subject to data processing include Terme di Sirmione S.p.A. staff who have been authorised for this purpose and suppliers of services associated with the aforementioned activities, who operate in their capacity as Data Processors and are bound by specific obligations.
Personal data storage period
For data processing associated with the “provision of services and user management” and the “working of the app”, personal data will be stored for the time required to achieve these purposes. For data processing associated with “marketing and profiling-based marketing”, personal data will be stored until consent is withdrawn, for the sending of non-profiled correspondence, and for a maximum of five years with reference to profiles generated on the basis of services used, products bought and preferences indicated in the past.
As a data subject, the user has the right to request that Terme di Sirmione S.p.A. give them access to their personal data. The user also has the right to obtain the correction or erasure of personal data, the restriction of data processing concerning them or to object to data processing.
The data subject has the right to withdraw their consent at any time, without prejudice to the legality of data processing based on this consent before it was withdrawn.
The data subject also has the right to make a claim to the data protection authority.