Privacy and cookie policy

Privacy and cookie policy

Dear Data Subject,
we would like to inform you that the 'European Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (hereinafter, 'GDPR') provides that the protection of personal data relating to individuals is to be regarded as an individual’s fundamental right. Therefore, pursuant to Article 13 of the GDPR, we hereby provide the following information.

1. PRELIMINARY REMARKS

This notice describes the methods for processing the personal data of users visiting the websites of the facilities belonging to the company Golf Bogliaco S.r.l. subject to the direction and coordination of Terme and Grandi Alberghi Sirmione S.p.A, more specifically:

  • Golfbogliaco.com
  • Lodge Booking (link)
  • Apartments Booking (link)
  • Online Newsletter subscription (link)

This information does not concern other sites, pages or online services that can be reached through hypertext links that may be published on the sites but that refer to resources outside the domain of Golf Bogliaco S.r.l.

2. DATA CONTROLLER

The Data Controller (hereinafter referred to as the 'Data Controller') is Golf Bogliaco S.r.l. subject to the direction and coordination of Terme and Grandi Alberghi Sirmione S.p.A, and can be contacted via the following e-mail address: privacy@termedisirmione.com.

3. DATA PROTECTION OFFICER

In accordance with the provisions of Article 37 of Regulation (EU) 2016/679, the Data Controller has appointed a Data Protection Officer (DPO) who can be contacted at the above addresses.

4. LOCATION OF DATA PROCESSING AND STORAGE PERIOD

Data processing operations associated with the internet services of this website take place at the registered office of the Data Controller and are only performed by persons expressly authorised to do so, or by any third-party suppliers appointed to conduct occasional maintenance operations, having been appointed Data Processors in accordance with Article 28 of the GDPR. The data gathered will only be retained - for each kind of data processed - for the time necessary to fulfil the specific purposes set out in the relevant documentation, which can be viewed on the website and has been drawn up for the various services.

5. ORIGINS AND CATEGORIES OF PROCESSED DATA

The personal data in the Data Controller’s possession is collected primarily from the data subject. More specifically, the Data Controller will process the personal data provided by you (hereinafter jointly referred to as 'data'), such as:

  • identifying and non-particular data, including but not limited to: name, surname, date of birth, e-mail, telephone number;
  • payment information;
  • data expressing your purchasing preferences;
  • other information provided voluntarily (the optional, explicit and voluntary submission of personal data by the user on the registration forms on the websites for the individual facilities listed above; this is necessary for the provision of the requested service);
  • browsing data
  • Cookies

The computer systems and software procedures used to operate this website acquire certain personal data during the course of their normal operation, the transmission of which is implicit in the use of internet communication protocols. This information is not collected in order to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified.
This category of data includes the IP addresses or domain names of the computers used by those connecting to the site, the URI (Uniform Resource Identifier) numbering addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment.
This data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check it is working correctly, and is deleted immediately after processing.

6. PURPOSE OF THE PROCESSING

The processing of your data has the performance of the contract (point a.), your consent (points b. and c.), and the Data Controller’s legitimate interest (points d. and e.) as its legal basis and will be carried out:
a. for the management of the contract and pre-contractual communications between the user and the Data Controller;
b. for sending automated newsletters relating to the Data Controller's activities;
c. for profiling activities;
d. in order to comply with obligations laid down by law, a regulation, EU legislation or an order of the Authority;
e. to exercise the Data Controller's rights, such as the right of defence in court. 

7. OPTIONAL DATA PROVISION

Apart from what is specified for browsing data, the data subject is free to provide their personal data or not. However, failure to provide it may result in it being impossible to obtain what has been requested.

8. PROCESSING METHODS

The processing of your personal data is carried out by means of the operations indicated in Art. 4 no. 2) GDPR, namely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of the data. Your personal data will be processed both on paper and electronically; the processing of your data will be automated with particular reference to sending regular newsletters, provided that you have given your consent to receive them.

9. PROCESSING DURATION

The data collected will be retained for a period of time not exceeding the fulfilment of the purposes which they were collected and processed for ('retention limitation principle', Art. 5, GDPR) or in accordance with the deadlines stipulated by legal regulations. More specifically, the data collected for the purpose of sending commercial communications will be kept for 5 (five) years from the last transaction you made, while data collected for profiling purposes will be kept for 5 (five) years from the last transaction you made. Checks on the obsolescence of stored data in relation to the purposes which they were collected for are carried out periodically by the Data Controller.

10. DATA SHARING, COMMUNICATION AND DISSEMINATION

The data collected may be transferred or communicated to other companies for activities strictly connected with and instrumental to the operation of the service, such as the management of computer systems. The personal data provided by users who request for informative material to be sent (brochures, material, etc.) is used for the sole purpose of performing the service or provision requested and is passed onto third parties only if necessary for that purpose (companies that provide enveloping, labelling, or mailing services). Beyond these cases, the personal data will not be disclosed unless provided for by contract or law, or unless specific consent is requested from the person concerned. In this sense, the personal data may be passed on to third parties, but only and exclusively in the event that:
- there is explicit consent to share the data with third parties;
- there is a need to share information with third parties in order to provide the requested service;
- this is necessary to comply with requests from the Judicial or Public Security Authorities.
The data may be sent to the Data Controller’s suppliers in order to comply with the purposes set out in this policy, and to optimise the browsing services on the websites belonging to the companies linked to the Data Controller.

11. RIGHTS OF THE DATA SUBJECT

The data subject, as provided for in EU Regulation 679/2016 has the right to obtain the following from the Data Controller at any time: confirmation that the data exists and communication of it; its updating, rectification, integration, cancellation, transformation; the blocking of data processed in violation of the law; the data subject may object to their personal data being processed by sending a registered letter to the Data Controller's head office, or an email to privacy@termedisirmione.com.

12. SECURITY OF THE DATA SUBJECT'S PERSONAL DATA

The Data Controller hereby informs you that the personal data collected is processed lawfully and fairly, is collected and recorded for the stated purposes, and is used in other operations that are compatible with those purposes. The Data Controller undertakes to adopt appropriate and preventive security measures to safeguard the confidentiality, integrity, completeness and availability of the data subject’s personal data. The personal data is processed on paper and/or by automated means; specific security measures are observed to prevent any loss, including accidental loss, alteration, misuse, illegal or incorrect use and unauthorised access. The Data Controller shall not be held liable for any untruthful information sent directly by the site user to the addresses listed there (e.g. the accuracy of e-mail address or credit card or postal address details), as well as information concerning them that was provided by a third party, albeit fraudulently.

13. RIGHT TO APPEAL TO THE SUPERVISORY AUTHORITY

You have the right to lodge a complaint with the supervisory authority (for Italy, the body to be addressed is the Garante della Privacy, https://www.garanteprivacy.it) at any time if you believe that your data is being processed in an unorthodox way; data subjects may alternatively apply to the supervisory authority of their country of residence, or the country where the data subject works, or where the breach occurred.

14. NEWSLETTER SUBSCRIPTION INFORMATION

Pursuant to EU Regulation 679/2016, we would like to inform you that, following your subscription to the newsletter, your personal data will be processed by Golf Bogliaco S.r.l. subject to the direction and coordination of Terme and Grandi Alberghi Sirmione S.p.A, in its capacity as Data Controller.

a. Purpose
The data will be processed, only if you give your consent in relation to the individual purposes, to:
1. send the Golf Bogliaco S.r.l. newsletter and further promotional material on the services provided by Golf Bogliaco S.r.l. including discounts, vouchers, product samples both through traditional channels (e.g. telephone calls with operator and paper mail), and through automated channels such as e-mail, SMS, communications through social media (Facebook, Instagram, etc...), as well as to inform you of purchasing opportunities and promotions of products and services provided by partner companies;
2. send promotional and informative material in line with your preferences, habits and consumption choices.
We would like to inform you that when you receive communications by e-mail, certain information relating to receiving these communications or opening the links contained there will be collected by means of anonymous statistical tracking and for the sole purpose of optimising the submission system.

b. Legal basis for processing
Processing personal data for these purposes is free. Refusal to provide personal data or refusal to give consent shall only result in you not being able to receive promotional communications from the Data Controller.

c. Processing method and the possible communication of data
Processing will be carried out on the personal data provided directly by you by means of: filling in forms; front desk forms at the Data Controller’s individual facilities; or, if you give your consent for purpose 2, on additional personal data inferred from your habits, consumer choices, purchases, etc. The processing will be done manually and by means of computerised devices, with organisational methods and logic strictly related to the indicated purposes. The personal data will therefore be stored for a period of time consistent with the objectives pursued in carrying out the company's promotional activities, taking into account any expressed opposition. The aforementioned purposes may also be achieved by passing on and communicating data to third parties, understanding third parties as those authorised to process the data themselves, insofar as they are entrusted with carrying out or providing specific services which are strictly functional to the performance of the contractual relationship, such as suppliers of products and services related to the pursued purposes. Your personal data will not be disseminated. In order to achieve the purposes set out in point 2(a) of this Article, the personal data may be sent to third countries, in particular to your CRM application provider and External Data Processor. The Data Controller will check that these data recipients comply with the provisions of Articles 44 and 49 of the GDPR. In the absence of an adequacy decision pursuant to Article 45(3) or adequate safeguards pursuant to Article 46, including Binding Corporate Rules and pursuant to Article 49 of the GDPR, the Data Controller requests you provide for the possibility of sending personal data to a third country or an Organisation after obtaining your specific consent.

15. COOKIE POLICY

a. What are cookies?
Cookies are small text files that Terme di Sirmione websites can create on the device you are using to browse. The purpose of cookies in general is to store and transport information. This is useful both for companies who can, for example, measure how users visit their sites, and for site users, allowing them to set their own personal browsing preferences (e.g. language choice). The Data Controller uses cookies on its sites mainly to improve browsing, such as maintaining customisation for visits after the first one, or once articles have been placed in the shopping cart, finding them again on the next visit after having had to leave the session or switch off the computer. This is possible thanks to a cookie. The Data Controller cannot use cookies to retrieve your personal information such as name, surname or email address, unless you provide it directly. The Data Controller makes use of different types of cookies. Some of these are essential for the site to function, others are not. In any case, you have the possibility to set your computer browser to accept all cookies, only some, or to reject them completely at any time.

b. Which cookies do we use?
The cookies used by the Data Controller can be distinguished according to the length of time they remain on the device you use to browse, where they come from and what purpose they serve.

c. Length of preservation
Session (or temporary) cookies: these are deleted and disappear from your device when you leave the website and close your browser. Persistent cookies: they remain on your device even after you leave the website until you delete them or until their expiry date is reached. The Data Controller's sites create this type of cookie and store it on the user's device so that it can be read on subsequent visits to our sites. This allows, for example, previously set preferences (e.g. wish lists) to be retrieved.

d. Origin
First-party cookies: these are cookies issued by the website you are visiting; the website is the one corresponding to the address you typed in (website displayed in the URL window). Third-party cookies: these are cookies issued by a website other than the one you are visiting (e.g. those used by our business partners or service providers such as Facebook or Google Analytics).

e. Purpose
Strictly necessary or 'technical' cookies: these cookies are essential for browsing the site you are visiting and using some of its functionalities. Without these cookies some online services that you may require cannot be provided. With this type of cookie we do not collect any of your personal information and therefore the Data Controller can never in any way identify you.
Performance cookies: these cookies collect anonymous information and help the Data Controller to understand how users interact with its sites. For example, they inform you which pages are visited most, the time spent on the site, any error messages, etc. The performance cookies that the Data Controller uses only collect information on an aggregate and anonymous basis, and serve to improve site operation and your browsing experience.
Functionality cookies: these cookies allow the site to remember the choices you make (such as the font size of displayed text, language preference, the country you are in, etc.) and to provide you with the personalised features you have selected. In some cases, these cookies may also be used to offer online services (e.g. offering a live chat service) or to avoid re-proposing services or messages that you have already refused in the past. The sites in question release this type of cookie on your device in a completely anonymous manner without giving the Data Controller the possibility of identifying you. Please note that if you delete this type of cookie, the preferences and/or settings you have selected will not be stored for your future visits.
Promotional or targeting cookies: promotional cookies are used to collect information about your browsing habits in order to provide you with advertisements that are as relevant as possible to you and your interests. This means that the Data Controller also uses them to limit the number of times it displays a particular advertisement. For the Data Controller, the aim is therefore to communicate more effectively; for you, it is to receive advertising that is less invasive and closer to your preferences. While you are browsing the Terme di Sirmione websites, promotional cookies allow the Data Controller to confirm that you are viewing our advertisements and to show you promotional content that we believe may be of interest to you based on what you have previously visited. While you are browsing other sites, these cookies also allow us to show you content that you have recently viewed on Terme di Sirmione sites for promotional purposes. Our sites use promotional cookies on an anonymous basis only: We offer you targeted advertising but we do not know who you are. The promotional cookies we use are permanent, although they remain on your device for a limited time, and can be first and third party cookies.
You can find out how to delete or manage performance cookies in the section below.

f. Do you want to refuse and block cookies?
Most internet browsers are initially set to accept cookies automatically. This means that you have the possibility to set your browser to accept all cookies, only some, or to reject them by disabling their use by the sites at any time. You can also normally set your browser preferences so that you are notified whenever a cookie is stored on your computer. At the end of each browsing session, you can delete the cookies collected from your device’s hard disk. If you wish to delete the cookies installed in the cookie folder of the browser you are using, please remember that each browser has different procedures for managing settings. By clicking on the links below, you can obtain specific instructions for some of the major browsers.
- Microsoft Windows Explorer: http://windows.microsoft.com/en-us/windows-vista/block-or-allow-cookies
- Google Chrome: https://support.google.com/chrome/bin/answer.py?hl=en&answer=95647&p=cpn_cookies
- Mozilla Firefox: http://support.mozilla.org/en-US/kb/Enabling and disabling cookies
- Apple Safari: http://docs.info.apple.com/article.html?path=Safari/5.0/en/9277.html
- If you do not wish to receive Google Analytics cookies, you can deactivate them by going to https://tools.google.com/dlpage/gaoptout/
- If you would like to learn more about cookies in general, please visit www.allaboutcookies.org
- If you want to learn more about behavioural advertising and online privacy, visit http://www.youronlinechoices.com
- If you want to learn more about Google Analytics cookies visit http://www.google.com/intl/it/analytics/privacyoverview.html

g. Cookie features in use
For the web platforms used by the Data Controller, the cookies in use can be found in the document available at the following link: www.termedisirmione.com/documenti/PDF/Elenco_cookie_in_uso_golfbogliaco_e_verticalbooking.pdf