This privacy policy describes how your personal information is collected, used, and shared when you visit www.lecarillonportofino.it (the "Site").

This website is managed by Società Per lo Sviluppo Turistico del Tigullio SRL, which is the Data Controller (hereinafter: "Data Controller" or"Company"), pursuant to Regulation (EU) 2016/679 (cd. General Regulations for the Protection of Personal Data, hereinafter referred to as"Regulations") and Legislative Decree n. 196/2003 (so-called Code regarding the protection of personal data, hereinafter the "Code".The owner has adopted proactive behaviors useful for the concrete implementation of the measures aimed at protecting the rights enshrined in the 2016/679 EU Regulation.

The Data Controller has configured the personal data processing activities, providing the essential guarantees at each stage to meet the legal requirements, taking account of the overall context where the processing is located and the risks to the rights and freedoms of the Data Subjects involved.

The principles applied to the processing of personal data are those set out in Art.5 of GDPR: correctness, legality, transparency, purpose limitation and retention, minimization and accuracy, integrity and confidentiality, as well as the principle of accountability.

This privacy policy:
‍
A | Is understood as referring to the website www.lecarillonportofino.it (hereafter: "Website");
B | Forms an integral part of the Website and services that we offer;
C | Is provided pursuant to Articles 13 and 14 of the Regulation, for those who interact with the Website’s services, both by means of simple consultation and by using specific services made available via the website (for example, the purchase of products, filling in the form to request information or subscribe to the newsletter, etc.), as well as the other services provided (assistance via telephone operator or e-mail).

This information does not relate to other sites, pages, or online services accessible via links possibly published but is related to external resources.

Furthermore, it should be noted that theWebsite may include links to websites of third parties with respect to the Company. If you access other websites through the links provided on the Platforms, the operators of these third-party websites with respect to the Company may be able to collect some of your Personal Data. Such Personal Data will be processed according to the privacy regulations of these sites, which may differ from our privacy policy. It is therefore advisable to check the privacy regulations published on third-party sites to correctly understand the procedures adopted by them for the collection, processing, and disclosure of your Personal Data. The Company hereby denies any liability for any violation of the applicable legislation on the processing of your Personal Data by such third-party sites even though they are reached through this Site.

We kindly invite you to read the following privacy policy carefully.

The Data Controller of your Personal Data is the Company. For any information concerning the processing of your Personal Data by the Company, including the list of data processors, you can send a written communication by post to Società Per lo Sviluppo Turistico del Tigullio SRL, Via G. Leopardi, n ° 2, 20123 Milan, or bye-mail at info@lecarillonportofino.it.

Following your use of the Website, we inform you that the Company will process your personal data.

In particular, your e-mail address, as well as any additional data and/or information suitable for identifying you (hereinafter, the "Personal Data").

We also point out that:

a. Browsing data. In normal operation, the computer systems and software procedures involved in the operation of the Website acquire some personal data which are implicitly transmitted when using Internet communication protocols. This information, which is not collected to be associated with identified data subjects, but by its very nature could, by means of processing and associations with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by the users who log into the Website, addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (completed, error, etc.) and other parameters related to the user’s operating system and computer environment. These data are only used to obtain anonymous statistical information on the use of the Website and to check its correct operation, to identify anomalies and/or abuse; in each case, they are deleted immediately after processing. The data could be used to ascertain liability in case of hypothetical computer crimes to the detriment of the Website or third parties.

Furthermore, both own and third-party cookies are used on the websitewww.lecarillonportofino.it to improve the Services offered. For more information or to deny consent to their use, consult the site's Cookie Policy. [https://www.lecarillonportofino.it/it/cockie-policy]


b. Common personal data voluntarily provided by the user. Data voluntarily entered in the various forms contained within the site, such as, for example, the newsletter subscription form.

This privacy policy is also intended for the processing of Personal Data voluntarily provided by you through the Site.

With reference to these types of data, we invite you to enter in the aforementioned forms only the personal data strictly necessary for the purposes of managing your request, thus excluding information that is not relevant and/or that may fall within the category of particular categories of personal data referred to in art. 9 of the Regulations


c. Common personal data of third parties voluntarily provided by the user. In the use of the site services, the processing of personal data of third parties may occur, communicated by you to the Data Controller such as, for example, in the case of subscription to newsletters with an e-mail that is not your own. With respect to these hypotheses, you place yourself as an independent data controller, assuming all the obligations and responsibilities of the law. In this sense, you grant the widest indemnity on this point with respect to any dispute, claim, request for compensation for damage from treatment, etc. that should reach the DataController from third parties, whose personal data have been processed through your use of the site's services in violation of the applicable rules on the protection of personal data. In any case, if you provide or otherwise process personal data of third parties in the use of the Site, you guarantee from now - assuming all related responsibility - that this particular hypothesis of treatment is based, where necessary, on the previous acquisition - by your -the consent of the third party to the processing of information concerning him.The Data Controller will not process Personal Data concerning personal beliefs, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information relating to health, sexual life, or sexual orientation (hereinafter " Special Categories of Data ").

The Data Controller will process the data using IT methods. The data relating to promotional purposes will be processed through automated decision-making processes.

Your Personal Data will be processed, with your consent where necessary, for the following purposes:

a. Provision of all the services made available by the Data Controller (such as, by way of example but not limited to, the information, contact for reservations, the "Contact" section), including the management of the Site's security. Please note that, through the Site, additional services are made available to the Customer, including, in particular, the telephone and email assistance service, through which you can formulate specific requests, receive information and make reservations at the establishment and restaurant of Le Carillon box by the owner's staff.

LEGAL BASIS: Art. 6, para. 1(b) of the Regulations ([…] the processing is necessary for the performance of a contract to which the Data Subject is party or in the implementation of pre-contractual measures adopted on their request) as the processing is necessary to provide the services. The conferral of personal data for these purposes is optional, but failure to do so would make it impossible to activate the services requested.

RETENTION TIMES: the data will be kept for the time strictly necessary to achieve the same purposes, i.e. for the time necessary to perform the contract, provide the legal or agreed upon guarantees, in accordance with the mandatory legal retention times (see also, in particular, Art. 2946 of theCivil. Code and subsequent amendments and additions).


b. Fulfillment of any obligations under applicable laws, regulations, or community legislation, or satisfy requests from authorities.

LEGAL BASIS: art. 6, par.1, lett. c) of the Regulation ([…] the processing is necessary to fulfill a legal obligation to which the data controller is subject). In fact, once the personal data has been provided, the processing is indeed necessary to fulfill legal obligations to which the Data Controller is subject.

RETENTION TIMES: The personal data processed for the purposes referred to in this section will be kept until the time required by the specific obligation or applicable law.


c. Direct sending via e-mail of advertising material and commercial communications in relation to products or services similar to those already purchased by the user, pursuant to art. 130, paragraph 4 of the Code as well as the Provision of the Guarantor Authority for the protection of personal data of 19 June 2008, unless your express refusal to receive such communications, which you can express during registration on the Site or on subsequent occasions by contacting the Society.

LEGAL BASIS: art. 6, par.1, lett. c) of the Regulation ([…] the processing is necessary to fulfill a legal obligation to which the data controller is subject). With reference to this purpose, it is specified that if the Data Controller uses the e-mail or paper coordinates provided by the interested party in the context of the sale of a product or service, for the purpose of direct sales of its products or services, it may, pursuant to art. 130, paragraph 4 of the Code, do not request the consent of the interested party, as long as they are products or services similar to those being sold and the interested party, adequately informed, does not refuse such use, initially or on the occasion of subsequent communications.

RETENTION TIMES: your personal data will be processed until you object to the processing.


d. Sending communications and commercial proposals, including newsletters, through automated tools. It should be noted that the Data Controller collects global consent for the marketing purposes described here, pursuant to the General Provision of the Guarantor for the Protection of Personal Data "Guidelines on promotional activities and the fight against spam" of 4 July 2013; if, in any case, if you wish to object to the processing of your data for marketing purposes carried out with the automated means indicated here, you can do so at any time by contacting the Data Controller at the addresses indicated in this information, without prejudice to the lawfulness of the processing carried out before the opposition.

LEGAL BASIS: art. 6, par.1, lett. c) of the Regulation ([…] the processing is necessary to fulfill a legal obligation to which the data controller is subject). With reference to this purpose, it is specified that if the Data Controller uses the e-mail or paper coordinates provided by the interested party in the context of the sale of a product or service, for the purpose of direct sales of its products or services, it may, pursuant to art. 130, paragraph 4 of the Code, do not request the consent of the interested party, as long as they are products or services similar to those being sold and the interested party, adequately informed, does not refuse such use, initially or on the occasion of subsequent communications.

RETENTION TIMES: your personal data will be processed until you object to the processing.


e. Purpose to satisfy any defensive needs.

LEGAL BASIS: meet any defensive needs of the Data Controller pursuant to art. 6.1. Lett. f) of theRegulations.

STORAGE TIMES: personal data are kept for the entire duration of the complaint and/or out-of-court and/or judicial proceedings until the deadlines for judicial protections and/or appeals are exhausted.


f. Evaluation and statistical monitoring purposes. This purpose implies an analysis of aggregate information not referable to identified or identifiable natural persons and which, therefore, do not configure personal data and do not in any way allow the Data Controller to trace your identity. This processing, not having as its object personal data, does not fall under the scope of the legislation on the protection of personal data and can therefore be freely carried out by the Data Controller. In general, the Data Controller reserves the right, in any case, to keep your data for the time necessary to fulfill any regulatory obligation to which it is subject or to meet any defensive needs. In fact, the possibility remains for the Data Controller to keep your personal data for the period of time envisaged and permitted by Italian law to protect their interests (Article2947 of the Italian Civil Code).

Your personal data may be shared, for the purposes referred to in section 4 of thisPrivacy Policy, with:

A | People authorized by the Data Controller to process personal data pursuant to art. 29and 2-quaterdecies of the Code, namely: i) persons, companies, or professional firms that provide assistance and advice to the Company in accounting, administrative, legal, tax, and financial matters relating to the provision of the Services; ii) subjects with whom it is necessary to interact for the provision of the Services (for example hosting providers, payment managers, sellers, ...) iii) or subjects delegated to carry out technical maintenance activities (including maintenance of network equipment and electronic communication networks);
‍
B | Third parties authorized by the Company to process Personal Data necessary to carry out activities strictly related to the provision of the Services, and who in the provision of services typically act as data processors pursuant to art. 28 of the Regulation (by way of example:technological, communication and advertising services, assistance and consultancy services in accounting, administrative, legal, tax and financial matters, technical maintenance, transport services, banking, and insurance services). The Data Controller keeps an updated list of the appointed data processors and guarantees that they have been read to the interested party at the aforementioned office or upon request addressed to the addresses indicated above.
‍
C | Subjects, bodies, or authorities to whom it is mandatory to communicate your Personal Data by virtue of the provisions of the law or orders of the authorities themselves.

These subjects are, hereafter, collectively defined as "Recipients".

Your personal data is shared with Recipients who are located only within the EU.

Some of your Personal Data is shared with Recipients who could be found outside the European Economic Area. The Company ensures that the processing of your Personal Data by these Recipients takes place in compliance with the Regulations. Indeed, transfers can be based on an adequacy decision, on theStandard Contractual Clauses approved by the European Commission, or on another suitable legal basis.

You, as an interested party, can exercise the rights referred to in Articles. 15-22 GDPRand revoke the consent given at any time without prejudice to the lawfulness of the processing carried out before the revocation.

In particular, you can request access to your Personal Data pursuant to art. 15GDPR, the rectification pursuant to art. 16 GDPR, the cancellation of the same pursuant to art. 17 GDPR, the limitation of processing in the cases provided for by art. 18 of the GDPR as well as to obtain the portability of data concerning you in the cases provided for by art. 20 of the GDPR. You can make a request to object to the processing of your data pursuant to art. 21 and22 of the GDPR in which to highlight the reasons justifying the opposition: the Data Controller reserves the right to evaluate your request, which will not be accepted in the event of the non-existence of binding legitimate reasons to proceed with the processing that prevail over your interests, rights, and freedom.

Requests must be sent in writing to the Data Controller at the addresses indicated in this Privacy Policy.

In any case, you always have the right to lodge a complaint with the competent Supervisory Authority (Guarantor for the Protection of Personal Data), pursuant to Article 77 of the Regulation, if you believe that the processing of your Personal Data is contrary to the legislation in force, or to take the appropriate judicial offices (Article 79 of the GDPR).

The Company reserves the right to modify or simply update the content of this Privacy Policy, in part or completely, also following changes in the applicable legislation. The Company will inform you of such changes as soon as they are introduced, and they will be binding as soon as they are published on this website. The Company, therefore, invites you to regularly view the Privacy section of the Website.