PRIVACY POLICY

INFORMATION ON THE PROCESSING OF PERSONAL DATA

pursuant to art. 13 of the General Data Protection Regulation – EU Reg. 2016/679 (“Privacy Policy”)

DATA CONTROLLER

The data controller is PUGLIA SPORT DESTINATION, part of the company Declaps Srl, with registered office in Via De Rossi 22, 701200 Bari. Operational headquarters: Via Di Vittorio 1/g, Noci (Ba) – 70015 –

1. PERSONAL DATA PROCESSED

1.1. For the negotiation, establishment and management of the contractual relationship with the customer / interested party, the Company / controller processes the personal data of the customer / interested party, in particular of the natural persons related to him, which include: name and surname, date and place of birth, details and / or copies of identity documents and tax code, contact details (telephone, e-mail, address), residential address, bank details and other data necessary or useful for the management, including from a tax point of view, of the relationships with the customer / interested party. Each subject with whom the Company / controller interacts, declares to be authorized or, in any case, to have the power to legally transmit to the Company / controller, the personal data necessary for the establishment, management and execution of the travel contract,

1. SPECIAL CATEGORIES OF PERSONAL DATAThe Company / data controller, always with the aim of establishing and managing the contractual relationship with the interested party, may process information belonging to the special categories of personal data described in art. 9 of the regulation, which include:
2. Health status – for example in the case in which the customer / interested party communicates particular allergies or food intolerances that the Company / controller must take into account in the management of the travel package or other needs relating to health problems;
3. Data revealing religious or philosophical beliefs – for example, if the customer/data subject communicates particular nutritional needs related to religion or requests that days off coincide with specific religious holidays;
4. Data revealing racial or ethnic origin – as may appear, for example, from identity documents or other material provided by the customer / data subject for the signing, management and fulfillment of the contract with the Company.

2.2. With regard to employees, with regard to data processed by the occupational physician who is responsible for carrying out the tasks provided for by Legislative Decree 81/08 and other provisions on hygiene and safety in the workplace, for compliance with previous and periodic medical assessments, such data will be processed only by the same physician as an independent data controller.

1. PURPOSE OF THE PROCESSING AND ITS LAW In accordance with the principles of correctness, lawfulness and transparency, the Company / data controller collects personal data for the management of the relationship with the customer / interested party in the pre-contractual and contractual phases, for the purposes and on the basis of the conditions of lawfulness indicated below.

Management and execution of pre-contractual and contractual obligations, arising from the travel contract with the customer / data subject, including but not limited to, the management of the personal data file, the organization and support to the customer / person during the trip. Legal basis: processing permitted if necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the same – art. 6.1. (b) of the regulation.

Compliance with legal obligations

(e.g. processing and storage of accounting documents relating to the relationship with the customer/data subject, communications to the competent bodies) to which the Company/data controller is subject, according to national and international regulations, rules relating, for example, to taxes, administrative accounting and anti-money laundering. Legal basis: processing permitted if necessary to comply with a legal obligation to which the controller is subject – art. 6.1 (c) of the Regulation. Direct marketing activities by sending communications or material (e.g. by email) relating to products/services similar to those already provided by the Company/data controller to the customer/data subject. Legal basis: processing permitted, if necessary for the pursuit of a legitimate interest of the controller – art. 6.1. (f) of the Regulation. The legitimate interest of the controller is represented by the promotion of its business through direct marketing – see Recital no. 47 of the Regulation.

1. MANDATORY OR OPTIONAL PROCESSINGThe provision of personal data by the customer / data subject or natural persons connected to them for the purposes described in articles 3, paragraph 1, letter a) and 3.1. (b) is optional but is necessary to establish, manage and execute the contractual relationship with the Company / controller. Any refusal to provide the data, in whole or in part, may make it impossible for the Company / controller to originate or execute the contract or to correctly perform all the obligations relating to the contract.

4.2. The provision of personal data by the customer / interested party, or by the natural persons connected to it, for the purposes referred to in art. 3.1.c., is optional. Any refusal to provide them in whole or in part does not affect the possibility for the Company / controller to originate, or execute the contract, or to correctly perform all the obligations relating to the contract.

1. CATEGORIES OF RECIPIENTS

5.1. Personal data may be communicated, exclusively for the purposes indicated above, to the following subjects or categories of subjects: subjects to whom communication is necessary for the establishment, management and fulfillment of the contract by the Company / data controller: a. natural persons authorized in writing by the Company / data controller pursuant to art. 29 of the Regulation to fulfill their work responsibilities (e.g. employees, system administrator, etc.);

1. professionals and collaborators who support the Company for the activities carried out for the interested party (e.g. tourist guides / tour leaders, companies that deal with transport, hotels, commercial partners of the Company / controller who have organised all or part of the trip);
2. c) professionals and service companies for the administration and management of the Company/controller, who operate on behalf of the Company/controller for its internal purposes (e.g. accountants, consultants);
3. d) subjects, entities, authorities to whom it is mandatory to communicate the data of customers / interested parties, according to the provisions of the law and the orders of the authorities.

5.2. With reference to paragraphs a, b), c) of art. 5.1, the Company / data controller undertakes to rely on subjects who provide adequate guarantees in terms of data protection and to appoint such subjects, to the extent that this is advisable, as data controllers pursuant to art. 28 of the regulation.

1. DATA TRANSFER

6.1. Personal data may be transferred outside the European Union exclusively for the fulfillment of the requests of the customer / data subject and when such transfer is necessary for the management and fulfillment of contracts with the customer / data subject, in relation to the travel of the customer / data subject to non-European countries. Transfers of personal data of the customer / data subject outside the European Union must take place: with regard to business partners, accommodation facilities, tour leaders, tour guides, transport companies and other external operators who support the Company / controller for the management and fulfillment of contracts with the customer / data subject (e.g. for the management of customers traveling with travel packages organized by partners).

With regard to recipient countries, please note that for some of the countries listed below, following an appropriate analysis, the European Commission has issued a decision on the adequacy of the level of protection of personal data guaranteed in those countries: (Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and, in the context of ad hoc international agreements, Australia, Uruguay and the United States. Other recipient countries may present potential risks for the protection of personal data in relation to regulatory, cultural or socio-political factors in place in the country.

6.2. In all cases of transfer of personal data outside the European Union, the Company / data controller accepts:

1. transmit only the data necessary for the purposes described above;
2. obtain from the recipient the appropriate security and confidentiality obligations in relation to the personal data transmitted, the commitment to use such data exclusively for the implementation of the relationships with the Company / controller, in addition to the appropriate protections for the exercise of the rights to which the interested party / data subject is entitled, as well as in the event of a data breach;
3. inform the customer / interested party before sending personal data to non-European countries that have not been indicated in this Privacy Policy.

1. TREATMENT METHODS

7.1. Personal data are stored in the archives of the Company / data controller and are processed using paper and electronic means, subject to the adoption of adequate security measures to avoid unlawful processing.

7.2. The processing of personal data is based on the principles of minimization, correctness and transparency. Only personal data necessary for the purposes described will be processed and will be accessible only to personnel involved in the activities necessary for the purposes described.

1. PERSONAL DATA STORAGE PERIODPersonal data are stored for the entire duration of the contractual relationship with the customer / data subject and also subsequently, for the period of 10 years from the termination of such relationship, in consideration of the mandatory term for keeping accounting records and the expiry period of any complaints arising from the relationship between the Company / data controller and the data subject / data subject, as required by law.

8.2. In the event that disputes arise between the Company / data controller and the customer / data subject, the retention period will be extended for the duration of the dispute and for 10 years following its final resolution (e.g. settlement agreement or final court decision).

1. DATA SUBJECT RIGHTS

9.1. At any time, any interested party may exercise against the Company/controller the rights set out in art. 15-22 of the regulation, namely the right to request:

1. access to personal data or be informed by the Company/data controller of their personal data held by the Company/data controller, the purposes for which such data are processed, their origin and other information required by art. 15 of the regulation;
2. the rectification of personal data in case of inaccuracy;
3. the erasure of personal data (the so-called “right to be forgotten”);
4. the limitation of the processing of personal data or the right to obtain the suspension of the processing of personal data for the period necessary to verify the request for rectification of personal data, or in other cases provided for by art. 18 of the regulation. Furthermore, the interested party has the right to the following rights:
5. the right to data portability, i.e. the right to receive personal data in a structured, commonly used and machine-readable format – including by requesting direct transfer to another controller (with respect to data whose processing is carried out by automated means);
6. the right to lodge a complaint with a data protection authority or supervisory authority of the place where you reside, work or where the infringement occurred, if you consider that the processing of your personal data has occurred in violation of the Regulation.

9.2. Requests for clarification on this Privacy Policy and requests for the exercise of the rights described herein can be sent to: tel. 0039 0808932899 – booking@yuniqly.it