PERSONAL DATA POLICY IN ACCORDANCE WITH ARTICLES 13 e 14 REG. UE 2016/679
SITE CUSTOMERS
In accordance with Reg. UE 2016/679 (hereinafter “Regulation”), we provide the personal data policy referred to the data provided by a customer (hereinafter “Customer”) when he books a tour or a service or when Customer asks information about products or services of the Controller, as defined follow.
1. Data controller
Data Controller (hereinafter “Controller”): Puglia Cycle Tours S.r.l.
Data controller information: Via San Giacomo 20, 70017 Putignano (BA), PIVA/CF 07973400729
Contact details: Estramurale a Levante 146, 70017 Putignano (BA), TEL +39 080 205 11 87; EMAIL marketing@pugliacycletours.com; PEC pugliacycletours@pec.it
2. Types of personal data collected.
The types of personal data collected and processed by the Controller especially are: biographical data, contact data, financial and transaction data, data relating to the services purchased, data that Customer freely provides to Controller for his requests, technical data (which includes IP address, login data, type of device, operating system and platform, browser language) and special categories of personal data as like health data (for example health problems during a tour).
To be able to supply the requested services or for the execution of the contractual relationship, Customer has to provide the data marked with appropriate symbols. For the same aims, some personal data are automatically collected when using our platform (for example IP address) and other personal data should be necessary. The provision of all the other data is not required and it doesn’t compromise the execution of the contractual relationship.
In particular:
a. To complete a tour booking
To complete a tour booking or to provide a tour, the Controller may especially process biographical data, contact data, financial and transaction data, data relating to the services purchased, technical.
b. When Customer contact the Controller to specific requests or to obtain information
When Customer contact the Controller to specific requests or to obtain information, the Controller may especially process biographical data, contact data, data that Customer freely provides to Controller for his requests.
c. To fulfil legal obligation
To fulfil legal obligation, the Controller may especially process biographical data, contact data, financial and transaction data, data relating to the services purchased, technical data (which includes IP address, login data, type of device, operating system and platform, browser language).
d. When Controller has to handle a complaint or defend or act in court
When the Controller hast to handle a complaint or defend or act in court, he may especially process biographical data, contact data, financial and transaction data, data relating to the services purchased, data that Customer freely provides to Controller for his requests, technical data (which includes IP address, login data, type of device, operating system and platform, browser language), and special categories of personal data as like health data (for example health problems during a tour).
3. Purposes and legal basis for the processing
a. The personal data collected are processed, with automated and non-automated methods, for the following purposes and on the legal basis indicated below.
a.1 Purpose: fulfil legal obligation – Legal basis: Processing is necessary for compliance with a legal obligation to which the controller is subject (art. 6, 1, c, Regulation)
a.2 Purpose: Management of the contractual relationship or of the provision of requested service – Legal basis: Processing is necessary for the performance of a contract to which the data subject is party (art. 6, 1, b, Regulation)
a.3 Purpose: Site security and functionality – Legal basis: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6, 1, f, Regulation)
a.4 Purpose: Request management – Legal basis: Processing is necessary for the performance of a contract to which the data subject is party (art. 6, 1, b, Regulation)
a.5 Purpose: Litigation management – Legal basis: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6, 1, f, Regulation)
a.6 Purpose: Litigation management about special categories of personal data – Legal basis: processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity (Art. 9, 2, f, Regulation, and recital n. 52 Regulation)
a.7 Purpose: Direct marketing activities for similar services and by e-mail, so-called “soft spam” – Legal basis: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6, 1, f, Regulation, and art. 130, c. 4, D. Lgs. 196/2003).
a.8 Purpose: Customer satisfaction (The Controller may use the contact data in the context of carrying out surveys to measure satisfaction to improve services and customer relations. For example, the Controller may send a request to fill in a satisfaction questionnaire or a survey strictly connected to the service which he has used immediately. It is specified that the Customer can freely choose whether or not to express his opinion) – Legal basis: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6, 1, f, Regulation)
b. Lastly, some personal data might be processed, with automated and non-automated methods, for further optional purposes. The Controller doesn’t need these data to the execution of the contractual relationship or to provide the requested service. In any case, customer’s consent is required.
b.1 Purpose: Marketing and commercial information, to be received by SMS, instant messaging, e-mail (The Controller will carry out marketing activities in order to, for example, update the Customer on news, new destinations, special and seasonal offers and promotions. These communications will only take place to the addresses communicated, by e-mail, instant messaging, SMS, etc.) – Legal basis: Consent (art. 6, 1, a, Regulation).
4. Categories of recipient
In connection with previous purposes, the Controller may communicate personal data collected to the following categories of recipient: Public bodies, public authorities, advisers and consultants, companies or organizations which provide services for the controller (for example IT service, or marketing service); banks and insurance companies; companies specialized in market research and data processing; other organizations that provide services for the Controller; parent company, associates, subsidiaries.
5. Data disclosure
Personal data will be not transfer.
6. Data source
Personal data are collected directly from Customer, however in some cases personal data are collected from other subject. For example, during the booking of a guided tour when the person in charge of the booking communicates the personal data of the other eventual participants in the tour. In this case, the contact person who proceeds to fill in the forms declares to be authorized to provide the personal data of the other participants and to have provided them with a copy of this data policy.
7. Data transfer
The Controller may transfer personal data to third countries for ancillary reasons connected to previous purposes. If personal data will be transfer outside the European Union recipients, it will be adopted all the cautions imposed by the Regulation, and any transfer of personal data shall be based on: an adequacy decision; appropriate safeguards; binding corporate rules.
8. Data retention
The Controller keeps personal data for a limited period of time, which varies according to the purposes for which they are collected. Once this period has expired, the data will be kept for other purposes or, if they cannot be used for other purposes, they will be definitively canceled or irreversibly anonymized. Personal data will be processed by the Controller: (i) for no longer than is needed for the purposes of the contract although further retention required by law for the purpose under 3.a, that is up to 10 years from last registration; (ii) up to the expiration of the term for legal action for purpose under 3.a.5 and 3.a.6; (iii) for 5 (five) years from provision of consent for purpose under 3.b.1, except withdraw.
9. Rights of the data subject
Customer is entitled to exercise the following rights at any time: right of access, right to rectification, right to erasure; right to restriction of processing, right to object, right to data portability, right to withdraw the consent.
To exercise any of the above rights, Customer has to contact the Controller by writing to the contacts under point 1.
Customer has also the right to lodge a complaint with the supervisory authority of the State where he live, work or where the violation appends (in Italy, Data Protection Authority) if he believes that the processing of his personal data by the Controller is in violation of the Regulation or applicable law.
Latest release 07/08/2023
