INFORMATION ON THE PROCESSING OF PERSONAL DATA

PURSUANT TO ART. 13 OF REGULATION (EU) 679/2016 (General Data Protection Regulation - GDPR)

The personal data of users accessing and using the website www.sitas.ski.it (hereinafter also referred to as the ‘Site’) are subject to processing in compliance with the legislation on the protection of personal data. In compliance with the principle of transparency towards the data subjects and with a view to accountability, SITAS SPA provides, in this section, information on the processing of the personal data of users of the Site. This information is provided only for the Site and its related sub-domains and not for third party websites accessible through hypertext links contained in the Site, for which the Data Controller is in no way responsible.

1. Data controller

   
   The Data Controller is SITAS SPA (hereinafter also referred to as the ‘Data Controller’), with registered office in Via Ostaria n. 79/C 23041 LIVIGNO (SO).

2. Data Protection Manager

   
   He has not been appointed.

3. Nature of data conferment

   
   In order to take advantage of the services offered through the Site, the user may be asked to provide the personal data necessary to ensure their use: in particular, for the purposes of filling in the forms on the Site, the provision of the data marked with an asterisk is necessary for the management of and response to communications forwarded by the user. It should be noted, in any case, that the user is free to provide the data requested, in the sense that there is no regulatory obligation to provide them: failure to provide the data indicated as necessary, however, makes it impossible for the Controller to provide the service requested.

4. Types of data processed, purpose and legal basis for processing

   
   The types of data being processed include, in particular:

   1. Browsing data

      
      During the user's navigation on the Site, the computer systems responsible for its operation automatically acquire certain information whose transmission is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers and terminals used by users, the URI/URL addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. This data is processed for purposes related to the provision of the services offered through the Site. The legal basis for the processing is, therefore, the performance of a contract to which the data subject is party, pursuant to Article 6(1)(b) of Regulation (EU) 679/2016 (GDPR). In particular, navigation data are processed in order to ensure the correct functionality of the Site and the usability of its services;

   2. Data provided by the data subject

      
      SITAS SPA processes the data provided voluntarily by the user, by filling in the forms present in certain sections of the Site or by sending e-mail messages to the e-mail addresses indicated, for purposes connected with the provision of the services offered through the Site. In this case, the legal basis of the processing is the execution of a request by the user, pursuant to Article 6(1)(b) of Regulation (EU) 679/2016 (GDPR). Certain types of processing may also be, in addition, based on the consent of the data subject, pursuant to Article 6(1)(a) of Regulation (EU) 679/2016 (GDPR), on the need to fulfil a legal obligation, pursuant to Article 6(1)(c) of Regulation (EU) 679/2016 (GDPR), or on the legitimate interest of the Data Controller, pursuant to Article 6(1)(f) of Regulation (EU) 679/2016 (GDPR). In particular, the personal data provided by the data subject may be processed for the following purposes
      1. In relation to data conferred through the optional and voluntary sending of e-mail messages to the e-mail addresses indicated on the Site (which include, in particular, the sender's e-mail address and any other personal data contained in the message) in order to carry out the processing activities necessary to respond to the data subject's requests
      2. In relation to the data provided by filling in the ‘Work with Us’ form requesting to work for the company (including name, surname, e-mail address and any other personal data contained in the message), in order to assess and acknowledge the request. Users may also express their consent to receive informative newsletters and promotional communications on the services and initiatives of SITAS SPA;
      In any case, the user's e-mail coordinates and personal data may be used to send informative and promotional newsletters on the services and initiatives of SITAS SPA, on the basis of its legitimate interest, pursuant to Article 6(1)(f) of Regulation (EU) 679/2016 (GDPR), in using the user's e-mail coordinates and personal data, acquired in the context of offering a service through the Site, for the purposes of information and direct promotion of similar services and initiatives.

5. Method and duration of processing

   
   The processing will be carried out by means of paper and/or computer tools, also by persons authorised to do so, operating under the direct authority and according to the instructions given by the Data Controller, with logic strictly related to the purposes indicated and, in any case, in such a way as to guarantee the security and confidentiality of the data processed. Processing operations are carried out in such a way as to guarantee the security of data and systems. Specific security measures are adopted in order to reduce to a minimum the risks of destruction or loss, even accidental, of the data themselves, of unauthorised access, of processing that is not permitted or does not conform to the purposes indicated in this information notice. The security measures adopted, however, do not allow the risks of interception or compromise of personal data transmitted by telematic means to be absolutely excluded. It is therefore recommended to check that the device in use by the user is equipped with appropriate software systems to protect the telematic transmission of data, both incoming and outgoing (such as, for example, up-to-date antivirus systems, firewalls and anti-spam filters). The processed data will be kept for a period of time not exceeding that necessary to achieve the purposes for which they were collected and subsequently processed. In particular:
   • The data processed for sending informative newsletters and promotional communications will be kept until the data subject exercises his/her right to object or withdraw his/her consent;
   • Data sub a) of paragraph 4.2 will be kept for the time necessary to provide feedback to the data subject;
   • Data processed for the purpose of responding to a request for cooperation (paragraph 4.2, letter d) will be retained for a maximum period of 12 months after their provision;

6. Categories of recipients

   
   The personal data of the data subject may be communicated to specially authorised collaborators and employees of the Data Controller, within the scope of their duties; Under no circumstances shall personal data be communicated, disseminated, transferred or in any case transferred to third parties for unlawful purposes and, in any case, without informing the interested parties accordingly and obtaining their consent, where required by law. This is without prejudice to the possible communication of the data at the request of the judicial or public security authorities, in the manner and in the cases provided for by law. Personal data will not be transferred abroad, to countries or international organisations outside the European Union that do not guarantee an adequate level of protection, recognised, pursuant to Article 45 GDPR, on the basis of an adequacy decision by the EU Commission. In the event that it is necessary for the provision of the Site services, the transfer of personal data to non-EU countries or International Organisations, for which the Commission has not adopted any adequacy decision pursuant to Art. 45 GDPR, will only take place in the presence of adequate safeguards provided by the recipient country or Organisation, pursuant to Art. 46 GDPR and provided that the data subjects have enforceable rights and effective remedies. In the absence of an adequacy decision by the Commission, pursuant to Article 45 GDPR, or of adequate safeguards, pursuant to Article 46 GDPR, including binding corporate rules, the cross-border transfer will only take place if one of the conditions set out in Article 49 GDPR is met

7. Rights of the data subject

   
   The person concerned has the right to access his or her personal data, to ask for them to be corrected, updated and deleted or limited, if incomplete, incorrect or collected in violation of the law, as well as to oppose their processing for legitimate reasons or to obtain their portability. In particular, the data subject shall have the right to obtain confirmation as to whether or not personal data concerning him/her exist, regardless of their being already recorded, and communication of such data in intelligible form.
   The data subject also has the right to obtain information on:
   • The purposes and methods of the processing;
   • Of the logic applied in the event of processing carried out with the aid of electronic instruments;
   • The identity of the data controller, data processors and of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as authorised processors.
   The data subject has the right to obtain:
   • The updating, rectification or integration of their data;
   • The cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose storage is not necessary in relation to the purposes of processing;
   • The restriction of processing, when one of the cases referred to in Article 18 GDPR occurs;
   • Certification to the effect that the operations as per letters a), b) and c) have been notified to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
   • The transmission of data concerning him, provided to the Data Controller and processed on the basis of the consent expressed by the data subject for one or more specific purposes, in a structured, commonly used and machine-readable format. Pursuant to Article 20 GDPR, the Data Subject also has the right to transmit such data to another data controller without hindrance and, if technically feasible, to obtain the direct transmission of personal data from one data controller to another;
   • Where the processing is based on consent, to revoke their consent at any time (pursuant to Article 7(3) GDPR).
   The data subject has the right to object, in whole or in part:
   • On legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection to the processing of personal data concerning him/her for the purpose of sending advertising materials or direct selling or for carrying out market research or commercial communication.;
   • To automated decision-making processes that significantly affect him/her..
   Without prejudice to any other administrative or judicial remedy, the data subject shall have the right to lodge a complaint with a supervisory authority, notably in the Member State in which he/she normally resides or works or in the place where the alleged infringement took place.

8. Exercise of rights

   
   The above rights are exercised by making a request to the Data Controller by sending an e-mail to amministrazione@sitas.ski. The request is formulated freely and without formality by the interested party, who is entitled to receive an appropriate response within a reasonable time, depending on the circumstances of the case.

In order to know his/her rights, to lodge a complaint and to be kept up-to-date on the legislation on the protection of persons with regard to the processing of personal data, the data subject may contact the Data Protection Authority by consulting the website at http://www.garanteprivacy.it/.