This page describes how the site is managed with reference to the processing of personal data of users who consult it. This information is provided pursuant to art. 13 of EU Regulation 2016/679 applicable from 25 May 2018 – General Regulations for the Protection of Personal Data (hereinafter referred to as GDPR) to those who interact with the web services of Terme di Saturnia S.p.A., accessible electronically from the www.termedisaturnia.it address managed by Terme di Saturnia S.p.A.
The policy is provided only for the website www.termedisaturnia.it and not for other websites that may be consulted by the user through links for which Terme di Saturnia S.p.a. is not liable.
Pursuant to art. 4 no. 7 of the GDPR 2016/679, the Data Controller for the website is the company Terme di Saturnia S.p.a. – Località Saturnia – 58014 Manciano (GR).
Pursuant to art. 28 of the GDPR 2016/679, the Data Processor for reservations that take place through the company’s institutional website through the platform https://be.synxis.com is the company The Leading Hotels of the World, Ltd. – 485 Lexington Avenue, Suite 401 New York, NY 10017.
Leading Hotels of The World, Ltd uses Sabre Hospitality Solutions GmbH for this purpose.
Pursuant to art. 28 of GDPR 2016/679, the company responsible for the processing of data for bookings relating to pool entrances, wellness clubs, spas and gift vouchers is Vertical Booking S.r.l., with headquarters in Piazza Pontida no. 7 – 24122 Bergamo.
DATA PROTECTION OFFICER
In accordance with article 37 of the GDPR 2016/679, Terme di Saturnia S.p.a. has officially appointed a Data Protection Officer (hereinafter referred to as DPO) whose contact details are: [email protected]
The DPO is at the disposal of data subjects for any information concerning the processing of their personal data and the exercise of their rights.
PLACE OF DATA PROCESSING
The data processing connected to the web services of this website takes place at the registered office of Terme di Saturnia S.p.a. – Località Saturnia – 58014 Manciano (GR) and at the external booking managers, and is handled only by technical staff of the service in charge of the processing. No data from the web service is communicated or disclosed. The personal data provided by users who request the sending of informative material are used only to perform the service or supply requested and are communicated to third parties only if this is necessary for that purpose.
TYPES OF DATA PROCESSED
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but by its very nature it could allow user identification through processing and association with data held by third parties. This category of data includes IP addresses or domain names of computers used by users connecting to the site, URI notation addresses (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the answer from the server (successful, error, etc.) and other parameters regarding the user’s operating system and computer environment. These data are used only to obtain anonymous statistical information on the use of the site and to check its correct functioning and are deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site: except for this possibility, the data on web contacts is not kept for more than thirty days.
Data provided voluntarily by the user
The optional, explicit and voluntary sending of electronic mail to the addresses indicated on this site involves the subsequent acquisition of the sender’s address, necessary to respond to requests, and any other personal data included in the message. Specific summary information will be progressively reported or displayed in the pages of the site prepared for particular services on request.
The voluntary compilation of data acquisition forms to request information, register or book activities involves the subsequent processing of personal data provided to guarantee the execution of a contract to which the data subject is a participant or the execution of pre-contractual measures adopted upon request by the same.
Personal data are processed by automated tools for the time necessary to achieve the purposes for which they were collected. Specific security measures are observed to prevent loss of data, illicit or incorrect use and unauthorized access.
In compliance with art. 8 of GDPR 2016/679, the services of this website are not intended for children under 16 years of age. We do not knowingly collect personal data from minors.
However, in the cases in which it is requested, the consent to the processing of his/her personal data is legitimately expressed directly by the minor only when he/she has reached the age of 16. In other cases, Terme di Saturnia S.p.a. requires that consent to the processing is given or authorised by the holder of parental responsibility for the child.
If we become aware that we have collected the Personal Data of a minor, we will immediately delete it, unless we are required by law to keep such data.
Please contact us if you believe that the Data Controller has mistakenly or unintentionally collected information about a child.
PURPOSE, LEGAL BASIS AND NATURE OF THE PROVIDED DATA
The Personal Data that the user provides through the website in question will be processed by Terme di Saturnia S.p.a. for the following purposes:
- to ask for information in Terme di Saturnia about Golf, the SPA, conference rooms, cosmetics shop. The legal basis of the processing is based on article 6, sub. 1 letter b) of the GDPR 2016/679, or the processing is necessary for the execution of pre-contractual measures to which the data subject is a party. Consent not required;
- to register for the Terme di Saturnia newsletter and receive periodic promotional and commercial communications. The legal basis of the processing is based on article 6, sub. 1 letter a) of the GDPR 2016/679 or the processing requires the explicit consent of the data subject;
- to make room reservations at the Terme di Saturnia Resort. The legal basis of the processing is based on article 6, sub. 1 letter b) of the GDPR 2016/679, or the processing is necessary for the execution of pre-contractual measures to which the data subject is a party. Consent not required;
- to buy gifts (Gift Card) that involve the various services offered by Terme di Saturnia. The legal basis of the processing is based on article 6, sub. 1 letter b) of the GDPR 2016/679 or the processing is necessary for the execution of a contract to which the data subject is a party. Consent not required;
- to book treatments in the spa or enter the thermal pools of Terme di Saturnia. The legal basis of the processing is based on article 6, sub. 1 letter b) of the GDPR 2016/679, or the processing is necessary for the execution of pre-contractual measures to which the data subject is a party. Consent not required;
- purposes related to the selection of personnel through the receipt of the curriculum vitae in the Work with Us section for the evaluation of a potential job application within Terme di Saturnia. The legal basis of the processing is based on article 6, sub. 1, letter b) of the GDPR (execution of a contract or pre-contractual measures adopted at the request of the data subject) and, with regard to the information on the processing, in addition to those specified herein, the Data Controller may provide further information to the first useful contact pursuant to article 111 bis of Italian Legislative Decree 196/2003. Consent not required;
- purposes of research and statistical analysis on anonymous aggregate data, to measure the operation of the Website, measure traffic and evaluate usability and interest to improve functionality and performance; Consent is not required since it does not affect the processing of personal data;
- for accounting, tax and administrative purposes. The legal basis of the processing is based on article 6, sub. 1 letter c) of the GDPR 2016/679 or the processing is necessary to fulfil a legal obligation to which the Data Controller is subject. Consent not required;
- purposes relating to the compliance with laws and regulations. The legal basis of the processing is based on article 6, sub. 1 letter c) of the GDPR 2016/679 or the processing is necessary to fulfil a legal obligation to which the Data Controller is subject. Consent not required;
- purposes necessary to establish, exercise or defend a right either in court or whenever courts exercise their jurisdiction functions. The legal basis of the processing is based on article 6, sub. 1 letter f) of the GDPR 2016/679 or the processing is necessary for the pursuit of the legitimate interest of the Data Controller. With regard to the possible processing, for the same purposes, of the data referred to in the particular categories pursuant to art. 9, par. 1 of the GDPR, the condition of lawfulness is found in par. 2, letter f) of the same article: “the processing is necessary to ascertain, exercise or defend a right in court”. Consent not required.
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
The Data Controller undertakes to restrict the areas of circulation and processing of personal data (e.g. storage, archiving, storage of data on its servers) to countries belonging to the European Union, with the express prohibition of transferring them to countries outside the EU that do not guarantee (or in the absence of) an adequate level of protection, or, in the absence of protection instruments provided for by EU Regulation 2016/679 – CHAPTER V (adequacy decision, Standard Contractual Clauses or explicit consent by the interested party after adequate indication and description of the risks associated with the transfer).
More information and explanations can be obtained from the DPO of Terme di Saturnia.
Terme di Saturnia processes your Personal Data for the time strictly necessary to achieve the purposes indicated in this policy.
By way of example but not limited to, Terme di Saturnia will process Personal Data for the newsletter service until you decide to cancel by simply clicking on the e-mail received (in particular, the unsubscribe link).
Requests will be deleted within 30 days of receipt.
Without prejudice to the above-mentioned facts, Terme di Saturnia will process your Personal Data up to the time allowed by Italian law to protect its interests (Art. 2947(1)(3) of the Italian Civil Code).
Further information regarding the period of retention of Personal Data and the criteria used to determine this period may be obtained by writing to the DPO.
RESERVATIONS SYSTEM SECURITY
Sabre Hospitality Solutions GmbH uses the credit cards provided at the time of booking in compliance with the PCI DSS security protocol (Payment Card Industry Data Security Standard) having obtained regular certification from the PCI Security Standards Council, LLC.
All information sent to this website, if in an SSL session, is encrypted and protected against disclosure to third parties.
This information, prepared in compliance with art. 13 of the GDPR 2016/679, can also be used by Terme di Saturnia for any advertisements published for the search of personnel on sites or portals it does not directly manage.
The Company will process the CVs received via email or third-party personnel selection companies (publications on portals, etc.) to evaluate potential applications within the Company or which may be submitted in the near future.
Processing is carried out electronically, with the exception of CVs received by ordinary mail.
CVs considered “interesting” will be stored at the company’s headquarters for a period of 12 months and will be processed in full compliance with the security measures provided for in article 32 of GDPR 2016/679.
CVs considered not relevant as well as those CVs whose retention time has exceeded 12 months will be erased.
The CVs will be kept in the human resources office of Terme di Saturnia and will not be disclosed to unauthorized third parties.
The same may be assessed by heads of department of the spa appointed as persons authorised to process them (ex art. 29 and 32 subsection 4 of GDPR 2016/679 and art. 2-quaterdecies of Italian Legislative Decree 196/2003).
In compiling your CV, please follow these rules:
- fill in your CV in the European format;
- send the CV in pdf format;
- avoid including particular categories of personal data in the CV as defined by article 9, sub. 1 of the GDPR 2016/679 (relating, in particular, to the state of health, religious, philosophical or political beliefs) not relevant in relation to the job offer.
The company reserves the right to delete CVs that do not comply with the above requirements.
The processing related to the management of CVs will involve activities strictly related to the assessment, recruitment or selection of personnel, with the aim of collaboration, temporary or permanent employment, internship, or to allow the chosen candidate to prepare his thesis at our headquarters.
Pursuant to art. 111-bis of Italian Legislative Decree 196/2003, the information referred to in art. 13 of the GDPR, in cases of receipt of CVs spontaneously transmitted by the data subjects for the purpose of establishing an employment relationship, is provided at the time of the first useful contact, following the sending of the CV.
In compliance with the specified purposes, pursuant to art. 6, par. 1, lett. b) of the GDPR the consent of the data subject for the processing of the personal data present in the CV is not required.
AUTOMATED PROCESSING AND PROFILING
The Data Controller does not carry out automated processing, including profiling on personal data acquired through the forms of this website. On this point, we specify that the indication of the preference of the chosen service, which is not binding, in the contact forms, represents only information necessary for organisational purposes.
RIGHTS OF THE DATA SUBJECTS
The persons to whom the personal data refer have the right at any time to obtain confirmation of the existence or absence of such data and to know its content and origin, verify its accuracy or request that it be supplemented, updated or corrected (Section III GDPR 2016/679). Pursuant to this Article you have the right to request the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, and in any case, refuse their processing for legitimate reasons. Requests should be addressed to Terme di Saturnia S.p.A.: Loc. Follonata 58014 Saturnia (GR) – Italy to the attention of the Data Protection Officer.
The user can freely exercise the rights pursuant to articles 15 et seq. of the GDPR 2016/679, which we reproduce in full below:
- revoke consent at any time. The User can revoke his/her consent to the processing of his/her Personal Data previously expressed;
- object to the processing of his/her Data. The User can object to the processing of his/her Data when it occurs on a legal basis other than that for which consent was provided;
- access his/her Data. The User has the right to obtain information on the Data processed by the Data Controller, on certain aspects of the processing and to receive a copy of the Data processed;
- verify and request rectification. The User can verify the correctness of his/her Data and request that it be updated or corrected;
- obtain the restriction of the processing. When certain conditions are met, the User can request the restriction of the processing of his/her Data. In this case, the Data Controller will not process the Data for any other purpose other than for the storage of the same;
- obtain the erasure or removal of his/her Personal Data. When certain conditions are met, the User can request the erasure of his/her Data by the Data Controller;
- receive his/her Data or have it transferred to another Data Controller. The User has the right to receive his/her Data in a structured, commonly used and machine-readable format and, where technically feasible, to have it transferred without delay to another Data Controller. This provision is applicable when the Data is processed using automated instruments and the processing is based on the User’s consent, on a contract to which the User is party or contractual measures connected to the same;
- object to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or significantly affects him/her in a similar way.
Requests are to be directed to the Data Protection Officer who can be contacted at the following e-mail: [email protected]
RIGHT TO COMPLAIN
Data subjects who believe that the processing of their personal data through this website takes place in breach of the provisions of the Regulation have the right to lodge a complaint with the Supervisory Authority, as provided for by art. 77 of the Regulation, or to take legal action (art. 79 of the Regulation).
UPDATING AND REVISING