PRIVACY POLICY

INFORMATION PROVIDED PURSUANT TO ARTICLES 13-14 OF THE GDPR (GENERAL DATA PROTECTION REGULATION) 2016/679

In accordance with the legislation indicated, this processing will be based on the principles of correctness, lawfulness, transparency and protection of your confidentiality and your rights.

Pursuant to Article 13 of GDPR 2016/679, we therefore provide you with the following information:

A – Personal information (such as your first name, last name, details of your identity document and a copy thereof, telephone number, email address, etc.) will be requested at the time of your membership, depending on the type of association you require.

In accordance with Article 28 of the General Data Protection Regulation (GDPR) 2016/679, the Data Processor for data relating to bookings made through the company’s official website, using the https://be.synxis.com platform, is The Leading Hotels of the World, Ltd. company, with registered office at 485 Lexington Avenue, Suite 401, New York, NY 10017.

The Leading Hotels of The World, Ltd relies on the assistance of Sabre Hospitality Solutions GmbH for this purpose.

Also in accordance with Article 28 of the GDPR 2016/679, the Data Processor for data relating to bookings for access to swimming pools, health club, spa and gift vouchers is the company Woo Commerce, based for European countries at Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland.

The Company, as the controller of your personal data, provides you with information on the use of such data and your rights, so that you can knowingly give your consent, if necessary, and assert your rights under the General Data Protection Regulation (European Regulation 679/2016, hereinafter: “the Regulation”). Your personal data (provided by you, by third parties or collected, within the limits of the law, from public sources) may be processed for the following explicitly stated purposes: fulfilment of a contract, fulfilment of an obligation outside the contract, fulfilment of a legal obligation, protection of your own rights or those of third parties. The legal basis for the processing may be:

A – Legal obligation or regulation,
B – Contract with the data subject or performance of contracts,
C – Legitimate interest of the controller or a third party,
D – Vital and urgent interest of the data subject,
E – Explicit consent of the data subject,
F – Performance of a task in the public interest.

Below, we explain in detail the meaning of the different purposes:

1. Legal purposes: this category includes the fulfilment of obligations laid down by law, regulations, European Union legislation and the provisions of legally authorised authorities or competent supervisory or control bodies (in these cases, your consent is not required as the processing of the data is linked to the fulfilment of such obligations/provisions). The data processed for legal reasons include those related to tax regulations and anti-money laundering registers.

2. Contractual and administrative-accounting purposes: this type of processing concerns the fulfilment of obligations arising from contracts to which you are a party or the execution of specific requests made by you prior to the conclusion of the contract. This may include the use of distance communication techniques, such as a dedicated telephone call centre. In these cases, your consent is not required as the processing of your data is for the purpose of managing the relationship or executing your requests. These processing operations also include the mutual protection of interests in legal disputes, tax purposes and other legal obligations, such as anti-money laundering record keeping, if applicable.

3. Direct marketing purposes: this type of processing concerns the sending of information and informative, commercial and advertising material on products, services or initiatives of the company, in order to promote them, make direct sales, conduct market research and verify the quality of the products or services offered. Data may be processed with your voluntary consent or on the basis of the legitimate interest of the company, provided that it does not conflict with your rights.

4. Profiling: this processing aims to optimise commercial offers, carry out targeted commercial communications, conduct statistical research and create profiles based on your personal preferences, behaviour and attitudes, in order to make appropriate commercial decisions or analyse and predict your preferences for commercial purposes. In these cases, your consent is optional and does not affect your relationship with the company.

5. Indirect commercial purposes: this category includes the sharing of your data with third parties who carry out autonomous commercial activities, as described in the previous section. Again, your consent is optional and does not affect your relationship with the company.

6. Post-commercial purposes: this processing concerns the investigation of the reasons for the termination or revocation of relations with the company, after they have ended. Again, your consent is optional and does not affect your relationship with the company.

‘Particular data,’ also known as ‘sensitive data,’ are personal data that may reveal ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify an individual, data relating to a person’s health, sex life or sexual orientation (Art. 9 of the Regulation), or data relating to criminal convictions and offences or related security measures (Art. 10 of the Regulation). This data can only be processed with your explicit written consent or if one of the reasons listed in Art. 9 para. 2 and Art. 10 of the Regulation is applicable. Consent is optional, but refusal to give consent could jeopardise the performance of one or more activities required of the company, which specifically concern matters requiring the processing of such data.
Consent to the processing of your data may be binding for the conclusion of contracts with the owner company or third parties. Only data whose processing is essential for the conclusion of the contract are binding for the conclusion of the contract, whereas you may freely give or withhold consent for non-essential data, in particular for profiling, commercial communications and marketing purposes.
The Controller collects and processes your data in order to protect your vital interests if you are under the age of 18 and over the age of 14. Your data will be treated with the utmost confidentiality and only for the time strictly necessary to provide the requested services to the Controller, excluding any other purpose beyond the ongoing relationship between you and the Controller.
Your data may be shared with third parties for the purposes stated by the Controller. In particular, it may be transferred to third countries subject to an adequacy finding or, failing that, subject to your explicit consent.

B – DATA PROCESSING METHODS.
Your data is processed by means of manual/paper filing and electronic and automated means, in accordance with the purposes stated above. If you have given your consent, the processing may include profiling or data comparison. The Company has implemented technical and organisational measures to prevent and limit the risk of loss, deterioration or theft of your data, and to ensure timely recovery in the event of a data breach.
The processing is designed to ensure the security, protection and confidentiality of your data. Within the company, staff responsible for or in charge of the processing may have access to your personal data, including employees, managers, directors or partners of the company who occupy administrative, collaborative or commercial positions with self-employment contracts within the company structure. These individuals have received the appropriate training from the company to ensure the storage, updating and security of your data, so consent from these individuals is not required, as it is required by law.
Outside the Company, your data may be processed by collaborators with self-employment contracts operating outside the Company’s structures, as well as by consultants of various kinds (lawyers, accountants, engineers, architects, labour consultants and other professionals registered or not registered with professional bodies). These consultants perform technical, support and control tasks on behalf of the company. Data transfers are carried out using tools that protect the data from external intrusion.
Your data may be transferred abroad. If the transfer takes place within the European Union, your data will be processed in accordance with the same regulations as in Italy. If the data is transferred outside the European Union, your rights under the European Regulation will be respected. It is possible to request a list of third parties to whom the data is transmitted.
Public bodies or administrations may receive the data in fulfilment of legal obligations. Since the data you provide may be considered “special” or “sensitive” data within the meaning of the European Regulation, processing may only take place with your prior written consent and only for the purposes specified in this processing form, except in cases where processing is permitted by law.
The company may only process data relating to criminal convictions or offences involving security measures to the extent permitted by law. Since the data you provide may include ‘biometric data,’ such as fingerprints, palm prints, facial features or signatures acquired by technological means, it will be processed in accordance with applicable law, with your consent where necessary, and only for the purposes specified in this processing form.
To protect your data, the Data Controller has appointed a Data Protection Officer, identified as Luca Rampazzo.
The Data Protection Officer undertakes to limit the use and management of personal data, such as storage and archiving on our servers, to countries within the European Union. In the case of data transfer to countries outside the European Union, the parties involved may ensure compliance with the rights under the European Regulation through voluntary compliance and appropriate security measures to protect the data from unauthorised access. The transfer of such data to countries outside the European Union is prohibited, unless adequate protections are ensured or security measures are in place in accordance with EU Regulation 2016/679 – CHAPTER V.
For further details and clarifications, you can contact the Data Protection Officer (DPO) of Terme di Saturnia.

This information notice, drafted in compliance with Article 13 of the General Data Protection Regulation (GDPR) 2016/679, is also applicable by Terme di Saturnia to advertisements published on websites or portals for personnel recruitment that are not directly managed by the company itself.
The company will process curricula vitae received by e-mail or through third party companies specialised in personnel selection (such as advertisements published on portals, etc.) in order to assess possible applications within the company or in anticipation of future opportunities.
The processing is mainly carried out electronically, with the exception of CVs sent by traditional mail.
Resumes deemed “interesting” will be stored at the company’s premises for a period of 12 months and will be processed in accordance with the security measures prescribed by Article 32 of GDPR 2016/679.
Resumes deemed irrelevant or those whose retention period exceeds 12 months will be removed.
CVs will be stored in the human resources office of Terme di Saturnia and will not be disclosed to unauthorised third parties.
They may be evaluated by departmental managers of the spa appointed as authorised subjects for processing, in accordance with Articles 29 and 32(4) of GDPR 2016/679 and Article 2-quaterdecies of Legislative Decree 196/2003.
When preparing your resume, please follow these guidelines:

– Use the European format for the CV;
– Send the CV in PDF format;
– Avoid including special categories of personal data, as defined in Article 9(1) of GDPR 2016/679 (e.g. health information, religious, philosophical or political beliefs), unless they are directly relevant to the job position offered.

The company reserves the right to delete CVs that do not meet these requirements.
The processing of data in connection with the handling of CVs will primarily be for the purpose of evaluating, recruiting or selecting personnel, with the aim of collaboration, employment on a fixed-term or open-ended basis, internships or to enable the successful candidate to prepare his/her dissertation at our premises.
In compliance with Article 111-bis of Legislative Decree 196/2003, the information required by Article 13 of the GDPR is provided at the time of the first significant contact following the sending of the curriculum vitae, in the case of spontaneous applications for the establishment of an employment relationship.
In accordance with the specified objectives and based on Article 6(1)(b) of the GDPR, the data subject’s consent to the processing of personal data contained in curricula vitae is not required.

Information on your Personal Data:

Our company has obtained data about you from third parties. In this form, we provide you with the following information:

  • Who is the Data Controller and who is the representative, if applicable.
  • Who is the Data Protection Officer, if applicable.
  • The purposes and legal basis of the data processing.
  • The categories of data we collect.
  • Who the recipients of the data are.
  • The possibility of transferring the data abroad.
  • The data retention period or the criteria for determining this period.
  • Your rights, including access, revocation, correction, deletion, portability, restriction.
  • The possibility to lodge complaints with the supervisory authority.
  • The source of your data.
  • The use of automatic decision-making processes and your right to intervene.

Terme di Saturnia will only store personal data for as long as is necessary to achieve the purposes described in this policy.
For example, if you subscribe to the newsletter service, Terme di Saturnia will keep your data until you decide to unsubscribe from the service, which you can easily do by clicking on the “unsubscribe” link in the email you receive. Any request sent will be deleted within 30 days of receipt.
With the exception of the above, Terme di Saturnia will retain your personal data for as long as is required by Italian law to protect its interests, as stipulated in Art. 2947(1)(3) of the Italian Civil Code.
Data that is not subject to specific legal obligations will be deleted within 10 years.
The data controller does not use automated procedures, including profiling and all detailed evaluations based on personal data collected via forms on this website. It is important to note that when you provide preference information via contact forms, this is not binding and serves exclusively for organisational purposes.
Regarding any profiling activities involving the use of cookies, please see our Cookie Policy for further details.

Rights of the Data Subject:
You have several rights under the Regulation, including:
 
  • The right to complain to the national authority (Data Protection Supervisor) if you believe your rights have been violated.
  • The right to have accurate and up-to-date data.
  • The right to withdraw consent to the processing of your data.
  • The right to access your data.
  • The right to request correction of data.
  • The right to request deletion of data, except where there are legal obligations to keep it.
  • The right to keep the data if you contest the accuracy or lawfulness of the processing.
  • The right to be informed if your data is modified or deleted.
  • The right to transfer your data to another operator, within the limits provided by law.
  • The right to object to data processing, profiling and the use of data for direct marketing.
  • The right to request a human review of decisions based on automated decision-making processes.

The company may use automated procedures to make decisions about you, but you have the right to request a human review before binding decisions are made.

Persons Involved in the Processing of Data:
Here is who may process your data:
[Data Controller]: [Company].
[Representative]: Not applicable.
[Responsible]: The CEO and department heads.
[RDP/DPO]: Luca Rampazzo.

Ways to Exercise Your Rights:
You can make written requests by sending them to the company address, Terme di Saturnia S.p.a. – Località Saturnia – 58014 Manciano (GR) or by e-mail to [email protected]. Alternatively, if available, you can do this yourself in the online personal area using a unique identifier.

 
