This Privacy Policy aims to describe the management methods of the website www.visitvaldichiana.it (hereinafter: the "Website") concerning the processing of users' personal data.
This is a general information document provided in accordance with Art. 13 of Regulation (EU) 2016/679 regarding the protection of individuals concerning the processing of personal data and the free movement of such data (hereinafter "Regulation") to all users who consult and, more generally, interact with the services provided through the Site by the Municipality of Cortona - Piazza della Repubblica, 13 Cortona (AR) (hereinafter: the "Data Controller" or "Entity").
This information will illustrate the purposes and methods by which the Data Controller may collect and process your personal data, which categories of data are subject to processing, what are the rights of data subjects to the processing, and how they can be exercised.
This information is provided exclusively for this Website; therefore, the Data Controller assumes no responsibility for other websites that may be consulted through hyperlinks present on the Website itself. Data processing will be carried out using computerized and manual tools.
By using this Website, users accept this information and are therefore invited to read it before providing any kind of personal information.
Data Controller
Municipality of Cortona - Piazza della Repubblica 13, 52044 – Cortona (AR)
Contact details of the Data Protection Officer
The Data Protection Officer for the Municipality of Cortona can be contacted at the following addresses: Dr. Marco Marcellini (Data Protection Officer) Phone: +39 0575 62524, +39 339 2758634 Email: privacy@next20.it PEC: marco.marcellini@postecert.it
Types of data processed
Navigation data
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. These are information that is not collected to be associated with identified data subjects, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters relating to the operating system and the user's IT environment. This data is used for the sole purpose of obtaining anonymous statistical information about the use of the site and to check its correct functioning and is deleted immediately after processing. The data may be used to ascertain liability in case of hypothetical computer crimes against the site. Some personal data whose transmission is implicit in the use of internet communication protocols (e.g., personal data acquired through the site's access log) are acquired by Web Analytics Italia. This data is processed for the technical management of the website and for the collection of analytical data on its traffic. For more information, please refer to WAI's specific privacy policy at https://webanalytics.italia.it/privacy.
Data provided voluntarily by the user
Subject to what is specified above regarding navigation data, the entity will acquire personal data that the user may provide through the Site to make requests via email, to subscribe to any newsletters, and will also acquire name, surname, email address, etc. only if they wish to contact the Controller or use the services offered on this site through specific forms. Through the Website, the Data Controller will not acquire sensitive data or data belonging to the special categories referred to in Article 9 of Regulation (EU) 2016/679 or data relating to criminal convictions or offenses. The processing of data provided by the user will be carried out in compliance with the purposes and methods indicated in this information and the specific information made available from time to time.
Processing methods
Personal data are processed using both manual and computerized tools to achieve the purposes for which they were collected. Specific security measures are observed to prevent the loss of data, unlawful or incorrect use, and unauthorized access. The processing of data will be carried out by personnel under the direct authority of the Data Controller and/or by individuals or legal entities specifically appointed by them as data processors, properly designated and authorized persons responsible for processing.
Legal basis and purposes of processing for the provision of requested services
The data provided as described in the section "Data provided voluntarily by the user" will be processed by the Data Controller exclusively to respond to requests and provide the services that the user intends to use. The data will be processed only for these purposes. The provision of such data is necessary.
Recipients of the processing
The recipients of the processing are all users of the website or the services made available through it, in accordance with the applicable laws and what is defined by Regulation (EU) 2016/679.
Optional provision of data
The user is free to decide whether to provide their personal data to the Data Controller through this website and/or the services connected to it. Failure to provide the data may result in the Data Controller's inability to provide the services requested.
Communication and Data Transfer
The data provided will not be disclosed or communicated to third parties under any circumstances, except for subjects authorized to access the data by law or orders of the authorities, as well as external and/or foreign subjects used by the Data Controller for instrumental and/or ancillary activities, including providers of software solutions, web applications, and storage services.
Further information can be obtained by the data subject by requesting it from the Data Controller. For the described purposes, the Data Controller may also communicate some personal data collected to third parties, who will process the personal data as Data Processors.
The list of data processors can be requested from the Data Controller by writing to: Municipality of Cortona - Piazza della Repubblica 13, 52044 - Cortona (AR)
Data Retention Period
The data will be kept to follow up on requests and selected services requested through the Website. The data will be retained for the strictly necessary period.
Rights of the Data Subjects
It is noted that, in accordance with the current regulations, the data subject has the following rights:
In particular, the following rights are recognized: Articles 15 - "Right of access by the data subject", 16 - "Right to rectification", 17 - "Right to erasure", 18 - "Right to restriction of processing", 20 - "Right to data portability" of EU Regulation 2016/679 within the limits and conditions provided for in Article 12 of the Regulation itself.
These requests can be addressed to Municipality of Cortona - Piazza della Repubblica 13, 52044 - Cortona (AR). It is also informed that, in accordance with current regulations, it is possible to lodge complaints regarding the processing of personal data with the Guarantor for the protection of personal data.
Cookies
Depending on the web browser used, the user has the option to disable or selectively accept the use of cookies. In this case, browsing may not be as smooth, some functions of the site may not be available, and some web pages may be displayed incorrectly.
The site uses Web Analytics Italia (WAI) cookies to collect information, in aggregated form, about the number of users and how they use the site, solely for the purpose of producing anonymous statistics and verifying its correct operation.
For more information, please consult the specific privacy policy of WAI at the address https://webanalytics.italia.it/privacy.
You can access the full cookie policy via a link available at the bottom of this site or by clicking here. (Link???)
Types of Data Collected
Among the Personal Data collected by this website, either independently or through third parties, are: ZIP code, email, province, geographical location, Usage Data, Cookies, and various types of Data indicated here for illustrative purposes, but not exhaustively. Complete details on each type of collected data are provided in the dedicated sections of this privacy policy or through specific informational texts displayed before data collection.
Personal Data may be freely provided by the User or, in the case of Usage Data, collected automatically during browsing. Unless otherwise specified, all requested data is mandatory. In cases where certain data is indicated as optional, Users are free to refrain from communicating such data without any consequence on the availability or operation of the Service. Users who have doubts about which data is mandatory are encouraged to contact the Data Controller.
The possible use of tracking tools by this website or by third-party service providers used, unless otherwise specified, is aimed at providing the Service requested by the User, in addition to any other purposes described in this document. The User assumes responsibility for Personal Data of third parties obtained, published, or shared and guarantees the right to communicate or disseminate them, releasing the Owner from any liability to third parties.
Processing Methods
The Owner adopts appropriate security measures to prevent unauthorized access, disclosure, alteration, or destruction of Personal Data. Processing is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, other parties involved in the management of this website (administrative, commercial, marketing, legal, system administrators) or external parties (such as third-party technical service providers, postal couriers, hosting providers, IT companies, communication agencies) may have access to the Data, appointed, if necessary, as Data Processors by the Owner. An updated list of these parties may be requested from the Data Controller.
Legal Basis of Processing
The Owner processes user data exclusively following specific user registration within an area reserved for services offered by the owner. Data is processed exclusively following a request and/or adherence to a service provided by the owner, which may also have a legitimate interest of the owner, a public interest, or the provision of a service directly to the user.
Location
Data is processed at the Owner's operational headquarters and in any other place where the parties involved in the processing are located. For further information, contact the Owner. User Personal Data may be transferred to a country other than the one in which the User is located. For information on the location of processing, the User can refer to the section containing details on the processing of Personal Data.
The User has the right to obtain information regarding the legal basis of transferring Data outside the European Union or to an international organization governed by public international law or established by two or more countries, such as the UN, as well as information on the security measures adopted by the Owner to protect the Data. If one of the transfers described above takes place, the User can refer to the respective sections of this document or request information from the Owner by contacting them at the contact details provided at the beginning.
Data Transfer Abroad
Data is not transferred to third countries outside the European Economic Area.
Retention Period
Data is processed and stored for the time required by the purposes for which it was collected. Therefore:
When processing is based on the User's consent, the Owner may retain Personal Data longer until such consent is revoked. Additionally, the Owner may be obliged to retain Personal Data for a longer period in compliance with a legal obligation or an order from an authority. At the end of the retention period, Personal Data will be deleted. Therefore, upon expiration of this period, the right to access, delete, rectify, and the right to data portability cannot be exercised anymore.
Purposes of Data Processing
User Data is collected to allow the Owner to provide its Services, as well as for the following purposes: registration and limited authentication for specific services offered by the site, contacting the user, location-based interactions, statistics, displaying content from external platforms, payment session, infrastructure monitoring, support request management, and contact. For further detailed information on the purposes of processing and the Personal Data specifically relevant for each purpose, Users may refer to the respective sections of this document.
Data Processing Controllers
The Organization may use third parties for the performance of activities and related processing of personal data of which it is the owner. In accordance with the regulations, such subjects ensure levels of experience, capacity, and reliability to guarantee compliance with current regulations on processing, including data security profiles.
Instructions, tasks, and obligations are formalized by the Organization in favor of these third-party subjects with their designation as "Data Processing Controllers." These subjects are subject to periodic checks to verify the maintenance of the guarantee levels recorded at the time of the initial assignment.
User Rights
Users can exercise certain rights regarding the Data processed by the Owner. In particular, the User has the following rights:
Details on the right to object
When Personal Data is processed in the public interest, in the exercise of official authority vested in the Owner, or for the legitimate interests pursued by the Owner, Users have the right to object to processing for reasons related to their particular situation.
Users are informed that if their Data is processed for direct marketing purposes, they can object to the processing without providing any justification. To find out if the Owner processes Data for direct marketing purposes, Users can refer to the respective sections of this document.
How to exercise rights
To exercise User rights, Users can make a request to the contact details of the Owner indicated in this document. Requests are free of charge and processed by the Owner as soon as possible, in any case within one month.
Changes to this privacy policy
The Data Controller reserves the right to make changes to this privacy policy at any time by informing Users on this page. Users are therefore encouraged to check this page regularly, referring to the date of the last modification indicated.
If the changes affect processing activities based on consent, the Owner will collect the User's consent again, if necessary.
Legal defense
User Personal Data may be used by the Owner in court or in the preparatory stages leading to possible legal action arising from improper use of this site or related Services by the User.
The User declares to be aware that the Owner may be required to disclose the Data at the request of public authorities.
Specific information
Upon request of the User, in addition to the information contained in this privacy policy, additional and contextual information regarding specific Services, or the collection and processing of Personal Data, may be provided.
System logs and maintenance
For operation and maintenance needs, this site and any third-party services it uses may collect system logs, i.e., files that record interactions and may also contain Personal Data, such as the User's IP address.
Additional Information
Further information regarding the processing of Personal Data can be requested at any time from the Data Controller using the contact details provided.
Details on the Processing of Personal Data
Personal Data is collected for the following purposes and using the following services:
Technical and Organizational Security Measures for Data Protection
Appropriate technical and organizational security measures have been adopted in accordance with Article 32 of the GDPR to ensure: