This privacy notice is provided pursuant to Articles 13 and 14 of EU Regulation 2016/679 (General Data Protection Regulation – GDPR) to individuals purchasing products or booking services/activities offered by Turismo Torino, acting as Independent Data Controller, either through the Controller’s website or at information points.
Source and Type of Data
The data processed are those requested in the purchase/booking forms.
Purposes and Legal Basis of Processing
Personal data are processed for the following purposes:
1. To fulfil the purchase/booking request of the product or service/activity (including the issuance of the Card/pass for access thereto) and to manage subsequent assistance and communications with the user.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
2. In the case of online purchases, to record and allow the user to view bookings and purchases within the dedicated section of their personal account.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
3. To comply with accounting and tax obligations related to the purchase of products or services.
Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
4. To manage potential disputes in judicial or extrajudicial proceedings.
Legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR); exercise or defence of legal claims.
5. To send, by email, information, promotional communications, and informational/commercial material concerning activities and initiatives promoted by Turismo Torino e Provincia S.c.r.l.
Legal basis: consent (Art. 6(1)(a) GDPR).
6. To carry out analytical activities in order to send personalised promotional and/or informational communications consistent with the data subject’s profile.
Legal basis: explicit consent (Art. 6(1)(a) GDPR).
7. To conduct surveys and statistical analyses – including through the use of questionnaires/polls – aimed at assessing the impact of initiatives and/or defining strategies for the development and improvement of the regional tourism offer.
Legal basis: performance of a task carried out in the public interest (Art. 6(1)(e) GDPR).
Withdrawal of Consent
Pursuant to Art. 7 GDPR, the data subject may withdraw their consent at any time with regard to the purposes indicated under point 6. Withdrawal of consent shall result in the cessation of the sending of generic and/or personalised promotional communications.
Nature of Data Provision
The provision of data is indispensable for the purchase/booking of the product or service. Therefore, refusal to provide data will make it impossible to fulfil the request. Data provision is mandatory to comply with legal obligations connected to the purchase. Failure to provide data for the purposes set out under points 5 and 6 will not affect the purchase/booking but will only result in the Controller being unable to send promotional communications.
Data Retention
Data collected will be retained for compliance with tax and accounting obligations until administrative prescription. For promotional/informational communications, data will be retained until consent is withdrawn.
Recipients of Data
The acquired data may be communicated to and processed by:
• Authorised personnel (employees and collaborators);
• External entities appointed as Data Processors (e.g. companies specialising in digital services, possibly entrusted with the management of the website, execution of promotional or informational campaigns, or administration of online surveys);
• Public authorities (e.g. Revenue Agency).
Data may also be communicated to parties legally entitled to access them by virtue of statutory provisions, regulations, or EU legislation.
Data Transfers
The Controller does not transfer personal data to third countries or international organisations. However, cloud services may be used. In such cases, transfers will be carried out exclusively to providers operating in countries deemed adequate under Art. 45 GDPR, adhering to the EU-U.S. Data Privacy Framework, or offering appropriate safeguards under Art. 46 GDPR.
Further information on transfers and/or copies of the applicable safeguards can be obtained by contacting the Controller.
Data Subject Rights
The data subject may exercise the rights set forth in Articles 15–22 GDPR 2016/679, including:
• To obtain confirmation as to whether personal data concerning them are being processed and, if so, to access such data (right of access);
• To request rectification of inaccurate data and completion of incomplete data (right to rectification);
• To request erasure of data, unless legal obligations or legitimate interests of the Controller require retention (right to erasure);
• To request restriction of processing (right to restriction);
• To request the transfer of data to another controller, applicable only to processing based on consent or contract (right to data portability).
The Controller reminds the data subject that they may exercise the right to object under Art. 21 GDPR, particularly with regard to the purpose set out under point 7. However, the Controller may reject the request where compelling legitimate grounds exist for continuing the processing.
The data subject may exercise the above rights by submitting a request to the Controller, specifying the right being exercised and providing suitable elements of identification.
Furthermore, the data subject has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).