Privacy Policy Reserved Area Registration

Information on the processing of personal data

Reserved area registration

Pursuant to Article 13 of the EU Regulation 2016/679 (hereinafter also referred to as “GDPR”), users of the “Vera Italia” application are hereby informed of the processing operations of their personal data carried out in full compliance with the legislation in force on the processing of personal data.

1. Data controller

The Data Controller is Vera Italia di Chiara Barbera (hereinafter also referred to as “Vera Italia”), with registered office in Corso Mediterraneo n. 245, Scalea (CS), C.A.P. 87029, P.IVA 03925960787, in the person of its legal representative, Chiara Barbera (hereinafter also referred to as “Data Controller”).

A Data Protection Officer (DPO) has not been appointed, as one of the cases referred to in Article 37(1) GDPR does not apply.

2. Type of data processed

Vera Italia is a digital and interactive platform (hereinafter also referred to as platform) that operates in the tourism sector by carrying out activities of intermediation, tourism promotion, provision of tourist information and visitor assistance services. Through the platform, interested users can interact with providers of cultural experiences, so-called Culture Creators, and proceed to book and purchase them.

The use of the application requires the creation of a user profile (hereinafter also ‘account’). Pursuant to the current legislation on the processing of personal data, Reg. 2016/679/EU (GDPR) and Italian Legislative Decree no. 196/2003 (personal data protection code), the registration to the App, through the creation of a personal profile, entails the processing of the data of the natural person who has registered (hereinafter referred to as “User” or “Data Subject”). In particular, the personal data processed by Vera Italia as data controller are indicated below.

2.1. Identification and contact details

When registering on the platform, data that directly identify a natural person are processed, such as name and surname, as well as contact data, such as residence/domicile address, mobile phone number and e-mail address.

2.2. Navigation data

Browsing data are data acquired automatically by the systems and services responsible for the operation of the platform and are necessary for the use of web services. This category of data includes, for example: IP addresses, the browser used, the domain names of the systems used by users to connect to the website, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the User’s operating system and computer environment.

As a rule, navigation data are only used in an aggregate manner to draw up anonymous statistics on the consultation of the web platform and to check its correct functioning, and do not allow the Users concerned to be identified.

Such data may, however, be used to ascertain liability in the event of computer offences committed against the website, since in this case they are treated as personal data.

2.3. Bank data

In the case of payments to and from the Data Controller, bank data will be processed by Stripe on behalf of Vera Italia di Chiara Barbera, as well as by Vera Italia’s bank receiving the payments, who act as autonomous Data Controllers.

The data collected refer to the natural person of the Data Subject. There is no obligation to provide personal data; however, failure to do so may make it impossible to conclude or implement the supply contract.

2.4. Multimedia contents

In the performance of the activities booked through the platform, the User may be the subject of video-photographic filming that will include images (also in motion), with and without audio of those involved in the processing. Such multimedia contents will be used, transmitted, reproduced, disseminated and advertised, for the promotion of the services offered by Vera Italia, subject to the User’s release.

Limited to the aforementioned hypothesis, data relating to one’s image will be processed that can be qualified as biometric data in the event that they portray physical, physiological or behavioural characteristics linked to a natural person. In fact, such multimedia content makes it possible to clearly identify the data subject or to confirm his or her identity. Furthermore, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership may be processed by means of video-photographic footage.
Such data are ‘special data’ (so-called sensitive data), for which explicit consent of the data subject is required pursuant to Art. 9 GDPR.

For all other types of processing, the Data Controller does not require the Data Subject to provide so-called ‘special’ data, i.e., in accordance with the GDPR (Art. 9), personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, data concerning the health or sexual life or sexual orientation of the person.

3. Data processing methods

The data are provided by the User through registration on the platform. This data is processed using IT tools, in accordance with Reg. 2016/679/EU and Italian Legislative Decree No. 196/2003.

The processing activities carried out are as follows: collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by means of transmission, dissemination or any other form of making available, comparison or interconnection, restriction, erasure or destruction (at the end of the processing, in accordance with the duration).

The Data Controller and the Data Processor, also through their respective appointees, undertake to adopt all appropriate security measures to prevent the loss and alteration of personal data, as well as any unlawful and unauthorised use thereof.

The security of the collected information cannot be guaranteed against possible violations of the security rules and procedures put in place for data protection (e.g. hacker attacks). In the event of attacks or other breaches, however, these will be communicated to those concerned and to the relevant authorities in accordance with the law.

4. Purpose of processing and legal basis of processing

The personal data collected are used for the following purposes and in accordance with the following legal bases:

1. Purpose of processing: Conclusion and fulfilment of obligations under the service provision contract and related pre-contractual agreements (e.g. provision of requested services, booking of services, service communications, advertising of services offered and activities performed).

Legal bases for processing: The performance of a contract to which the data subject is party or of pre-contractual measures taken at the request of the data subject (Art. 6(1)(b) GDPR) and the data subject’s consent (Art. 6(1)(a) GDPR).

2. Purpose of processing: The video-photographic filming of activities and their dissemination.

Legal bases for processing: The consent of the data subject (Art. 6(1)(a) GDPR).

3. Purpose of processing: Improve the Users’ browsing experience and check the correct functioning of the web platform, i.e. improve the content offered, including the processing of anonymous statistics on the Users’ browsing.

Legal bases for processing: The express consent of the data subject (Art. 6(1)(a) GDPR) for the processing of personal data via cookie banners and browser preferences.

4. Purpose of processing: Carrying out marketing activities (e.g. market analysis, promotion of new commercial products).

Legal bases for processing: The express consent of the data subject (Art. 6(1)(a) GDPR) is optional and will be expressly requested for marketing activities following the completion of the information request form or during registration to the reserved area of the platform.

In any case, failure to grant the consent of the person concerned for marketing purposes will not result in the impossibility of obtaining the performance of the other services offered by the website.

Such processing will be based on the principles of lawfulness, fairness, transparency, appropriateness, relevance and limitation under Article 5(1) GDPR. Specific summarised information will eventually be reported or displayed on the pages of the sites set up for particular services on request.

5. Purpose of processing: Notifications regarding updates to the web platform or changes to the data protection and cookie policy.

Legal bases for processing: The fulfilment of a legal obligation by the Controller or the Manager (Art. 6(1)(c) GDPR).

6. Purpose of processing: The establishment of liability in case of hypothetical crimes (including computer crimes), fraudulent or harmful activities against the platform.

Legal bases for processing: The legitimate interest of the Data Controller or third parties in carrying out processing necessary for the purposes indicated (Art. 6(1)(f) GDPR).

7. Purpose of processing: Communication of data at the request of a judicial or other independent authority within the terms of the law.

Legal bases for processing: The fulfilment of a legal obligation by the Controller or the Manager (Art. 6(1)(c) GDPR).

8. Purpose of processing: Compliance with any other legal obligations not included in the preceding purposes.

Legal bases for processing: The fulfilment of a legal obligation by the Controller or the Manager (Art. 6(1)(c) GDPR).

5. Duration of the processing

The storage of the processed data referred to in Article 4(1) and (2) above will last for the time necessary for the correct and complete execution of the contract, as well as the activities relating to the video-photographic filming and its dissemination.

The activities referred to in point No. 3 will last for the time necessary for the correct and complete execution of the activities required to improve the Users’ browsing experience and to check the correct functioning of the web platform, i.e. to improve its contents.

The data processed for marketing purposes as set out in No. 4 above may be retained for a period of up to 24 months from the date of the User’s registration, which is necessary in order to obtain measurable, qualifiable and quantifiable responses and to meet the User’s needs.
Furthermore, the data processed for the purposes set out above in points 5, 6, 7 and 8 may be kept for the minimum time necessary to fulfil the legal obligations of the Data Controller or the Data Processor and the protection of the legitimate interests of the Data Controller or of third parties.

In any case, the data will be stored within the time limits imposed by law.

6. Recipients of data and place of processing

The processing of personal data is carried out by the Data Controller and by staff identified and expressly authorised by the Data Controller or according to the specific purposes of the services requested and subscribed to.

Specifically, the data may be processed by subjects authorised by the Data Controller, including possible Data Processors (Art. 28 GDPR) and public subjects for the fulfilment of obligations provided for by law, who carry out their respective processing activities as autonomous Data Controllers.

The subjects authorised by the owner include Culture Creators, companies and/or any natural person or entity providing services for the organisation, realisation and execution of events and activities on the territory of the Italian State, mainly family businesses (e.g. oil mills, wine cellars, cheese factories), restaurants and trattorias, local artisans, home chefs, specialised chefs, accommodation facilities with a strong connection to local history or culture (e.g. agritourisms, family-run B&Bs), entities promoting cultural events, cultural associations, museums or bodies for the protection of local cultural heritage, entities supporting sustainable tourism and the preservation of traditions, professionals with expertise in cultural and historical traditions.

Other subjects authorised by the Data Controller include, by way of example: other suppliers, operators in the commercial and legal departments, suppliers of software and related services, working, through identified and authorised personnel, within the scope of the intended purposes and in such a way as to guarantee the maximum security and confidentiality of the data. The processed data will not, however, be disclosed to unspecified recipients.
The data may also be processed by persons acting under the authority of the Data Controller or under the authority of the Data Processor, appropriately instructed in accordance with Article 29 GDPR (so-called data processors).
In other cases, the personal data collected will not be disclosed to third parties, except with the express consent of the data subject or in the event of the fulfilment of obligations imposed by laws, regulations or provisions of supervisory authorities, or if it is essential to protect the rights of other users or of the data controller.
The data processed will not, however, be disclosed to unspecified recipients.

Personal data will be processed and stored, exclusively for the above-mentioned purposes and for safekeeping and archiving, on remote servers operated by industry-leading providers that ensure compliance with high standards of protection with regard to the processing of personal data.
In particular, the data is transferred to Aruba S.a.S. (www.aruba.it), the company that provides servers on which the data collected and the related services are stored. The Aruba Italia servers are located in Europe. Furthermore, Aruba Italia (https://www.aruba.it/gdpr-regolamento-europeo-privacy.aspx) declares that it is compliant with the regulations in force on the processing of personal data and that it complies with the obligations imposed by the GDPR deriving from the possible transfer of the data outside the European Union, and that it adopts all the necessary technical and organisational measures to preserve the integrity and security of the data entered.

Data may be transferred outside the EU to Stripe, a US company based in San Francisco, California, which provides a software infrastructure that enables individuals and companies to send and receive payments via the Internet. Stripe claims to be GDPR compliant (https://support.stripe.com/questions/personal-data-subject-access-requests-for-eu-residents-under-gdpr?locale=it-IT).

Data may also be disclosed to LatePoint, a US-based reservation management company. LatePoint also claims to protect the privacy of users (https://latepoint.com/privacy-policy/).

Any transfer by the aforementioned service providers to a non-EU third country may only take place in the case of an adequacy decision issued by the European Commission pursuant to Article 45 of the GDPR, or in the case of a transfer subject to adequate safeguards pursuant to Article 46 of the GDPR, or on the basis of binding corporate rules approved through the specific procedure pursuant to Article 47 of the GDPR.

7. Rights of the persons concerned

During the processing, the data subject may exercise the following rights at any time:

  • Right of access: to obtain confirmation of the existence or otherwise of the same data and, if so, to have access to it and to know the information indicated in Article 15(1) GDPR;
  • Right of rectification: request the rectification of inaccurate data, the integration of incomplete data or the updating of outdated data (Art. 16 GDPR);
  • Right to erasure: request the erasure of data processed in breach of the law, i.e. in the presence of one of the other conditions set out in Article 17(1) GDPR;
  • Right of restriction of processing: obtain the restriction of processing where one of the cases provided for in Article 18 GDPR applies;
  • Withdrawal of consent: you may withdraw your freely given consent to the processing of personal data for the specified purposes at any time, in cases where the processing is based on that legal basis (Art. 7(3) GDPR);
  • Right to data portability: to obtain the release of processed personal data in a format compatible with standard IT applications, in order to allow their transfer to other platforms of the data subject’s choice, without impediments to the direct transmission of the processed data to another Data Controller, where such direct transmission is technically possible (Art. 20 GDPR);
  • Right to object: to object to processing pursuant to Articles 21 and 22 GDPR.

Requests relating to the exercise of the aforementioned rights should be addressed to the Data Controller at the certified e-mail address [email protected] or by registered mail with return receipt (A/R) addressed to Corso Mediterraneo n. 245, Scalea (CS), C.A.P. 87029.

In the event of failure or partial response by the Data Controller to the aforesaid requests, the data subject shall have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or take legal action within the terms and according to the procedures provided for pursuant to Article 77 et seq. of the GDPR.

8. Privacy policy updates

This policy may be subject to updates as a result of changes in the legal framework governing the processing of personal data.

Any changes are promptly communicated to the Data Subject and acceptance thereof is required for the continuation of the contractual relationship and, in general, of the processing activities.
