Terme Antica Querciolaia S.p.A. with registered office in Via Trieste, 22 – 53040 Rapolano Terme (SI) (hereinafter “TermeAQ”) constantly undertakes to protect the privacy of its users within the facility and online.
This document has been drawn up according to art. 13 of the EU Regulation 2016/679 (hereinafter: “Regulation”) to allow you to become acquainted with our privacy policy, to understand how your personal information is managed when you use our website (https://www.termeaq.it/, “Website”) and, if necessary, give your express and conscious consent to the processing of your personal data. The information and the data provided by you or otherwise acquired within the scope of the use of the services of TermeAQ, hereinafter “Services” -, will be processed in compliance with the provisions of the Regulation and the obligations of confidentiality that inspire the activity of TermeAQ. According to the rules of the Regulation, the processing activities carried out by TermeAQ are based on the principles of legality, fairness, transparency, limitation of purposes and retention, minimisation of data, exactness, integrity and confidentiality.
CONTENT
1. Data controller
2. Personal data processed
a. Browsing data
b. Data provided voluntarily by the subject
c. Data of third parties voluntarily provided by the subject
d. Cookies
3. Purposes of the processing
4. Legal basis and mandatory or optional nature of processing
5. Recipients of personal data
6. Transfer of personal data
7. Retention of personal data
8. Rights of the interested party
9. Changes
1. Data controller and Data Protection Officer “DPO”
The controller of the data processed through the Website is TermeAQ as defined above, reachable at the email address
privacy@termeaq.it and by ordinary mail at the address Terme Antica Querciolaia spa, in Via Trieste, 22 – 53040 Rapolano Terme (SI).
The Data protection officer (hereinafter “DPO”) pursuant to art. 37 and subsequent amendments of the Regulation is reachable at the email address
dpo@termeaq.it and by ordinary mail at the address Terme Antica Querciolaia spa, in Via Trieste, 22 – 53040 Rapolano Terme (SI) for the attention of Data Protection Officer.
2. Personal data processed
Following browsing of the website, we inform you that TermeAQ will process your personal data which may take the form of an identifying element such as name, identification number, an online identification or one or more characteristic elements of your physical, economic, cultural or social identity suitable to making the data subject identified or identifiable (hereinafter “Personal Data”).
The Personal Data processed through the Website is the following:
a. Browsing data
The I.T. systems and software procedures for the functionality of the Website during their normal operation acquire some Personal Data whose transmission is implicit in the use of Internet communication protocols. It is information which is not collected to be associated to identified parties, but which for its very nature could, through processing and associations with data held by third parties, allow to identify the users. This category of data includes IP addresses or the names of domains of the computers used by the users that connect to the Website, the addresses in URI notation (Uniform Resource Identifier) of the resources requested, the time of the request, the method used in submitting the request to the server, the dimension of the file obtained in response, the numerical code indicating the status of the response given by the server (good result, error, etc.) and other parameters related to the operating system and to the I.T. environment of the user. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check the correct functioning, to identify anomalies and/or abuses, and is deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical I.T. crimes that damage the Website or third parties; not withstanding this eventuality, at the present time the data on the web contacts does not persist for more than seven days.
b. Data provided voluntarily by the data subject
This Privacy Policy is also intended for processing data voluntarily provided by you through the Website. To this end, we invite you not to enter into the forms of the Website information which can fall within the special categories of personal data pursuant to art. 9 of the Regulation (for example, data referred to your state of health) namely, whenever it is made necessary to agree to the processing activity by giving your consent.
c. Data of third parties voluntarily provided by the data subject
In using the services it could happen that the personal data of third-party subjects communicated by you to TermeAQ may be processed. Should this happen, you are the independent data controller, assuming all legal obligations and responsibilities. On this point, you grant the widest indemnity in respect of any dispute, claim, request for compensation of damage arising from the processing activity, etc. which should reach the Data controller from third parties, whose personal data has been processed through your use of the services of the Website in violation of the applicable regulation on personal data protection.
In any case, if you provide or in any other way process personal data of third parties in the use of the Website, you guarantee from now – assuming any related responsibility – that such processing hypothesis is based on the prior acquisition – on your part – of the consent of the third party to the processing of the information that concerns it.
d. Cookies
In detail, the cookies sent by TermeAQ through the Website are listed within the Cookie Policy which can be found at the address:
Cookie Policy
3. Purpose of the processing
The processing which we intend to carry out, upon your specific consent where necessary, has the following purposes:
- a. allow browsing of the Website
- b. meet specific requests addressed to TermeAQ
- c. fulfil any obligations required by the laws in force, regulations or community law or satisfy requests originating from the authorities
- d. send you promotional and marketing communications, including the sending of newsletters and market research, through automated (email, sms, mms, push notifications, fax) and non-automated (paper mail and telephone with operator) tools; we point out that the Data Controller gathers a single consent for the marketing purposes described herein, according to the General Provision of the Data Protection Authority “Guidelines on the matter of promotional activities and combatting spam” of 4 July 2013; if, in any case, you wish to oppose the processing of your data for the marketing purposes carried out by the means indicated herein as well as withdraw the consent given, you can do so at any time by contacting the Data Controller or DPO at the contact points indicated herein, without prejudice to the lawfulness of the processing activity based on the consent given before withdrawal.
4. Legal basis and mandatory or optional nature of processing
The legal basis of the processing of Personal Data for the purposes set out at section 3 (a-b) is art. 6 (1)(b) of the Regulation since the processing activities are necessary to provide the Services or to respond to requests from the data subject. The provision of the Personal Data for these purposes is optional but any failure to provide it would result in the impossibility of activating the Services provided by the Website. The purpose of section 3.c represents a legitimate processing of Personal Data according to art. 6(1)(c) of the Regulation. Once the Personal Data has been provided, the processing is indeed necessary to fulfil a legal obligation to which TermeAQ is subjected. The legal basis of the processing for purpose d) is art 6.1 a) of the Regulation. The provision of your Personal Data for the purpose of letter d) is optional; there are no consequences in the event of your refusal.
5. Recipients of personal data
Your personal data may be shared for the purposes of section 3 above, with:
- a. subjects typically acting as data controllers pursuant to art. 28 of the Regulation namely: i) people, companies or professional firms that provide assistance and consulting activities to TermeAQ on accounting, administrative, legal, tax, finance and credit recovery related to the provision of Services; ii) subjects with which it is necessary to interact for the provision of the Services (for example hosting providers) iii) namely subjects appointed to carry out technical maintenance activity (including maintenance of network equipment and electronic communication networks); (collectively “Recipients”); the list of data protection officers who may process data can be requested from the Data Controller or DPO by writing to the addresses indicated in the section Data Controller.
- b. subjects, entities or authorities, independent data controllers to which it is mandatory to communicate your Personal Data because of legal provisions or orders from the authorities.
- c. people authorised by TermeAQ to process the Personal Data pursuant to art. 29 of the Regulation necessary to carry out activities strictly related to the provision of the Services, who have committed themselves to confidentiality or have an appropriate legal obligation of confidentiality (e.g., employees of TermeAQ).
6. Transfer of personal data
The Data Controller does not transfer your Personal Data outside of the European Economic Area. Regarding the possible future transfer of the Data to Third Countries, the Company informs that any processing shall be carried out in compliance with legislation namely according to one of the methods allowed by the current law such as, for example, consent of the data subject, adoption of the Standard Clauses approved by the European Commission, the selection of participants in international programmes for the free circulation of data (e.g., EU-USA).
7. Data retention
Personal Data processed for the purposes of section 3 (a-b-c-d) will be retained for the time strictly required to achieve those purposes in conformity with the principles of minimisation and limitation of retention pursuant to art. 5.1e) of the Regulation. In any case, the Data Controller will process the Personal Data for the time required to fulfil contractual and legal obligations. More information regarding the period of data retention and criteria used to determine this period can be requested in writing from the Data Controller or from the DPO.
8. Rights of the data subjects
You have the right to access your data at any time according to art. 15-22 of the GDPR. You may request the rectification, erasure, restriction of processing of the data in cases provided for by art. 18 of the GDPR, withdrawal of consent, obtain the portability of your data in cases provided for by article 20 of the GDPR as well as lodge a complaint with the competent control authority pursuant to article 77 of the GDPR (Data Protection Authority).
You may make a request to object to the processing of your data pursuant to article 21 of the GDPR in which you give evidence of the reasons justifying the opposition: the Data Controller reserves the right to assess your request, which would not be accepted in case of the existence of compelling legitimate grounds necessary to proceed to processing which take precedence over your interests, rights and freedom.
The requests are made in writing to the Data Controller or to the DPO at the contact details listed above.
9. Changes
This privacy policy is in place since 25 May 2018. TermeAQ reserves the right to modify or simply update the content, in part or completely, also due to changes in the applicable legislation. TermeAQ will inform you of such changes as soon as they will be introduced and will be binding as soon as they are published on the Website. TermeAQ invites you to visit this section regularly to take note of the most recent and updated version of the privacy policy so that you are always updated on the data collected and, on the use, which TermeAQ makes of it.