Privacy Policy

Preamble

EU Regulation No. 679/2016 (hereinafter also GDPR) lays down rules on the protection of natural persons with regard to the processing of personal data, as well as rules on the free movement of personal data. In order to protect the fundamental rights and freedoms of natural persons, the Regulation therefore imposes on data controllers the obligation to provide data subjects with the information set out in Articles 12, 13 and 14, as well as the specific indication of the data subject's rights set out in Articles 15 to 22 of the GDPR.
Please refer to Art. 4 of the GDPR - "Definitions", for possible specification and further explanation of the meanings of the terms used below.

Information pursuant to Art. 13(1)

Data controller and contacts
The data controller is Agriturismo Il Belvedere, with head office in Via Belvedere 6, 24030 Gromlongo, Bergamo - Italy - Tel: +39 393.315.59.54 mail: agriturismo@agrilbelvedere.it

The Data Controller informs you that your personal data will be processed:
- pursuant to Articles 12 and 13 of EU Regulation No. 679/2016 (General Data Protection Regulation, hereinafter referred to as 'GDPR' for brevity), by specifically authorised persons, limited to the purposes and in the manner specified below with reference to the functionalities of the web portal www.agribelvedere.it

Contact details of the Data Protection Officer
The activity carried out, for the purposes set out in this information notice, by the company agribelvedere.it does not fall within the hypotheses envisaged by Article 37 of EU Reg. no. 679/2016.

Subject, purpose of processing
The Data Controller informs you that it will process your personal data, specifically your common personal data, i.e. first name, surname, e-mail address, telephone number and IP addresses or domain names.

Your data, as described above, will be processed in the manner and in the form prescribed by the GDPR, in order to perform the functions of the Website, with reference to the procedures described therein for collecting data via the contact form for bookings.

In particular, the personal data you provide to the Data Controller will be processed for the pursuit of the following purposes:
- to fulfil specific requests made by you to the Controller through the Website and its communication tools;

- for other purposes ancillary to or related to those set out above and in any event within the scope of the Website's activities;

The data provided in a generic manner will be processed, also as a result of automatic collection during navigation, for the sole purpose of ascertaining and controlling access to the Website. This also applies to any technical cookies, to be understood as session, functionality or analytics cookies that meet the requirements specified by the Garante. Please refer to the relevant Cookie Policy for further information.

This information notice is effective only with reference to the aforementioned portal www.villatiboldi.com, but not with reference to other, different portals or websites that may be consulted via the links therein, of which Farmhouse Il Belvedere is in no way an owner.

Legal basis for processing

The communication by you to the Data Controller of the personal data specified above has the following legal bases as prerequisites for the lawfulness of the processing:
- Art. 6(1)(a) of the GDPR, concerning your express, free, specific, informed and unequivocal consent. To this end, we inform you that the aforementioned consent may only be given if you are 16 (sixteen) years of age or older; failing which, consent may not be given by you but only and exclusively by the holder of parental responsibility.
- Art. 6(1)(b) GDPR, concerning the performance of a contract to which the data subject is party or the performance of pre-contractual measures taken at the request of the data subject.

Both of the above-mentioned legal bases are, therefore, merely optional and not mandatory in nature, having no other consequence than the impossibility for the Data Controller to properly carry out the aforementioned direct communication or contractual/pre-contractual execution services. And, in any event, the consent you may have given may be revoked by you at any time, with immediate effect on the aforementioned activities and services.

In particular, in relation to the purposes indicated above, the data may be communicated to the subjects and/or categories of subjects indicated below, or they may be communicated to companies and/or persons who provide services, including external services, on behalf of the Data Controller. For the sake of clarity, these include, by way of example but not limited to: subjects - internal or external to the company - who provide computer and telematic services for the management of the information system used by the Data Controller and the telecommunications networks (including e-mail and management of web portals and websites - hosting), subjects that the Data Controller reserves the right to appoint as data processors; financial administrations and other companies or public bodies in fulfilment of regulatory obligations; competent authorities and/or Supervisory Bodies for the fulfilment of legal obligations; consultancy companies and firms; companies and law firms for the protection of contractual rights; subjects carrying out control, audit and certification of the activities carried out by the Controller who act as external data processors pursuant to art. 28 of the GDPR, or in total autonomy as separate Data Controllers.

Information pursuant to Art. 13(2)

A) data retention period
We would like to inform you that, in compliance with the principles of lawfulness, purpose limitation and data retention and minimisation, in accordance with Article 5 of the GDPR, the period of retention of your personal data is established for a period of time not exceeding the fulfilment of the purposes for which they are collected and processed, i.e. for the entire duration of the fulfilment of the aforementioned purposes.

B) rights of the data subject
- Right of Access and Rectification
Pursuant to Article 15 of the GDPR, in your capacity as Data Subject, you have the right to obtain from the Data Controller confirmation as to whether or not personal data relating to you are being processed, to obtain access to them and to all the information referred to in Article 15(1)(a) to (h), by means of the release of a copy of the data being processed in a structured, commonly used, machine-readable and interoperable format.
Pursuant to Article 16 of the GDPR, in your capacity as Data Subject, you have the right to obtain from the Data Controller the rectification and/or supplementation of the data being processed if they are out of date and/or inaccurate and/or incomplete.
- Right of Cancellation and Right of Limitation
Pursuant to Article 17 of the GDPR, in your capacity as Data Subject, you have the right to obtain, without undue delay, from the Data Controller, exclusively in the cases referred to in Article 17(1)(a) to (f) of the GDPR, the erasure of data concerning you - with the exception of the cases specifically provided for in Article 17(3).
Pursuant to Article 18 paragraph 1, letters (a) to (d), of the GDPR, in your capacity as Data Subject you have the right to request and obtain from the Controller, the restriction of the processing of your personal data, i.e. that such data are not subject to further processing and can no longer be modified. The Data Controller shall ensure that the restriction of processing is implemented by means of appropriate technical devices that guarantee inaccessibility and unchangeability.
- Right to Portability
Pursuant to Article 20 of the GDPR, in your capacity as Data Subject, you have the right to receive from the Data Controller the personal data concerning you, the processing of which is carried out by automated means, in a structured, commonly used and machine-readable format, and you also have the right to transmit such data to another Data Controller, or to obtain from the Data Controller, where technically feasible, the direct transmission of such data to another specifically identified Data Controller.
- Right of Opposition
Pursuant to Art. 21 of the GDPR, in your capacity as Data Subject, you have the right to object at any time to the processing of personal data concerning you on grounds relating to your particular situation, in cases where the processing of your data is necessary (1) for the performance of a task carried out in the public interest and/or in connection with the exercise of official authority vested in the Data Controller; (2) for the pursuit of a legitimate interest of the Data Controller or a third party; (3) for profiling activities, if carried out by the Data Controller on the basis of the preceding points. You also have the right to object to the processing of your personal data on grounds relating to your particular situation where the data is processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR, except where the processing is necessary for the performance of a task carried out in the public interest.

You have the right to object to processing also in the event that your personal data are processed by the Controller for the purposes of Direct Marketing and/or profiling activities related to Direct Marketing. In such cases the Data Controller, having received your communication in the manner indicated below, will refrain from further processing your personal data.

Methods of exercising rights
You may exercise the rights listed above by sending a request to the e-mail address: villatiboldi@villatiboldi.it to the attention of the Privacy Officer; or by registered mail with return receipt to the address of Agriturismo Il Belvedere, located at Via Belvedere 6, 24030 Gromlongo, Bergamo - Italy.
The Data Controller shall acknowledge receipt of your request and provide you with information on the action taken, with reference to the exercise of your rights provided for in Articles 15 to 22 of the GDPR, within one month of receipt of your request. If necessary, and taking into account the complexity and number of requests, the Controller may extend this period by two months, subject to a reasoned communication to be sent within one month of receipt of the request.
The Data Controller shall communicate any rectification, erasure, restriction or opposition to all recipients, as identified in Article 4(1)(9) of the GDPR, to whom such data has been transmitted, unless this proves impossible and/or involves a disproportionate effort.
Following the sending of your request for rectification, cancellation, restriction or opposition, if the Data Controller has reasonable doubts about your identity, it will request further information to confirm it. These communications will be sent by email from the above address, and will be processed by the person specifically authorised for this purpose.
In the event that the Controller does not comply with your request within one month of receipt of your request, it will inform you of the reasons for non-compliance, informing you as of now of your right to lodge a complaint with the Supervisory Authority (Garante per la protezione dei dati personali), as specified pursuant to Article 13(2)(d) and governed by Articles 77 et seq. of the GDPR.

C) revocation rights
Pursuant to Art. 6 par. 1 let. a) you have given your consent to the processing of your data for the purposes specified above and therefore your express consent is merely optional and not mandatory, having no other consequence than the impossibility for the Data Controller to properly carry out the aforesaid direct communication services. And, in any event, any consent you may give may be revoked by you at any time, with immediate effect on the aforesaid company activities and services. Please note that said revocation will not affect the lawfulness of the processing based on the consent given before the revocation.

D) right of complaint
Pursuant to Article 77 of the GDPR, in your capacity as Data Subject you have the right to lodge a complaint with a supervisory authority in the manner indicated in that article.

Consequences for failure to communicate your data
The communication of your data is not a legal obligation. But as previously specified, it has as prerequisites for lawful processing either your express, free, specific, informed and unambiguous consent or, possibly, the execution of a contract to which you are a party or the execution of pre-contractual measures taken by you.
Both of the aforementioned legal bases are, therefore, merely optional and not mandatory in nature, having no other consequence than the impossibility for the Data Controller to properly carry out the aforementioned direct communication services or contractual/pre-contractual performance. And, in any event, the consent you may have given, as stated, may be revoked by you at any time, with immediate effect on the aforementioned activities and services.

Automated decision-making and profiling
The Data Controller hereby informs you that, for the purpose of processing your personal data, it does not use automated decision-making processes, i.e. those aimed at making decisions based solely on technological means on the basis of predetermined criteria (i.e. without human involvement), nor does it carry out profiling activities, i.e. those aimed at using your personal data to analyse or predict aspects of your professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements, etc.

Treatment modalities
The processing of the personal data that you have communicated is carried out by means of the operations indicated in Article 4 no. 2) of the GDPR, namely: 'collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, communication, deletion and destruction of data'.
Your data will be processed by means of suitable paper, electronic and/or telematic tools, with logic strictly related to the above-mentioned purposes and, in any case, in such a way as to guarantee the security and confidentiality of the data.
Your personal data are processed with the aid of IT tools in a lawful and correct manner for the fulfilment of the above-mentioned purposes and are protected by suitable security measures that guarantee their confidentiality, integrity, accuracy, availability and updating.
Personal data will only be processed by authorised data processing personnel appointed directly by the Data Controller, who has put in place all the necessary IT security measures to minimise the risk of users' privacy being infringed by third parties; these measures are updated constantly and whenever it proves indispensable.
It should be noted, in particular, that the personal data that you have communicated will be processed only at the premises of the data controller, except as specified below; they will not, therefore, be disseminated and, pursuant to Article 13(1)(e), may be processed only by authorised parties and/or external data processors (in the person of individual professionals and/or complex professional associations), including, explicitly, the hosting company and/or technical personnel in charge of website management and/or maintenance, but only and exclusively for the purposes expressly and specifically indicated above.