The purpose of this privacy policy is to provide all information on the personal data processing carried out by Treccani Esperienze S.r.l. when the User makes use of the services promoted on this Website (as explained in detail below).

1. INTRODUCTION - WHO IS THE DATA CONTROLLER?

Treccani Esperienze S.r.l. with registered office at 4 Piazza della Enciclopedia Italiana, 00186 Rome, tax code 17413041009 and VAT number 17413041009 (hereinafter, “Data Controller”), in its capacity as Data Controller of the personal data of Users who visit and/or use the services and functionalities of the website https://treccaniesperienze.it (hereinafter, “Users” and the “Website”), hereby provides the privacy policy pursuant to Article 13 of EU Regulation 2016/679 of 27 April 2016 (hereinafter, the “Regulation”, or the “Applicable Legislation” or the “GDPR”).

1. HOW CAN YOU CONTACT US?

The Data Controller takes the privacy rights and the protection of the personal data of its Users very seriously. For more information on this privacy policy, Users may contact the Data Controller at any time by sending an e-mail to privacy@treccaniesperienze.it.

The Data Controller has appointed a Data Protection Officer (DPO), who can be contacted at privacy@treccaniesperienze.it.

1. WHAT DO WE DO? - PURPOSES OF PROCESSING

Browsing data: with regard to the activities that can be carried out through the Website, the Data Controller collects personal data relating to Users. The cookies policy of this website can be viewed at the following link: www.treccaniesperienze.it.

Data provided by the User: by browsing the Website, the User can find out about the Data Controller's products (hereinafter, the “Service”) and request information on same. The Service can be purchased by persons of 18 years of age and above. As such, the Data Controller does not collect the personal data of minors under the age of 18 unless they are the beneficiaries of the service purchased for them by a person over the age of 18. In particular, the personal data of Users will be lawfully processed in accordance with Article 6 letter b) of the Regulation for the following purposes:

1. contractual obligations and provision of the Service: in order to provide the Service offered on the Website; to fulfil any and all specific requests made by the User (e.g. requests for assistance, information, etc.) with the processing of their name, surname, email address, shipping address, billing address, telephone number and, in the case an invoice is requested, also their tax code, as well as all personal information that the User may have voluntarily provided such as company name, certified email address (PEC) and electronic invoice recipient code (“codice destinatario”), etc. (Art. 6(1)(b) of the GDPR). The User's personal data will be used by the Data Controller in order to verify the User's identity (also by validating their email address), thus avoiding any potential episodes of fraud or abuse (art. 6 paragraph 1 letter f) of the GDPR), and to contact the User for purposes relating exclusively to the service (e.g. to send notifications regarding the performance of the Service or problems encountered or for the management of bookings/cancellations, payments and anything else necessary for the performance of the Service); administrative-accounting purposes, i.e. to carry out activities of an organisational, administrative, financial and accounting nature, such as internal organisational activities and activities necessary for the performance of contractual and pre-contractual obligations;
2. legal obligations, i.e. to fulfil obligations established by law, by an authority, by a regulation or by European legislation (Art. 6 (1) (c) of the GDPR).

The provision of personal data for the above-mentioned processing purposes is optional but necessary for the performance of the contract.

The personal data required to pursue the processing purposes described in this paragraph 3 is generally indicated with an asterisk (*) on the information request or order form. If this data is not provided, the Data Controller will be unable to proceed with the contract or perform the legal obligation to which it is bound in full.

ADDITIONAL PROCESSING PURPOSES

3.1 Marketing (sending of advertising, direct sales and commercial communication materials)

Some of the User's personal data (e.g. name and email address) may be processed by the Data Controller to promote its products and services, i.e. so that the Data Controller can contact the User by email in order to propose products and/or services provided by the Data Controller itself and communicate offers, promotions and commercial opportunities. Should the User refuse to give their consent, their ability to browse the Website and make purchases will not be affected or influenced in any way. The User’s name (first name only, not surname) is requested in order to establish a more direct relationship with the User when sending emails and to avoid any cases of identical names or the use of non-named email addresses (e.g. secretary, admin, info, etc.) The User may revoke their consent at any time by making a request to the Data Controller in the ways indicated in paragraph 7 below. The User may also easily object to the receipt of further promotional emails from the Data Controller by clicking on the specific consent withdrawal link found in every promotional email. The Data Controller hereby communicates that, following the User’s exercising of their right to object to the receipt of promotional communications/to withdraw their consent, it is possible that, due to technical and operational reasons (e.g. the finalisation of contact lists shortly before the Data Controller receives the objection request), the User will continue to receive some additional promotional messages. Should the User continue to receive promotional messages at least 72 hours after they exercised their right to object, this problem should be reported to the Data Controller using the contact details indicated in paragraph 7 below. At the latest, this right will be exercised within one month of the request.

In the event of specific and separate consent, the User may also receive commercial information on products and initiatives in line with any preferences they have expressed or Services they have previously purchased. Once again, they may withdraw their consent at any time. Said activity may take place via email or using other contact details provided by the User (landline or mobile telephone number; postal address).

3.2 Requests for information or complaints

The Data Subject may submit written requests to the Data Controller (by email or filling out a form). The Data Controller will process this data in order to respond to requests from Data Subjects. In the case of pre-contractual, contractual or post-sales information, the Data Controller will reply to the User in order to begin or follow up on contractual questions. Conversely, unsolicited requests from the Data Subject will be processed on the basis of their consent in a limited and pertinent manner.

1. LEGAL BASIS

Contractual obligations and provision of the Service (as described in paragraph 3(a)): the legal basis is Article 6(1)(b) of the Regulation, i.e. processing is necessary for the performance of a contract to which the User is party or for the performance of pre-contractual measures taken at the User's request.

Administrative and accounting purposes (as described in paragraph 3(b)): the legal basis is Article 6(1)(b) and (c) of the Regulation, as processing is necessary for the performance of a contract and/or the implementation of pre-contractual measures taken at the User's request.

Legal obligations (as described in paragraph 3(c)): the legal basis is Art. 6(1)(c) of the Regulation, as processing is necessary to comply with a legal obligation to which the Data Controller is subject.

Additional processing purposes: for processing relating to marketing activities (as described in paragraphs 3.1) and 3.2)), the legal basis is Article 6(1)(a) of the Regulation, i.e. the provision of the Data Subject’s consent to the processing of his or her personal data for one or more specific purposes. For this reason, the Data Controller asks the User to provide specific free and optional consent in order to pursue this processing purpose.

3.3 Processing carried out by the Data Controller in order to suppress possible episodes of fraud or crimes may take place according to the legitimate interest of the Data Controller (Art. 6(1)(f) of the GDPR).

1. PROCESSING METHODS AND DATA STORAGE PERIODS

The Data Controller will process the personal data of Users using manual and electronic tools, adopting an approach strictly related to the purposes themselves and, in any case, in such a way as to guarantee the security and confidentiality of such data, in compliance with the requirements of Article 32 of the GDPR. The personal data of Website Users will be stored for the time required to perform the contract and fulfil all legal obligations and until the termination of the relationship. Your personal data will be stored in accordance with the law, and in particular on the basis of the limitation period (generally 10 years after termination of the contract, contractual purposes). At the end of this period, personal data will be deleted or made irreversibly anonymous.

In the cases outlined in paragraphs 3.1 and 3.2 above, User personal data shall be stored for the time strictly required to fulfil the purposes set out therein and, in any event, until the User revokes his or her consent. In the event of the withdrawal of User consent, processing based on said consent will cease and all prior processing will remain lawful. The withdrawal of consent does not entail the deletion of data that the Data Controller is obliged to store by law or contractually. In any case, any retention periods provided for by law or regulations, as well as any existing contracts, are unaffected.

The processing carried out for the purposes in paragraph 3.3 shall be for a period equal to the stated purpose, and the data shall be stored until the expiry of the Data Controller’s rights or the conclusion of the legal proceedings arising therefrom.

1. SCOPE OF COMMUNICATION AND DISCLOSURE OF DATA

The User's personal data may be transferred outside the European Union and, in this case, the Data Controller will ensure that the transfer takes place in accordance with the Applicable Legislation and in particular in accordance with Articles 45 (Transfers on the basis of an adequacy decision) and 46 (Transfers subject to appropriate safeguards) of the Regulation. The personal data of Users may be disclosed to employees and/or collaborators of the Data Controller appointed to manage the Website and/or the requests of Users or other activities required to perform the Services and functions of the Website. Said parties, who have been instructed to this end by the Data Controller pursuant to Article 29 of the Regulation, shall process the User's data exclusively for the purposes indicated in this policy and in compliance with the provisions of the Applicable Legislation. User personal data may also be disclosed to third parties who may process personal data on behalf of the Data Controller in their capacity as Data Processors. These may include, for example, suppliers of IT and logistics services necessary for the functioning of the Website, suppliers of outsourced or cloud computing services, professionals and consultants.

1. RIGHTS OF DATA SUBJECTS

Users may exercise the rights guaranteed to them by the Applicable Legislation by sending an email to the Data Controller at privacy@treccaniesperienze.it.

Pursuant to the Applicable Legislation, the Data Controller hereby communicates that, pursuant to Articles 15 to 22 of the GDPR, Users have the right to:

• access, update, rectify or, if desired, supplement their data;
• obtain the erasure, transformation into anonymous form or restriction of data processed in breach of the law, including data whose storage is not necessary for the purposes for which the data was collected or subsequently processed;
• receive notification that the operations as per letters a) and b) have been communicated, also as regards their content, to each recipient to whom the personal data has been disclosed, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.

In addition, Users have:

• the right to withdraw their consent at any time (including via their personal profile);
• the right (where applicable) to data portability (the right to receive all personal data concerning them in a structured, commonly used and machine-readable format);
• the right to object:
• in whole or in part, for legitimate reasons, to the processing of personal data concerning them, even if pertinent to the purpose of data collection.
• in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communications;
• where personal data is processed for direct marketing purposes, to the processing of their data for said purpose, including profiling to the extent that it is related to such marketing, at any time.
• if they believe that the processing concerning them is in breach of the Regulation, the right to lodge a complaint with a supervisory authority (in the Member State in which they habitually reside, in the Member State in which they work or in the Member State in which the alleged breach occurred). The Italian supervisory authority is the Garante per la protezione dei dati personali, with head office at 11 Piazza Venezia, 00187 - Rome(http://www.garanteprivacy.it/).

 

1. CHANGES

The characteristics, functionalities and services offered by the Website, as well as the ways in which data is processed by the Data Controller, may change in the future and this policy may therefore be subject to modifications and updates and/or additions. Users are therefore invited to periodically check its content by visiting the Website and/or the dedicated web pages.