Privacy policy

Information for the purpose of Articles 13-14 of the GDPR 2016/679 (General Data protection Regulation)

 
In compliance with the aforementioned legislation, your data will be processed according to principles of fairness, lawfulness, transparency, to ensure respect of your confidentiality and rights.
SAG Srl, with registered office in Via Borromei 1/A – 20123 Milan, in its capacity as the Data Controller, pursuant to articles 13 and 14 of the GDPR 2016/679 hereby informs you that your data will be processed in the following manner and for the following purposes:


Subject of the processing
The Controller shall processe personal, identifying and non-sensitive data (specifically name, surname, tax id. code, VAT number, e-mail, mobile phone number – hereinafter “personal data” or just “data”) communicated to him/her.
Anyone attending the events we organize must be aware that SAG Srl will publish the photos and videos taken during social occasions on its social media channels and will use such material to promote the activities of the companies of the group, including Isole Borromee, Rocca di Angera, Parco Pallavicino, Parco del Mottarone).


Purposes of the processing
The legal grounds for the processing of personal data is the consent granted by the data subject. Personal data is processed for the following purpose:

– Communication of the Mandatory Data is necessary for SAG Srl to process the request of the User and meet the relevant related legal, administrative, accounting and tax requirements. If any data is missing, it will be impossible to establish and/or to proceed with the relationship and specifically it will be impossible to:

– ensure the delivery of newsletters, miscellaneous communications, events and additional Services that may be required – to fulfill pre-contractual, contractual and tax obligations (VAT tax register, etc.), arising from the existing relationships of all the companies represented or owned by SAG srl

– fulfill the obligations established by law, regulations, EU legislation or by the order of an Authority;

– exercise the rights of the Controller, for example the right of defence of legal claims.

Arrangements for the processing of the data.
Personal data are processed as indicated in Article 4 of GDPR 2016/679 and Article 4 ( 2) of the GDPR and more precisely: collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, blocking, communication, erasure and destruction of data. Therefore personal data may be processed by both paper and electronic and/or automated means.


Access to data
Data may be made accessible for the purposes referred to in Articles 2 (A) and 2 (B):

– to the employees and collaborators of the company SAG SRL who are informed by the Controller as they are in charge of processing and/or act as internal processors and/or system administrators;

– to the company SAG SRL as informed by the Controller (for example for activities in support of a feasibility study of a client’s project, for technical project management activities, for storage of personal data, etc.) .

 

Disclosure of data
Without express consent (Article 6 (b) and (c) of the GDPR), the Data Controller may anyway disclose the data for the purposes referred to in Article 2 (A) to Supervisory Bodies, Judicial Authorities and any other persons or entities to whom it is mandatory to disclose it by law as required for the aforementioned purposes. The data shall not be divulged.

 

Transfer of data
Personal data shall be managed and stored in servers located within the headquarters of the Data Controller and/or the Data Processor.
The data shall not be transferred outside the European Union. It is however understood that the Data Controller, if necessary, shall be entitled to move the server’s location, if necessary. In that case, the Data Controller hereby ensures that the data shall be transferred in accordance with the provisions of the law.

 

Nature of the transfer of data and consequences of a refusal to reply
We inform you that, in consideration of the purposes of the processing as illustrated above, the required data must be provided and the failure to do so, or their partial or incorrect provision, may determine the impossibility to be registered, enrolled in the various courses, receive miscellaneous communications and updates, and fulfill the contractual obligations provided for in the contract.

 

Rights of the data subject.
Your rights as data subject are set out in Article 15 of the GDPR, namely the right to:

• obtain confirmation on the existence of personal data, including unrecorded data, and communication of such data in an intelligible form;

• obtain information on:
– the origin of personal data;
– the purposes and arrangements for the processing of personal data;
– the logic applied if the data are processed by means of electronic instruments;
– the identification details of the controller, the processor and the designated representatives pursuant to Article 3 (1) of GDPR 2016/679;
– persons or categories of persons to whom personal data may be communicated or who may become aware in their capacity as designated representatives in the territory of the State, processors or appointed operators;

• obtain:
– updates, rectification or, when necessary,  integration of the personal data;
– erasure, conversion to the anonymous form or blocking of unlawfully processed data, including data whose retention is unnecessary for the purpose for which the data has been collected or subsequently processed;
– an attestation that the operations referred to in letters (a) and (b), including their contents, have been disclosed, communicated or disseminated to others, except where such requirement proves impossible or entails the application of means that are manifestly disproportionate to the right to be protected;

• to object, in full or in part:
– for legitimate reasons, to the processing of personal data, if they are not relevant to the purpose of the collection;
– to the processing of personal data, for the purpose of sending advertising material through the use of automated call systems without operator, by e-mail and/or through traditional marketing methods by telephone and/or hardcopy mail. The right of the data subject to object to the use of his/her personal data, as set out under point (b) above, for the purposes of direct marketing through automated methods also applies to traditional methods and anyway the data subject shall always be entitled to exercise the right to object even only partially. Therefore, the data subject can decide whether to receive communications either by traditional means only or by automated means only or neither.

Where applicable, you will have the rights referred to in Articles 16-21 of the GDPR (Right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object) as well as the right to file a claim with the Data Protection Authority.

 

How to exercise your rights
You can exercise your rights at any time by sending a communication by:

– registered letter with return receipt to SAG SRL, in Via Borromei 1/A – 20123 Milan or by email to privacy@isoleborromee.it

 

Duration of the processing
Personal data is kept for the duration of the relationship with SAG SRL and, in the event of revocation and/or other type of termination of the relationship.
The Data Controller will process personal data for the time necessary to accomplish the aforementioned purposes and in any event no longer than 10 years from termination of the relationship.

 

Controllers, processors and appointed operators
The Data Controller is SAG SRL.
An updated list of data processors and appointed operators is kept at the Data Controller’s headquarters.