PROVINCE and CONSORTIUM will, hereinafter, be jointly referred to only as “Joint Controllers”: in this regard, they specify that the essential content of the relevant Joint Controllership agreement for processing pursuant to Article 26, paragraph 2 of the GDPR can be easily viewed by sending a specific request to any of the contact addresses provided in Article 6 below.
1. Legal framework.
1.1. The Policy is inspired by the following (first and/or second level) EU and/or national regulatory measures: (i) Directive 2002/58/EC of 12.07.2012 (so-called ePrivacy Directive), as amended by Directive 2009/136/EC; (ii) Art. 122 of the revised Legislative Decree No. 196/2003 (Privacy Code), which implemented the ePrivacy Directive into the national legal system; (iii) GDPR Art. 4, numbers 11), 7, 12, 13, 25 and 95 (as well as, especially, Recitals 30, 32 and 173); (iv) Guidelines 5/2020 adopted on 04.05.2020 by the EDPB, replacing the Guidelines of 10.04.2018 called Art. 29 WP; (v) Measure No. 231 of 10.06.2021 [web Doc. No. 9677876] signed by the Italian Data Protection Supervisor; (vi) Recommendation No. 2/2001 of Art. 29 WP; (vii) Opinion No. 2/2010 of Art. 29 WP; (viii) Opinion No. 4/2012 of Art. 29 WP; (ix) Guideline 8/2020 of the EDPB; (x) Measures No. 224 of 09.06.2022 [web Doc. No. 9782890], No. 243 of 07.07.2022 [web Doc. No. 9806053] and No. 254 of 21.7.2022 [web Doc. No. 9808698] signed by the Data Protection Supervisor.
2. Cookies and other tracking tools: definition and classification.
2.1. Cookies (1) are, as a rule, strings of text that a website (“publisher” or “first-party”) you visited or another website (“third-party”) places and stores on a terminal device you are using, either directly (in the case of the first-party website) or indirectly (through the latter, in the case of a third-party website). In this regard, the Data Protection Supervisor has specified the fact that the information, encoded in cookies, can include both personal data referred to in Art. 4, No. 1) of the GDPR (e.g., IP address, user name, e-mail address, unique identifiers) as well as non-personal data referred to in Art. 3, No. 1) of EU Regulation No. 1807/2018 (e.g., language; type of device used).
Alongside (or beyond) them, “other tracking tools” may exist (and, therefore, be used), which can be divided into “active” (which possess almost the same characteristics as cookies) and “passive” (e.g., finger printing).
2.2. Beyond their described intrinsic characteristics, cookies (and other tracking tools) can record different peculiarities in terms of time (and, therefore, be considered “session” or (2) “persistent” (3) , depending on their duration), from the subjective standpoint (depending on whether the publisher is acting independently or on behalf of a “third party”) as well as, finally (but especially), according to the purpose of processing, so they can be divided into two different (macro) categories:
- “Strictly necessary”, used for the sole purpose of transmission of a communication over an electronic communications network, or as strictly necessary to the service provider of a company of the information explicitly requested by the contracting party or you to provide the service” (Art. 122, 1 of the Privacy Code).
In this regard, the Data Protection Supervisor pointed out, in Measure No. 231 of 10.06.2021 (in continuation of the previous Measure of 2014 on the subject), that “analytical cookies” (4) may well be included within the hive of cookies (or other tracking tools) of a “strictly necessary” nature (and, therefore, may be used without the prior consent of the data subject), if certain conditions are met, and which preclude that the possibility of direct identification of the data subject (singled out) is achieved through their use (5).
“profiling”/“marketing” (not strictly necessary), used to trace back to specific, identified or identifiable subjects specific actions or repeated behavioural patterns in the use of the offered features in order to group the different profiles within homogeneous clusters of different breadths, so that it is possible for the Controller, among other things, to also modulate the provision of the service in an increasingly personalised manner beyond what is strictly necessary for the provision of the service, as well as to send targeted advertising messages (i.e., in line with the preferences expressed by you while browsing the web).
3. Cookies installed by our site.
3.1. When visiting our Site, the following types of cookies will be installed (or may be installed, subject to providing your consent):
4. Browser settings.
4.1. The Joint Controllers highlight the possibility for you to delete and block the cookies described in Art. 3 above at any time by using the appropriate browser settings: in this regard, the Joint Controllers add that, if you decide to disable the strictly necessary cookies referred to in Art. 2.2. point i), the quality and speed of the services and features offered and made available on the Site may deteriorate.
You can find information on how to manage cookies on some of the most popular browsers by visiting the following web pages:
5. Rights of the data subject.
5.1. In relation to the user’s personal data, the Joint Controllers inform you that pursuant to Art. 4, No. 1 of the GDPR, the relevant data subject has the right to exercise the following rights, possibly subject to the restrictions provided for in article 2 undecies and 2 duodecies of the Privacy Code: right of access pursuant to Art. 15 of the GDPR: right to obtain confirmation as to whether or not your personal data are being processed, as well as the information referred to in Art. 15 of the GDPR (e.g., purpose of processing, storage period); right to rectification pursuant to Art. 16 of the GDPR: right to correct, update or complete incomplete personal data; right to erasure pursuant to Art. 17 of the GDPR: right to obtain the erasure or destruction or anonymisation of personal data, where, however, the conditions listed in the same article are met; right to restriction of processing pursuant to Art. 18 of the GDPR: right with a markedly precautionary connotation, aimed at obtaining the restriction of processing where the assumptions governed by the same Art. 18 exist; right to data portability pursuant to Art. 20 of the GDPR: right to obtain personal data, provided to the Joint Controllers, in a structured, commonly used and machine-readable format (and, where required, to transmit them directly to another Controller), where the specific conditions indicated by the same article are met (e.g., legal basis of consent and/or performance of a contract; personal data provided by the data subject); right to object pursuant to Art. 21 of the GDPR: right to obtain the termination, on a permanent basis, of a specific processing of personal data; right to lodge a complaint with the Supervisory Authority (i.e., Italian Data Protection Supervisor) pursuant to Art. 77 of the GDPR: right to lodge a complaint when it is believed that the processing in question violates national and EU personal data protection legislation.
5.2. In addition to the rights described in Art. 5.1. above, the Joint Controllers specify that, in relation to the personal data of the data subject, there exists, where possible, the right to exercise, on the one hand, the (sub)right provided for in Art. 19 of the GDPR (“The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17 and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.”), to be considered connected and related to the exercise of one or more rights regulated in Articles 16, 17 and 18 of the GDPR; on the other hand, the Joint Controllers specify that, in relation to the personal data of the data subject, there exists, where possible, the right to exercise the right provided by Art. 22(1) of the GDPR (“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”), subject to the exceptions provided for in paragraph 2 below.
5.3. In compliance with Article 12, paragraph 1 of the GDPR, the Joint Controllers undertake to provide you with the communications referred to in Articles 15 to 22 and 34 of the GDPR in a concise, transparent, intelligible, easily accessible form and in simple and clear language: this information will be provided in writing or by other means, possibly electronic, or, at your request, will be provided orally provided that your identity is proven by other means.
5.4. In compliance with Art. 12 paragraph 3 of the GDPR, the Joint Controllers undertake to provide the data subject with information regarding the action taken regarding any request made under Art. 15 to 22 of the GDPR without undue delay and, in any case, no later than one month after receipt of the request; this period may be extended by 2 months if necessary, taking into account the complexity and number of requests (in such case, the Controller undertakes to inform the user of such extension and the reasons for the delay, within one month of receipt of the request).
5.5. The user may, at any time, exercise the rights set out above (with the exception of the right provided by Article 77 of the GDPR) by using the contact details explained in Article 6.
6. Contact details.
6.2.The Data Protection Officer (DPO) referred to in Art. 37 of the GDPR, appointed by PROVINCE, may be contacted at the following address: firstname.lastname@example.org; the Data Protection Officer (DPO) referred to in Art. 37 of the GDPR, appointed by CONSORTIUM, may be contacted at the following address: email@example.com
7. Social plug-ins.
7.1. In compliance with the EDPB’s Guideline No. 8/2020, the Joint Controllers also specify that they hold the status of Joint Controller of the processing pursuant to Articles 4, No. 7 and 26 of the GDPR with some social media providers (e.g., Facebook and Instagram), by reason of the installation, on the Site, of their social plug-ins, which can be easily viewed and used on our Site.
Belluno, dated December 3, 2023 (date of most recent update)..
PROVINCIA DI BELLUNO
Consorzio DMO (Destination Management Organization) Dolomiti
(in the person of their respective legal representatives in office)