Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLE 13 OF EU REGULATION 2016/679 (GDPR)

CONSORZIO MOTOSCAFISTI SIRMIONE S.C.R.L as Data Controller (hereinafter: "Consortium" or also: "Data Controller") and SIRMIONE BOATS S.R.L as Joint Data Controller (hereinafter: "SB" or also: "Joint Data Controller") consider privacy and the protection of Personal Data one of the main objectives of their activity. This document has been prepared pursuant to Article 13 of the EU Regulation 2016/679 (hereinafter: "Regulation") in order to allow you to know our privacy policy. Before communicating any personal data to the Data Controller/Contractor, please read this Privacy Policy carefully as it contains important information on the protection of your personal data. 


This Privacy Policy:

is intended for the Site https://gardatours.com (hereinafter: "Site") and not for other websites that may be accessed by the interested party through links and is an integral part of the Site and the services we offer; 
is provided pursuant to Art. 13 of the GDPR and the Privacy Code to those who interact with the web services of the Site or who contact the company by mail or email.

The processing of your personal data will be based on the principles of correctness, lawfulness, transparency, limitation of purpose and storage, minimization and accuracy, integrity and confidentiality, as well as on the principle of accountability under Article 5 of the GDPR.

Your personal data will therefore be processed in accordance with the legislative provisions of the GDPR and the confidentiality obligations therein as well as those of the Privacy Code still in force today.

Processing of personal data means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as defined in Article 4.2 of the GDPR.

1. CO-OWNERS OF THE PROCESSING

The data controller is CONSORZIO MOTOSCAFISTI SIRMIONE S.C.R.L, with registered office in Via Trento n. 1 - 25019 Sirmione (BS), VAT no. 02784020980, tel. 030 9196694 email: privacy@gardatours.com

Co-processor of the data processing is SIRMIONEBOATS S.R.L., with registered office in Via Trento n. 1 - 25019 Sirmione (BS), P. IVA 04084210980, tel. 030 9196694 email: rent@sirmioneboats.info

2. PERSONAL DATA SUBJECT TO PROCESSING

We inform you that as a result of browsing the site, the personal data being processed may consist (even depending on your decisions on how to use the services) of an identifier such as name and surname, an identification number, location data, an online identifier, bank data, IP addresses, cookies, email address, suitable to make the person identified or identifiable, depending on the type of services requested (hereinafter only "personal data").

The personal data processed through the Site are as follows:

a. Navigation data

The computer systems and software procedures used to operate the Site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or the domain names of the computers used by users who connect to the Website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. This data is used for the sole purpose of obtaining any anonymous statistical information on the use of the Site to check its correct functioning, to identify anomalies and/or abuses, and is deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the Site or third parties.

b. Data provided voluntarily by the user


Without prejudice to specific information, this Privacy Policy shall also apply to the processing of data voluntarily provided by you through the use of the platform for the purchase of services provided by the owners on the site https://gardatours.com or subscription to the newsletter. In this regard, we invite you not to enter in the forms contained within the Site, information that may fall into the category of special categories of personal data referred to in Article 9 of the GDPR (for example, data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual life/orientation and genetic data, biometric data or data relating to your health). If you provide such information voluntarily in the course of a booking requesting transport or special needs, the data will only be processed with your consent, which can be revoked at any time, or deleted immediately.

c. Third party data voluntarily provided by the user

The use of some services of the Site may involve the processing of Personal Data of third parties sent by you. With respect to such hypotheses, you act as autonomous data controller, assuming all the obligations and responsibilities of law. In this sense, you hereby grant the widest possible indemnity in respect of any dispute, claim, request for compensation for damage caused by processing, etc., that may be received by the Controller from third parties whose Personal Data have been processed through your use of the functions of the Site in violation of the applicable rules on the protection of Personal Data.

In any case, should you provide or otherwise process Personal Data of third parties in the use of the Site, you warrant as of now - assuming all related liability - that this particular processing hypothesis is based on a suitable legal basis pursuant to art. 6 of the Regulation which legitimates the processing of the data in question.

d. Cookies 

Information on the cookies served by the Site is available at the link cookie policy.

e. Your Credit Card details: they are not saved in our systems and no one is able to read them. The only thing we can see is the type of Credit Card used and the last 4 digits. We need this information to be able to respond to your customer service requests and to keep track of how orders are paid for.

For Credit Card payments we use the world's most secure systems and partners such as Stripe and others.


3. PURPOSE OF PROCESSING

Your personal data will be processed, with your consent where necessary, for the following purposes, where applicable:

3.1. to allow users to use the services offered by the platform (e.g. request for contact, for a quote, request for information, request to send documentation, report abuse), including the possibility of purchasing our services online (boat hire with or without driver, excursions, etc.) through the Company Site;

3.2. meet specific requests, also by telephone, addressed to the Consortium or SB;

3.3. to fulfil any obligations provided for by the laws in force, regulations or Community legislation, or to satisfy requests from the authorities;

3.4. to exercise the rights of the Owner;

3.5. for statistical purposes, without it being possible to trace your identity;

3.6. Soft opt-in: to carry out direct marketing via e-mail provided by you for services similar to those previously purchased by you as an existing customer (including: demos, material or documentation downloadable from the Site), unless you expressly refuse to receive such communications, which you may express when requesting the services or on subsequent occasions. Your personal data will be processed by automated and non-automated means.

Specific security measures are observed to prevent the loss of data, unlawful or incorrect use and unauthorised access.

3.7. Marketing: to carry out marketing activities such as: carrying out studies, research, market statistics; sending you information and promotional material regarding the activities and services of the Consortium or SB and its commercial partners (without any communication of personal data belonging to the Consortium or SB to said partners); sending you surveys to improve the service ("customer satisfaction"). Such communications may be made via e-mail by subscribing to the newsletter and/or through the Controller's official pages on social networks; it should be noted that the Controller collects only one consent for the marketing purposes described herein, pursuant to the General Provision of the Garante per la Protezione dei Dati Personali "Linee guida in materia di attività promozionale e contrasto allo spam", of 4 July 2013; if, in any event, you wish to object to the processing of your data for marketing purposes carried out by the means indicated herein, you may do so at any time by contacting the Data Controller or co-owner at the email address privacy@gardatours.com, without prejudice to the lawfulness of the processing based on the consent given before revocation.

4. LEGAL BASIS AND OBLIGATORY OR OPTIONAL NATURE OF PROCESSING

The legal basis for the processing of personal data for the purposes referred to in section 3.1. and 3.2. is Article 6(1)(b) of the GDPR ([...]processing is necessary for the performance of a contract to which the data subject is party or the performance of pre-contractual measures taken at the request of the data subject), as the processing operations are necessary for the provision of services. The provision of personal data for these purposes is optional, but failure to do so would make it impossible to activate the services requested.

The legal basis for the purpose referred to in section 3.3. is Article 6(1)(c) of the GDPR ([...]the processing is necessary for compliance with a legal obligation to which the controller is subject). Once personal data have been provided, in fact, the processing is indeed necessary to comply with legal obligations to which The Controller is subject.

The legal basis for the purpose referred to in section 3.4. is Article 6(1)(f) of the GDPR ([...] processing is necessary for the purposes of pursuing the legitimate interests of the Data Controller or third parties, provided that the interests or fundamental rights or freedoms of the Data Subject do not prevail).

It should also be noted that the processing referred to in section 3.5. is not performed on personal data and can therefore be freely carried out by the Controller.

The processing of your Personal Data for the purpose described in section 3.6. represents legitimate processing under applicable data protection legislation, which does not require your consent (art. 130 co. 4 Legislative Decree 196/2003). You may object to the processing of your Personal Data for this purpose both when requesting the products and services available on the Site and when receiving subsequent communications from the Data Controller.

The provision of your Personal Data for the purposes indicated in point 3.7. is entirely optional and does not affect, in any way, the use of services. This means that if you do not wish to give your consent, you may still use the services made available through the Site. The only consequence of your failure to provide such consent will be that, in the event of refusal to consent to processing for Marketing purposes, you will not be able to receive offers and promotions from the companies involved.

5. RECIPIENTS OF PERSONAL DATA

Your personal data may be shared, for the purposes referred to in section 3 of this Privacy Policy, with: 

5.1. persons who typically act as data processors, i.e.: a) persons, companies or professional firms that provide assistance and advice to the owners in administrative and legal matters, relating to the provision of services; b) persons with whom it is necessary to interact for the provision of services (such as hosting providers); c) persons delegated to carry out technical maintenance (including maintenance of network equipment and electronic communications networks);

5.2. persons authorised by the Consortium or SB to process personal data necessary to carry out activities strictly related to the provision of services, who have committed to confidentiality or have an adequate legal obligation of confidentiality and who guarantee the Processing of Data in accordance with the GDPR.

5.3. entities, bodies or authorities to which it is mandatory to communicate your Personal Data by virtue of legal provisions or orders from the authorities or in the case of reports to investigate complaints and identify the source of messages received from users;

The complete and updated list of Data Processors is kept at the Data Controller's operational headquarters.


6. TRANSFER OF PERSONAL DATA

The data provided will not under any circumstances be disclosed or communicated to third parties, with the exception of subjects whose right to access the data is recognised by legal provisions or orders of the authorities, as well as subjects, also external and/or foreign, to whom the communication is necessary to fulfil fiscal or administrative obligations, or subjects which the co-owners make use of in order to carry out activities that are instrumental and/or accessory to the fulfilment of their obligations deriving from the conclusion of the contracts governed by the General Conditions of Sale on line and/or in any case connected to the services offered (by way of example only: Consortium members or authorised employees of SB). Please also note that in order to carry out the above activities, the data collected may be transferred to servers that may be located in non-EU countries (booking service). In this case, subject to verification that the country in question guarantees an "adequate" level of protection pursuant to Article 46 GDPR 679/16, the Data Controller will guarantee suitable security measures based on the provisions of the Regulations.


7. STORAGE OF PERSONAL DATA

Personal data processed for the purposes set out in section 3.1. - 3.2. - 3.6. shall be kept for the time strictly necessary to achieve those purposes and, in the case of processing carried out for the provision of services, up to the period of time provided for and permitted by Italian law to protect the interests and rights of defence of the Data Controller, having regard to the limitation periods provided for by the applicable legislation (Art. 2946 c.c. et seq.). Personal Data processed for the purposes referred to in section 3.3. will be kept until the time provided for by the specific obligation or applicable law. For the Marketing purposes referred to in section 3.7., your Personal Data will instead be processed, as a general rule, until your consent is revoked. If you withdraw from the services you have requested from the co-owners without having revoked these consents, your data may also be processed after your withdrawal. Further information on the data retention period and the criteria used to determine this period may be requested by sending a written request to the Controller at the email address indicated in this notice. This is without prejudice, however, to the possibility for the co-owners to keep your personal data for the period of time provided for and allowed by Italian law to protect their interests (Art. 2947(1)(3) c.c.). In addition, the Owner will keep the data for anti-fraud purposes (section 3.4.): the Owner and the Stripe Data Processor (privacy policy stripe) will keep the personal data of the users, including those of unsuccessful and/or unauthorised transactions, included in the black list, for 24 months from collection, except for the data necessary for the ascertainment, exercise or defence of a right in a court of law.

8. RIGHTS OF THE DATA SUBJECT

As a data subject, you are guaranteed all the rights specified in Articles 15 to 22 of Regulation (EU) 2016/679, Art. 7.3 GDPR (free withdrawal of consent); in particular, pursuant to the applicable legislation, you are entitled to:
(a) obtain: indications on the origin of the personal data, on the purposes and methods of processing, on the legal basis of processing, on the logic applied in case of processing carried out with the aid of electronic tools and in case there is an automated decision-making process and in this case the importance and the expected consequences of such processing; indication of the identification details of the Data Controller and of the Managers; indications of the entities or categories of entity to whom or which the data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State's territory, data processor(s) or person(s) in charge of the processing; indications of the period of retention of personal data or, if this is not possible, the criteria used to determine that period; access, updating, rectification or integration of the data concerning him/her; erasure without undue delay or restriction of processing; data portability, i.e. the transmission of the data in a commonly used and machine-readable format and the right to transfer them to another data controller (where technically feasible); certification that the operations referred to in the preceding points have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, unless this requirement proves impossible or involves the use of means manifestly disproportionate to the protected right;

b) withdraw the consent given at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;
c) object, in whole or in part, at any time, to the processing of personal data concerning him/her, where it is carried out for the purpose of commercial information or sending advertising or direct sales material or for carrying out market research or commercial communication surveys. 

Please note that the data subject's right to object, as set out in point 3.7 above, for the purposes of direct marketing using automated methods is extended to traditional methods and that, in any case, the data subject may exercise his/her right to object even partially. Therefore, the interested party may decide to receive only communications by traditional means or only automated communications or neither of the two types of communication.

In order to exercise the rights provided by the GDPR, the Data Subject may: 
(i) forward his requests to the co-owners, by means of written communication to be sent by e-mail to the e-mail address: privacy@gardatours.com

(ii) express communication at the Data Controller's registered office.

In any case, you always have the right to lodge a complaint with the competent supervisory authority (Garante per la protezione dei dati personali), pursuant to Article 77 of the GDPR, if you believe that the processing of your data is contrary to the legislation in force.

9. CHANGES

CONSORZIO MOTOSCAFISTI SIRMIONE S.C.R.L and SIRMIONEBOATS S.R.L reserve the right to modify or simply update the content of this Privacy Policy, in part or completely, also due to changes in the applicable legislation. The co-owners therefore invite you to regularly visit this section in order to become aware of the most recent and updated version of the Privacy Policy so that you can be kept up to date on the data collected and the use made of it by the co-owners.

10. MINORS

Please note that the co-owners' registration and booking services are not aimed at minors. In limited cases, as part of the collection of passenger data for booking purposes, we may only collect and use information from children (under the age of 14) if provided by their parent or guardian or with their consent.

11. LINKS TO OTHER WEBSITES AND THIRD PARTIES

Our website may include links to and from the websites of our partner networks, advertisers and affiliates, or to social media platforms. If you follow a link to any of these websites, you should note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before submitting any personal data to their websites.


Last updated: 01/06/2021