Privacy Policy
NOTICE PURSUANT TO ARTICLES 13–14 OF THE GDPR (GENERAL DATA PROTECTION REGULATION) 2016/679
In accordance with the aforementioned regulation, this processing will be carried out based on the principles of fairness, lawfulness, transparency, and the protection of your confidentiality and rights. Pursuant to Article 13 of GDPR 2016/679, we are providing you with the following information:
A – Personal information (such as your first name, last name, ID details and a copy thereof, telephone number, email address, etc.) will be collected at the time of registration, depending on the type of membership you require. In accordance with Article 28 of the General Data Protection Regulation (GDPR) 2016/679, the Data Processor for data relating to bookings made through the company’s official website, via the https://www.demontel.it/ platform, is Scuderie De Montel – Terme di Milano srl a Socio Unico.
The Company, as the processor of your personal data, provides you with information on how your data will be used and your rights, ensuring that you can give informed consent, if necessary, and exercise your rights under the General Data Protection Regulation (European Regulation 679/2016, hereinafter: “the Regulation”).
Your personal data (provided by you, by third parties, or collected from public sources within the limits of the law) may be processed for the following explicitly stated purposes: fulfilment of a contract, fulfilment of an obligation outside the contract, compliance with a legal obligation, and protection of your rights or those of third parties. The legal basis for the processing may be:
- A – Legal obligation or regulation,
- B – Contract with the data subject or fulfilment of contracts,
- C – Legitimate interest of the data processor or third parties,
- D – Vital and urgent interest of the data subject,
- E – Express consent of the data subject,
- F – Performance of a task in the public interest.
The meaning of the different purposes is explained in detail below:
- Legal purposes: this category includes the fulfilment of obligations set forth by law, regulations, European Union legislation, and the directives of legally authorised authorities or competent supervisory or regulatory bodies. In these cases, your consent is not required, as the processing of the data is necessary for the fulfilment of such obligations or provisions. Data processed for legal reasons include those related to tax regulations and anti-money laundering records.
- Contractual, administrative and accounting purposes: this type of processing concerns the fulfilment of obligations arising from contracts to which you are party or the execution of specific requests made by you prior to entering into the contract. This may include the use of remote communication techniques, such as a dedicated call centre. In these cases, your consent is not required as the data processing is aimed at managing the relationship or fulfilling your requests. These processing operations also include the mutual protection of interests in legal disputes, tax purposes and other legal obligations, such as anti-money laundering record keeping, if applicable.
- Direct marketing purposes: this type of processing involves sending information, as well as commercial and advertising material, regarding the company’s products, services, or initiatives. The aim is to promote them, carry out direct sales, conduct market research, and assess the quality of the products or services offered. Data may be processed with your voluntary consent or based on the legitimate interest of the company, provided that it does not conflict with your rights.
- Profiling: this processing aims to optimise commercial offers, carry out targeted commercial communications, conduct statistical research and create profiles based on your personal preferences, behaviour and attitudes. The goal is to make informed commercial decisions or analyse and predict your preferences for commercial purposes. In these cases, your consent is optional and will not affect your relationship with the company.
- Indirect marketing purposes: this category includes the sharing of your data with third parties who carry out autonomous commercial activities, as described in the previous section. Again, your consent is optional and will not affect your relationship with the company.
- Post-marketing purposes: this processing involves analysing the reasons for the termination or revocation of your relationship with the company after it has ended. Again, your consent is optional and will not affect your relationship with the company.
“Special category data”, also known as “sensitive data”, are personal data that may reveal ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify an individual, data relating to a person’s health, sex life or sexual orientation (Article 9 of the Regulation), or data relating to criminal convictions and offences or associated security measures (Article 10 of the Regulation). This data can only be processed with your express written consent or if one of the reasons listed in Article 9, paragraph 2, and Article 10 of the Regulation applies. Consent is optional, but refusal to provide consent may hinder the performance of one or more activities required of the company, specifically those involving the processing of such data.
Consent to the processing of your data may be required for entering into contracts with the Data Controller or third parties. However, only data necessary for the execution of the contract is mandatory. You are free to provide or withhold consent for non-essential data, particularly for profiling, commercial communications and marketing purposes.
The Data Controller collects and processes your data to protect your vital interests if you are under 18 and over 14 years of age. Your data will be processed with the utmost confidentiality and solely for the time necessary to provide the services requested from the Data Controller, excluding any purposes beyond the ongoing relationship between you and the Data Controller.
Your data may be shared with third parties for the purposes stated by the Controller. Specifically, it may be transferred to third countries if deemed adequate or, if not, subject to your express consent.
B – DATA PROCESSING METHODS.
Your data is processed using manual/paper filing as well as electronic and automated means, in line with the aforementioned purposes. If you have provided your consent, the processing may include data profiling or comparison. The Company has implemented technical and organisational measures to prevent and minimise the risk of loss, deterioration, or theft of your data, as well as to ensure prompt recovery in the event of a data breach.
The processing is designed to ensure the security, protection and confidentiality of your data. Within the company, personnel responsible for or in charge of the processing may have access to your personal data, including employees, managers, directors or partners of the company who occupy administrative, collaborative or commercial positions with freelance contracts within the company structure. These persons have received appropriate training from the company to ensure the storage, updating and security of your data, so consent is not required by these individuals, as it is provided for by law.
Outside the company, your data may be processed by contractors with freelance contracts operating outside the company’s structures, as well as by consultants of various kinds (lawyers, accountants, tax consultants, etc.) who work with the company. In this case too, the external parties have received appropriate training to ensure the storage, updating and security of your data, and the company has taken contractual and organisational measures to ensure that the data is processed in accordance with GDPR 2016/679.
The company may use third-party service providers to carry out certain activities involving the processing of your data. However, these suppliers act exclusively on behalf of the company and follow the instructions provided by the latter, ensuring maximum data security and confidentiality. External suppliers may be subject to specific rules and regulations, ensuring an adequate level of data protection.
C – DATA RETENTION PERIOD.
Your personal data will be retained for the period necessary to fulfil the purposes for which they were collected. The retention period may vary depending on the purpose of processing. For example:
- Contractual, administrative and accounting purposes: data will be retained for the duration of the contract and for the subsequent period required by law to fulfil tax and accounting obligations.
- Direct marketing purposes: data will be retained as long as your consent is in effect or until you exercise your right to object.
- Profiling: data will be retained as long as your consent is in effect or until you exercise your right to object.
- Indirect marketing purposes: data will be retained as long as your consent is in effect or until you exercise your right to object.
- Post-marketing purposes: data will be retained as long as your consent is in effect or until you exercise your right to object.
In some cases, the company may be obliged to retain data for a longer period due to regulatory requirements or to protect its interests in the event of litigation.
D – RIGHTS OF THE DATA SUBJECT.
As the data subject, you have the right to obtain confirmation as to whether or not personal data concerning you exists, even if it has not yet been recorded, and its communication in an intelligible form. You have the right to be informed of the:
- origin of the personal data;
- processing purposes and methods;
- logic applied in the event of processing by electronic means;
- identification details of the data controller, data processors and the representative designated pursuant to Article 5, paragraph 2;
- subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as designated representatives within the national territory, data processors or appointed persons.
You have the right to obtain:
- the updating, rectification or, when relevant, completion of the data;
- the cancellation, transformation into an anonymous form or blocking of data processed in breach of the law, including data that does not need to be retained in relation to the purposes for which the data were collected or subsequently processed;
- certification to the effect that the operations as per letters a) and b) have been made known, also as regards their content, to those to whom the data have been communicated or disclosed, unless this proves impossible or involves a manifestly disproportionate effort compared to the right being protected.
You have the right to object, wholly or in part:
- for legitimate reasons to the processing of personal data concerning you, even if relevant to the purpose for which it was collected;
- to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or marketing communications.
You have the right to data portability, that is, the right to receive personal data concerning you in a structured, commonly used and machine-readable format, and you have the right to send such data to another data controller without hindrance. Furthermore, you have the right to withdraw your consent at any time without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal of consent.
E – HOW TO EXERCISE YOUR RIGHTS
You may assert your rights at any time by writing to the Data Controller by recorded delivery sent to the Company’s registered office or by email to: info@demontel.it. The Data Controller shall reply to your request without undue delay and, in any case, within one month from receipt thereof. San Siro Benessere S.r.l. a Socio Unico, Registered office: Largo A. Ildefonso Schuster 1 – 20122 Milano, Italy.
F – REQUEST FOR CONSENT AND WITHDRAWAL.
Consent for data processing is optional. However, failure to provide consent for the processing of the data strictly necessary for entering into and fulfilling the contract may result in the impossibility of proceeding with the contractual relationship or failure to fulfil contractual obligations.
The provision of consent for the purposes of profiling, commercial communications, marketing and the sharing of data with third parties for indirect marketing purposes is optional and does not affect the contract. You may withdraw your consent at any time without prejudicing the lawfulness of the processing based on the consent given prior to the withdrawal. Withdrawal of consent prevents the company from pursuing the purposes for which consent is required.
G – LODGING A COMPLAINT WITH THE REGULATORY AUTHORITIES.
In any case, you have the right to lodge a complaint with the competent regulatory authority (Italian Data Protection Authority) if you consider that the processing of your personal data contravenes the applicable legislation.
H – DATA CONTROLLER.
The Data Controller is San Siro Terme, with registered office at Scuderie De Montel – Terme di Milano Srl a Socio Unico. Registered Office: Largo A. Ildefonso Schuster 1 – 20122 Milano, Italy. Tax code and VAT reg. no. 11763560965. If necessary, the Data Controller may appoint one or more data processors, mentioning them in this notice or informing the data subject at a later stage.
I – UPDATES.
This notice may be subject to updates. Any future changes will be published on the company’s website and, if relevant, communicated directly to the data subject.
Please read this notice carefully and contact the company if you have any questions or require further information.
- [Representative]: Not applicable.
- [Data Processors]: The CEO and departmental managers.
- [DPO]: Luca Rampazzo.
- How to Exercise Your Rights:
You can send a written request to the company at Largo A. Ildefonso Schuster 1 – 20122 Milano, Italy or email it to privacy@demontel.it. Alternatively, if available, you can do this yourself in the personal online area using a unique identifier.