Globest Tour Operator

Globest Srls, in its capacity as Data Controller (hereinafter, “Globest” or “Data Controller”) pursuant to Regulation (EU) 2016/679 (hereinafter “GDPR” or “Regulation”) and D.lgs. n. 196/2003 (“Privacy Code”), is committed to protecting the confidentiality of the personal data of users of its website.

This Privacy Policy is intended to inform, pursuant to art. 13 and 14 of the GDPR, those who interact with the website https://www.globest.it/, either by simple consultation or by using specific services made available through the Site, about the way in which personal data will be processed during its use.

This information is not intended to be used for other websites that may be accessed through links contained in this Site.

The processing of personal data will be based on the principles of correctness, legality, transparency, limitation of purposes and storage, minimization and accuracy, integrity and confidentiality, as well as the principle of accountability referred to in art. 5 of the GDPR.

“Processing of personal data” means any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, deletion or destruction.

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The data controller is Globest Srls, in the person of the legal representative, based in Palermo in via Ercole Bernabei at number 19, which can be contacted at: info@globest.it

The Globest Data Protection Officer can be contacted at the Controller’s headquarters at the above address and by e-mail at: info@globest.it

2. PERSONAL DATA SUBJECT TO PROCESSING

We inform you that the personal data processed may consist of an identifier such as name, identification number, location data, online identifier or one or more elements characteristic of your physical, physiological, psychological, economic, cultural or social identity, suitable to make the data subject identified or identifiable, depending on the type of services requested (hereinafter only “personal data”).

The personal data processed through the Site are as follows:

a. Navigation data

The computer systems and software procedures used to operate the Site acquire, in the course of their normal operation, certain personal data whose transmission is implied by the use of Internet communication protocols. This is information that is not collected to be associated with identified data subjects, but that by its very nature could, through processing and associations with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of computers used by users connecting to the Site, the URI (Uniform Resource Identifier) addresses of requested resources, the time of request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters related to the user’s operating system and computer environment.

These data are used only for the purpose of obtaining anonymous statistical information on the use of the Site, to check its proper functioning and to identify anomalies and/or abuses; the data is deleted as a rule after processing, unless it is necessary to identify those responsible in the case of hypothetical computer crimes against the Site or third parties.

b. Data voluntarily provided by the user

Except for the reference to specific vertical information that may be available in the different sections of the Site, this Privacy Policy is also intended for the processing of personal data voluntarily provided as part of the forwarding of specific requests for assistance and/or information to the Controller’s e-mail addresses available on the Site (such as, but not limited to, email address, personal data, identification data).

With reference to these types of data, we invite you to share only the personal data strictly necessary for the purpose of managing a possible request, therefore excluding information that is not relevant and/or that may fall within the scope of the particular categories of personal data referred to in art. 9 of the GDPR ([…] personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, genetic data, biometric data intended to uniquely identify a natural person, data relating to the person’s health or sexual life or sexual orientation).

In the event of transmission of personal data not relevant or strictly necessary to manage the request, the Controller will refrain from processing such data and will delete them immediately.

This Privacy Policy also covers the processing of personal data resulting from the voluntary subscription to the newsletter through the appropriate form on the Site, under which your identification data (such as name and surname) and contact details (in particular, the e-mail address) are processed.

c. Data processed due to online services

Except for the reference to specific information that may be available in the different sections of the Site, this Privacy Policy is also intended for the processing of data voluntarily provided for the purpose of performing the services rendered online, with particular reference to the following services:

– service for the creation of a quote for the tourist package, including the execution of related administrative activities, including the sending of the service e-mail containing the requested quotation to the e-mail address you have provided, in the context of which personal and contact data may be processed;

– personal account creation service and access to the personal area of the Site, within which personal data (in particular name, surname, age), contact details (address of residence/domicile; e-mail and telephone number) and information on occupation will be processed.

Within the personal area, the Data Controller will also process, in addition to the above-mentioned data, additional personal data, such as information on the history of requested quotes.

d. Cookies and other tracking technologies

Information on cookies served by the Site is available here.

3. PURPOSE, LEGAL BASIS OF PROCESSING AND NATURE OF THE CONFERMENT

Personal data will be processed, with consent where necessary, for the following purposes:

a) allow the navigation of the Site, the registration in private areas and access to all other services made available by the Data Controller (such as, for example, the service of requesting and creating quotes for tourist packages, including the execution of related contractual and administrative activities), including the management of the security of the Site;

b) manage and verify the specific requests addressed to the Data Controller forwarded to the e-mail addresses and/or telephone numbers of the Data Controller available on the Website;

c) subscription to the newsletter, in order to receive by e-mail communications and information of a commercial nature, promotional and direct marketing on services, products and offers of the Data Controller;

d) to send, with the specific consent of the data subject, promotional and marketing communications, including newsletters, promotional offers, commercial initiatives, advertising material, direct sales and market research on products and services of the Controller, through automated contact systems such as e-mail, SMS, instant messaging systems and non-automated such as paper mail or telephone with operator; it is specified that the Data Controller collects a single consent for the marketing purposes described here, pursuant to the General Measure of the Data Protection Authority “Guidelines on promotional activities and combating spam” of 4 July 2013.

If, in any case, you would like to object to the processing of data for marketing purposes carried out with some or all of the means of contact indicated above, it is possible at any time to do so by contacting the Data Controller at the addresses indicated in paragraph 1 of this information, without prejudice to the lawfulness of the processing carried out before the objection;

e) comply with any obligations under applicable laws, regulations or Community legislation, or respond to requests from the authorities;

f) satisfy any defensive needs of the Data Controller both in the out-of-court and judicial phase.

The legal basis for the processing of personal data for the purposes referred to in lett. a) and b) is to be found in Art. 6, para. 1, lett. b) of the GDPR ([…] the processing is necessary for the execution of a contract to which the data subject is a party or for the execution of pre-contractual measures taken at the request of the same), as the processing is necessary for the provision of the services requested by the data subject.

The provision of personal data for the aforementioned purposes is optional; however, any failure to provide it could result in the impossibility for the Controller to activate and provide the requested services.

The processing carried out for the purposes set out in Art. 6, para. 1, lit. a) of the GDPR is based on the consent given pursuant to Art. 6, par. 1, lett. a) of the GDPR ([…] the data subject has expressed consent to the processing of his or her personal data for one or more specific purposes).

The consent is revocable at any time without prejudice to the lawfulness of the processing carried out prior to the revocation in accordance with art. 7 of the GDPR. The provision of personal data for these purposes is therefore entirely optional and does not affect the use of services. If you wish to object to the processing of your data for marketing purposes, you can do so at any time by contacting the Controller and/or the DPO at the addresses indicated in paragraph 1 of this privacy policy.

The purpose referred to in lett. e) represents a legitimate processing of personal data pursuant to art. 6, para. 1, lit. c) of the GDPR ([…] the processing is necessary to comply with a legal obligation to which the data controller is subject). Once the personal data has been transferred, in fact, the processing is necessary to comply with legal obligations to which the Controller is subject.

The processing referred to in point f) is carried out in order to pursue the legitimate interest of the Data Controller pursuant to art. 6, par. 1, lett. f) and 9, par. 2, lit. f) of the GDPR, because once personal data has been provided, its processing may become necessary to establish, exercise or defend a right in court or whenever judicial authorities perform their functions.

4. RECIPIENTS OF PERSONAL DATA

Personal data may be shared, for the purposes set out in paragraph 3 of this Privacy Policy, with:

1. persons authorised by the Data Controller to process personal data pursuant to art. 29 of the GDPR and 2-quaterdecies of the Privacy Code (e.g. personnel involved in administration, support, CRM, management of information systems, etc.);

2. third parties who, in the provision of services (for example: technology services, administrative, legal, tax and financial advisory and support services, hosting providers, technical maintenance service providers, marketing and communication service providers, etc.) typically act as data processors pursuant to art. 28 of the GDPR. The Data Controller keeps an updated list of data processors and ensures that the data subject can view it at the place indicated above and by sending a written request to the Data Controller at the addresses indicated in paragraph 1 of this privacy policy;

3. entities, bodies or authorities to which it is mandatory to communicate personal data pursuant to legal provisions or orders of the authorities.

These entities are collectively referred to as “Recipients”.

5. EXTRA-EU TRANSFER OF PERSONAL DATA

The personal data provided through the Site will be processed and stored in the information systems of the Controller, whose servers are located within the European Economic Area. However, in the event of any transfer of personal data to recipients located outside the European Economic Area, the Controller ensures that the transfer will be carried out in compliance with the conditions indicated by art. 44 ff. of the GDPR, such as the adoption of Standard Clauses approved by the European Commission, the selection of subjects participating in international programs for free movement of data or operating in countries considered safe by the European Commission, in accordance with recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board (EDPB).

You can request more information about the data transfers made and the guarantees adopted for this purpose from the Controller and/or the DPO at the contacts indicated in paragraph 1 of this notice.

6. STORAGE OF PERSONAL DATA

Personal data will be collected and stored, in accordance with the principles of minimization and limitation of storage set out in art. 5.1.c) and e) of the GDPR, guaranteeing security measures to prevent data loss, illegal or incorrect use and unauthorized access.

The personal data processed for the purposes referred to in points a) and b) of paragraph 3 of this information will be kept for the time strictly necessary to achieve those same purposes, i.e. for the time necessary to perform the service, in accordance with the storage times required by law. In particular, regarding quotations, including the personal information contained therein, we inform you that they will be kept for as long as the quotation itself is valid.

For the purpose of subscribing to the newsletter and, in general, direct marketing referred to in lett. c) and d) of paragraph 3 of this policy, personal identification and contact data will be processed until you object or revoke your consent.

In general, the Data Controller reserves the right to store the data for the time necessary to comply with any regulatory obligation to which it is subject or to meet any defensive needs. Specific security measures are observed to prevent data loss, illegal or incorrect use and unauthorized access.

More information about the data retention period and the criteria used to determine this period can be requested by sending a written request to the Controller and/or DPO at the addresses indicated in paragraph 1 of this notice.

7. RIGHTS OF DATA SUBJECTS

As a data subject, you can assert your rights and/or ask for information about the processing of your data by contacting the Controller and the DPO at the addresses indicated in paragraph 1 of this privacy policy, preferably by inserting in the subject of the communication the wording “Request for exercise of privacy rights”.

In particular, the following rights may be exercised at any time:

1. revoke any consent given (Art. 7 of the GDPR) – The data subject has the right to revoke at any time any consent given, without prejudice to the lawfulness of the processing carried out prior to the revocation;

2. right of access (art. 15 GDPR) – The data subject has the right to obtain confirmation as to whether or not his personal data is being processed and the right to receive any information regarding this processing;

3. right of rectification (art. 16 GDPR) – The data subject has the right to have his or her personal data rectified, if they are incomplete or inaccurate;

4. right to erasure (Art. 17 of the GDPR) – in certain circumstances, the data subject has the right to have his or her personal data contained in our records deleted;

5. right to restriction of processing (Art. 18 GDPR) – if certain conditions are met, the data subject has the right to obtain limitation of processing of his personal data;

6. right to portability (Art. 20 of the GDPR) – The data subject has the right to have his or her personal data transferred to a different controller, as well as the right to obtain the data concerning him or her in a structured, commonly used format readable by automatic devices;

7. right to object (art. 21 of the GDPR) – The data subject has the right to submit a request for objection to the processing of his personal data in which he provides evidence of the reasons justifying the objection; the Controller reserves the right to assess this request, which may not be accepted if there are compelling legitimate reasons to proceed with the processing that prevail over the data subject’s interests, rights and freedoms. The data subject also has the right to object at any time and without justification to the sending of commercial, promotional and direct marketing communications, including newsletters, market research and invitations to events, through automated and non-automated contact systems. With regard to this type of communication, the possibility of exercising this right in part, namely by opposing, for example, only the sending of promotional communications carried out through automated means, remains unaffected;

8. the right to lodge a complaint with the supervisory authority (Art. 77 of the GDPR) – in the manner indicated in the following paragraph, if the data subject considers that the processing of personal data violates the law on the protection of personal data, he or she may lodge a complaint with the supervisory authority of the Member State in which he or she is habitually resident, works or where the alleged breach occurred;

9. the right to apply to the appropriate courts (Art. 79 GDPR).

8. CHANGES

The Data Controller reserves the right to modify or simply update the content of this privacy policy, in part or completely, also due to changes in the applicable legislation. The Data Controller therefore invites you to visit this section regularly to take note of the most recent and updated version of the privacy policy.