Privacy policy pursuant to European Regulation No. 2016/679 (“GDPR”)

Please read carefully this policy (hereinafter, “Privacy Policy”), which is provided to users of the website www.teatroluxuryapartmentsfirenze.it (hereinafter, the “Website”), pursuant to article 13 of the GDPR, in which we indicate you all details relating to the processing of your data and its use.

1. Data controller and DPO

Corso Italia S.r.l., with registered office in Milan (MI), via San Paolo n. 7, VAT number 11678740967 (hereinafter “Data Controller” or “Corso Italia”), who can be contacted at the email address: corsoitaliasrl-mi@legalmail.it.

For matters relating to privacy, in addition to the Data Controller, you can contact the Data Protection Officer (“DPO”) by writing to: Privacy.Corsoitalia@StudioDiRevisori.it.

2. Purpose of the processing

The Data Controller will process the following personal data:

1. Data provided voluntarily by the user: (e.g., name, surname, address, telephone number, e-mail address): (hereinafter “Personal Data” or also “Data”): this is data directly provided by you by filling the contact forms on or by creating your personal area within the Website.
2. Data collected using cookies or similar technologies: for further information, please refer to the Cookie Policy: https://www.teatroluxuryapartmentsfirenze.it/en/privacy-policy
3. Technical data: This category of data includes the IP addresses or domain names of the devices used by users who connect to the website, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment. These data is used only for statistical information (and is therefore anonymous), to check the correct functioning of the website and is deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the Website: except for this possibility, web contact data does not persist for more than 7 days.

3. Purpose, legal basis for processing and nature of data provision

Your personal data will be processed for the following purposes:

1. to follow up on requests made through the contact forms on the Website, including requests for quotes.
   With reference to this purpose, the legal basis for the processing of your personal data is represented by Article 6, paragraph 1, letter b) of the GDPR: “Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” The provision of data for this purpose is therefore necessary in order to respond to your requests.
2. to create your personal area within the Website.
   With reference to this purpose, the legal basis for the processing of your personal data is represented by Article 6, paragraph 1, letter b) of the GDPR: “Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
   The provision of data for this purpose is optional, but without it, the Data Controller will not be able to finalise the creation of your personal area.
3. for the performance of direct marketing activities.
   We process your personal data, subject to your free, specific and informed consent, to send you promotional communications (e.g., newsletters), in order to update you on our commercial and advertising initiatives on events, initiatives or partnerships of the Data Controller, to conduct market and user satisfaction surveys, in accordance with the provisions of the Italian Data Protection Authority “Guidelines on promotional activities and combating spam - 4 July 2013 [2542348]”.
   If you decide to give your consent, we inform you that these activities may be carried out, as provided for by current regulations, by post, telephone contact via an operator (“traditional methods”), e-mail (newsletter), text messages, push notifications and the use of social networks (“automated methods”).
   With reference to this purpose, the legal basis for the processing is Article 6, paragraph 1, letter a) GDPR: “consent of the data subject”.
   The provision of personal data for this purpose is optional and may be revoked at any time in accordance with point 7 of this Privacy Policy.
4. to fulfil legal obligations to which the Data Controller is subject.
   With reference to this purpose, the legal basis for the processing is Article 6, paragraph 1, letter c) GDPR: “Processing is necessary for compliance with a legal obligation to which the controller is subject.”
   The provision of data is therefore necessary in order to allow the Data Controller to fulfil its legal obligations.
5. for the pursuit of the legitimate interests of the Data Controller or third parties.
   The Data Controller may use your personal data for preventing fraud committed through the Website and to allow protection in court and/or out of court.
   Legal basis: Article 6, paragraph 1, letter f) GDPR: “legitimate interest”.
   Processing is not mandatory and you may object as described in this Privacy Policy.
6. allow the Data Controller to complete extraordinary corporate transactions.
   Legal basis: Article 6, paragraph 1, letter f) GDPR: “legitimate interest”.
   Processing is not mandatory and you may object in the manner described in this Privacy Policy.

Your personal data will be processed by means of the operations indicated in Article 4(2) of the GDPR, namely: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, interconnection, restriction, erasure and destruction of data. Your personal data will be processed both on paper and electronically and/or automatically, in compliance with the rules of confidentiality and security provided for by laws, regulations and internal provisions.

4. Data recipients and data transfer

Your data may be shared with:

• entities acting as independent data controllers, data processors and/or sub-processors (e.g., companies responsible for managing the Website, the facility and/or other third parties providing services to the Data Controller);
• persons authorised by the Data Controller to process personal data who have committed themselves to confidentiality or have an adequate legal obligation of confidentiality;
• persons delegated and/or appointed by the Data Controller to carry out activities strictly related to the pursuit of the above purposes, duly appointed, where necessary, as data processors;
• persons, companies or professional firms that provide assistance and advice to the Data Controller, duly appointed as data processors where necessary.

Outside of the aforementioned hypotheses, your personal data will not be disclosed except to subjects, entities or authorities to whom disclosure is mandatory under the provisions of law or regulations.

Your personal data may be transferred outside the European Economic Area only if the requirements set out in Articles 44 et seq. of the GDPR are met.

5. Data retention period

The Data Controller will process Personal Data for the time strictly necessary to fulfil the purposes referred to in point 3 above.

For purpose 3(a): data will be kept for the time strictly necessary to manage the request.

For purpose 3(b): data will be stored until the personal area is deleted and, subsequently, for the applicable prescription period.

For purpose 3(c) (marketing): data will be stored until withdrawal of consent. Periodic assessments of user interest will be performed.

For purpose 3(d): data will be processed until the time required by specific obligations or applicable law.

For purposes 3(e) and 3(f): data will be processed for the period strictly necessary for ascertaining, exercising or defending a right or interest in court and/or for the completion of extraordinary corporate transactions.

6. Data protection

Your personal data is processed by the Data Controller in full compliance with current legislation. Technical and organisational measures appropriate to the risk have been adopted.

7. Rights of the data subject and withdrawal of consent

In accordance with the GDPR, where the legal requirements are met, you may request at any time access, correction, deletion, restriction of processing, or object to processing.

You may also exercise the right to data portability pursuant to Article 20 of the GDPR.

You may withdraw consent at any time pursuant to Article 7(3) GDPR. Withdrawal does not affect the lawfulness of processing before withdrawal.

Requests relating to your rights may be addressed to: Privacy.Corsoitalia@StudioDiRevisori.it

You also have the right to lodge a complaint with the competent supervisory authority (Garante per la Protezione dei Dati Personali) pursuant to Article 77 GDPR.