Website www.mugellotoscana.it Privacy Policy Notice

Articles 13 and 14 EU Regulation 2016/679 (General Data Protection Regulation )

  1. Introduction

Unione Montana dei Comuni del Mugello takes the privacy of the user seriously and is committed to respecting it. This privacy policy ("Privacy Policy") describes the processing activities of personal data carried out by Unione Montana dei Comuni del Mugellothrough this website and the related commitments made by Unione Montana dei Comuni del Mugelloin this regard. Unione Montana dei Comuni del Mugello may process the user's personal data when they visit the Website and use the services and features available on the Website. In the sections of the Website where the user's personal data are collected, a specific notice is normally published in accordance with Articles 12/14 of EU Regulation 2016/679. Where provided for by EU Regulation 2016/679, the user's consent will be required before proceeding with the processing of their personal data. If the user provides personal data of third parties, they must ensure that the communication of the data to Unione Montana dei Comuni del Mugello and the subsequent processing for the purposes specified in the applicable privacy notice comply with EU Regulation 2016/679 and applicable law.

  1. Contact details of the data controller and the data protection officer

Data controller: Unione Montana dei Comuni del Mugello
Via Palmiro Togliatti, 45 50032 Borgo San Lorenzo (Florence) Italy

E-mail: turismo@uc-mugello.fi.it

PEC: uc-mugello@postacert.toscana.it
Telephone: +39 055 84527185/6

Data Protection Officer  (DPO): Bertoli Roberto

E-mail: dpo@uc-mugello.fi.it
Telephone: +39 347 3908393

  1. Types of data processed

Visiting and browsing the Website generally does not involve the collection and processing of the user's personal data, except for browsing data and cookies as specified in the document available at the dedicated link Cookie Policy (https://www.mugellotoscana.it/it/cookie-policy.html). In addition to the so-called "browsing data," personal data voluntarily provided by the user may be processed when they interact with the Website's features or request to use the services offered on the Website.

  1. Purposes and Legal Basis

The personal data processed through:

  1. a) Contact form or via email - the provided data will be used to provide an adequate response to the received inquiry;
  2. b) Request for guides in paper format - the provided data will be used for sending the requested material;
  3. c) Subscription to the newsletter - the email address will be added to the database managed by the controller and used to provide information about events, activities, and companies in the area.
  4. d) Whatsapp Channel (subscription) - dedicated to accommodation and service structures. Subscription is free, and it is not necessary to be subscribed to request the publication of one's own advertisement on the channel. Managing the channel represents further development in collaboration with accommodation and tourism service structures. Subscription allows viewing advertisements from accommodation and service structures. Structures can contact each other directly using the contacts published in the advertisement, thus avoiding the need for additional channels of the Controller.
  5. e) Whatsapp Channel (advertisement publication) - dedicated to accommodation and service structures. Structures can request the publication of an advertisement to offer products/services to channel subscribers. The Controller will publish the advertisement, including contact details provided by the structure.
  6. f) Reserved area for tourist facilities - the collected data will be used to maintain the relationship with the structure (e.g., data of the legal representative and/or other delegated person) and for publication on the website mugellotoscana.itand connected social channels (e.g., email and phone of the structure, website internet address, etc. - data intended for dissemination). Public data may also be communicated via email to third parties requesting information about a service and/or product.

The legal basis for points a), b), d), e), and f) is found in the execution of a contract or pre-contractual measures to which the data subject is party (Article 6(1)(b) of EU Regulation 679/2016). The legal basis for point c) is found in the consent of the data subject (Article 6(1)(a) of EU Regulation 679/2016). Personal data may be processed in both paper and electronic form.

  1. Security and Quality of Personal Data

Unione Montana dei Comuni del Mugello is committed to adopting adequate security measures to protect the user's personal data and complies with security provisions provided by applicable law to prevent data loss, unlawful or unauthorized use of data, and unauthorized access to them. Additionally, the information systems and computer programs used by Unione Montana dei Comuni del Mugello are configured to minimize the use of personal and identifying data; such data are processed only for the achievement of specific declared purposes. Unione Montana dei Comuni del Mugello uses multiple advanced security technologies and procedures to promote the protection of users' personal data; for example, personal data are stored on secure servers located in places with protected and controlled access. The user can help Unione Montana dei Comuni del Mugello  keep their personal data up to date by communicating any changes to the data previously provided.

  1. Scope of Data Communication and Access

The user's personal data may be disclosed based on the data subject's own request (e.g., publication of structure data on the website, publication of advertisement on Whatsapp). If the purpose does not require data dissemination, the data will not be disseminated or communicated to persons unrelated to the purposes for which they were collected. The user's personal data will not be communicated to third countries or international organizations. The user's personal data may be communicated to:

  • our collaborators, employees, within the scope of their duties, all duly authorized and informed regarding the permitted processing;
  • external collaborators/suppliers, appointed Data Processors if necessary to achieve the purposes for which the data were collected, to fulfill subsequent regulatory obligations, or for assistance or consultancy reasons;
  • third parties for legal obligations.
  1. Data Retention Period for Personal Data

The personal data collected for the purposes outlined in:

  • 4a) they will be retained for the time necessary to formulate a response. Once the inquiry is considered closed and a reasonable period has elapsed during which there have been no further requests from the data subject, the data will be deleted or anonymized.
  • 4b) they will be retained for the time necessary to send the requested guides and for an additional period during which the user may contact us for further information. If there are no legal obligations, the data will be deleted or anonymized.
  • 4c) they will be retained until the withdrawal of consent, which can be expressed directly through a link always present in the emails we send or by contacting us and requesting deletion. In case of direct contact, it is advisable to write an email from the same registration address to obtain deletion without producing further evidence.
  • 4d) they will be retained as long as the collaboration between Unione Montana dei Comuni del Mugelloand the Structure/Person who has subscribed remains, or until we receive a request for cancellation of their number from the Whatsapp channel.
  • 4e) they are intended for publication on the Whatsapp channel dedicated to Companies operating in the tourism sector in the area and will not be deleted unless requested directly by the data subject.
  • 4f) they will be retained as long as the collaboration between Unione Montana dei Comuni del Mugelloand the tourist structure remains. If the Structure decides to remove its presence from the website or the Controller's social channels, it may request this directly from the Controller.
  1. Nature of Personal Data Provision

The provision of certain personal data by the user is mandatory to allow the Company to manage communications, requests received from the user, or to contact the user to follow up on their request. This type of data is marked with an asterisk [*], and in such cases, provision is mandatory to allow the Company to process the request, which, if not provided, cannot be fulfilled. On the other hand, the collection of other data not marked with an asterisk is optional: failure to provide them will not have any consequences for the user.

The provision of personal data by the user of their email for subscription to the newsletter is optional; choosing not to subscribe does not affect the ability to request information through the website.

  1. Rights of the Data Subject

9.1 Article 15 (Right of Access) and 16 (Right to Rectification) of EU Regulation 2016/679

The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, and if so, to access the personal data and the following information:

  1. a) The purposes of the processing;
  2. b) The categories of personal data concerned;
  3. c) The recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organizations;
  4. d) The envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period;
  5. e) The existence of the data subject's right to request from the data controller rectification or erasure of personal data or restriction of processing concerning the data subject or to object to such processing;
  6. f) The right to lodge a complaint with a supervisory authority;
  7. h) The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

9.2 Right under Article 17 of EU Regulation 2016/679 – Right to Erasure ("Right to be Forgotten")

The data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. b) The data subject withdraws consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) and there is no other legal ground for the processing;
  3. c) The data subject objects to the processing pursuant to Article 21(1), and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  4. d) The personal data have been unlawfully processed;
  5. e) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject;
  6. f) The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of EU Regulation 2016/679.

9.3 Right under Article 18 Right to Restriction of Processing

The data subject has the right to obtain from the data controller restriction of processing where one of the following applies:

  1. a) The data subject contests the accuracy of the personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
  2. b) The processing is unlawful, and the data subject opposes the erasure of the personal data and requests instead the restriction of their use;
  3. c) Although the data controller no longer needs the personal data for the purposes of processing, the personal data are required by the data subject for the establishment, exercise, or defense of legal claims;
  4. d) The data subject has objected to processing pursuant to Article 21(1) of EU Regulation 2016/679 pending the verification whether the legitimate grounds of the controller override those of the data subject.

9.4 Right under Article 20 Right to Data Portability

The data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another data controller without hindrance from the data controller.

  1. Withdrawal of Consent to Processing

The data subject has the option to withdraw consent to the processing of their personal data by sending a registered letter with return receipt or a Certified Electronic Mail (PEC) to the contacts of the Data Controller accompanied by a photocopy of their identity document, indicating the subject "withdrawal of consent to the processing of all my personal data." Upon completion of this operation, the data subject's personal data will be removed from our records as soon as possible unless they are necessary to comply with legal obligations or to protect the rights of the Data Controller, the Data Subject, or third parties.

If you wish to have more information about the processing of your personal data, you can write to the email address of the Data Controller or to the email address of the Data Protection Officer.

If you wish to exercise the rights mentioned in the preceding point 9, you can send a registered letter with return receipt or a Certified Electronic Mail (PEC) to the contacts of the Data Controller. Before being able to provide or modify any information, it may be necessary to verify your identity. A response will be provided as soon as possible.