Privacy Policy

pursuant to Regulation 2016/679/EU “European Regulation on the protection of personal data”

In accordance with Regulation EU No. 2016/679/EU – GDPR (hereinafter the “Regulation”) and with current national legislation (Legislative Decree 196/03 and subsequent amendments and integrations), Civita Sicilia Srl (the “Company”), in its capacity as “Data Controller”, wishes to provide users (the “Users” or the “User”) with information regarding the processing of their personal data. This Privacy Notice refers only to the Website www.siramuse.it (the “Website”) and not to other websites that may be accessed by the user via links. The Privacy Notice also applies to the contact center service provided by the Company to allow Users to make reservations by phone (the “Contact Center”).

DATA CONTROLLER

Pursuant to art. 4 of the Regulation, the Data Controller is Civita Sicilia Srl,
VAT No. 05668320822, whose contact details are as follows:
Registered office: 90143 – Palermo (PA), Via della Libertà 52;
Email address: privacy@civita.art

PURPOSE, LEGAL BASIS AND MANDATORY OR OPTIONAL NATURE OF THE PROCESSING

The Data Controller undertakes to process the Users’ personal data only as necessary for the following purposes:

  1. to provide the services requested by the User through the Website and the Contact Center;
  2. to fulfill specific obligations arising from the law, regulations or EU legislation, to comply with requests from authorities;
  3. to carry out newsletter and marketing activities: with the User’s prior consent, the email address will be used to send newsletters promoting initiatives managed by the Company concerning current or upcoming cultural projects or events in which the User may be interested.

The processing of personal data under letter a) is legally based on art. 6 letter b) of the Regulation (performance of a contract or pre-contractual measures requested by the data subject). The processing under letter b) is based on art. 6 (c) of the Regulation (compliance with a legal obligation of the Controller). The processing under letter c) is based on art. 6 (a) of the Regulation (consent).
Providing personal data for the purposes under letter a) is necessary for the Company to provide the requested services.
Consent to processing for the purposes under letter c) is optional and does not affect access to the services. If the User does not consent to processing under letter c), the Company will not send communications regarding its initiatives and offers.
In any case, the User has the right to withdraw consent given for the processing under letter c) at any time, without affecting the use of the services or the lawfulness of processing carried out before withdrawal.

TYPES OF DATA PROCESSED

  • Identification data (first and last name);
  • Contact information (phone, email address);
  • Data required for billing, if requested.

The IT systems and software procedures used for the functioning of this Website, by their nature, collect various types of usage data whose transmission is implicit in the use of internet protocols. This information could potentially identify Users through processing and association with data held by third parties. This category includes IP addresses of computers used by Users connecting to the Website, type of browser used, operating system, date and time of visit, URLs of pages visited, and other browsing data. These data are used solely to obtain anonymous statistical information about the Website’s use, to check proper functioning, to identify anomalies and/or abuses, and are deleted after processing. Such data may be used to ascertain liability in case of hypothetical cybercrimes against the Website or third parties.

Data necessary for payment will be managed by the payment service provider and/or the bank.

PROCESSING METHODS

Data will be processed using both electronic and traditional tools.

Data processing may be carried out by staff specifically appointed for this purpose or by processor(s), where applicable.

DATA RECIPIENTS

User data may be transferred to the following categories of recipients:

  • entities or authorities to whom communication is mandatory under law, regulation, or orders of authorities;
  • parties authorized by the Company to perform activities strictly related to service provision, duly appointed as processors pursuant to art. 28 of the Regulation;
  • Consultants and professionals, including in association (ICT consultants and data protection consultants).

In relation to these categories of recipients, the Data Controller undertakes to rely only on parties that provide adequate guarantees regarding data protection.

TRANSFERS TO NON-EU COUNTRIES

User data will not be transferred to non-EU countries.

DATA RETENTION PERIOD

Data will be stored for as long as necessary to pursue the purposes for which they were collected, or until the User exercises their right to object to processing, subject to retention rights or obligations under applicable law.

RIGHT OF ACCESS TO PERSONAL DATA AND OTHER RIGHTS

In relation to the processing of personal data described above, the Regulation grants the data subject the rights set forth in arts. 15–22, in particular:

  • 15 – Right of access: the data subject has the right to obtain confirmation of whether personal data concerning them are being processed and, if so, access to the data as well as their origin, purposes, methods of processing, recipients of the data, and the logic applied in case of electronic processing.
  • 16 – Right to rectification: the data subject has the right to obtain without undue delay the rectification of inaccurate personal data concerning them;
  • 17 – Right to erasure: the data subject has the right to obtain the erasure or anonymization of personal data concerning them (where specific conditions under Art. 17 of the Regulation are met);
  • 18 – Right to restriction: the data subject has the right to restrict processing of personal data concerning them (under the conditions set out in Art. 18 of the Regulation);
  • 19 – Right to notification in case of rectification/erasure/restriction: the Data Controller is obliged to inform each recipient to whom personal data have been disclosed of any rectification, erasure, or restriction of processing carried out under Arts. 16, 17, and 18, unless this proves impossible or involves disproportionate effort;
  • 20 – Right to data portability: the data subject has the right to receive in a structured, commonly used, machine-readable format the personal data concerning them, which they have provided. When exercising the right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible;
  • 21 – Right to object: the data subject has the right to object to processing (under the conditions set out in Art. 21 of the Regulation), and the Controller must refrain from further processing unless specific conditions under Art. 21 apply;
  • 22 – Right not to be subject to automated decision-making: the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

The Data Controller will respond to requests without undue delay and in any case within one month of receipt. This period may be extended by a further two months, considering the complexity and number of requests (in such cases the data subject will be duly informed).

Requests concerning these rights may be submitted in writing or electronically via the dedicated email address privacy@civita.art, and must be addressed to the Data Controller (see contact details in the “Data Controller” section).

Furthermore, under art. 7 of the Regulation, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out by the Controller before withdrawal.

RIGHT TO LODGE A COMPLAINT

If you believe that the processing carried out by the Data Controller may have infringed the provisions of the European Regulation on the protection of personal data, you have the right to lodge a complaint with the Italian Data Protection Authority pursuant to art. 77 of the Regulation.