GDPR: legal changes in protection of personal data
EU Regulation 2016/679 (the so-called GDPR, General Data Protection Regulation, hereinafter referred to as "the Regulation") of the European Parliament and Council, concerning the protection of individuals with regard to personal data processing as well as the free circulation of such data, came into force on 24 May 2016 and has been directly applicable in all EU Member States since May 25th 2018.
What is GDPR?
The aforementioned Regulation arises from the primary need for legal certainty, harmonization and simplicity of rules concerning personal data transfer from the European Union to other parts of the world.
It is therefore an essential step to strengthen the fundamental rights of citizens in the digital era and to facilitate economic activities by simplifying rules for companies in the context of a single digital market.
To whom does GDPR apply?
The Regulation applies to any company / entity that processes personal data in the context of the business performed in its main office or in its branches established in the EU (regardless of the place where data is processed), as well as to companies established outside the EU that offer goods / services to, or monitor the behavior of, people in the EU.
Does GDPR also apply to company data?
Data protection rules apply only to the personal data of natural persons, and not to data about companies or other legal persons. However, information relating to individual companies may constitute personal data if it allows the identification of a natural person.
What is GDPR’s purpose?
The GDPR aims to provide citizens more control over their personal data so that the information is protected throughout Europe. Therefore, with its commencement, people have more rights regarding the management, storage and use of their personal data in favor of an indispensable need for transparency.
For example, individuals have the right to obtain access to their data, to know how companies use it, to obtain its deletion as soon as they revoke their consent, and to rectify their own data if it is obsolete, incomplete or incorrect.
In other words, the Regulation offers an undoubted advantage to all citizens and at the same time involves greater efforts for companies in terms of data processing.
What data is affected by GDPR?
GDPR concerns personal data processing, i.e. all information regarding an identified or identifiable living person. Personal data that has been made anonymous, so that the individual is not or is no longer identifiable, is no longer considered personal data. For data to be effectively anonymous, anonymization must be irreversible.
Furthermore, the Regulation protects personal data regardless of the technology used to process it and of the method used to store it (e.g. computer system, video surveillance, paper).
In any case, therefore, personal data is subject to the mandatory protection established in the Regulation, which covers all data processing, including storage, modification, sending, blocking, deletion and use.
Examples of personal data:
· name and last name;
· date of birth;
· home address;
· email address;
· identity card number;
· geolocation (eg geolocation function on a smart phone);
· IP address (Internet Protocol);
· data stored in a hospital or at a doctor’s office.
What happens if GDPR is not respected?
First of all, it should be pointed out that a site that does not comply with national and European privacy legislation is liable to be reported or challenged by a user who views the site and does not find the notice required by law, or to whom the notice is not sent at the time of signing the contract; such a site is also susceptible to spot checks by the Privacy Authority.
The Regulation gives the Data Protection Authority several options in the event of non-compliance with the rules on personal data protection: in the event of a possible violation, a warning may be issued; if instead an actual violation is found, a warning, a temporary or definitive ban and a pecuniary sanction of up to 20 million euros, equal to 4% of the total annual worldwide turnover of the company, are possible.
The Authority must guarantee that the sanctions imposed in each individual case are effective, proportionate and dissuasive, also taking into account a series of factors such as the nature, gravity and duration of the violation, its intentional or negligent nature, any action undertaken to mitigate the damage suffered by the persons concerned, etc. (Article 83, paragraph 2, letters a) to k) of GDPR).
Does GDPR also apply to SunnySicily?
The Regulation certainly applies to our Company, which complies with all the legal requirements.
Therefore, in compliance with the obligations deriving from national legislation (Legislative Decree 30 June 2003 No. 196, Code regarding the protection of personal data, and subsequent amendments) and European legislation (European Regulation for the protection of personal data No. 679/2016), our site respects and protects the privacy of the visitors and users who consult it, making every possible and proportionate effort not to infringe their rights.
In order to offer our booking services, we need some of your data, and we ensure that we will always process it in compliance with the applicable laws on personal data protection.
1. General information and data holder
Your data will be processed by SunnySicily, based in Taormina (ME) - 98030 Salita Ciampoli, 3A; Telephone: +39 318.104.22.1685; E-mail: firstname.lastname@example.org; as data holder in accordance with GDPR. The pronoun "we" in this document also refers to SunnySicily.
When mentioning "SunnySicily" in this document, we refer to our website including all subpages, available content and functions (ie forums) as well as online services.
Finally, our services are intended for adults and not for minors.
When the site is consulted, data relating to identified or identifiable persons may be processed; if the user intends to oppose the processing of his / her data for legitimate reasons, he / she is required to send a written notice to SunnySicily at: email@example.com.
2. Legal basis for processing
Our site processes data on the basis of consent, expressed explicitly and / or implicitly by users. Consent is given by means of the banner placed at the bottom of the page or through the use or consultation of the site (to be understood as conclusive behavior).
Therefore, by using or consulting our site, visitors and users approve this privacy statement and consent to the processing of their personal data in relation to the methods and purposes described below, including any disclosure to third parties where necessary for the provision of a service.
The provision of data, and therefore consent to its collection and processing, is optional: the user can deny consent, or revoke a previously given consent (via the banner at the bottom of the page), at any time. However, denying consent may make it impossible to provide certain services, and the browsing experience on the site may be compromised.
3. Processing methods
The data holder processes users' personal data by taking appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of personal data.
Processing is done using IT and / or telematic tools, with organizational logic and methods strictly related to the purposes indicated.
We are also committed to protecting the security of your personal data when it is sent, using Secure Sockets Layer (SSL) software, which encrypts information in transit.
In addition to the data holder, in some cases data may be processed by categories of appointees involved in the organization of the site (e.g. administrative, commercial, marketing, legal, system administrators) or by external parties (such as third party technical service providers, postal couriers, hosting providers, IT companies, communication agencies), also appointed - if necessary - for data processing by the Owner.
4. Processing purpose
SunnySicily offers the possibility to plan and book private tours of Sicily online and to rent luxury cars (Mercedes E, S and V) with qualified and language-qualified drivers, as well as intra-regional airport transfers.
The processing of data collected by our site, in addition to the related purposes that are helpful and necessary for service provision, also serves the following purposes:
Statistics: collection of data and information in an exclusively aggregated and anonymous form in order to verify the correct functioning of the site (consent is not required). None of this information is linked to the natural person visiting our site, nor does it allow that person to be identified in any way;
Security: collection of data and information in order to protect the security of the site (e.g. antispam filters, firewalls, virus detection) and of users, as well as to prevent or detect fraud and abuse to the detriment of the site itself.
The data is automatically recorded and may also include personal data (such as the IP address) that could be used - in compliance with the law - to block attempts to damage the site or cause damage to other users, or to block activities that are in any case harmful or constitute a crime (consent is not required).
This data is not used to identify or profile the user and is periodically deleted;
Ancillary activities: such as communicating data to third parties that perform functions necessary for the service to operate in such a way as to allow them to perform helpful activities on our website.
Providers have access only to personal data necessary for their tasks in compliance with the current industry regulations and they undertake not to use them for different purposes.
5. Type of data collected
While users are browsing the SunnySicily website, the following information is automatically collected and stored in the server's log files (hosting) on the site:
- internet protocol address (IP);
- browser type;
- device’s connection parameters;
- internet service provider (ISP);
- date and time of visit;
- mobile device ID;
- the visitor's web page of origin and exit page;
- possibly the number of clicks.
These data are used for statistical and analytical purposes, in an exclusively aggregated form.
The IP address is used exclusively for security purposes and is not cross-referenced with any other data.
Furthermore, our site may collect other data (e.g. name, surname, email address, telephone number) when users voluntarily use services such as communication services or comments (e.g. contact forms, comment boxes); this data will be used exclusively to provide the requested service.
6. Processing place
Data is processed at the data holder's headquarters (specified above) and in any other place where the parties involved in the service are located. For more information, contact the owner.
7. Data retention period
The data collected by SunnySicily is processed and stored for the time required by the purposes for which it was collected. Once the need for retention has ceased, the data will be deleted or anonymized, unless there are other purposes for storing it, without prejudice to the user's right to request the interruption of processing or the deletion of his / her data at any time.
8. Collected data transfer to third parties
Data collected from our site is generally not provided to third parties, except in specific cases: legitimate request by the judicial authority and only in the cases provided for by law; if it is necessary for the provision of a specific service requested by the user; for the execution of security checks or site optimization.
9. Transfer of data to non-EU countries
SunnySicily may share some of the data collected with services located outside the EU, in particular with Google, Facebook and LinkedIn through social plugins and the Google Analytics service. The transfer is authorized based on specific decisions of the European Union and the Guarantor for the protection of personal data, in particular the decision n. 1250 of 2016 (available at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/6109035) for which no further consent is required.
In other words, cookies keep track of the actions taken by those who visited the site and are used in order to verify correct operation, improve functionality and customize the pages' content based on the type of browser used.
Our site uses the following types of cookies:
Technical cookies: used for the sole purpose of carrying out the transmission of an electronic communication, to ensure the correct display of the site and navigation within it. Some of these cookies are deleted when the browser is closed (session cookies), others have a longer duration (e.g. the cookies needed to retain the user's consent to the use of cookies, which last one year). This cookie category does not require user consent;
Analytics cookies: used directly by the site manager to collect information in aggregate form regarding the number of users and how they visit the SunnySicily website;
Profiling and marketing cookies: used exclusively by third parties other than SunnySicily owner to collect information on user behavior during browsing, interests or consumption habits as well as to provide targeted and personalized advertising on their preferences.
By clicking "OK" on the banner shown at the first access to SunnySicily, or by browsing the site itself, the visitor expressly consents to the use of cookies.
In any case, the user can refuse the use of cookies and, at any time, revoke a consent already given. Furthermore, since cookies are connected to the browser used, they can be disabled directly from the browser or via the banner at the bottom of the page.
However, disabling cookies may prevent the correct use of some functions of the site (e.g. YouTube videos, Google Maps).
The user can find information on how to manage cookies with some of the most popular browsers at the following addresses: Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Internet Explorer.
11. Third-party cookies
Our site also acts as an intermediary for third-party cookies (e.g. social network buttons), used to provide additional services and features to users and to simplify the use of the site, or even to provide personalized advertising.
However, SunnySicily has no control over these cookies, which are entirely managed by third parties, and has no access to the information collected through them.
Information on the use of these cookies and on their purposes, as well as on the methods for disabling them, is provided by the third parties (e.g. Facebook, Instagram).
Note that tracking users does not entail their identification, unless the user is already registered with the service and also logged in; in that case it must be understood that the user has already expressed his consent directly to the third party at the time of registration with the relevant service (e.g. Facebook).
Google Analytics: serves to analyze the utilization of our site by users, compile reports on site activity and user behavior, check how often users visit the site, how this is tracked and which pages are visited most frequently. The information is combined with information collected from other sites in order to create a comparative picture between one site and other sites in the same category.
Data collected: browser identifier, date and time of interaction with the site, page of origin, IP address.
The data collected does not allow users' personal identification and is not cross-referenced with other information relating to the same person. It is also handled in a consolidated and anonymous form.
Google AdWords and Google Remarketing: our website could use the Google AdWords program and Google Remarketing technology.
Google AdWords is an Internet advertising service that allows advertisers to display ads on the Google search engine and Google network.
Both are operated by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Google DoubleClick: a service that mainly sells online marketing solutions for advertising agencies.
12. Other services used by SunnySicily
We use Google Maps to display maps. The integration requires Google to receive the user's IP address, which is needed to send the content to the user's browser.
TripAdvisor is an online service that provides users with tips for hotels, B&Bs, resorts, rooms, travel guides, and more.
We do not know in detail which of your data will be transmitted to TripAdvisor or for what purpose the data will be used. This data includes your IP address, information about the site you visited, the date and time, and other information about the browser. To know the purpose of processing and the subsequent use of data by TripAdvisor, as well as your rights and setting options for the protection of your privacy, please read carefully the instructions regarding this subject on TripAdvisor.
For antispam protection on the contact and availability request forms we use a third-party component, namely Google reCAPTCHA by Google Inc.
The information that can be obtained from the cookies installed by Google reCAPTCHA will be transmitted by the user's browser to Google Inc. If Google reCAPTCHA cookies are disabled, the contact information / availability request forms may not be viewable.
For more information, we invite you to visit the related page on the Google Inc. website.
13. Social Network Plugins
SunnySicily also incorporates plugins and / or buttons in order to allow easy sharing of content on your favorite social networks.
When you visit a SunnySicily page that contains a plugin, your browser connects directly to the servers of the social network from which the plugin is loaded. These servers can track your visit to our website and, if appropriate, associate it with your social account, particularly if you are logged in at the time of the visit or if you have recently browsed one of the websites containing social plugins.
If you do not want the social network to record data related to your visit to our website, you must log out of your social account and delete the cookies that the social network has installed in your browser.
14. Paid service providers
In the event that you use a paid service or purchase something through our website, we offer different payment methods. If you decide to use one of these payment service providers, at the time of the "click" you will leave the SunnySicily website and all data will be collected and processed by that payment service provider.
SunnySicily does not receive any personal data, in particular no bank or credit card data, but only the information relating to the correct payment.
The following payment service providers are available:
We have integrated the PayPal payment option into our website.
PayPal is an online payment service provider of PayPal (Europe) S.à.rl & Cie. SCA, 22-24 Royal Boulevard, 2449 Luxembourg. Payments are made through so-called PayPal accounts, ie private or virtual company accounts. Furthermore, PayPal has the ability to process virtual payments via credit cards if a user does not manage a PayPal account. A PayPal account is managed through an e-mail address, which is why there is no classic account number. PayPal allows you to initiate online payments to third parties or to receive payments.
If the interested party selects "PayPal" as a payment option during the order process on our website, the data of the interested party will be automatically transmitted to PayPal. By selecting this payment option, the interested party consents to transfer the necessary personal data to process the payment.
The personal data transmitted to PayPal are generally name, surname, address, e-mail address, IP address, telephone number, mobile number or other data required for processing the payment.
The interested party has the possibility to revoke, with respect to PayPal, the consent to process personal data at any time.
Stripe is an external online payment platform that allows our website to accept payments by debit card, prepaid card or credit card. It is a safe and fast solution and payments are processed instantly.
It is not necessary to have a Stripe account to make purchases; a valid credit card, debit card or prepaid Visa or Mastercard is enough.
Stripe prevents fraudulent activity by detecting any suspicious activity, such as transactions for new orders identical to previous ones, which are therefore denied.
Stripe implements the PCI standard, for which it has been certified at level 1, currently the strictest one in the payment field. This standard is also guaranteed to the company that uses the service thanks to the native Stripe.js library. Through this feature, the online shop does not handle sensitive card data, which is transferred to the secure Stripe server without intermediate "passages".
15. Users' rights
According to the European Regulation 679/2016 (GDPR) the subject to which personal data refers can, according to the methods and within the limits provided for by the current legislation, exercise the following rights:
- oppose the processing of personal data for the purpose of sending advertising materials or direct sales, or for carrying out market research or commercial communication. Further details on the right to oppose are indicated in the section below;
- revoke the consent previously expressed at any time;
- access their data, as well as the right to obtain information on the data processed by the Owner and receive a copy of the data processed;
- verify and request the update, rectification, integration, deletion, transformation into anonymous form and removal of data processed in violation of the law, including data no longer necessary to achieve the purposes for which it was collected;
- obtain a processing limitation of their data;
- get information about the processing logic, methods and purposes;
- receive intelligible communication;
- in the case of consent-based processing, receive personal data in a structured format, commonly used and readable by an automatic device and, where it is technically possible, transfer it without obstacles to another holder;
- the right to raise a complaint with the competent authority for the protection of personal data or act in court;
- and, in general, to exercise all the rights that are recognized by the current legal provisions.
15-bis. Details about the right to oppose
When personal data is processed in the public interest, in the exercise of public powers vested in the Owner, or to pursue a legitimate interest of the Owner, users have the right to oppose the data processing for reasons connected to their particular situation.
Users are reminded that, if their data is processed for direct marketing purposes, they may oppose without giving any reasons.
15-ter. How to exercise rights
To exercise their rights, users can send a request to the Owner's contact details indicated above.
Requests are filed free of charge and processed by the data holder as soon as possible, in any case within one month.
16. Defense in court
The user's personal data can be used by the Owner for defense in court, or in the stages leading to possible legal action, against abuse of the site or of the connected services by the user.
The user is aware of the possibility that the data holder may be asked to disclose the data upon request from the public authorities.
17. Legal compliance
The Owner reserves the right to access, store and share information with regulatory bodies, law enforcement agencies or other parties in the following cases:
In response to a legal request, in terms of good faith and within the terms imposed by the law;
For all cases in which it is necessary to detect, prevent and resolve unauthorized use of Products and Services supplied or sold by our site, in order to detect any violations of our contractual or regulatory conditions;
In order to detect harmful or illegal activities, to protect the business developed, in protection of the business owner, the user and / or third parties.
The data collected can be consulted and stored for a prolonged period of time when it is the subject of a legal proceeding or obligation, a government investigation or investigations concerning possible violations of our conditions or regulations or, again, to avoid damage.
We can also keep the data for at least one year in order to avoid improper use or other condition violations.
For any clarification or information concerning data processing on this site, please contact the following address: firstname.lastname@example.org.
Changes to this privacy statement
SunnySicily reserves the right to modify this data privacy statement in order to constantly adapt it to current industry regulations.
Last updated 10 September 2019.