Circolo Golf e Tennis Rapallo preserves the confidentiality of personal data and ensures appropriate security against any circumstances that could involve a risk of personal data breach. As required by Art. 13 of the GDPR, we provide you (the Data Subject) with the information required by law regarding the processing of personal data.
SECTION I: Identity of the Controller and the categories of personal data processed (art.13, par.1, lett. A, art.15, lett. B GDPR)
Given that our company/organization deals with tourist and sport accommodation connected to golf and tennis:
Circolo Golf e Tennis Rapallo, in the person of its current legal representative, with registered office in Rapallo, acts as Data Controller and can be contacted at these addresses: pec email@example.com, email firstname.lastname@example.org. In its capacity as Data Controller, Circolo Golf e Tennis Rapallo collects and/or receives the information concerning the data subject, as
|Category of data
|Exemplifying data types
|Name, surname, address, nationality, telephone/mobile number, fax, tax code, email address
|IBAN and/or banking postal data (except the number of credit card)
|Telephone traffic data
|Log, IP address
We keep our clients' data safe, placing it at the center of our data management.
Circolo Golf e Tennis Rapallo does not require the data subject to supply sensitive data under Art. 9 GDPR, that is, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
In the event that the service requested from Circolo Golf e Tennis Rapallo requires the processing of such data, you will first receive a specific notification with a request for your consent.
If processing involves sensitive data:
|Category of sensitive data
|Exemplifying data types
Health and risk card and employee medical examination
|The result of genetic tests or of any other information that, regardless of its type, identifies the genotypic characteristics of an individual that are transmissible within a group of persons related by kinship
|A biometric recognition system is a particular computerized system whose function and purpose is to identify a person on the basis of one or more biological and/or behavioral characteristics (biometrics), comparing them with data previously acquired and held in the system database, through algorithms and input data acquisition sensors
|Information about the data subject that reveals the existence of certain judicial proceedings concerning the individual or his or her status as a defendant or suspect
|Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
Sensitive personal data will also be processed. They include personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning health or sex life.
Section II: The purposes of the processing personal data of data subject (art.13, par.1 GDPR)
Personal data are necessary for the Data Controller to fulfil the registration request and the supply contract for the chosen service, and/or the supply of the purchased product. Processing covers services such as assistance, management and execution of the contract request, as well as compliance with the legal obligations imposed on the Data Controller. In no case will Circolo Golf e Tennis Rapallo sell the Data Subject's data to third parties or process them for undeclared purposes.
- Registration and requests for contact and/or information material
Processing the Data Subject's personal data is required to carry out the preliminary and consequent activities such as requests for registration, management of requests for information and contact and/or sending of informative material, as well as the fulfillment of any obligation arising. The legal basis of processing is the fulfillment of services connected to the request for registration, information and contact and/or the sending of informative material, and compliance with legal obligations.
- The management of the contractual relationship
Processing the data subject's personal data is required for the following preliminary and consequent activities: purchase of a Service and/or a Product, management of the relative order, the provision of the Service itself and/or the production and/or shipment of the Product purchased, the related billing and payment management, the processing of complaints and/or reports to the assistance service and the provision of the assistance itself, the prevention of fraud as well as the fulfillment of any other obligation established by the contract.
The legal basis of the processing is fulfilling obligations under contract and other regulatory provisions.
- Legitimate interest pursued by data subject or by third parties
The data subject's personal data are processed on the basis of legitimate interest. The information is processed fairly and lawfully, in accordance with the data protection principles laid down by the GDPR n. 679/2016. The legal basis of the processing is fulfilling obligations under contract and other regulatory provisions.
- Promotional activities on Services or Products like those purchased by the data subject (Cons. 47 GDPR)
For the purpose of direct sale of its services/products, the Data Controller may also process the personal data of the data subject without his/her consent. That processing is limited to cases involving services/products like those that were the object of the sale. The data subject may expressly object to that processing.
- Commercial promotion activities on Services/Products different from those purchased by marketing data subject
The Data Controller provides services for purposes such as commercial promotion, surveys and market research about services/products. Personal data of the data subject may be processed for these purposes only if the data subject gives his consent and does not object to it. The processing of personal data by automated means may take place in the following ways: e-mail, SMS, phone call. It can be performed in these cases:
- when the data subject has not withdrawn his consent before the processing;
- when processing is carried out by phone through an operator, and the data subject is not registered in the "do not call" registry as provided by D.P.R. n. 178/2010.
- Hosting business/accommodation facilities;
- Airlines / shipping companies; railway company, road freight transport
- Travel agencies and Network of travel agencies
As provided by cons. 49 of the GDPR, the Data Controller also processes data through its suppliers (third parties and/or recipients).
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data.
Data Controller provides for communication of a personal data breach to a data subject, without prejudice to the obligations established by art. 33 of GDPR with regard to the notification of personal data breach.
The legal basis of the processing is compliance with legal provisions and the legitimate interests pursued by the Data Controller. Processing is carried out for the purposes of protecting company assets and the security of the offices and systems of Circolo Golf e Tennis Rapallo.
Personal data shall be processed for profiling purposes too (analysis of data transmitted and selected services/products, advertising messages and/or commercial proposal according to the choices of data subject) exclusively when data subject gave his specific consent.
The legal basis of such processing is the consent given by data subject before the processing. The data subject shall have the right to withdraw his or her consent at any time (section III).
- The Protection of Children
The services/products of the Data Controller are reserved for persons legally able to enter into contractual obligations, according to the national legislation of reference. In order to prevent illegitimate access to its services, the Data Controller implements preventive measures to protect its legitimate interest, such as: the control of the tax code and/or other checks, when necessary for specific services/products, of the correctness of the identification data on identity documents issued by the competent authorities.
Commercial partners concern the following product categories:
Section III: Communication to third parties and categories of recipients (art.13, par.1 GDPR)
The communication of personal data of data subject is made to third parties and/or categories of recipients. This activity is necessary to the execution of services connected to the legal relationship and legal obligations established by the law provisions:
|Categories of recipients
|Administrative, accounting and contractual obligations provided by the law regulation
|Administrative, accounting and contractual obligations established by the law regulation.
|Third party suppliers of CSA
|Provision of services (assistance, maintenance, delivery/shipment of products, provision of additional services, providers of electronic networks and services, internal cloud) connected to the requested service.communications
|Credit and digital payment institutions, Banking /postal institutions
|Management of collections, payments, reimbursements related to the contractual performance.
|External specialists/ consultants and consulting companies
|Execution of legal obligations and right of action to court
|Financial administration, public bodies, Judicial Authorities, Supervisory Authority and control
|Execution of legal obligations, defense of rights, lists and registers kept by public Authorities or similar bodies based on specific legislation, regarding the contractual performance
|Formally delegated subjects or having a legal capacity recognized
|Legal representatives, trustees, guardians, etc.
|Italian Golf Federation and Tennis/Media/Sponsor of golf competitions or partners of the club Non-profit associations
|Concerning sports activity.
ATTENTION: The Data Controller requires that suppliers and data processors apply security measures equal to those it adopts toward the data subject. This entails limiting the data processor's scope of action to processing related to the requested service. The Data Controller does not transfer your personal data to third countries that have not adopted the GDPR (countries outside the European Union), unless specifically indicated otherwise, in which case you will be informed in advance and, if necessary, your consent will be requested.
The legal basis of such processing is: fulfilling obligations concerning the legal relationship; compliance with legal obligations; the legitimate interest of Circolo Golf e Tennis Rapallo in carrying out the processing necessary for these purposes.
Personal data not provided by data subject as a requirement necessary to enter required service (art. 13, par.2, let.e GDPR)
The personal/ sensitive data not provided are not compulsory, but any refusal could make it impossible or extremely difficult to provide the requested services.
Missing authorization or consent to the processing of personal data for marketing activities on Services/Products different from those purchased
In the event that the data subject does not give his consent to the processing of personal data for these purposes, such processing will not be carried out for those purposes. The absence of consent produces effect on the provision of the services and, where requested, for those for which he has already given his consent.
In the case that the data subject withdraws his consent or objects to the processing concerning commercial promotion activities, the data will no longer be processed for these activities, without this entailing consequences or detrimental effects for the data subject and for the services requested.
Processing data of Data Subject
The Data Controller adopts adequate security measures in order to preserve the confidentiality, integrity and availability of the data subject's personal data. Moreover, it expressly requests that third-party suppliers and managers adopt similar security measures.
Where the data of data subject are processed
Personal data of data subject are stored in
- Paper archives at the head office
- Computer systems located at the head office
Storage period of personal data
The legal basis of processing imposes specific storage periods for the exclusive purpose of ensuring specific obligations, typical of some supply services, for the fulfillment of obligations (for example: tax and accounting; courses and work safety tests; documents concerning risk evaluation ex art. 17 D.lgs. n. 81/2008 as amended; advice on safety in the workplace; data protection advice). These obligations remain after the termination of the contract too (art. 2220 Italian civil code): therefore, for these purposes the Data Controller will keep only the data necessary for the relative pursuit. Except where the data subject withdraws his/her consent by specific communication, the data subject's personal data will be kept if they are necessary according to the legitimate interest for which they were collected. In particular, personal data are kept for the entire duration of your registration and, in any case, no later than a maximum period of 12 (twelve) months of your inactivity or, eventually, within this period, they are not associated with the services and/or purchased products through the registry itself.
In case of specific consent, data are kept for a maximum period of 24 (twenty-four) months or, within this period, they are not associated with the Services and/or purchased products through the registry itself, or in the case of a service assistance contract, up to 6 months beyond the expiry date of the contract itself not renewed, unless the consent given is revoked. In the case of data provided to the Data Controller for the purposes of commercial promotion for services different from those already acquired by the data subject, for which he initially gave consent, these will be kept for 24 months, unless the consent given is revoked. In the case of data provided to the Data Controller for profiling purposes, these will be kept for 12 months, unless the data subject revokes the consent given.
In the case that the data subject provides Circolo Golf e Tennis Rapallo with data that are not necessary or not required in order to perform the requested service or to provide a service strictly connected to it, Circolo Golf e Tennis Rapallo cannot be considered the owner of these data. Therefore, they will be deleted as soon as possible.
Except the cases of legitimate interest, in which the rights deriving from the contract and/or from the registration of the personal data should be asserted in court, personal data of data subject, exclusively those necessary for these purposes, will be processed for the time necessary for their pursuit.
Section IV: Data subject's rights
Art. 15 (right of access), art. 16 (right to rectification) of Reg. EU 2016/679
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
- Art. 17 of Reg. EU 2016/679 - Right to erasure ('right to be forgotten')
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) GDPR, or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing.
- the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
- the personal data have been unlawfully processed.
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
- Art. 18 Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- the controller no longer needs the personal data for the purposes of the processing, but
they are required by the data subject for the establishment, exercise or defence of legal
- the data subject has objected to processing pursuant to Article 21 (1) GDPR pending the
verification whether the legitimate grounds of the controller override those of the data
- Art. 20 Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
To exercise this right you can send a communication by means of email@example.com, pec: firstname.lastname@example.org, to: Fabrizio Pagliettini