Information on the processing of personal data ex art. 13 EU Regulation 2016/679 (GDPR)
Dear User,
the company Coast Edutainment S.p.A., hereby communicates to you, below, the information, referred to in Article 13 EU Regulation 2016/679 (GDPR), regarding the processing of personal data to be released during registration to the website https://www.lecaravelle.com/ (hereinafter for brevity also referred to as just "Website") and during the subsequent purchase, receipt and enjoyment of the products and services marketed through it.
Such processing of your personal data may also take place by means of computer and electronic tools.
Data controller
The data controller of personal data is Costa Edutainment S.p.A. P.IVA 03362540100, with registered office in Riccione (RN), Via Ascoli Piceno n. 6, c.a.p. 47838 (RN) in the person of its legal representative pro tempore (hereinafter referred to as "Society" o "Holder“).
Contact details of the Data Protection Officer
The Data Protection Officer (DPO) or Data Protection Officer can be reached at e-mail: dpo@costaedutainment.com or by regular mail by writing to the Company's administrative office located in Genoa, Porto Antico Area - Ponte Spinola Ambrogio sn, c.a.p. 16128 (GE), to the attention of the same.
Categories of data being processed
The Controller will process, but not limited to, the following categories of personal data you provide during registration with the Site, when purchasing products and services, and when fulfilling your order and providing the services you have purchased:
- Biographical data (e.g., first name, last name, date of birth, social security number, residential address);
- Contact information (e.g., phone number, e-mail address);
- credentials to access the personal area formed as a result of registration on the Site (e.g., username and password);
- Data related to the products or services purchased;
- Data on the payment system used;
- Data acquired by the Owner during the execution of a product purchase contract;
- Data acquired by the Owner in the process of providing the purchased service;
- the result of your profiling based on your purchase history, where you have given consent to such processing.
Purpose of data processing
Your personal data will be processed by the Data Controller for the following purposes:
- to enable you to register on the Site and take advantage of services related to your registration such as a personal space where you can check your orders, the purchases you have made, express your satisfaction with the services offered by the Owner and access the provision of additional services offered by the Owner;
- to enable you to proceed with the purchase of products and services offered by the Owner by means of the Site;
- to enable the Owner to handle any claims, which may have occurred to you while using the services, or your claims, if any;
- to enable the Controller to send you communications about activities and promotions relating to the same or similar services or products as those already enjoyed and/or pertaining to offers or promotions related to them, limited to the use, for this purpose, of the personal data represented by your e-mail address that you provided when concluding the contract;
- to send you, subject to your consent, commercial information, including by newsletter, regarding products and/or services offered by the Holder, also using contact data other than your e-mail address (e.g., cell phone number, residential or home address);
- for profiling and/or market analysis purposes, so that the Controller can create, with your consent, a profile of you in order to send you selected commercial communications based on your preferences, or other behavioral aspects, as revealed by the profiling activity;
- so that the Controller may communicate your personal data to third parties, with your consent, so that they can send you commercial information related to their products or services. The third parties to which your data may be disclosed are the Controller's subsidiaries, affiliates or investees or other third-party companies operating in the entertainment sector marked by the qualitative use of leisure time, combining culture, science, education, entertainment and nature;
- for the Holder to send you a notice of "reminder" for the purpose of notifying you of the impending deletion of your account and the data you saved by means of it, a circumstance that will result in the need for a new registration to access related services;
- so that the Holder can protect its rights both in and out of court;
- To enable the Owner to fulfill its legal obligations to which it is subject.
Legal basis for processing
The legal basis on which your personal data is processed for the purpose mentioned above 1) Is the execution of the contract for registration to the Site.
The legal basis on which your personal data is processed for the purpose mentioned above 2) is the execution of the contract for the purchase of the good or service or the execution of pre-contractual measures taken at its request.
The legal basis on which your personal data is processed for the purpose mentioned above 3) is the legitimate interest of the Data Controller in the management of any claims occurring during the use of the service, or any claims related to the products or services marketed by it. In the event that the management of the claim involves the processing of its particular data (e.g., data relating to health), the legal basis will be represented by the need for the Controller to ascertain, exercise or defend a right of its own in court.
The legal basis on which your personal data is processed for the purpose mentioned above 4) Is as provided in Art.130 paragraph 4 Dl.gs 196/2003 as amended and supplemented.
The legal basis on which the processing of your personal data for the purposes mentioned above is based 5), 6) e 7) Is your consent. The provision of consent for these purposes is optional, in the sense that failure to provide it will not limit in any way the registration to the Site, nor the purchase of products and services or the enjoyment of them. It is specified that failure to provide the requested consents, or their subsequent revocation, will not allow the Data Controller to implement the processing activities for which such consents are requested.
The legal basis on which your personal data is processed for the purposes set forth in the preceding paragraph. 8) is the legitimate interest of the Data Controller in ensuring that the account on which the loyalty relationship with the user is based is not deleted, balanced against the user's interest in continuing to benefit from the services connected to it, without having to provide a further subsequent registration and in not losing the data previously saved by means of their account, an interest that is considered overriding with respect to the consequent compression of their rights that such processing entails.
The legal basis on which your personal data is processed for the purpose mentioned above 9) is the legitimate interest of the Controller in the protection of its rights both in and out of court on the occasion of any breach of contract by you or damage caused by you to the Controller's property or to third parties or third parties' property. Where the protection of your right by the Controller involves the processing of your particular data (e.g., health-related data), the legal basis will be the need for the Controller to ascertain, exercise or defend a right of its own in court.
The legal basis on which your personal data is processed for the purpose mentioned above 10) is the need for the Owner to fulfill legal obligations to which it is subject.
Consequences of not providing data
The provision of your personal data is necessary to enable your registration on the Site, and subsequent purchase, through the Site, of the products and services of the Owner. Failure to provide your personal information will not allow you to proceed with your registration on the Site and subsequent purchase of products or services marketed by the Owner.
Period of data retention
Your personal data processed for the purpose stated in. 1) will be kept for the duration of your registration to the Site. It should be noted that, in any case, 6 years after the last purchase made by you to your account, it will be automatically deactivated with the consequent cancellation of the same and the data associated with it. You will be sent before the expiration of the term of the effective cancellation of your account, a notice of "reminder" for the purpose of maintaining active registration on the Site.
Your personal data processed for the purpose stated in. 2) will be kept for the duration of the procedure of purchasing the good and service and, thereafter, until the complete fulfillment of the order or use of the service.
Your personal data processed for the purpose stated in. 3) will be retained for as long as the claim or complaint is handled and until it is settled.
Your personal data processed for the purposes set forth in paras. 4), 5), 6) 7) e 8) will be retained for the duration of your registration to the Site subject to your express request for deletion of the data exercisable at any time according to the procedures set out in the paragraph of this policy dedicated to the exercise of your rights.
It should be noted that, in any case, 6 years after your last purchase, your account will be automatically deactivated resulting in the deletion of it and the data associated with it.
Your personal data processed for the purpose stated in. 9), and in particular data related to the conclusion and execution of contracts with the Controller, will be retained for the duration of 10 years from the conclusion of the relevant contract. After this period has elapsed, they may be further retained in the event that they are needed as part of legal proceedings that are still in progress.
Your personal data processed for the purpose stated in. 10) will be retained for as long as necessary so that, by means of them, the Controller can fulfill legal obligations to which it is subject (e.g., 10 years with respect to data contained in accounting records).
Data recipients
Your personal data may be disclosed to third-party companies that offer or manage, on behalf of the Controller, services to support the online sales activity of the Controller's products or services.
Your personal data may be disclosed, with your consent, to other third parties so that they may send you commercial information regarding their products or services. The third parties to which your personal data may be disclosed are companies related to, participated in and/or controlled by the Data Controller, third party companies operating in the entertainment sector oriented to the qualitative use of leisure time, combining culture, science, education, entertainment and nature, as well as the companies controlled or participated in by the Data Controller.
Your personal data may, in addition, be disclosed to additional third parties, such as lawyers, consultants, insurance company.
Your personal data may be accessed by third party companies that offer or manage, on behalf of the Data Controller, services related to the management of the website, registration to the same and companies providing CRM or similar applications, limited to these purposes and subject to their appointment as data processors, ex art 28 EU Regulation 2016/679.
The list of personal data controllers, which by its nature is changeable, can be requested from the Controller at any time by writing to privacy@costaedutainment.com .
They can, also, have access to your personal data, the employees of the Company, defined as data processors, if the task of these employees requires it. Each processor is specifically identified, authorized and trained, and acts on the basis of specific instructions provided by the Company regarding the purposes, methods of such processing and the security measures to be taken for the protection of personal data.
Rights of the Interested Party
The Data Controller informs you that you, as a Data Subject, have the right, pursuant to Art. 15 et seq. EU Regulation 2016/679, and within the limits prescribed therein, to:
- Obtain data and information about the processing, particularly in relation to the type of personal data processed, the purposes for which the personal data are processed, the period of processing, and the parties to whom the data are disclosed (c.d. right of access);
- Obtain rectification or supplementation of inaccurate personal data concerning you (c.d. right of rectification);
- Obtain the deletion of personal data concerning you in the following cases: (i) the personal data are no longer necessary for the purposes for which they were collected; (ii) you have withdrawn your consent to the processing of personal data, if they are processed on the basis of such consent; (iii) you have objected to the processing of personal data concerning you if they are not processed for a legitimate interest of the Controller; (iv) the processing of personal data does not comply with the law. However, the retention of your personal data by the Controller is lawful if it is necessary to enable the Controller to comply with a legal obligation or to establish, exercise or defend a right in court (c.d. right of cancellation);
- obtain that the personal data concerning you be only retained without any other use of them in the following cases: (i) you contest the accuracy of the personal data, for the period necessary to allow the Controller to verify the accuracy of such personal data; (ii) the processing of the personal data is unlawful you object, however, to the deletion of the personal data by the Controller; (iii) the personal data are necessary for the establishment, exercise or defense of a legal claim; (iv) you object to the processing and are awaiting verification as to whether the Controller's legitimate grounds for processing, if any, prevail over yours (c.d. right of limitation);
- Submit opposition at any time to the processing of personal data personal data and in particular to the processing of data processed for marketing purposes and for the purpose of profiling (c.d. right of objection);
- Receive in a commonly used, machine-readable and interoperable format the personal data concerning you, if they are processed under a contract or on the basis of your consent, and/or request to transmit the data to another data controller, if feasible (c.d. right to portability);
- revoke consent at any time to the processing for which it is requested. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to withdrawal;
- ask, at any time, to the Controller that you no longer be sent commercial information regarding the same or similar services as those already used and/or concerning offers or promotions related to them (so-called "soft spam" referred to in Art. 130 paragraph 4 of Legislative Decree No. 196 of June 30, 2003).
The above rights may be exercised by you by writing to the Holder by e-mail at the address dedicated to privacy@costaedutainment.com or by writing by mail to the administrative headquarters of Costa Edutainment S.p.A., located in Genoa, Area Porto Antico - Ponte Spinola Ambrogio sn, c.a.p. 16128 (GE).
You have, in addition, the right not to be subjected to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or that significantly affects you in a similar way and also the right to request, on any automated decision, including profiling, human intervention by the Controller on the automated intervention performed by the latter, express your opinion and to challenge the decision.
Right of complaint
If you believe that the processing of your personal data by the Data Controller occurs in violation of the provisions of the EU Regulation 2016/679, you have the right to lodge a complaint with the Office of the Privacy Guarantor, as provided for in Article 77 of the EU Regulation 2016/679 (by e-mail, at: garante@gpdp.it, or by mail, to the Guarantor for the Protection of Personal Data, located in Rome (Italy), Piazza Venezia 11 Scala B, zip code 00187), or to take appropriate legal action, as provided for in Art. Art. 79 of EU Regulation 2016/679.
The Data Controller
Costa Edutainment S.p.A.
