Pursuant to article 13 of Regulation (EU) 2016/679 (hereinafter, the “GDPR”), the Joint Controllers -as better identified below- hereby provide you with this privacy policy containing information regarding the processing of personal data in relation to bookings and purchases made through one of the following websites: www.destinationveronagarda.travel, www.visitverona.it and www.lagodigardaveneto.com.

Which data do the Joint Controllers process?..........................................1
How are my data processed?...................................................................1
Are data shared with other subjects?....................................................... 2
What are my rights?..................................................................................2
Where are my data stored?.......................................................................3
How will I be informed of any changes to this Policy?.............................. 3

Which data do the Joint Controllers process?

Personal data: 
- identification data (first name, last name, date and place of birth, residence, tax code/id number),
- contact details,
- financial data (for example, credit/debit card, payment method).

How are my data processed?

Below, the Joint Controllers will indicate the purposes for which your personal data will be processed. 
For each purpose for which the Joint Controllers process your personal data, there is a legal basis that legitimizes the processing, as further specified below. 
For each processing activity, the Joint Controllers have identified a retention period for the personal data. At the end of the retention period, the personal data will be irreversibly deleted.

Are data shared with other subjects?

Your personal data may be processed by the staff of the Joint Controllers, specifically appointed, trained and instructed pursuant to Article 29 of the GDPR.

Your personal data may be processed, to the extent necessary, by third parties, as data processors, for the purposes indicated above. The data processors are:
-    the tourist information and reception offices (in italian these offices are called Informazione e Accoglienza Turistica-IAT) of the Municipality with territorial competence, to support the Joint Controllers in managing event and service bookings and in the execution of service sales;
-    providers of services supporting the management and sending of the newsletter;
-    entities appointed to provide IT hardware and software, as well as maintenance activities;
-    entities appointed to support the Joint Controllers in ensuring proper compliance with applicable regulations (for example, accountants, lawyers, consultants, etc.)
The updated list of data processors can always be requested from the Joint Controllers, using the contact details provided at the beginning of this privacy policy.

Your personal data may be processed, to the extent necessary, by third parties, as independent data controllers, for the purposes indicated above. The independent data controllers may include:
-    Entities that organise the booked or the purchased event and entities that sell the product or provide the purchased service (for example, hotels, restaurants, theme parks, event and congress service companies, etc.) (purposes nn. 1 and 2);
-    Tax or accounting authorities, for the fulfilment of obligations incumbent on the Joint Controllers (purpose n. 3);
-    Judicial authorities, for the establishment/exercise/defence of a right, or for compliance with related requests (purposes nn. 4 and 5).

What are my rights?

As a data subject, you have the right to:
- request information about the personal data processed and obtain a copy in a structured and readable format;
- not be subject to automated decisions, unless you consent to them;
- request the rectification of inaccurate data relating to you, their erasure, or their use only for certain purposes.

Please note, however, that in some limited cases we may not be able to fulfil your requests, such as when we are prohibited from doing so by law or by order of an Authority.
Your requests must be addressed to one of the Joint Controllers, using the contact details provided at the beginning of this privacy policy.

You also have the right to lodge a complaint with the competent supervisory authority if you believe that the processing of your personal data is contrary to the applicable legislation.

Where are my data stored?

Your data will only be processed within the European Economic Area. It is possible that some of our suppliers, in their capacity as Data Processors, also store data in third countries, which, however, guarantee an adequate level of protection of the rights of the Data Subject by virtue of compliance with one or more of the conditions set out in Articles 45-47 of the GDPR. Data collected through third-party cookies may be transferred to third countries in accordance with what is indicated in our Cookie Policy [https://www.lagodigardaveneto.com/en/cookies] and in the privacy policies of the third parties. We acknowledge, however, that in cases where the service providers are US companies, US government authorities may have access to such data, if the conditions provided by law are met.

How will I be informed of any changes to this Policy?

The Data Controller will update this Policy when it considers it necessary. If there are material changes, in particular with respect to the purposes for which we use your personal data, we will notify you by e-mail, to the address you may have provided, or by means of a notice on the Site.