Privacy Policy

The 3 Zinnen Dolomites Consortium, with registered office at Schattenweg 2/F, San Candido (BZ) - 39038, VAT number IT01150180212 (hereinafter referred to as “the Data Controller” or “the Controller”), is committed to protecting the online privacy of natural persons while they browse and use the services on the website https://www.dreizinnen.com (hereinafter referred to as the “Portal” or “Website”).

This document outlines all aspects of personal data processing of website users (hereinafter “the data subject”) carried out through the website in accordance with Article 13 of Regulation (EU) No. 2016/679 (hereinafter “the Regulation”). According to the Regulation, processing is carried out by the Controller through the website in accordance with the principles of lawfulness, fairness, transparency, purpose limitation and data retention, data minimization, accuracy, integrity, and confidentiality.

The controller of the data processing carried out through the Portal is the 3 Zinnen Dolomites Consortium as indicated above and can be contacted through the means specified in the “Contacts” section (see Article 10).

Navigation / Usage Data:
Information collected during the user’s visit to the website (e.g., IP address, URI notation addresses, browser history, data on interactions with the website, data about the user’s computing environment, browser type and language, operating system, location, date and time of the request). This information is not collected to be associated with identified individuals, but due to its nature and potential linking with third-party data, could allow identification.

Data Voluntarily Provided by the User:
Personal data voluntarily submitted through specific forms on the website (e.g., registration, contact, comments, reviews, posts, etc.). This information may include: identification data (first name, last name, tax ID number, username, user ID, password, place and date of birth, etc.), profile photo, contact and location details (home address, email address, phone number, postal address, etc.).

Business Data:
Information necessary for fulfilling financial and tax obligations related to the provision of website services (e.g., payment information, VAT number, purchase history, product or service usage data, credit and billing information, support requests, etc.).

Sensitive Data:
So-called “special categories of personal data” under Article 9 of the Regulation, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data regarding a person’s sex life or sexual orientation.

Localization or geolocation data (or mobility data):
Information indicating the geographical location (latitude, longitude, altitude, direction of movement, time of location recording) of the end device (e.g., smartphone, PC) used by a user of the website service.

Data from online forms
Various online forms are provided on the portal, for example for registering for special events or for non-binding inquiries about stays and accommodations. Below we inform you about their functionality and data protection framework:

a) Purpose and functionality
The forms provided are used solely to forward your inquiry directly to the respective local tourism association ("TV").

b) Roles of the parties involved
The 3 Zinnen Dolomites Consortium provides the technical infrastructure (website, form backend) and acts solely as an intermediary or hosting provider in this context.
The respective addressed TV is solely responsible for processing the data you submit (e.g., handling the inquiry, sending offers, booking processing).

c) No access by the Consortium
The Consortium does not have access to the content of the data you enter. After successful transmission, this data is neither stored nor otherwise used.

d) Legal basis and information obligations of the TV
Your data will be processed by the respective TV based on its own privacy policy. This will be provided to you by the TV upon receipt of your inquiry and includes all relevant information in accordance with Art. 13 of the GDPR.

e) Your data subject rights
To request information, rectification, deletion, or to object to the processing of the transmitted form data, please contact the responsible TV directly. Their contact information is included in the response email.

f) Tourism associations
You can find the contact information of the tourism associations here:

Tourism Association Innichen
Pflegplatz 1
I-39038 Innichen – Hochpustertal
Dolomites - South Tyrol – Italy
Tel. +39 0474 913149
info@innichen.it

Tourism Association Sexten
Dolomitenstraße 45
I-39030 Sexten - Hochpustertal
Dolomites - South Tyrol – Italy
Tel. +39 0474 710310
info@sexten.it

Tourism Association Toblach
Dolomitenstr. 3
I-39034 Toblach - Hochpustertal
Dolomites - South Tyrol – Italy
Tel. +39 0474 972132
info@toblach.info

Tourism Association Niederdorf
Bahnhofstr. 3
I-39039 Niederdorf - Hochpustertal
Dolomites - South Tyrol – Italy
Tel. +39 0474 745136
info@niederdorf.it

Tourism Association Prags
Außerprags 78
I-39030 Prags - Hochpustertal
Dolomites - South Tyrol – Italy
Tel. +39 0474 748660
info@pragsertal.info

Provision of the service:
Responding to information requests received via the website; providing content and services that are the subject of the website; sending notifications and updates related to the requested service to the user.

Payment and invoicing:
Managing the economic and tax aspects related to the sale of products/services via the website.

Ensuring security, preventing misuse and fraud, error tracking:
Monitoring and preventing fraudulent activities and ensuring that systems and processes function properly and securely.

Legal protection:
Allowing the controller to protect or exercise a right in court.

Legal obligation:
Fulfillment of a legal obligation to which the controller is subject.

• Contract / Pre-contractual measures:
  The processing of personal data is based on Art. 6(1)(b) GDPR (“[…] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”).
• Consent of the data subject:
  The processing is based on Art. 6(1)(a) GDPR (“[…] the data subject has given consent to the processing of their personal data for one or more specific purposes”).
  Consent is given freely and voluntarily by the user and does not affect the use of other services on the website. It may be revoked at any time via the cookie preference selection form or by contacting the controller at the address listed in the [Controller Contact] section.
• Legitimate interests of the controller:
  The processing is based on Art. 6(1)(f) GDPR (“[…] processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”).
• Legal obligation:
  The processing is based on Art. 6(1)(c) GDPR (“[…] processing is necessary for compliance with a legal obligation to which the controller is subject”).
• Protection of vital interests:
  Based on Art. 6(1)(d) GDPR (“[…] processing is necessary in order to protect the vital interests of the data subject or of another natural person”).
• Public interest task:
  Based on Art. 6(1)(e) GDPR (“[…] processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”).

Processing is carried out by manual and/or automated means, including with the help of IT and telematic technologies (e.g., CRM, management software, mailing list services), subject to the implementation of appropriate technical and organizational security measures to ensure the security, integrity, and confidentiality of personal data, in order to minimize the risks of destruction, loss, unauthorized access, alteration, and disclosure in accordance with Articles 6 and 32 of the GDPR.

The controller does not intend to transfer personal data to countries outside the European Union. However, if necessary for organizational or production reasons (for example, but not limited to, using providers and/or cloud services that require data transfer abroad), appropriate safeguards will be established. These may include: verification of the existence of adequacy decisions by the European Commission, signature of standard contractual clauses and/or binding corporate rules, or implementation of additional measures as per EDPB Recommendation 01/2020.

Personal data will only be stored for as long as is strictly necessary to fulfill the purposes specified in this document or as required by applicable regulations.

Specifically:

• Data processed for the purpose of “provision of the service” will be stored for a maximum of 10 years.
• Data processed for the purpose of “payment and invoicing” will be stored for up to 10 years (Art. 2220 Italian Civil Code).
• Data processed for direct marketing purposes will be stored for up to 2 years, or until the user revokes their consent.
• The duration of each cookie can be found in the “Cookie Policy.”
• Regardless of the above, the controller reserves the right to retain personal data for the duration permitted under Italian law for the purpose of “legal protection” of its own interests (Art. 2946 and 2947 paragraphs 1 and 3 of the Italian Civil Code).

After the expiry of the retention periods, the personal data will be deleted or anonymized unless retained for other purposes based on appropriate legal grounds.

The personal data collected by the controller may be communicated or made accessible to the following categories of recipients for the purposes mentioned above:

• Employees and collaborators who assist the controller in processing, subject to express authorization and possible confidentiality agreements.
• Parties acting as data processors on behalf of the controller: providers of cloud-based IT services, professionals, companies or firms providing assistance and consultancy, or entities responsible for hosting and technical maintenance, including software, network devices, and electronic communication networks.
• Independent controllers who must receive the data in order to provide the service requested by the data subject.
• Independent controllers pursuing their own purposes (subject to the data subject’s consent).
• Authorities where such disclosure is required by law.

After the expiry of the retention periods, personal data will be deleted or anonymized unless retained for other purposes based on appropriate legal grounds.

The data subject may access their data at any time and request correction, deletion, restriction of processing, and data portability. They may also object to processing in whole or in part and have the right not to be subject to a decision based solely on automated processing — including profiling.

To exercise the rights provided under Articles 15–22 of the GDPR, the data subject can contact the controller using the details provided in the “Contact” section (see Article 10).
The controller is required to respond within 1 month or notify of delays in processing (not exceeding 2 months in total) in the case of numerous and/or complex requests.
The data subject also has the right to lodge a complaint with the competent supervisory authority (data protection authority) in accordance with Article 77 of the Regulation if they believe the processing of their data violates applicable law.

For further information on the processing of personal data in the context of contract fulfillment or to exercise your rights, you can contact the controller at the following email address: info@dreizinnen.com