In accordance with the legislation indicated, this processing will be based on the principles of correctness, lawfulness, transparency and protection of your confidentiality and rights. Pursuant to Article 13 of GDPR 2016/679, we therefore provide you with the following information:

A – Le informazioni personali (quali il nome, il cognome, i dettagli del documento di identità e una copia dello stesso, il numero di telefono, l’indirizzo email, ecc.) saranno richieste al momento della sua adesione, in base al tipo di associazione che richiede. In conformità con l’articolo 28 del Regolamento Generale sulla Protezione dei Dati (GDPR) 2016/679, il Responsabile del trattamento dei dati relativi alle prenotazioni effettuate tramite il sito web ufficiale dell’azienda, utilizzando la piattaforma https://woocommerce-1403055-5448302.cloudwaysapps.com/ , è rappresentato dalla società San Siro Benessere srl a Socio Unico.

The Company, as the controller of your personal data, provides you with information on the use of such data and your rights, so that you can knowingly give your consent, if necessary, and assert your rights under the General Data Protection Regulation (European Regulation 679/2016, hereinafter: "the Regulation").

Your personal data (provided by you, by third parties or collected, within the limits of the law, from public sources) may be processed for the following explicitly stated purposes: fulfilment of a contract, fulfilment of an obligation outside the contract, fulfilment of a legal obligation, protection of your own rights or those of third parties. The legal basis for the processing may be:

• A - Obligation by law or regulation,
• B - Contract with the person concerned or performance of contracts,
• C - Legitimate interest of the controller or a third party,
• D - Vital and urgent interest of the person concerned
• E - Explicit consent of the person concerned
• F - Performance of a task in the public interest.

Below, we explain in detail the meaning of the different purposes:

1. Legal purposes: this category includes the fulfilment of obligations laid down by law, regulations, European Union legislation and the provisions of legally authorised authorities or competent supervisory or control bodies (in these cases, your consent is not required as the processing of the data is linked to the fulfilment of such obligations/provisions). The data processed for legal reasons include those related to tax regulations and anti-money laundering registers.
2. Contractual and administrative-accounting purposes: this type of processing concerns the fulfilment of obligations arising from contracts to which you are party or the execution of specific requests made by you prior to the conclusion of the contract. This may include the use of distance communication techniques, such as a dedicated telephone call centre. In these cases, your consent is not required as the processing of your data is for the purpose of managing the relationship or executing your requests. These processing operations also include the mutual protection of interests in legal disputes, tax purposes and other legal obligations, such as anti-money laundering record keeping, if applicable.
3. Direct commercial purposes: this type of processing concerns the sending of information and informative, commercial and advertising material on products, services or initiatives of the company, in order to promote them, carry out direct sales, conduct market research and verify the quality of the products or services offered. Data may be processed with your voluntary consent or on the basis of the legitimate interest of the company, provided that it does not conflict with your rights.
4. Profiling: the purpose of this processing is to optimise commercial offers, carry out targeted commercial communications, conduct statistical research and create profiles based on your personal preferences, behaviour and attitudes, in order to make appropriate commercial decisions or analyse and predict your preferences for commercial purposes. In these cases, your consent is optional and does not affect your relationship with the company.
5. Indirect commercial purposes: this category includes the sharing of your data with third parties who carry out autonomous commercial activities, as described in the previous section. Again, your consent is optional and does not affect your relationship with the company.
6. Post-commercial purposes: this processing relates to the investigation of the reasons for the termination or revocation of relations with the company, after they have ended. Again, your consent is optional and does not affect your relationship with the company.

Particular data,' also known as 'sensitive data' are personal data that may reveal ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify an individual, data relating to a person's health, sex life or sexual orientation (Art. 9 of the Regulation), or data relating to criminal convictions and offences or related security measures (Art. 10 of the Regulation). This data can only be processed with your explicit written consent or if one of the reasons listed in Art. 9 para. 2 and Art. 10 of the Regulation is applicable. Consent is optional, but refusal to give consent could jeopardise the performance of one or more activities required of the company, which specifically concern matters requiring the processing of such data.

Consent to the processing of your data may be binding for the conclusion of contracts with the Controller or third parties. Only data whose processing is essential for the conclusion of the contract are binding for the conclusion of the contract, whereas you can freely give or withhold consent for non-essential data, in particular for profiling, commercial communications and marketing purposes.

The Data Controller collects and processes your data in order to protect your vital interests if you are under 18 and over 14 years of age. Your data will be treated with the utmost confidentiality and only for the time strictly necessary to provide the requested services to the Controller, excluding any other purpose beyond the ongoing relationship between you and the Controller.

Your data may be shared with third parties for the purposes stated by the Controller. In particular, it may be transferred to third countries subject to an adequacy finding or, failing that, subject to your explicit consent.

B - DATA PROCESSING METHODS.

Your data is processed by means of manual/paper filing and electronic and automated means, in accordance with the above-mentioned purposes. If you have given your consent, the processing may include profiling or comparison of data. The Company has implemented technical and organisational measures to prevent and limit the risk of loss, deterioration or theft of your data, and to ensure timely recovery in the event of a data breach.

The processing is designed to ensure the security, protection and confidentiality of your data. Within the company, staff responsible for or in charge of the processing may have access to your personal data, including employees, managers, directors or partners of the company who occupy administrative, collaborative or commercial positions with self-employment contracts within the company structure. These persons have received the appropriate training from the Company to ensure the storage, updating and security of your data, so consent is not required from these individuals, as it is required by law.

Outside the company, your data may be processed by collaborators with self-employment contracts operating outside the company's structures, as well as by consultants of various kinds (lawyers, accountants, tax consultants, etc.) who work with the company. Again, external parties have received the appropriate training to ensure the storage,updating and security of your data, and the company has taken contractual and organisational measures to ensure that the data is processed in accordance with GDPR 2016/679.

The company may use third-party service providers to carry out certain activities involving the processing of your data. However, these providers act exclusively on behalf of the company and follow the instructions provided by the latter, ensuring maximum data security and confidentiality. External providers may be subject to specific rules and regulations, ensuring an adequate level of data protection.

C - DATA RETENTION PERIOD.

Your personal data will be kept for the period necessary to achieve the purposes for which it was collected. The retention period may vary depending on the purpose of the processing. For example:

• Contractual and administrative-accounting purposes: data will be kept for the duration of the contract and for the subsequent period required by law to fulfil tax and accounting obligations.
• Direct business purposes: data will be retained as long as your consent is in force or until you exercise your right to object.
• Profiling: data will be retained as long as your consent is in force or until you exercise your right to object.
• Indirect commercial purposes: data will be retained as long as your consent is in force or until you exercise your right to object.
• Post-commercial purposes: data will be retained as long as your consent is in force or until you exercise your right to object.

In some cases, the company may be obliged to retain the data for a longer period based on regulatory requirements or to protect its interests in the event of legal disputes.

D - RIGHTS OF THE DATA SUBJECT.

As a data subject, you have the right to obtain confirmation as to whether or not personal data concerning you exists, even if it has not yet been recorded, and its communication in intelligible form. You have the right to be informed:

• the origin of personal data;
• the purposes and modalities of the processing;
• the logic applied in the event of processing carried out with the aid of electronic instruments;
• the identification details of the holder, the persons responsible and the representative designated pursuant to Article 5(2);
• of the entities or categories of entity to whom or which the personal data may be communicated or who or which may become aware of them in their capacity as designated representative(s) in the territory of the State, data processor(s) or person(s) in charge of processing.

He is entitled to obtain:

• updating, rectification or, when interested, integration of the data;
• the cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose storage is not necessary in relation to the purposes for which the data were collected or subsequently processed;
• certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.

You have the right to object, in whole or in part:

• for legitimate reasons to the processing of personal data concerning you, even if they are relevant to the purpose of collection;
• the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication.

You have the right to data portability, i.e. the right to receive personal data concerning you in a structured, commonly used and machine-readable format, and you have the right to transmit such data to another data controller without hindrance. Furthermore, he has the right to withdraw his consent at any time without affecting the lawfulness of the processing based on the consent given before the withdrawal.

E - WAYS OF EXERCISING RIGHTS.

You may assert your rights at any time by writing to the Controller by registered letter with acknowledgement of receipt at the company's registered office or by email at info@demontel.it. The Controller shall respond to your request without undue delay and, in any case, within one month of receipt thereof. Scuderie De Montel - Terme di Milano srl a Socio Unico Registered office: Largo A. Ildefonso Schuster 1 - 20122 Milan

F - REQUEST FOR CONSENT AND REVOCATION.

Consent to the processing of data is optional. However, failure to provide consent for the processing of the data strictly necessary for the conclusion and execution of the contract may result in the impossibility of proceeding with the contractual relationship or failure to fulfil contractual obligations.

The provision of consent for the purposes of profiling, commercial communications, marketing and the sharing of data with third parties for indirect marketing purposes is optional and does not affect the conclusion of the contract. You may revoke your consent at any time without affecting the lawfulness of the processing based on the consent given prior to revocation. Withdrawal of consent means that the company cannot pursue the purposes for which consent is required.

G - COMPLAINT TO THE SUPERVISORY AUTHORITY.

In any case, you have the right to lodge a complaint with the competent supervisory authority (Garante per la protezione dei dati personali) if you consider that the processing of your personal data is contrary to the applicable legislation.

H - DATA CONTROLLER.

The Data Controller is San Siro Terme, with registered office in Scuderie De Montel - Terme di Milano srl a Socio Unico Registered office: Largo A. Ildefonso Schuster 1 - 20122 Milan Tax code and VAT number: 11763560965. The Data Controller may appoint, if necessary, one or more data processors, specifying them in this notice or communicating them to the data subject at a later date.

I - UPDATES.

This policy may be subject to updates. Any future changes will be published on the company's website and, if relevant, communicated directly to the person concerned.

Please read this policy carefully and contact us if you have any questions or require further information.

• [Representative]: Not applicable.
• [Responsible persons]: The CEO and department heads.
• [RDP/DPO]: Luca Rampazzo.
• Ways to Exercise Your Rights:
  You can make written requests by sending them to the company address, Largo A. Ildefonso Schuster 1 - 20122 Milan - or by e-mail to privacy@demontel.it. Alternatively, if available, you can do this yourself in the personal online area using a unique identifier.