Privacy Policy
Lanzo Valleys Tourist Operators Consortium
(Information pursuant to Articles 13 and 14 of EU Regulation 2016/679 – GDPR)
Last updated: May 14, 2026
1.1 Identity and Contact Details of the Owner
The Data Controller of the personal data collected through this website is:
Consorzio Operatori Turistici Valli di Lanzo, with registered office in Fraz. Fé 2 – 10070 Ceres (TO), VAT no. IT08207460018, can be reached at the following addresses:
- E-mail: info@turismovallidilanzo.it
- PEC: consorzio.operatorituristicivallidilanzo@pec.it
- Tel. +39 389 8379177
For any requests regarding the processing of your personal data, the interested party may contact the Data Controller at the contact details above.
1.2 General Principles of Processing
The Data Controller processes personal data in compliance with the principles established by art. 5 of the GDPR:
- Lawfulness, fairness, and transparency: data is processed lawfully, fairly, and transparently with respect to the data subject.
- Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
- Data minimization: The data collected is adequate, relevant, and limited to what is necessary for the purposes of the processing.
- Accuracy: The data is accurate and, where necessary, updated.
- Storage limitation: Data is stored in a form that permits identification of data subjects for a period of time no longer than is necessary for the purposes for which it was collected.
- Integrity and confidentiality: data is processed in a manner that ensures adequate security.
1.3 Types of Data, Purposes and Legal Bases
A) Browsing data
During normal navigation of the site, the computer systems and software procedures automatically acquire some personal data whose transmission is implicit in the use of Internet communication protocols.
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| IP address, browser, operating system, domain, pages visited, time | Site operation and security | Legitimate interest of the Data Controller (Article 6, paragraph 1, letter f), GDPR) | 7 days |
B) Contact form
The site provides a contact form through which users can send requests for information, quotes, or communications to the Consortium.
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Name, email, telephone number (optional), subject, message text | Management and response to information requests | Implementation of pre-contractual measures taken at the data subject’s request (Article 6, paragraph 1, letter b), GDPR) | 24 months from the closure of the case |
C) Newsletter Subscription
The Consortium offers the opportunity to subscribe to a newsletter containing information about the activities, events, and tourist offers of the Lanzo Valleys.
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address | Sending of informational and promotional communications (newsletter) | Free, specific, and unambiguous consent of the data subject (Article 6, paragraph 1, letter a), GDPR | Until consent is withdrawn |
The data subject may withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal, by clicking the unsubscribe link included in every communication or by contacting the Data Controller. Following withdrawal, the data will be deleted pursuant to Art. 17 of the GDPR.
1.4 Data Recipients
Personal data will not be disclosed to third parties for their own commercial purposes. However, it may be shared with:
- Technical suppliers who provide services essential to the operation of the site (hosting, technical assistance, newsletter sending), appointed as Data Processors pursuant to Art. 28 GDPR;
- Google LLC (United States of America), for the Google Analytics and Google reCAPTCHA services integrated into the site (see the Cookie Policy for details);
- Competent authorities (judicial, police or supervisory authorities) in cases provided for by law.
1.5 Transfer of Data to Third Countries
Using Google Analytics and Google reCAPTCHA services involves the transfer of personal data to the United States of America.
Legal basis for the transfer: The transfer is primarily based on the European Commission (EU) Adequacy Decision 2023/1795 of July 10, 2023, which established the EU-U.S. Data Privacy Framework (DPF). This decision establishes that U.S. organizations adhering to the DPF guarantee a level of protection essentially equivalent to that of the European Union, pursuant to Article 45, paragraph 1, GDPR and Article 1 of Decision (EU) 2023/1795.
The Data Controller has verified Google LLC’s active DPF certification on the official portal of the U.S. Department of Commerce. If, for any reason, Google LLC is not or ceases to be certified under the DPF, the transfer will be based on the Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46, paragraph 2, letter c), GDPR, supplemented where necessary by additional security measures.
For further information on the transfers and guarantees adopted, the data subject may contact the Data Controller at the contact details indicated in section 1.1, as indicated in Article 13, paragraph 1, letter f), GDPR.
1.6 Consent of Minors
Pursuant to Article 2-quinquies of Legislative Decree 196/2003 (Privacy Code), consent to the processing of personal data of minors is valid from the age of 14. The Data Controller does not intentionally collect data from individuals under this age. Should it become aware of such data, it will promptly delete it.
1.7 Rights of the interested parties
The data subject has the right to exercise, at any time, the following rights pursuant to Articles 15–22 GDPR:
| Right | Legislative Reference | Description |
|---|---|---|
| Access | Art. 15 GDPR | Obtain confirmation of processing and a copy of your data |
| Rectification | Art. 16 GDPR | Correct inaccurate or incomplete data |
| Erasure (“right to be forgotten”) | Art. 17 GDPR | Obtain the erasure of your data, even if you withdraw your consent |
| Restriction of processing | Art. 18 GDPR | Temporarily block processing |
| Portability | Art. 20 GDPR | Receive your data in a structured format |
| Objection | Art. 21 GDPR | Objection to processing, especially for direct marketing |
| Withdrawal of Consent | Art. 7, par. 3, GDPR | Withdraw your consent at any time |
How to exercise your rights: The interested party may send their request via email or certified email to the addresses indicated in section 1.1.
Response times: The Data Controller will respond within 30 days of receiving the request, unless a justified extension of 60 days is requested in the event of complexity, pursuant to Art. 12, paragraph 3, GDPR.
Right to lodge a complaint: The data subject has the right to lodge a complaint with the competent supervisory authority, namely the Italian Data Protection Authority (www.garanteprivacy.it).