INFORMATION ON THE PROCESSING OF PERSONAL DATA
Art. 13 of Regulation (EU) 2016/679

Pursuant to and for the purposes of (i) Legislative Decree No. 196 of 30 June 2003, the "Privacy Code", (ii) EU Regulation 2016/679 on the"protection of individuals with regard to the processing of personal data and on the free movement of such data", ", the "GDPR", Articles. 13 and 14, rules also jointly referred to as the 'Privacy Regulations', a number of obligations are laid down for the data controller -  - "the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use , communication by transmission, dissemination or otherwise making available, comparison, interconnection, restriction, erasure or destruction' ” -(hereinafter the 'Processing') of information concerning an identified or identifiable natural person“(the 'Data Subject').).

Carosello 3000 s.r.l. C.F. and P.I. 92007680140, with registered office in Via Saroch 316, 23030 Livigno (SO) (the "Company") wishes to inform you, in the following sections, about the methods and purposes of the processing of your personal data.

A) Data Controller and Data Protection Officer

The Data Controller is the entity that determines the purposes and means of the processing of personal data (the “Controller") ”) and is identified in CAROSELLO 3000 S.r.l.

The Data Controller may be contacted by mail at the address of the registered office: Via Saroch 316, 23030 Livigno (SO), or by e-mail at: info@carosello3000.com. info@carosello3000.com.

The Data Protection Officer is Seneca S.r.l. and may be contacted by post at the registered office address: Via Piccinini 2, 24122 Bergamo (BG), or by e-mail at: dpo@carosello3000.it.

B) Method of collecting data from the data subjectdell’Interessato

The Controller may become aware of your data in the following circumstances:

  • in the event of contact requests made via the company's websites, by e-mail or by telephone, in order to request information on the products and services offered by the company;
  • during the performance of a contract (purchase of a good or service) or the use of services offered to the public, including pre-contractual negotiations;
  • where you provide your data during the recruitment and selection process;
  • where you provide your data in order to receive commercial communications, newsletters newsletterand/or to be updated on events organised and marketing initiatives undertaken by the Company;
  • where you provide your data for the use of the wi-fi network;
  • where you provide your data for the use of the MY3000 application;
  • where you authorise the use of your data to enable the company to carry out market analysis and surveys;
  • where you provide your data by interacting with the Company'ssocial channel;
  • where business partners of the Company have legitimately disclosed your personal data.

C) Categories of data subject to processing

The following categories of personal data concerning you exemplify the types of data that may be collected through the various services and contact channels described in this document:

Identifying data – name, address, e-mail address, telephone number, gender, date of birth, ID, social security number, images (photo/video).

Financial Data – bank details and IBAN.

Biographical data – education, professional experience, continuing education, public social media profile, hobbies and interests.

Profiling data – demographic, behavioural, interaction, usage, consumption data collected via cookies, pixel tags and other technologies, IP address and geolocation.

(the “Data")

D) Purpose of Processing

Your personal data will be processed, mainly with IT tools, for the purposes described below:

  1. Responding to specific requests: Your Identifying Data will be used to provide a specific response or service you have requested through the Controller's communication and contact channels (e-mail, websites, telephone).
    You must provide the data marked with an asterisk in the online forms in order to complete the request.
    Legal basis: to implement pre-contractual measures or a contract to which you are a party (Art.6 par.1 letter b of the GDPR).
    Retention policy: Data will be retained for the time strictly necessary to pursue the purposes for which it was collected and in any case no longer than ten years from receipt of the request.
  2. Establishment of the relationship and execution of the contract: Your Identifying and Financial Data will be used to respond to all your commercial requests, to acquire any other preliminary information necessary for the establishment of the relationship, or for the execution of the contract with you. The provision of Data is mandatory as it is required for the fulfilment of legal and contractual obligations. Any refusal to provide them or any subsequent opposition to their processing may result in the impossibility for the Data Controller to carry out contractual relations.
    Legal basis: to implement pre-contractual measures or a contract to which you are a party (Art.6 par.1 lett.b of the GDPR).
    Retention policy: Data provided in the context of your request will be retained for a maximum of five years. Data processed to execute a contract may be kept for the entire duration of the relationship as well as for ten years from the date of its termination.
  3. Fulfilment of legal obligations: your Identifying and Financial Data, provided in the context of the Purposes referred to in point b) above, may be used to fulfil any civil, administrative, fiscal, accounting obligation required by law, regulation, European legislation or an order of the Authority and deriving from the relationship(s) with you. Legal basis: to execute the relationship to which you are party (Art. 6 par. 1 lett. b of the GDPR), to fulfil a legal obligation to which the Controller is subject (Art. 6 par. 1 lett. c of the GDPR. Retention policy: Data may be retained for as long as necessary to fulfil legal obligations and, in any case, for the entire duration of the contract, as well as for ten years after the end of the fiscal year following the relevant one.
  4. Selection of candidates : your Identifying and Biographical Data communicated during the selection process and contained in your curriculum vitae will be used to assess your skills, experience and qualifications, in order to select the most suitable profiles for open positions, as well as to contact you for further interviews or to inform you about the outcome of the selection process.
    Legal basis: to implement pre-contractual measures or a contract to which you are a party (Art.6 par.1 lett. b of the GDPR).
    Retention policy: Data will be retained for the time strictly necessary to pursue the purposes for which they were collected and in any case no longer than six months after the conclusion of the selection.
  5. Customer retention and marketing: Your Identifying Data will be used to provide you with news and offers - by automated means of contact (such as e-mail, sms) and/or traditional means (such as paper mail) relating to the services offered by the Company - and/or invitations to events and shows organised by the Company.
    The provision of Data is optional and failure to provide it or failure to authorise its processing will result in the impossibility of carrying out the activities indicated therein.
    Legal basis: consent given by you as a Data Subject (Art. 6 para. 1 lett. a of the GDPR).
    Retention policy: the Data may be processed until your freely given consent is revoked. When each communication is sent, you will be informed of the possibility to object to the Processing at any time, easily and free of charge.
  6. Sending of communications for products or services similar to those requested: your Identifying Information, provided (in particular your e-mail address) in the context of a commercial transition, may be used to send promotional communications relating to products or services similar to or in any case inherent to those being sold (e.g. notices for tests and promotions of mountain sports equipment manufacturers)..
    Legal basis: for the pursuit of a legitimate interest of the Data Controller consisting in promoting its products or services similar to those previously purchased by the Data Subject (Art. 6 para. 1 lett. f of the GDPR).
    Retention policy: Data may be retained until the right to object to the processing is exercised. When each communication is sent, you will be informed of the possibility of objecting to the Processing at any time, easily and free of charge.
  7. Carrying out market studies and detecting the degree of satisfaction: your Identifying Data, provided within the scope of the Purposes referred to in point b) , may be used for sending questionnaires, carrying out market studies and/or detecting your degree of satisfaction.
    Legal basis: for the pursuit of a legitimate interest of the Data Controller consisting in understanding customer preferences, market trends and enabling the Company to improve the services offered (Art. 6 par. 1 letter f of the GDPR).
    Retention policy: Data may be retained until the right to object to the processing is exercised. When each communication is sent, you will be informed of the possibility of objecting to the Processing at any time, easily and free of charge.
  8. Profiling: Your Identifying and Profiling Data may be used in aggregate form to assess personal aspects, analyse or predict aspects of consumer preferences, through data analysis models, statistical algorithms and predictive models.
    Legal basis: for the pursuit of a legitimate interest of the Data Controller consisting in understanding customer preferences, market trends and enabling the Company to improve the services offered (Art. 6 par. 1 letter f of the GDPR).
    Retention policy: Data may be retained for as long as strictly necessary and in any case for a period not exceeding 24 months.
  9. Social Network Interactions: Your Identifying Information collected from interactions, such as private messages and comments posted on our Socialchannels, may be used to improve our understanding of your needs, preferences and interests.
    Legal basis: to execute pre-contractual measures or a contract to which you are party (Art.6 par.1 lett. b of the GDPR).
    Retention policy: Data collected through the private messaging of Social the Social channel will be kept for the time strictly necessary to pursue the purposes for which it was collected . The Data that you communicate publicly, via comments, are subject to the retention period defined by the policies of the Social channel that you use to interact with the Company.
  10. Use of the wi-fi network: your Identifying Data provided during registration to the wi-fi system made available by the Company will be used to allow you to use the service. Any refusal to provide them or any subsequent opposition to their processing may make it impossible for the Data Controller to provide the service.
    Legal basis: to implement pre-contractual measures or a contract to which you are a party (Art.6 par.1 lett. b of the GDPR).
    Retention policy: Data may be retained for the time strictly necessary for the provision of the service and in any case for a period not exceeding 24 months.
  11. Use of MY3000 Application: Your Identifying and Profiling Data will be processed to allow you to use the services of the MY3000 Application developed and provided by the Company.
    Any refusal to provide them or any subsequent objection to their processing may make it impossible for the Data Controller to provide the service.
    Legal basis: to implement pre-contractual measures or a contract to which you are a party (Art.6 par.1 lett. b of the GDPR).
    Retention policy: Data may be retained until the right of deletion is exercised.
  12. Video-surveillance: photographic images and recordings concerning you may be processed via the video-surveillance system installed at the Company's premises, for the purpose of protecting the Company's assets and the safety of persons in accordance with the 8/4/2010 Order of the Supervisory Authority for the Protection of Personal Data.
    Legal basis : pursuit of a legitimate interest of the Data Controller (art. 6 par.1 lett. f) of the GDPR) coinciding with the safeguarding and protection of the company's assets for the protection of the vital interests of the data subject or another natural person (art.6 par.1 lett.d) of the GDPR);
    Storage Policy : Your Data will be stored on the company servers for 24 (twenty-four) hours, subject to special requirements for further storage in connection with holidays or extended shutdowns, as well as at the request of the Judicial and/or Civil Protection Authorities.
      or in the use of data related to the employment relationship including the exercise of disciplinary power.
  13. Promotion of the Company's core and events : in order to promote the Holder's activities, at events organised by the Company or when you use the services made available by the Holder, such as restaurants, ski slopes, trails or other facilities, etc. , images of you may be collected and published in brochures, on the website, social channels and/or in any other form or means of transmission, whether existing or to be invented in the future.
    Legal basis of the processing : freely expressed consent to the processing of data (Art. 6 para. 1 lit. a) of the GDPR). The stay in the place where the event will take place and in the places where the services will be enjoyed will be considered as consent to the audiovisual collection and possible subsequent dissemination.
    Retention policy: Images will be retained in the Company's archives until consent is revoked, subject to publication in printed catalogues or other media.

E) Methods of data processing

In relation to the aforementioned purposes, the Company carries out Data Processing, in compliance with the security measures set out in Article 32 of the GDPR, by means of manual, computerised and telematic tools, designed to store, manage and transmit the Data, solely for the purpose of pursuing the purposes for which they were collected and, in any case, in such a way as to guarantee their security and confidentiality, as well as compliance with the principles of correctness, lawfulness and transparency.

The Data Controller carries out Processes consisting of automated decision-making processes on the Data processed.

F) Scope of data communication

Your data may be made accessible to:

  • employees and collaborators of the Company in their capacity as persons authorised and/or designated for the Processing and/or system administrators;
  • consultants and suppliers who - on behalf of the Controller - perform administrative, accounting, tax or legal activities in outsourcing;
  • IT service providers offering services related to information technology and IT infrastructure any cloud providers and management software for managing the booking, checking availability, confirmation and payment of the stay;
  • marketing agencies to manage advertising campaigns;
  • Health authorities for the rescue service;
  • Supervisory Bodies, Judicial Authorities as well as to all Institutional Bodies to which communication is mandatory by law for the fulfilment of the said purposes;
  • other third parties in order to perform the services specifically requested. These third parties are only provided with the information necessary to perform the relevant functions.

All parties outside the organisation are authorised and instructed to process your Data in accordance with Article 28 of the GDPR.

G) Transfer of data to a third country or international organisation

The Data are processed within the European Union and stored on servers located there. It is in any case understood that the Data Controller, should it become necessary, shall have the right to transmit such data to a third country or international organisation and/or move the servers also outside the EU. In this case, the Data Controller guarantees as of now that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, as per Art. 44 of the Privacy Code and Art. 46 et seq. of the GDPR.

H) Rights of the Data Subject

Lastly, the Company informs you that, pursuant to current legislation on the protection of personal data, you may exercise specific rights at any time - as set out in Articles 15-22 of the GDPR - and in particular you may ask the Data Controller:

  1. the right of access, i.e. the possibility to obtain from the Controller confirmation as to whether or not personal data are being processed and, if so, to obtain access to one's personal data;
  2. the right to rectification, , including the integration of incomplete personal data ;
  3. the right to the deletion of data without delay at the request of the data subject, and compulsorily if:
    • personal data are no longer necessary in relation to the purposes of the Processing;
    • the consent on which the Processing is based is revoked and there is no other legal basis for the Processing;
    • personal data have been unlawfully processed;
    • personal data must be deleted to fulfil a legal obligation under EU or Member State law.
    • the Data Subject objects to the Processing and there is no overriding legitimate reason to proceed with the Processing, or when the Data Subject objects to the Processing in the cases provided for in Article 21(2) of the GDPR (personal data processed for direct marketing purposes);
  4. the right to restriction of processing in cases where the accuracy of personal data is contested (for the period necessary for the Data Controller to verify the accuracy of such personal data) or the Processing is unlawful and/or the Data Subject has objected to the Processing and requested its restriction;
  5. the right to the portability of personal data as the right to receive personal data from the Controller in a structured, commonly used and machine-readable format and to transmit such data to another controller, only in cases where the Processing is based on consent and only for data whose Processing is carried out by automated means ;
  6. the right to object to the Processing of one's personal data, without prejudice to the right of the Data Controller to demonstrate the existence of legitimate grounds for processing nonetheless;
  7. the right to revoke consent at any time, if the Processing is based on your explicit consent, without prejudice to the lawfulness of the Processing carried out until such revocation is exercised ;
  8. the right to lodge a complaint with the Data Protection Authority , which can be contacted garante@gpdp.ito mediante il sito http://www.gpdp.it.

If you wish to obtain further information on the Processing of your personal data and to exercise the rights indicated above, you may send a written request using the contact details provided in the "Data Controller" section of this notice. In the event of a request from you for information regarding your data, the Data Controller will reply as soon as possible - unless this proves impossible or involves a disproportionate effort - and in any case no later than thirty days from the request. Any impossibility or delay on the part of the Controller in fulfilling requests will be adequately justified.

Last updated:November 2024

Follow Us
DISCOVER Carosello 3000
The best tips for your Mountain escape. Via email, when you need them.
DISCOVER Carosello 3000
The best tips for your Mountain escape. Via email, when you need them.
DISCOVER Carosello 3000
The best tips for your Mountain escape. Via email, when you need them.
Livigno Nino Negri Scuola Sci Centrale Livigno Outventure Livigno
MY3000 APP
Discover all the features of our mobile app.
MY3000 APP
Discover all the features of our mobile app.
MY3000 APP
Discover all the features of our mobile app.
MY3000 LIVE
-9°
Weather
Livigno Weather Forecast
Open
Snow
38 cm
Webcam
Live
Ski Lifts
0/6
Map
Open
Hours
8:30AM - 4:30PM
AVALANCHE RISK
3
#TheMountainIsFreedom
X