Privacy Policy Rentals

Gestione Governativa Navigazione Laghi, headquartered in Milan, Via Lodovico Ariosto 21, VAT no. 00802050153, in its capacity as Data Controller (hereinafter also referred to as “GGNL” or the “Controller”), informs you that your personal data (hereinafter the “Data”) will be processed in accordance with the provisions of the General Data Protection Regulation (EU Regulation 2016/679, “GDPR”), data protection laws, and as set out in this Privacy Notice.

1.PURPOSE OF DATA PROCESSING

The personal data covered by this notice fall into the following categories:

• Personal data, including general information such as identification data, contact details, and tax-related data.

2.PURPOSES AND LEGAL BASES FOR PROCESSING

Your personal data will be processed for the following purposes and on the following legal grounds:

a) To perform the contract entered into with the Controller. The legal basis is the performance of a contract or pre-contractual measures pursuant to Article 6(1)(b) of the GDPR;

b) To comply with legal obligations, including obligations established by national and EU regulations or imposed by competent authorities. The legal basis is compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR;

c) To pursue the Controller’s legitimate interests, specifically the prevention and suppression of unlawful conduct, the exercise of legal rights in judicial proceedings, and the management of disputes.

3. METHODS OF PROCESSING

All data are stored on GGNL servers using automated, electronic, IT, or telematic tools, as well as non-automated and paper-based systems. Data may also be stored on the servers of external service providers or business partners appointed as Data Processors. Data are accessed and managed according to stringent security standards and policies (or equivalent standards for our third-party partners).

4. DATA RETENTION

Personal data will be retained for no longer than necessary to fulfill the purposes for which they were collected or subsequently processed, and in accordance with applicable legal, fiscal, and civil obligations, including those related to dispute resolution.

5. PROVISION OF DATA

Providing personal data is mandatory. Failure to provide the requested data may result in the inability to initiate or continue the contractual relationship.

6. DATA DISCLOSURE

Personal data may be disclosed to the following:

• Employees and collaborators of the Controller, who are duly trained and authorized to process data under Articles 29 of the GDPR and Article 2-quaterdecies of Legislative Decree 196/2003;

• Third parties formally appointed as Data Processors pursuant to Article 28 of the GDPR for purposes strictly related to contract execution or compliance with legal obligations (e.g., IT, accounting, tax, legal service providers, etc.).

You may request the updated list of Data Processors from the Controller at any time.

7. DATA TRANSFER

Your personal data may be transferred to a third country or international organization for the purposes set out above, based on an adequacy decision under Article 45 of the GDPR or subject to appropriate safeguards as provided by Article 46 of the GDPR.

8. DATA SUBJECT RIGHTS

As a data subject, and unless otherwise restricted by law, you have the right to:

• Obtain confirmation of the existence of your personal data, even if not yet recorded, and access such data in an intelligible format;

• Obtain information and, where applicable, a copy of:
  
  a) the origin and categories of the data;
  
  b) the logic applied in case of processing with electronic tools;
  
  c) the purposes and methods of processing;
  
  d) the identity of the Controller and Data Processors;
  
  e) the recipients or categories of recipients to whom data may be disclosed, including third countries or international organizations;
  
  f) the retention period or the criteria used to determine it;
  
  g) the existence of automated decision-making processes and related logic, significance, and expected consequences;
  
  h) the appropriate safeguards in the event of data transfers outside the EU;

• Obtain without undue delay the rectification of inaccurate data or the completion of incomplete data;

• Withdraw any previously given consent at any time, easily and without hindrance, preferably using the same channels through which it was originally provided;

• Request the erasure, anonymization, or blocking of data if:
  
  a) unlawfully processed;
  
  b) no longer necessary for the purposes for which it was collected;
  
  c) based on consent that has been withdrawn without any other legal basis;
  
  d) processing is objected to and there are no overriding legitimate grounds to continue;
  
  e) necessary to comply with legal obligations;
  
  f) related to minors.
  
  The Controller may deny deletion only where:
  
  a) exercising the right of freedom of expression and information;
  
  b) compliance with legal obligations or performance of a task in the public interest;
  
  c) reasons of public health;
  
  d) public interest archiving, scientific or historical research, or statistical purposes;
  
  e) exercise or defense of legal claims;

• Request the restriction of processing in the following cases:
  
  a) contesting the accuracy of the data;
  
  b) unlawful processing where erasure is opposed;
  
  c) need to retain data for legal claims;
  
  d) pending verification of overriding legitimate interests;

• Receive your data in a structured, commonly used, machine-readable format, and transmit them to another controller or—if technically feasible—have them transferred directly;

• Object, in whole or in part, for legitimate reasons related to your specific situation, to the processing of your personal data;

• Lodge a complaint with the Italian Data Protection Authority.

In applicable cases, the Controller will notify third parties to whom data have been disclosed of your request to exercise these rights, unless such notification proves impossible or requires disproportionate effort.

If you believe your rights have been infringed, you have the right to lodge a complaint.

For further information, visit the Italian Data Protection Authority’s website at: www.garanteprivacy.it, which contains a dedicated section on your rights.

9. HOW TO EXERCISE YOUR RIGHTS

You may exercise your rights at any time by:

• Sending a registered letter with return receipt to the Controller’s address;

• Sending an email to: privacy@navigazionelaghi.it