Privacy Policy

Gestione Governativa Navigazione Laghi

In accordance with Article 13 of Regulation (EU) 2016/679 regarding the protection of personal data (GDPR).

Gestione Governativa Navigazione Laghi, headquartered in Milan, Via Lodovico Ariosto 21, VAT No. 00802050153, acting as the Data Controller (hereafter “GGNL” or “Controller”), processes personal data collected through its website https://www.navigazionelaghi.it/ (“Website”) and the “Dream Lake” Application (“App”), fully compliant with applicable data protection and privacy legislation.

GGNL has appointed a Data Protection Officer (hereafter “DPO”), who can be contacted via email at privacy@navigazionelaghi.it or preferably at dpo@navigazionelaghi.it.

Unless otherwise specified, the information within this policy pertains to personal data processed during the use of the Website and the App. Processing of personal data for purposes other than those listed below is governed by separate privacy notices relevant to each specific service.

1. Types of Personal Data

“Personal data” refers to any information relating to an identified or identifiable natural person (hereafter “Data Subject”). The personal data collected and processed include:

• Identification data: first name, surname, address.
• Contact data: telephone number, email address, workplace.
• Navigation data: implicit data from the use of the Website and App (e.g., IP address).

2. Purposes and Legal Basis for Processing

We process your personal data for the following purposes and under these legal bases:

• Fulfillment of contractual and pre-contractual obligations (Art. 6.1.b GDPR), specifically to:
  • Create and manage the User’s account.
  • Manage store purchases, especially tickets and subscriptions.
  • Download files from the Website such as brochures, travel flyers, competition summaries, etc.
  • Receive SMS notifications regarding potential service disruptions or updates.
  • Handle User requests (e.g., manage general contact requests and/or information requests).
  • Manage forms for feedback and complaints.
  • Administer the electronic invoicing portal for travel documents.
• With explicit User consent (Art. 6.1.a GDPR), the Controller processes your data to:
  • Send newsletters regarding GGNL’s activities, initiatives, projects, offers, and general marketing communications and related activities.
• Compliance with legal obligations (Art. 6.1.c GDPR), imposed by applicable national or EU regulations or competent authorities.
• Pursuit of the Controller’s legitimate interests (Art. 6.1.f GDPR), such as:
  • Sending commercial information to the address provided during registration regarding similar products or services previously purchased by clients.
  • Customer satisfaction, expressed through star ratings on the App (data is not combined with the user’s personal data).
  • Defending a right before judicial or administrative authorities.
  • Managing the Website and operational functions, monitoring correct operation, enhancing service quality, and optimizing Website functionality.
  • Managing the App and its operational functions, monitoring correct operation, enhancing service quality, and optimizing App functionality.
  • Ensuring the security of GGNL’s Website and App, including prevention and detection of fraudulent activities or harmful misuse; the Controller’s legitimate interest is real and current, aimed at preventing harm from unlawful actions.
  • Managing responses and informational exchanges following social media interactions (Twitter, LinkedIn, Facebook, YouTube, etc.).

Providing personal data for the purposes listed under letter a) is mandatory; this data is necessary for establishing and maintaining relations with the Controller. Without this data, GGNL services described above cannot be provided.

Providing personal data for the purposes listed under letter b) is entirely optional; failing to provide this data does not prevent the use of the Controller’s services.

3. Methods of Processing

All data is stored on GGNL’s secure servers using automated, electronic, computerized, telematic, or non-automated methods, as well as on paper, or on servers of suppliers or business partners appointed as Data Processors. These are accessible and usable according to strict security standards and policies (or equivalent standards applied by our suppliers or business partners).

4. Data Retention Period

Personal data collected will be processed by GGNL for the time strictly necessary to achieve the purposes outlined in paragraph 2, with an additional retention period as required by specific legal provisions or to assert or defend a legal right. For instance, data may be retained for:

• 10 years from collection for contractual and pre-contractual obligations;
• The duration required by applicable regulatory provisions for compliance with the Controller’s legal obligations.

5. Data Sharing and Transfer

Personal data may be accessed by:

• Employees and collaborators of the Controller, properly instructed and authorized to process data according to articles 29 GDPR and 2-quaterdecies of Legislative Decree 196/2003;
• Third parties expressly appointed as Data Processors pursuant to article 28 GDPR for purposes strictly related to the execution of the contract or legal obligations (e.g., IT service providers, accountants, fiscal and legal consultants).

When located in third countries, these providers operate under standard contractual clauses or an adequacy decision pursuant to article 45 GDPR, or in compliance with the safeguards specified in Chapter V GDPR. Such entities receive only the personal data necessary to perform their duties and may use this data solely to provide these services on our behalf or to comply with legal provisions. For further information on transfers to third countries, contact us at privacy@navigazionelaghi.it.

6. Rights of the Data Subject

The Controller informs you that, as a data subject, you can exercise your rights as per articles 15 to 22 of the GDPR by contacting privacy@navigazionelaghi.it or by registered letter addressed to the Controller. Specifically, you have the right to:

• Confirm whether your personal data exists and access it in a comprehensible form;
• Obtain information and, where applicable, copies of data regarding:
  • Origin and category of personal data;
  • Logic involved in automated processing;
  • Purposes and methods of processing;
  • Identification details of the Controller and processors;
  • Subjects or categories to whom data may be communicated;
  • Data retention periods or criteria;
  • Automated decision-making processes, and their logic and consequences;
  • Adequate safeguards in case of data transfers outside the EU;
• Request immediate updating, rectification, or completion of data;
• Withdraw previously granted consents at any time easily and without hindrance;
• Obtain deletion, anonymization, or blocking of data processed unlawfully or no longer necessary;
• Limit processing under specific conditions;
• Receive personal data in a structured, common, and machine-readable format for portability purposes;
• Object wholly or partially to processing for legitimate reasons;
• Lodge a complaint with the Data Protection Authority (Garante Privacy) if processing violates GDPR provisions (www.garanteprivacy.it).