Information Notice pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR)

Pursuant to EU Regulation No. 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data, we inform you that the personal data you provide and that are acquired will be processed in accordance with the provisions of the aforementioned Regulation, particularly with reference to the resulting rights and obligations.

1. Data Controller

Data Controller: Azienda di Promozione e Formazione della Valtellina (hereinafter APF Valtellina), headquartered in Sondrio, Via Carlo Besta 3 (VAT no. 00867240145), represented by its legal representative pro tempore.

2. Categories of Data Processed

“Common” personal data: voluntarily provided by users to request the “Pilgrim’s Credential”: age group, email address, postal code/foreign nationality.

Browsing data: collected through the use of electronic tools and website traffic analytics.

  • Technical cookies: used for proper website functionality; they do not record user data in any way.
  • Third-party cookies: Google Analytics used for anonymous statistical analysis of website access.

3. Purpose of Processing

Data processing, including by electronic means, is carried out for the following purposes:

  • a. To register and issue the “Pilgrim’s Passport” by generating a PDF document with a progressive number, to be downloaded and printed before departure;
  • b. To fulfil institutional, legal, civil, tax, and commercial obligations;
  • c. To control authorized access systems and monitor data security;
  • e. To exercise the rights of the Controller, such as the right of defense in legal proceedings.

4. Legal Basis for Processing and Data Provision

The legal bases for the aforementioned processing are:

  • Art. 6, letter b) GDPR: performance of contractual or pre-contractual measures to which the data subject is a party;
  • Art. 6, letter c) GDPR: compliance with legal obligations;
  • Art. 6, letter f) GDPR: legitimate interest of the Controller.

The provision of personal data is mandatory: failure to provide such data will prevent the completion of registration and issuance of the Pilgrim’s Passport.

5. Data Processing Methods

Data will be processed on both paper and electronic media, using properly configured systems that ensure data confidentiality and minimize the risk of unauthorized access, data theft, or tampering, in accordance with Art. 32 of the GDPR. No automated decision-making process is involved (Art. 22, para. 1 of the GDPR).

6. Data Communication and Disclosure

Data may be communicated to:

  • Employees and collaborators authorized to process data;
  • Service providers (e.g., data backup, email, newsletter, network monitoring);
  • Accommodation facilities that have signed a commitment letter with the Controller and to whom the user has requested availability;
  • Entities and associations for compiling statistics on users requesting the credential;
  • Authorities or bodies competent to defend rights in court, based on the legitimate interest of the Controller;
  • Public Administration, authorities, and supervisory bodies in compliance with legal obligations.

The entities performing the above activities will process the data as independent Data Controllers or Data Processors pursuant to Art. 28 of the GDPR. A list of external Data Processors is available upon request via email to the Data Controller.

7. Data Retention Period

In accordance with the principles of lawfulness, purpose limitation, and data minimization under Art. 5 of the GDPR, data will be retained for the period necessary to achieve the stated purposes and, in any case, in accordance with the law. After this period, data will be anonymized or deleted where technically possible.

8. Data Transfer to Third Countries

The Controller undertakes to limit the circulation and processing of personal data (e.g., storage or cloud services) to countries within the European Union. Transfer to non-EU countries is prohibited unless they provide an adequate level of protection or appropriate safeguards under the GDPR.

9. Data Subject Rights

The data subject may exercise the following rights at any time:

  • Access their personal data (Art. 15);
  • Rectification (Art. 16);
  • Erasure (Art. 17);
  • Restriction of processing (Art. 18);
  • Objection to processing (Art. 21);
  • Data portability (Art. 20);
  • Withdrawal of consent at any time without affecting the lawfulness of processing based on prior consent.

To exercise these rights, contact:

  • Certified email (PEC): This email address is being protected from spambots. You need JavaScript enabled to view it.
  • Registered mail: Azienda di Promozione e Formazione della Valtellina, Via Carlo Besta 3, 23100 Sondrio (SO)
  • Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

10. Complaint

Pursuant to Art. 77 of the GDPR, the data subject has the right to lodge a complaint with the Supervisory Authority in the event of a breach of personal data protection regulations.