Logo
My vouchers

PRIVACY POLICY

Statement on the processing of personal data under Articles 13 and 14 of the European Data Protection Regulation 2016/679 (hereinafter referred to as the GDPR).
In compliance with the provisions of the GDPR, we are providing you with the necessary information regarding the various personal data processing operations that QC Terme S.r.l. may carry out in its capacity as Data Controller. The specific purposes of the processing to which you must refer with regard to the data concerning you as Data Subject are set out individually in section 3 below. This statement does not apply to other websites that may be consulted via links on the website of the Data Controller, who is in no way responsible for the websites of third parties.

 

1. Who is the Data Controller – Contact details

The Data Controller is QC Terme S.r.l. (hereinafter referred to as the “Data Controller”), who may potentially be a joint controller, within the meaning of Article 26 of the GDPR, with each of the companies of the QC Terme Group listed below, should you wish to make a booking and/or use one of the services provided by the centres of the following companies: TERME DI PRÉ SAINT DIDIER S.R.L and QC TERME CHAMONIX S.A.R.L.
To contact the Data Controller:
Email address: [email protected]
Head office address: Viale Certosa 144, 20156, Milan (Milan)

 

2. The Data Protection Officer – Contact details

The Data Protection Officer (DPO), appointed pursuant to Articles 37–39 of EU Reg. 2016/679, for the companies QC TERME S.R.L., TERME DI PRÉ SAINT DIDIER S.R.L. and QC TERME CHAMONIX S.A.R.L, can be contacted at the following email address: [email protected] 

 

3. Purposes of processing, type of data, legal basis, storage period and provision of data

Purpose A)
Browsing of the qcterme.com website: the computer systems and software procedures used to operate the website acquire, during their normal operation, certain personal data that is automatically transmitted during the use of Internet communication protocols. This information is not collected with the intention of being associated with identified data subjects; however, by its very nature, it could, through processing and association with data held by the Company or by third parties, allow users of the website to be identified. The collection of browsing data is strictly necessary for the operation of the website and for browsing purposes.

  • TYPE OF DATA: browsing data: the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user’s operating system and computer environment, and cookies.
  • LEGAL BASIS: the processing is necessary for the pursuit of the legitimate interests of the Data Controller or of third parties.
  • DATA STORAGE PERIOD: browsing data will be retained for the duration of the website session. For cookies, please refer to the storage periods indicated in the cookie policy.
  • NATURE OF DATA PROVISION: With the exception of the specifications regarding browsing data (which is necessary in order to allow the website to be navigated), the user is free to provide personal data.

 

Purpose B)
Newsletter and Marketing – sending of advertising and promotional material, statistical data, market surveys.

  • TYPE OF DATA: first name, last name, date of birth, country and province, email, gender, cookies.
  • LEGAL BASIS: consent of the Data Subject.
  • DATA STORAGE PERIOD: the data will be processed until whichever of the following events occurs first:
    – the consent is revoked by the Data Subject (opt-out);
    – the end of the maximum storage period provided for each of the further purposes set out in points D), E), F), G), H), if the Data Subject provided their personal data for one of said purposes at the time that they gave consent for purpose B). This maximum storage period is calculated from the last activity by/interaction with the Data Subject related to one of the aforementioned further purposes.
  • NATURE OF DATA PROVISION: for this purpose, consent is voluntary, but without said data we will not be able to provide newsletter subscriptions, to send our exclusive promotions and benefits, or to provide information about new services and products.

 

Purpose C)
Profiling: sending customised commercial proposals based on the preferences of the Data Subject.

  • TYPE OF DATA: personal data of the user with reference to preferences, personal interests, purchasing habits, geographical location, etc.
  • LEGAL BASIS: consent of the Data Subject.
  • DATA STORAGE PERIOD: the data will be processed until whichever of the following events occurs first:
    – the consent is revoked by the Data Subject (opt-out);
    – the end of the maximum storage period provided for each of the further purposes set out in points D), E), F), G), H), if the Data Subject provided their personal data for one of said purposes at the time that they gave consent for purpose C). This maximum storage period is calculated from the last activity by/interaction with the Data Subject related to one of the aforementioned further purposes.

 

Purpose D)
Booking of services offered: confirmation and management of the booking of services chosen by the user, including using vouchers; accounting, tax and administrative activities; management of clientele; management of booking-related activities; fulfilment of legal obligations. In the context of customer care, telephone conversations with the customer care team may be recorded, exclusively for quality control purposes.

  • TYPE OF DATA: first name, last name, postcode, place of residence, identity document details, email address, phone number and gender of the person making the booking and other guests of the same booking; payment data, voice recordings of telephone conversations with the customer care team.
  • LEGAL BASIS: execution of pre-contractual and contractual measures to confirm and manage the booking of services chosen by the Data Subject, and to manage customer activities; legal obligations for fiscal, accounting, and administrative activities related to service bookings, and to comply with the requirements set forth by the Italian Consolidated Legislation on Public Security; for the recording of telephone conversations, the legal basis is the legitimate interest of the Data Controller pursuant to Article 6, paragraph 1, point f) of the GDPR.
  • DATA STORAGE PERIOD: 10 years after the service booking; telephone conversation recordings are stored for a maximum period of 6 months from the call date.
  • NATURE OF DATA PROVISION: the provision of data is compulsory for contractual purposes and those deriving from legal obligations. Any refusal to provide such data, in whole or in part, may thus make it impossible to perform the contract or the booking request and to correctly comply with all related requirements. Call recording, when activated, is optional: the user has the option of not continuing the call and opting for alternative modes of communication.

 

Purpose E)
SHOP: purchases of our products, after-sales service, customer management, accounting, tax and administrative activities. In the context of customer care, telephone conversations with the customer care team may be recorded, exclusively for quality control purposes.

  • TYPE OF DATA: first name, last name, email address, phone number, shipping address, billing address, payment data, browsing data, voice recordings of phone conversations with the customer care team.
  • LEGAL BASIS: execution of pre-contractual and contractual measures for the purposes set out under point E), excluding tax, accounting and administrative measures for which there is a legal obligation; for telephone conversation recordings for quality purposes, the legal basis is the legitimate interest of the Data Controller pursuant to Article 6, paragraph 1, point f) of the GDPR.
  • DATA STORAGE PERIOD: 10 years from the purchase; telephone conversation recordings are stored for a maximum period of 6 months from the call date.
  • NATURE OF DATA PROVISION: the provision of data is compulsory for contractual purposes and those deriving from legal obligations. Any refusal to provide such data, in whole or in part, may thus make it impossible to perform the contract or any requests received and to correctly comply with all related requirements.
    Call recording, when activated, is optional: the user has the option of not continuing the call and opting for alternative modes of communication.

 

Purpose F)
Quotation requests for B2B/B2C relations; Management of company quotation data: data entry for quotation requests for meetings and events.

  • TYPE OF DATA: first name, last name, email address, phone number, company name.
  • LEGAL BASIS: execution of pre-contractual and contractual measures for the purposes described in point F).
  • DATA STORAGE PERIOD: 1 year from the request for a quotation only; 10 years from the signing of the relevant contract.
  • NATURE OF DATA PROVISION: the provision of data is necessary for contractual purposes. Any refusal to provide such data, in whole or in part, may thus make it impossible to fulfil the request received and comply with all related requirements.

 

Purpose G)
Registration for MY QC: account creation, access to exclusive services and benefits (creating personalised wish lists, extending the validity of vouchers, etc.), management of orders placed (return status, billing history), management of requests received via email by contacts in the various sections of the website, management of requests received for special arrangements.
In the context of customer care, telephone conversations with the customer care team may be recorded, exclusively for quality control purposes.

  • TYPE OF DATA: First name, last name, date of birth, email address, telephone number, shipping address, browsing data, data provided when purchasing/booking services and/or products, voice recordings of telephone conversations with the customer care team.
  • LEGAL BASIS: execution of pre-contractual and contractual measures for MY QC registration activities; for telephone conversation recordings for quality purposes, the legal basis is the legitimate interest of the Data Controller pursuant to Article 6, paragraph 1, point f) of the GDPR.
  • DATA STORAGE PERIOD: up to 10 years after the last activity by/interaction with the Data Subject; telephone conversation recordings are stored for a maximum period of 6 months from the call date.
  • NATURE OF DATA PROVISION: the provision of data is compulsory for contractual purposes and those deriving from legal obligations. Any refusal to provide such data, in whole or in part, may thus make it impossible to perform the contract or the request received and to correctly comply with all related requirements.
    Call recording, when activated, is optional: the user has the option of not continuing the call and opting for alternative modes of communication.

Purpose H)
Registration for the SHOP: access to exclusive services and benefits, extending the validity of vouchers, management of orders placed (status, returns, billing history), after-sales service, accounting, tax and administrative activities. In the context of customer care, telephone conversations with the customer care team may be recorded, exclusively for quality control purposes.

  • TYPE OF DATA: first name, last name, date of birth, email address, telephone number, shipping address, billing address, browsing data, payment data, voice recordings of telephone conversations with the customer care team.
  • LEGAL BASIS: execution of pre-contractual and contractual measures for the purposes set out under point H) and legal obligations for the tax, accounting and administrative activities only; for telephone conversation recordings for quality purposes, the legal basis is the legitimate interest of the Data Controller pursuant to Article 6, paragraph 1, point f) of the GDPR.
  • DATA STORAGE PERIOD: up to 10 years after the last activity by/interaction with the Data Subject; telephone conversation recordings are stored for a maximum period of 6 months from the call date.
  • NATURE OF DATA PROVISION: the provision of data is compulsory for contractual purposes and those deriving from legal obligations. Any refusal to provide such data, in whole or in part, may thus make it impossible to perform the contract or the request received and to correctly comply with all related requirements.
    Call recording, when activated, is optional: the user has the option of not continuing the call and opting for alternative modes of communication.

 

Purpose I)
Management of claims and disputes: the data provided for the purposes described in points A), B), C), D), E), F), G), and H) will also be used for the management of any claims and/or disputes that may arise from activities related to each purpose.

  • TYPE OF DATA AND NATURE OF PROVISION: all personal data previously collected for all the above-listed purposes and provided on a voluntary or mandatory basis according to the services requested.
  • LEGAL BASIS: legitimate interest of the Data Controller.
  • DATA STORAGE PERIOD: for 5 years from its acquisition for purposes D) and E), and for 5 years after the last contact/interaction for purposes A), B), C), F), G) and H), or, for all the above purposes, for as long as is necessary to handle any claims and until the conclusion of any disputes, and for as long as is required by law for the preservation of the documentation produced following the conclusion of such dispute.

 

4. Recipients: to whom the personal data collected will be communicated

The personal data provided will be shared with parties who will process the data in their capacity as data processors (Article 28 of the GDPR) and/or in their capacity as natural persons acting under the authority of the Data Controller and Data Processor (Article 29 of the GDPR and Article 2-quaterdecies of Italian Legislative Decree 196/2003) for the purposes listed above.
More specifically, the data will be shared with:

  • parties who provide services for the management of the computer system and telecommunications networks used by the Data Controller, including email, newsletters and website management; freelancers, firms or companies in support and consulting roles;
  • competent authorities for the fulfilment of legal obligations and/or provisions of public bodies, on request (e.g. communicating to the police headquarters the data required for public safety purposes in the case of hotel bookings).
    The list of Data Processors is constantly updated and available by writing to [email protected] or the Data Controller’s contact address.

 

5. Does QC Terme transfer data outside the EEA?

The personal data provided will not be transferred outside the EEA.
It is, however, possible that certain entities acting on behalf of the Data Controller may have databases in countries outside the European Economic Area (EEA); in this case, the Data Controller will ensure that these entities take the appropriate contractual measures to guarantee that the data is adequately protected, including by means of agreements based on the standard contractual clauses (SCC) adopted by the European Commission.

 

6. Processing methods: How does QC Terme process data?

Processing of data for the purposes set out above takes place using both automated methods, on electronic or magnetic media through the use of booking and management software shared by QC Terme Group companies, and non-automated methods, on paper, in compliance with the rules of confidentiality and security required by law, consequent regulations and internal provisions.

 

7. The rights of the Data Subject: what they are and how they can be exercised

The Data Subject may assert their rights, as expressed in Articles 15 et seq. of the GDPR, by making a request using the contact details of the Data Controller or DPO indicated in this document. Requests are submitted free of charge and processed by the Data Controller as quickly as possible, and in any event within a month.
The Data Subject has the right, at any time, to ask the Data Controller for access to, rectification, deletion and portability of their personal data, as well as to restrict processing.
Furthermore, the Data Subject has the right to object, at any time, to the processing of their personal data, on grounds relating to their particular situation, pursuant to Article 6(1)(e) or (f) of the GDPR, and to processing for direct marketing purposes.
In order to no longer receive marketing communications (e.g. emails), it is sufficient to use the cancellation systems described in the communication itself.
Without prejudice to any other administrative and jurisdictional recourse, for any processing deemed to be in breach of the GDPR, a complaint may be lodged with the Data Protection Authority by consulting the website at http://www.garanteprivacy.it/.

 

8. Further information

The Data Controller reserves the right to change, update, add or remove parts of this privacy statement at its discretion and at any time.