DATA PROTECTION INFORMATION
1. General definitions
We process personal data in accordance with the General Data Protection Regulation (GDPR). For the terms used in the following (including data controller, consent, data processing), we refer to the GDPR.
2. Details about the data controller and hosting
The beach bar Baia Blu Beach is operated by the Pareus Service GmbH (Bolzano).
In terms of the GDPR, the data controller is
Pareus Service GmbH
39100 Bolzano / ITALY
President: Konrad Palla
Vice President: Johannes Palla
Member: Guido Küther
Telefon: +39 0421 1830 350
Adress Baia Blu Beach:
Baia Blu Beach Bar
Via degli Usignoli, 150
30021 Caorle (VE) / Italy
Telefon: +39 0421 1830 361
If you have any questions about data protection, please contact us at firstname.lastname@example.org at any time.
In accordance with Art. 28 GDPR, a data processing contract has been concluded with a hosting company.
3. Data processing as part of the booking and during your stay for the use of our services (esp. beach loungers)
When it comes to making your booking, you have the following options:
- Booking through the service provider www.spiagge.it via the online booking system
- Booking by telephone
- Booking by email
- Booking in person at the resort
Extent, purpose and legal basis: When handling your booking, we only process the data that we need to process your booking and that you provide to us or that we receive from our partner www.spiagge.it, via which you can make your booking. We process your data on the basis of Art. 6 (1) lit. b GDPR for the purpose of initiating and/or fulfilling the contract. This is also the purpose of the processing.
Recipients of your data: As part of the booking process, we use the service provider:
Via Marecchiese 48
We have concluded a data processing contract with Spiagge SRL in accordance with Art. 28 GDPR.
For internal administrative purposes and also on the basis of Art. 6 (1) lit. f GDPR, employees of the parent company of Pareus Service GmbH also receive access to your data. This company is:
Habona Invest GmbH
D-60327 Frankfurt am Main
If you do not wish your data to be passed on to these two recipients, you will not be able to book a stay with us.
Reporting obligation: We are also legally obliged to report the data of guests staying with us to the local police authority for security reasons. The following data are reported: First and last name, date of birth and place. The legal basis is Art. 6 (1) lit. c GDPR.
Video surveillance system: For the protection of persons, property and possessions, a video surveillance system is used in certain areas of the Pareus holiday resort (e.g., pool area, technical rooms, entrances and exits). These areas are marked accordingly. The recordings are limited to the site of the Bai Blu Beach Bar. The recordings are limited to the time during the night after the end of the operational period and before the start of the operational period. Data processing takes place exclusively on the data controller’s systems and the recordings are only accessible via the intranet (no use of cloud service providers). We carry out the video surveillance on the basis of our legitimate interests pursuant to Art. 6 (1) lit. f GDPR, as we would like to protect our guests and employees from possible theft and vandalism, amongst other things. The recorded videos are deleted after 48 hours. If the recordings become the subject of an investigation, they may be stored for longer. In this case, the recordings can also be passed on to the investigating authorities.
Storage duration: We store your personal data as long as this is necessary for the purpose of collecting it, and at least until the end of your stay at Pareus Resort. In addition, we store your data within the scope of the statutory storage obligations, especially to comply with our accounting and fiscal obligations
4. Automatic processing of personal data when visiting the website
All access to this website is recorded in log files. The IP address, the time of access, the amount of data transferred, the message as to whether the access was successful, the browser used and the operating system used on the accessing end device are stored in these files.
In addition, the address of the websites from which you have accessed our website is stored as well as the websites that you access from our website.
This data cannot be assigned to a specific person. It is also not in our interests to personally identify users. Nevertheless, this data is considered personal data in accordance with the provisions of the GDPR, as it would at least theoretically be possible, with the cooperation of your internet provider, to determine the owner of the internet connection from which our site is accessed by means of the transmitted IP address.
The temporary storage of the IP address is necessary to enable delivery of the website to your computer. For this purpose, your IP address must be stored in the log files for the duration of the session. In addition, we store the log files for one month and reserve the right to check them retrospectively if we become aware of concrete indications of unlawful use or in order to ward off attacks and enable the prosecution of hackers. This is in our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in providing a functional and secure website.
5.1 Consent banner
To obtain your consent, we use a consent banner that is loaded when you access our website. Before you can enter our website, you must use this consent banner to select which cookies or cookie categories you wish to accept or reject. You can accept all cookies, reject all (non-essential) cookies, or make a partial selection. The consent banner is designed so that this decision must be made by each user before they can access our website. You can edit your individual cookie settings later at any time via the link in the footer.
5.2 Essential cookie
Essential cookies are required for viewing our website on your computer. The data collected by these essential cookies is not used to create user profiles.
We use the following essential cookies on our website:
- Session cookie: Used to store information during a session, e.g., the language settings. It is deleted after the browser session is closed.
- Consent banner cookie: Used to store the (individual) cookie settings you selected in the consent banner. It is stored for 7 days for verification purposes.
- Contao cookie: Used to protect the CMS system from attacks.
The legal basis for the processing of personal data using essential cookies is our legitimate interest in providing a user-friendly website pursuant to Art. 6 (1) lit. f GDPR.
5.3 Use of non-essential cookies
5.4 Your revocation options
You can also prevent the storage of cookies by configuring your browser accordingly. However, if you configure your browser to reject all cookies, this may result in limited functionality on this and other websites.
6. Data transfer to the USA
Both for the implementation of our online marketing activities, for the integration of external content, and for sending out our newsletter, we always obtain your consent in accordance with Art. 6 (1) lit. a GDPR. In this context, we also work with service providers located in third countries, e.g., in the USA. You can find out which individual companies these are in the corresponding sections.
In the event of a transfer of your data to the USA, we will also obtain your consent in accordance with Art. 49 (1) lit. a GDPR and inform you about the possible risks of such a data transfer without the existence of an adequacy decision and without appropriate safeguards.
Possible risks of transmitting data to the USA
The European Court of Justice is of the opinion that the level of data protection in the USA does not meet EU requirements. The European Court of Justice has declared the EU-US Privacy Shield (an adequacy decision under Art. 45 GDPR) invalid. A transmission of personal data on the basis of the EU-US Privacy Shield to the USA is therefore not possible.
There is a possible risk that your data will be used for purposes other than those originally intended. In particular, your data may be accessible by US authorities for surveillance purposes, with no possibility for you to enforce your rights as a data subject under data protection law. For example, the ECJ states, amongst other things, that “the surveillance programmes based on US legislation are not limited to what is strictly necessary” and, furthermore, data subjects are not granted any “rights which can be enforced against the US authorities by judicial process.”
For these reasons, our website only loads US services and therefore transmits your personal data (such as IP address) once you have expressly consented to their use.
7. The personal data that is processed when using our forms
In principle, we process your personal data exclusively for the purposes stated in the following. As a matter of principle, we do not transmit personal data that you provide to us via forms to third parties unless this is expressly stated in the following.
7.1 Verification of your email address before sending advertising
Note on the need for verification: With a few exceptions, companies require consent from the data subject to carry out advertising by email.
Since it is not certain whether the owner of a email address has actually entered his or her data him or herself (and not, for example, a third party) in an online form, verification measures are first necessary before promotional measures can be initiated. With these, we can check if someone, for whatever reason, has entered an incorrect email address.
Calls for promotional purposes: In some forms on this website, you have the option of giving us your consent to promotional calls on a voluntary basis. For this purpose, you can enter your telephone number and, if applicable, a desired date and time for a call in the respective form.
In the promotional calls you will receive information about Pareus holiday properties in a personal conversation. The calls may also be made by third parties that have been commissioned by us. These are employees of Habona Invest GmbH, Westhafenplatz 6-8, 60327 Frankfurt.
Verification of your email address: We are required to verify your telephone number before making the first promotional call. For this purpose, you will first be contacted by us once and briefly so that we can confirm the details we have received via the form. This verification is separate and independent from the subsequent promotional call.
Verification of your email address: Verification of your email address is done with the help of a double opt-in email. In this you will receive a code or a link with which you can confirm your email address.
7.2 Processing of data when using our form for general enquiries
Extent and purpose of data processing, deletion periods: If you use the form for general enquiries, we collect the data necessary for this purpose.
We store your data until it is no longer required for the purpose for which it was collected and, in addition, for up to three years to defend any claims that may be made against us. Depending on the content of your enquiry, longer storage periods may also apply.
We will store your data and answer your enquiry on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR.
If you have given us your telephone number, we will also contact you on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR. We will only call you at your request to discuss the concern you have raised. Depending on the content of your request, the call may also serve to initiate a contract in accordance with Art. 6 para. 1 lit. b GDPR (e.g. table reservation). We will not use your telephone number for advertising purposes.
Newsletter: You have the option to subscribe to our newsletter via the form. (For more information about our newsletter, please see the next section 6.3).
Revocation option: You can revoke your consent to the processing of your personal data at any time with future effect. To exercise this revocation right, simply send an informal email to email@example.com.
You can subscribe to our newsletter on our website. The newsletter is published approximately weekly during the high season. The newsletter provides regular updates by email about the events at the Baia Blu as well as special promotions, such as competitions.
Overview of processed personal data: Provision of your email address is required for sending out the newsletter (mandatory field). If you also provide us with your name and first name, we can address you personally. We process data to measure opening and click rates in order to evaluate reading behaviour. We also store the date and time of your subscription to the newsletter for documentation purposes.
Analysis of reading behaviour: We collect statistical data from our dispatch service provider to evaluate your reading behaviour. This information helps us provide you with a personalised newsletter that is tailored to your interests.
The data is collected by integrating tracking pixels into the newsletter emails. These are small image files which can help us determine whether an email has been opened.
The click tracking has the effect that a user who clicks on a link in the newsletter email is forwarded to the intended target website via the servers of our dispatch service provider. These clicks are logged.
Using these methods, the following data is collected:
- If and at what time you open a newsletter
- Which links you click on in the newsletter
- How often and at what time you click on these links
- Which browser and which email programme you use
- Your IP address.
Legal basis: We process your personal data on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR to the sending of the newsletter, which we obtain from you during the registration process. The analysis of reading behaviour cannot be separately deselected. If you prefer not to have this tracking, you will unfortunately not be able to receive the newsletter. We store the date and time of your registration on the basis of our legitimate interest according to Art. 6 (1) lit. f GDPR to be able to prove at a later date that consent was once given.
Revocation option: You can revoke your consent to the sending of the newsletter at any time with future effect via the following link,which you will find in every issue of the newsletter. You can also send an informal email to firstname.lastname@example.org to revoke your consent.
Storage duration: Your data will be stored as long as you do not revoke the consent you have given us. However, we may store unsubscribed email addresses and telephone numbers for up to three years before deleting them in order to be able to prove that consent was once given to us. In this case, the processing of this data is limited to the purpose of a possible defence against claims.
We use MailChimp because, in our view, this service provider is a particularly user-friendly and secure mailing system. We have entered into a processing contract with MailChimp in accordance with Art. 28 (3) sentence 1 GDPR. This contract also includes the EU standard contractual clauses. We classify the protection requirements of the data sent to MailChimp as normal. Transfer to the USA only takes place after your consent and after being informed about the associated risks. More information is available in the above section 6 “Data transfer to the USA” and in the consent banner.
8 Processed personal data as part of our online marketing activities
8.1 Google Analytics and Google Ads
Legal basis: If you have given your consent in our consent banner, Google Analytics and Google Ads will be used on this website. The legal bases are Art. 6 (1) lit. a GDPR and Art. 49 (1) lit. a GDPR.
Extent of the data processing:
We use Google Signals. This captures additional information in Google Analytics about users who are logged in to Google and have enabled personalised advertisements (interests and demographics). Advertisements can then be presented to these users as part of cross-device re-marketing campaigns.
We use the ‘anonymiseIP’ (IP masking) function: Due to the activation of IP anonymisation on this website, your IP address will be truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address be transmitted to a Google server in the USA and truncated there.
Among other things, the following data will be collected when you visit the website:
- The pages you visit, your “click path”
- Achievement of “website goals” (conversions, e.g., newsletter sign-ups)
- Your user behaviour (e.g., clicks, length of stay, bounce rates)
- Your approximate location (region)
- Your IP address (in truncated form)
- Technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
- Your internet provider
- The referrer URL (via which website/advertising medium you arrived at this website)
Data collected by Google Analytics will also be merged with Google Ads.
Google Ads is used to place advertisements in the Google advertising network. The Google advertising network covers all places where advertisements can appear (e.g., Google websites or websites of other partners in the advertising network). This way, users see advertising that is tailored to their interests.
We only analyse aggregated data, e.g., the frequency with which a particular advertisement was viewed.
Purposes of processing: On our behalf, Google will use this information for the purpose of evaluating your use of the website and compiling reports on website activity. The reports created by Google Analytics are used to analyse the performance of our website and the success of our marketing campaigns.
Data collected by Google Analytics is also shared with Google to help improve other products and services, such as Google Ads.
Revocation option: In the case of Google Analytics (in addition to the revocation options described under 4.4), you can also download and install the browser add-on to deactivate Google Analytics here.
As a logged-in Google user, you also have the option to object to the display of personalised advertising directly in your Google account under the menu item “Data & Personalisation”.
Recipient: The responsible service provider in the EU and recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The parent company based in the USA is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
We have entered into a processing contract with Google Ireland Limited in accordance with Art. 28 GDPR https://privacy.google.com/businesses/processorterms/.
Transfer to third countries: US authorities may be able to access the data stored by Google. We describe the risks associated with this in section 5 “Data transfer to the USA”.
Storage period: The data sent by us to Google and linked to cookies is automatically deleted after 14 months. A deletion of data that has reached the end of its storage period is carried out automatically once a month.
8.2.1 Processing of personal data on our Facebook page
Responsibility: We process personal data as part of our presence on Facebook.
We have entered into a joint processing agreement with Facebook Ireland Ltd. (hereinafter “Facebook”), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (in accordance with Art. 26 GDPR). The joint processing agreement provided by Facebook is available at the following link: https://www.facebook.com/legal/controller_addendum
In particular, the agreement regulates the security measures that Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and that Facebook has agreed to fulfil data subject rights (i.e. users can, for example, address information or deletion requests directly to Facebook). If you submit an enquiry to us regarding the data processed as part of the operation of our Facebook page, we will also forward this enquiry to Facebook in accordance with our joint processing agreement.
Where Facebook provides us with analytics on the use of our Facebook page based on aggregated data, this processing is carried out on the basis of a processing agreement and not on the basis of joint processing. The data processing conditions are available at https://www.facebook.com/legal/terms/dataprocessing).
Facebook also processes personal data under its own responsibility, especially to promote the safety and quality of its products and for research and development purposes.
Data processing information: Facebook provides us with aggregated data that helps us analyse the use of our Facebook page. This includes, for example, the number of page views, “Like” clicks, information about the reach of our posts and also information about the age, gender and end device used by our visitors. You can find more information about the data collected via the following link https://www.facebook.com/legal/terms/information_about_page_insights_data.
We cannot identify you personally with the data we receive from Facebook and this is not in our interests. However, if you “Like” or comment on posts, we can see the information you share with us on Facebook.
Purpose of data processing and legal basis: We operate this Facebook page to present our company in a contemporary way in social media, to reach out to potential customers and to draw attention to our products. This is also our legitimate interest and the legal basis for data processing pursuant to Art. 6 (1) lit. f GDPR.
Your rights as a data subject: You can exercise your rights under the GDPR both against us and against Facebook (see section 9).
8.2.2 Use of the Facebook Pixel on this website
Use of the Facebook Pixel falls under the joint processing agreement we have with Facebook.
The Facebook Pixel is a Java Script code in connection with an invisible 1×1 pixel that is embedded on our website. Using this pixel, we can measure the success of advertising campaigns that are displayed on Facebook. With the help of the Facebook Pixel, target groups for advertisements are determined so that advertisements are only displayed to users who are interested in them.
For example, we can track how a user arrived at our website from an advert on Facebook and how they then used our website. We are unable to personally identify the user and this is not in our interests. However, the data collected may be linked to your Facebook account.
Legal basis: We use the Facebook Pixel exclusively on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR, which you can give us via the consent banner (see section 4.1). If data transfer to the USA takes place, we will also obtain your consent pursuant to Art. 49 (1) lit. a GDPR (see section 5).
Revocation option: You can revoke your consent to the use of the Facebook Pixel at any time, as described in section 4.4.
9. Integration of external media
We include third-party features on our website, which are mentioned in the following sections.
Legal basis: We therefore use functions of these third-party providers exclusively on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR, which you can give us via the consent banner (see section 4.1) and, if data transfer to the USA takes place, at the same time on the basis of your consent to the data transfer to the USA pursuant to Art. 49 (1) lit. a GDPR (see section 5).
Revocation option: You can revoke your consent to the use of third-party functions at any time, as described in section 4.4.
We use YouTube to embed video content.
The recipient of your data is the provider of YouTube, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and its parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Revocation option: In addition to revoking your consent to the use of YouTube (section 4.4), as a logged-in Google user you have the option to object to the display of personalised advertising directly in your Google account under the menu item “Data & Personalisation”.
We use Vimeo to embed video content.
The recipient of your data is Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA.
10. Your rights as a data subject
Right of access to personal data: Pursuant to Art. 15 GDPR, you have the right to request confirmation from us as to whether the personal data concerning you is being processed by us and, if this is the case, the right to obtain information about this data, further information and a copy of the data.
Right to rectification: Pursuant to Art. 16 GDPR, you have the right to correct inaccurate personal data concerning you. You also have the right to request that incomplete personal data be completed.
Right to deletion: Pursuant to Art. 17 GDPR, you have the right to request that the personal data concerning you be deleted without delay.
Right to restriction of processing: Pursuant to Art. 18 GDPR, you have the right to demand that we restrict the processing of your personal data.
Right to information: If you have exercised your right to a rectification, deletion or restriction of processing against the data controller, we are obliged to inform all recipients to whom the personal data concerning you has been disclosed of this rectification, deletion or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients (pursuant to Art. 19 GDPR).
Right to portability: Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and you have the right to request that this data be transferred to another data controller.
Right to make a complaint to a supervisory authority: If you consider that the processing of personal data concerning you infringes the GDPR, you have the right to make a complaint to a supervisory authority, without prejudice to any other administrative or judicial remedy.
Revocation right for consent: You have the right to revoke any consent you have given at any time.
|Right to object: Pursuant to Art. 21 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which we process in the context of our overriding legitimate interest pursuant to Art. 6 (1) lit. f GDPR; this also applies to profiling based on these provisions. If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.|