Privacy Policy
The following paragraphs explain how your personal data is processed when you browse the website of the restaurant Anton1929, Hotel Touring Dolomites (Santa Cristina Val Gardena) and when you use the services offered. In order to provide you with all services on our site (e.g., booking a table at the restaurant, requesting information, subscribing to the newsletter), it is necessary to process some of your personal data. “Processing of personal data” means any operation or set of operations performed, with or without automated means, such as collection, recording, organisation, storage, consultation, use, disclosure, erasure and destruction. These operations are carried out lawfully, fairly and transparently and in accordance with current legislation, including Regulation (EU) 2016/679 (GDPR). This notice explains which data we collect, why processing is necessary and what rights you have.
​
Data Controller
The controller (titolare) of the personal data collected through this site is Hotel Touring KG di Senoner Ivo, Str. Dursan 17, 39047 S. Cristina (BZ), Alto Adige, Italy, VAT No. IT02738760210. For any information or to exercise the rights listed below you can contact us at:
Phone: +39 0471 793 119
E-mail: info@hoteltouring.bz
A Data Protection Officer (DPO) has not been appointed, as there are no legal conditions requiring such appointment.
GDPR analysis & compliance: this section clearly identifies the controller, providing name, address and contact details (phone, email) as required by Art. 13(1)(a) GDPR (see, e.g., agendadigitale.eu). Not appointing a dedicated DPO is lawful because it is not mandatory for this type of activity; the controller is correctly identified and the contacts are provided, allowing data subjects to get in touch easily to exercise their rights. This meets the GDPR requirements on transparency.
​
Purposes of Processing
We process your personal data for the following specific purposes:
• Compliance with legal obligations: to comply with laws, regulations or orders issued by authorities (Legal basis: Art. 6(1)(c) GDPR – legal obligation).
• Performance of contractual obligations: to manage and fulfil contractual relationships with you, including the provision of services you request (Legal basis: Art. 6(1)(b) GDPR – performance of a contract).
• Provision of information and requested services: to answer questions, provide quotes or pre‑contract information and deliver agreed services, e.g., confirm reservations and hospitality (Legal basis: Art. 6(1)(b) GDPR – pre‑contract measures and contract).
• System efficiency analysis: to monitor and verify the proper operation of our website and IT systems to improve performance and security (Legal basis: Art. 6(1)(f) GDPR – controller’s legitimate interest in technical management and system security).
• Marketing and promotional activities: to send newsletters, commercial communications and advertising material, and to carry out market research to gauge customer interest in our services (Legal basis: Art. 6(1)(a) GDPR – consent of the data subject). Such communications are sent only with your explicit consent, which you may withdraw at any time.
• Protection of obligations and rights: to ensure the fulfilment of contractual obligations by customers, e.g., manage due payments, prevent fraud and protect our rights in the event of non‑performance (Legal basis: Art. 6(1)(b) and (f) GDPR – performance of a contract and legitimate interest in protecting our rights).
• Customer satisfaction and service improvement: to detect customer satisfaction regarding the quality of products and services offered in order to improve our offer. For example, we may analyse reviews voluntarily published by customers on Google, TripAdvisor or other third‑party platforms, or invite you to provide feedback after using our services (Legal basis: Art. 6(1)(f) GDPR – legitimate interest in improving services based on customer feedback).
Note: where we process special categories of personal data (Art. 9 GDPR) — for example health information on food allergies you may provide for a reservation — such data will be processed exclusively to meet your specific request (e.g., adapt the service to your needs) and only with your explicit consent (Additional legal basis: Art. 9(2)(a) GDPR).
GDPR analysis & compliance: this section lists all processing purposes with the corresponding legal basis, fulfilling the information duty in Art. 13(1)(c) GDPR (see agendadigitale.eu). We have included new purposes relevant to the site’s actual activities (online table booking, analytics and marketing tools, review collection, etc.), clearly indicating the legal basis for each processing. We also specify our legitimate interests where applicable, under Art. 13(1)(d) GDPR (agendadigitale.eu). A clarification on the processing of any sensitive data (e.g., allergy information) has been added, requiring explicit consent under Art. 9 GDPR. This structure ensures the notice covers all envisaged purposes, providing transparency about why we collect data.
​
Types of Processing
Your personal data are processed both manually and by means of IT and telematic tools. We use automated means and processes, relying on databases and IT platforms managed by us or by contracted third parties, in line with the purposes described above. In any case, we adopt procedures that ensure the confidentiality and security of the data processed.
When you browse our website, certain technical data essential to the operation of the site are collected automatically by our systems and stored in specific databases or log files on the server. These data include, for example: the type and version of browser used, the device operating system, the referring website, the pages visited on our domain, the date and time of the visit, the IP address of the device and other similar technical information. Where possible, such information is collected anonymously or in aggregated form and is initially used for statistical purposes to analyse site usage and subsequently to improve the level of security and protection of the system.
The legal basis for this technical processing is our legitimate interest (Art. 6(1)(f) GDPR) in ensuring the correct operation and security of the website and, with regard to elements necessary to provide the requested service (e.g., the IP address to display pages), the performance of pre‑contractual measures at the request of the data subject (Art. 6(1)(b) GDPR). Providing these data is inherent to the use of Internet communication protocols: without them, the site cannot deliver the requested pages.
When you connect to our site, IT systems automatically record these technical details; the processing is not used to identify the user but to enable access to online content and ensure security. We do not carry out profiling or personalised analysis based on such technical data, except as described in the “Profiling” section below and in our Cookie Policy.
GDPR analysis & compliance: this section transparently describes how data are processed (methods) and which categories of technical data are collected automatically during browsing. This meets the requirement to inform the data subject about processing methods and categories of data processed (see agendadigitale.eu). We clarify that browsing data (technical logs) are collected for operation and security purposes, specifying the appropriate legal basis (legitimate interest and contractual necessity). We also state that these data are not used for further purposes (individual profiling) without consent, preventing ambiguity.
​
Data Retention Period
We retain personal data only for as long as necessary to achieve the purposes for which they were collected, in compliance with the GDPR principles of storage limitation and data minimisation. In particular, different retention periods apply depending on the type of processing:
• Information requests and general contacts: data are kept only for the time strictly necessary to handle the request and provide a full response, then deleted unless further contractual or legal obligations arise.
• Online reservations via the site: data are kept for the time necessary to manage and fulfil the booking (e.g., until the reservation date and service completion). Afterwards, they may be kept for an additional period if needed to protect rights (e.g., handle claims) or to comply with legal obligations (e.g., accounting records relating to the deposit), always within applicable statutory terms.
• Website browsing data: technical information collected during browsing (see “Types of Processing”) is kept for the time necessary to perform aggregated analysis and improve security, generally for a limited period (e.g., a few months) unless further retention is required for the investigation of cyber‑attacks.
• Legal, tax and administrative obligations: personal data used to fulfil legal obligations (e.g., data contained in accounting documents, invoices, administrative records) are stored for the mandatory period set by applicable law. In Italy, documents relevant for tax and civil purposes (such as invoices and accounting records) are normally kept for 10 years or for any other period required by law.
• Litigation management: in case of disputes, complaints or legal actions, necessary data are retained for as long as strictly necessary to defend our rights in court, and in any case no longer than the applicable statutory limitation periods.
• Marketing and profiling purposes: data processed for sending commercial communications (newsletters, promotional offers) or for profiling are retained until you withdraw consent or object to processing. In any case, consistently with the guidance of the Italian DPA, we will not keep such data for more than 24 months from the last interaction for marketing, nor for more than 12 months for profiling, unless they are kept further only in aggregated or anonymous form (see roedl.it). After these terms, data will be deleted or anonymised permanently.
At the end of the above periods, personal data will be deleted or irreversibly anonymised, unless there is a further legal basis justifying continued storage (e.g., a subsequent legal obligation), of which the data subject will be informed.
GDPR analysis & compliance: this section fulfils the requirement to indicate how long (or according to which criteria) personal data will be stored, as per Art. 13(1)(e) GDPR (see agendadigitale.eu). We have specified distinct retention periods by type/purpose, including marketing and profiling cases, aligned with the guidance of the Italian DPA (e.g., 24 months and 12 months respectively; see roedl.it).
​
Use of Cookies
To improve your browsing experience on our website we use cookies. Cookies are small text files that the site—or third‑party services connected to it—place on your device via your browser when you visit our site. This information is then sent back to the site at each subsequent connection, allowing users to be recognised and certain preferences to be stored.
We use both technical cookies (necessary for the operation of the site and the provision of services you request) and third‑party cookies for statistics and marketing. In particular, we may use external services such as Google Analytics, Google Ads and Meta Pixel (Facebook/Instagram) which set cookies to collect information on browsing behaviour and to deliver personalised content. Such tools are used only after obtaining your consent through the cookie banner, which allows you to accept or refuse the different categories of non‑essential cookies.
You can always manage and disable cookies through your browser settings. You may delete cookies stored on your device at any time and set your browser to prevent future installation. Please note that disabling essential technical cookies may impair some site features and the provision of certain services (for example, the online booking system may not function correctly without cookies). For more details about the cookies used and how to manage them, please see our dedicated Cookie Policy, where you will find up‑to‑date information on cookie types, purposes, durations and settings.
GDPR analysis & compliance: this section informs users about cookie usage, meeting the requirements of GDPR and ePrivacy rules and the guidelines of the Italian DPA on cookies (2021). We explicitly mention the use of third‑party tools such as Google Analytics, Google Ads and Meta Pixel, and the consent mechanism (banner) with ‘accept’/‘reject’ options (see gdprlab.it).
​
WhatsApp Contact
If you contact us on WhatsApp at +39 0471 793119, we process your phone number and the content of your messages to handle your request. The service is provided by WhatsApp/Meta, acting as an independent controller for its own purposes under its privacy notice. We retain conversations only for as long as necessary to handle the request and according to our retention schedules.
​
Contact Form
If you decide to contact us via the contact form on our website, you will be asked for certain personal data (e.g., first name, last name, email address and other contact details) necessary to receive and manage your request. Fields marked with an asterisk (or other indication) are mandatory, as failure to provide such essential information may prevent us from replying or providing the requested service. Entering additional personal data (not mandatory) or special category data (such as health information, opinions, etc.) is optional and at your sole discretion: we advise you to provide such additional data only if strictly necessary for the nature of your request. In any case, any sensitive information you enter will be processed solely to fulfil the specific request and, where necessary, only with your explicit consent.
Sending a communication through the contact form implies awareness and acceptance of the processing of the personal data provided for purposes connected with handling the request. Data transmitted via the form will be used exclusively to answer your message and for closely related activities (e.g., follow‑up clarifications) and will be kept for the time necessary to fully process the request, as indicated in the “Data Retention Period” section. Once those purposes are completed, the data will be deleted, unless further storage is required by law or for different purposes (in which case you will be given further information).
GDPR analysis & compliance: the Contact Form section clarifies whether data are mandatory or optional and the consequences of not providing them (see agendadigitale.eu), in line with Art. 13(2)(e) GDPR. It also reminds users to avoid providing unnecessary sensitive data and references retention, ensuring internal consistency.
​
Online Reservations (Restaurant Service)
Our website provides an online table‑booking system for the restaurant. This service is implemented through an external platform (Wix Bookings), which acts as our technical provider. To make a reservation you will be asked for personal data such as first and last name, phone and/or email, as well as booking details (date, time, number of guests and any special requests). In some cases, to secure your reservation, we may ask for credit‑card details for pre‑authorisation or payment of a deposit: this electronic payment process is handled securely via Wix Payments, without our organisation storing your full card details. Payment data are transmitted using encrypted protocols to the payment processor and handled under high security standards; we only receive confirmation of the transaction outcome and a reference (token) to link it to your booking.
Using the booking system is optional: you can always contact us by phone or email to reserve a table. However, if you choose to use the online form, providing the requested data is necessary to process the reservation. Refusing to provide mandatory information (such as contacts) or payment details (when a deposit is required) will make it impossible to complete the online booking. When submitting the reservation request, you will be asked to confirm that you have read this privacy notice and, by confirming, you consent to the processing of data for the purpose of managing the reservation.
We use the data collected to: enter your details in our booking system, correctly reserve your table for the requested date and time, possibly send you confirmation or reminder communications (by email or SMS), and manage the deposit (with capture only in the event of no‑show, according to the terms communicated at the time of booking).
Data relating to online bookings are retained for the period indicated in the “Data Retention Period” section (in short: for as long as necessary to manage the reservation and the service provided, and possibly longer only if required by law—e.g., for tax purposes—or to protect our rights in case of disputes). Such data will not be used for other purposes (e.g., marketing) without your specific consent.
GDPR analysis & compliance: this section details the data processing related to the booking system, clarifies the role of Wix as processor and anticipates potential transfers outside the EU (developed further in the “Third‑country transfers” section), in line with transparency requirements (see agendadigitale.eu).
​
Profiling
Under the GDPR, profiling means any form of automated processing of personal data to evaluate or predict certain personal aspects of a natural person—particularly to analyse or predict preferences, interests, behaviour and the like. Within our activities, any profiling is limited to marketing and carried out only with your consent. For example, we may process data relating to your bookings or interactions with our site (such as pages visited or services used) to infer possible interests in order to offer tailored promotions.
To conduct such targeted marketing we may use specialised third parties (e.g., advertising platforms such as Google or Meta) that support us with analyses. In such cases, we protect users’ privacy by applying minimisation and security techniques: if, for example, we share customer lists with external partners for promotional campaigns (such as targeted messages on social networks), personal identifiers (emails, phone numbers) are encrypted or pseudonymised in advance using technologies such as hashing. This ensures that third parties cannot reconstruct the original data and use them only for the agreed purposes and in accordance with our instructions.
Automated decisions: we do not adopt fully automated decision‑making processes that produce legal effects or similarly significantly affect you, pursuant to Art. 22 GDPR. Any profiling we carry out aims only to personalise marketing (e.g., sending promotions aligned with expressed preferences) and is performed only with your consent, which you may refuse or withdraw at any time. In any case, you have the right to obtain human intervention, express your opinion and contest any decision based on profiling, as detailed in the “Data Subject Rights” section.
GDPR analysis & compliance: this section explains potential automated processing and confirms that no decisions with legal or similarly significant effects are made without human involvement, in line with Art. 13(2)(f) GDPR (see agendadigitale.eu).
Cooperation with Third Parties
We use trusted third‑party providers to deliver our services and have signed agreements to ensure they apply security and privacy standards equivalent to ours. These parties mainly act as processors under Art. 28 GDPR, committing contractually to process personal data only for agreed purposes and not for their own unauthorised purposes.
We may share user data, for example, with:
• IT providers and web platforms: e.g., Wix.com Ltd., provider of our online booking and hosting, which manages booking and payment data on our behalf; cloud or database services where collected data may be stored.
• Online analytics and marketing services: e.g., Google LLC (Google Analytics and Google Ads) and Meta Platforms, Inc. (Facebook/Instagram – Meta Pixel), which provide tools for statistical analysis and targeted advertising. These companies may process some browsing data (with consent, via cookies) to provide us with aggregated reports or targeting services. Shared information is limited to what is necessary (e.g., pseudonymous online identifiers) and, where possible, safeguards such as pseudonymisation or IP anonymisation for Google Analytics are applied.
• Payment services and banks: e.g., the Wix Payments gateway (which may use sub‑processors or networks such as Stripe) for credit‑card transactions related to bookings, or banks with which we maintain commercial relationships to manage receipts and payments. These entities process financial data as independent controllers or processors, as applicable.
• External consultants and professionals: legal, tax, accounting or auditing advisers (e.g., law firms, accountants, labour consultants) who may access user data where necessary and always under confidentiality and specific instructions.
All such third parties are bound by confidentiality and security requirements. Through adequate Data Processing Agreements or contractual clauses, we ensure they do not use the data for their own purposes and protect them according to legal standards. For advertising partners like Google or Meta, we adhere to their business terms, including EU‑approved Standard Contractual Clauses for international transfers (see below). In some cases, providers may be located outside the EEA or store data on international servers; the next paragraph explains how we ensure protection in such circumstances.
GDPR analysis & compliance: this section explicitly lists recipients/categories in accordance with Art. 13(1)(e) GDPR (see agendadigitale.eu) and outlines contractual safeguards and roles (controllers/processors), enhancing transparency.
​
Disclosure of Data
Personal data collected are not subject to indiscriminate dissemination. However, in specific cases data may be communicated to identified recipients, such as:
• External technical or commercial parties (as detailed in “Cooperation with Third Parties”).
• Public authorities and administrations: supervisory bodies or judicial authorities, but only where disclosure is required by law or order.
• Banks and financial intermediaries: to execute transactions (e.g., deposit charge or refunds).
• Professional advisers or other private entities for legitimate interest: e.g., lawyers to manage litigation, debt‑collection agencies, insurers, etc.
We always comply with the minimisation principle: only the data strictly necessary for the specific purpose of the transmission will be communicated. Absent a legal obligation or your specific consent, personal data will not be disseminated or communicated to parties other than those indicated in this notice.
GDPR analysis & compliance: this section clarifies that data are not publicly disseminated and summarises potential recipients, in line with Art. 13 GDPR and Italian DPA guidance.
​
Data Subject Rights
As a data subject you may exercise the rights provided for in Articles 15–22 GDPR at any time, free of charge, by contacting us at the above addresses (preferably by email at info@hoteltouring.bz, or by written request to the registered office). We will respond without undue delay and in any case within the maximum term set by the GDPR. In some cases we may need to verify your identity before fulfilling the request to ensure data are not disclosed to unauthorised persons.
• Right of access: to know whether your personal data are being processed and, if so, to access them along with related information (Art. 15 GDPR).
• Right to rectification: to have inaccurate personal data corrected or incomplete data completed without undue delay (Art. 16 GDPR).
• Right to erasure (“right to be forgotten”): to have your personal data deleted in the cases set out in Art. 17 GDPR (e.g., data no longer necessary, consent withdrawn, unlawful processing).
• Right to restriction of processing: to obtain restriction in certain circumstances (Art. 18 GDPR), e.g., when contesting accuracy or pending legal claims.
• Right to data portability: for automated processing based on consent or a contract, to receive the personal data you provided in a structured, commonly used and machine‑readable format and to have them transmitted to another controller where technically feasible (Art. 20 GDPR).
• Right to object: to object at any time, on grounds relating to your particular situation, to processing based on legitimate interests; and to object at any time to processing for direct marketing, including related profiling (Art. 21 GDPR).
• Right to withdraw consent: where processing is based on consent, to withdraw it at any time; this does not affect the lawfulness of processing before withdrawal (Art. 7(3) GDPR).
• Right not to be subject to automated decision‑making: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not use such processes without human intervention; should they be introduced, you will be guaranteed the safeguards in Art. 22 GDPR.
In addition, you always have the right to lodge a complaint with a Supervisory Authority if you believe that processing violates applicable law. In Italy the authority is the Garante per la protezione dei dati personali (Piazza Venezia 11, 00187 – Rome, www.garanteprivacy.it).
GDPR analysis & compliance: this section satisfies Art. 13(2)(b)-(d) GDPR by detailing rights and the right to complain to the supervisory authority.
​
Place of Processing and Extra‑EEA Transfers
Processing mainly takes place at our operating premises and in EU/EEA Member States. However, some of our external providers may be located or use servers outside the EEA (so‑called ‘third countries’). For example, Wix.com is based in Israel, Google and Meta are based in the United States.
Whenever it is necessary to transfer personal data to a third country, we will ensure that one of the conditions in Chapter V GDPR (Arts. 44 et seq.) applies to guarantee an adequate level of protection. Transfers may take place to countries covered by an adequacy decision (e.g., Israel) or be governed by the EU Standard Contractual Clauses with any necessary supplementary measures. In some cases, we may ask for your specific informed consent where no other safeguards apply.
We monitor regulatory developments (e.g., ‘Schrems II’) and will adapt contracts and technical measures to maintain EU‑level protection. For more information (including copies of SCCs), please contact us.
GDPR analysis & compliance: this section meets Art. 13(1)(f) GDPR by informing about international transfers and safeguards (e.g., adequacy decisions, SCCs).
​
Security Measures
We attach great importance to the security of your personal data. We have implemented appropriate technical and organisational measures to protect data against unauthorised access, disclosure, alteration or destruction. Our website uses HTTPS/SSL; servers are protected by firewalls, antivirus and monitoring systems; access is limited to authorised, trained personnel and necessary providers under confidentiality agreements.
We have internal procedures for handling personal‑data breaches: where an incident entails high risk to individuals, we will notify the Italian DPA and, if necessary, the data subjects, in line with Arts. 33–34 GDPR. We periodically review our policies and measures to keep protection up to date with evolving technology and threats.
While absolute security cannot be guaranteed, we take all reasonable steps in line with Art. 32 GDPR to safeguard your data.
GDPR analysis & compliance: although not strictly required to be detailed in the notice, communicating our protection standards increases transparency and confidence.
​
Minors
Services offered through our site (such as reservations, newsletter subscriptions, information requests) are intended for users aged over 14. Under Italian law, a minor under 14 cannot on their own provide valid consent for data processing in the context of information‑society services. We do not knowingly collect personal data of children under 14 without verifiable parental consent. If we become aware that we have inadvertently collected such information, we will promptly delete it.
For minors aged 14 to 18, we recommend using our services with the involvement and supervision of a parent/guardian, especially for marketing subscriptions or bookings.
GDPR analysis & compliance: this section aligns with Art. 8 GDPR and Italian law (minimum age 14).
​
Updates to this Notice
This privacy notice is reviewed periodically. We reserve the right to make changes or updates at any time, if our processing activities change or to reflect regulatory updates. The updated notice will be published on this page with the date of last update. If changes are significant or require new consent, we will notify you via available contact channels.
This Privacy Notice is governed by Italian law. For any dispute arising from or related to it, the Court of Bolzano (Italy) shall have exclusive jurisdiction. In the event of discrepancies between language versions, the Italian version shall prevail.