Privacy notice for the processing of personal data on the website shop.luganoregion.com

Introduction

The purpose of this page (hereinafter the "Notice") is to inform the user about the processing of personal data carried out within the site shop.luganoregion.com and related online resources such as the contact form, email, newsletter, social media accounts, and e-commerce platform (hereinafter collectively referred to as the "Site").

Paragraphs A and B specify the ownership of the Site and the contacts, as well as describe the mechanism for accepting and reviewing the Notice. Information on personal data processing activities and cookies is specified in paragraph C. The rights of the data subjects are listed in paragraph D. Finally, paragraph E governs the applicable substantive law to the legal relationship between the parties and establishes the competent court in the event of a dispute related to such a relationship.

A. Site Owner and Communications

The data controller as the owner of the Site's content and the entity that determines the purpose and means of the processing of personal data is the Ente Turistico del Luganese, Via Giovanni Nizzola 2, 6901 Lugano (www.luganoregion.com) (hereinafter the "Controller").

Attention: as filters are in use to protect the security of the Controller and users, an email communication is considered received only if there is a response or confirmation of receipt. Otherwise, the user should consider the communication as not delivered.

Contacts:

• Ente Turistico del Luganese, Via Giovanni Nizzola 2, 6901 Lugano
• Email: privacy@luganoregion.com
• Tel: +41 58 220 65 00

B. Notice Acknowledgment │ Acceptance │ Changes

The reference Notice is the one in force at the time of accessing the Site. The most updated version can be viewed by clicking on the appropriate link at the bottom of each page of the Site (link). It is the user's responsibility to carefully check the status of the Notice before using the Site, as the Controller reserves the right to update the Notice at any time, particularly in response to the evolution of applicable law, functionalities, and services and products made available to the user.

C. Personal Data Processing and Cookies

Legal Framework and General Concepts

Applicable Law

The processing of personal data through the Site is governed by Swiss federal data protection law (hereinafter "LPD").

Definition of "personal data" according to the LPD

This includes all information relating to an identified or identifiable natural person such as name, surname, address, date of birth, consumption data, email, phone number, IP address (what is it?), personal preferences and interests, purchases made, web pages visited, geolocation data, etc.

Definition of "particularly sensitive data" according to the LPD

This includes highly sensitive personal data: (i) data regarding religious, philosophical, political, or union opinions or activities, health, intimate sphere, or racial or ethnic origin (ii) genetic data (iii) biometric data that uniquely identify a natural person (iv) data concerning administrative and criminal prosecutions and sanctions (vi) data concerning social assistance measures.

Definition of "profiling"

This is the automated processing of personal data consisting of using the same to evaluate certain personal aspects of a natural person, particularly to analyze or predict aspects concerning job performance, economic situation, health, preferences, interests, reliability, behavior, location, and movements of such person.

Definition of "high-risk profiling"

This is profiling that poses a high risk to the personality or fundamental rights of the data subject, as it involves linking data that allows evaluating essential aspects of a natural person's personality.

User's obligation to protect access credentials and personal devices

The use of the Internet and email is exposed to security risks. The user has the duty to ensure the security of their devices and passwords (particularly those related to the Site and their email) through appropriate technical and organizational measures. User's obligation to provide correct data and any changes to personal data. The user is responsible for the accuracy of the personal data provided to the Controller. They must also spontaneously and promptly communicate any changes to personal data to keep the records constantly updated.

Legal basis for personal data processing

A personal data processing is unlawful when it constitutes a violation of personality rights. This can be justified based on the data subject's consent, a prevailing public or private interest, or the law. A prevailing private interest exists particularly if the processing is necessary for the provision of goods and/or services requested by the customer. Where required by law, for example, in the case of certain marketing or advertising activities involving user profiling or the adoption of automated decisions or the processing of particularly sensitive personal data, the Controller will request informed consent from the user through electronic channels (online or email) or analog channels (postal mail). Disclaimers. Given the nature of the Internet as an "open network," the Controller does not guarantee that the data provided by the user cannot be intercepted or acquired by unauthorized third parties. The user is also solely responsible for choosing their email service provider and for the proper and secure handling of their personal data outside the Site. Specialized service providers contracted with personal data. The Controller uses external IT service providers to ensure the proper functioning of the Site. These providers have access to the data only to the extent strictly necessary for their tasks and are subject to strict confidentiality and non-use obligations concerning personal data. They must also be established in Switzerland or (where strictly necessary) in foreign countries benefiting from an adequacy decision by the Federal Council. The complete and updated list of providers is available for viewing at the Controller's headquarters. For data and IT system security reasons, some information may be anonymized or masked.

Relationship with European Personal Data Protection Law

Switzerland is not a member state of the European Union (EU), so European law is not directly applicable. Article 3 paragraph 2 of the General Data Protection Regulation (EU) 679/2016 (hereinafter "GDPR") specifies that the regulation applies to entities established outside the EU in the case of data processing related to: (i) offering goods or services to individuals in the EU, or (ii) monitoring the behavior of individuals in the EU. The Controller does not direct its activities towards the EU nor monitor the behavior of those located in the EU, so the GDPR does not apply.

Swiss law provides adequate personal data protection as confirmed by the European Commission on July 26, 2000 (the adequacy decision is downloadable here). In the exceptional case of GDPR applicability, this document serves as notice under Articles 13 and 14. In addition to benefiting from all protections provided by the GDPR, the user can exercise the rights as expressed in Articles 15, 16, 17, 18, 19, 20, 21, 22 GDPR by contacting the Controller.

The user has the right at any time, within the limits and conditions set by the GDPR, to request access to their personal data, rectification, deletion, restriction of processing, or to object to processing, as well as to exercise the right to data portability. If the processing is based on Article 6 paragraph 1 letter a) or Article 9 paragraph 2 letter a) GDPR, the user has the right to withdraw consent at any time.

They also have the right to lodge a complaint with the competent supervisory authority. In case of a data portability request, the Controller provides in a structured, commonly used, and machine-readable format the personal data concerning the user, subject to paragraphs 3 and 4 of Article 20 GDPR. Subject to any other administrative and judicial remedy, if the user believes that the processing of personal data concerning them violates the GDPR, they have the right to lodge a complaint with the competent Data Protection Supervisory Authority (EU: list of national authorities).

In no case should references to the GDPR be understood as voluntary submission to this regulation or to the supervision and/or decision-making power of any foreign authority (with respect to Switzerland).

 

Informazioni di dettaglio sulle attività di trattamento di dati personali

1. Browsing the Site

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: enabling the use of the website;
• Categories of personal data processed: (i) IP address of the device used by the user; (ii) pages visited by the user;
• Recipients or categories of data recipients: no recipient;
• Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the LPD (https://www.shopify.com/it/legal/privacy);
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) however, we do not collect personal data, web analytics are processed with Shopify;

2. Shopify

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) tourism promotion through the free distribution of informational material; (iv) statistical purposes;
• Categories of personal data processed: (i) email address; (ii) user's IP address (what is it?); (iii) name and surname of the data subject; (iv) language; (v) interests and activities;
• Recipients or categories of data recipients: Shopify;
• Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the LPD (https://www.shopify.com/it/legal/privacy);
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify;

2.1. Shopify Plugins

2.1.1 - Translate & Adapt

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;
• Categories of personal data processed: (i) none;
• Recipients or categories of data recipients: (i) Shopify; (ii)Controller;
• Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the LPD (https://www.shopify.com/it/legal/privacy);
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

2.1.2 - Point of Sale

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;
• Categories of personal data processed: (i) name; (ii) email address; (iii) phone number; (iv) user's IP address; (v) geolocation; (vi) browser and operating system;
• Recipients or categories of data recipients: (i) Shopify; (ii) Controller;
• Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the LPD (https://www.shopify.com/it/legal/privacy);
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

2.1.3 - Geolocation

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;
• Categories of personal data processed: (i) user's IP address; (ii) geolocation;
• Recipients or categories of data recipients: (i) Shopify; (ii) Controller;
• Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the LPD (https://www.shopify.com/it/legal/privacy)
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

2.1.4 - Social Media Icons Ultimate

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;
• Categories of personal data processed: (i) none;
• Recipients or categories of data recipients: (i) Shopify; (ii) Controller;
• Transfers abroad and protection measures adopted (with respect to Switzerland): data transfer in accordance with the developer's policy (https://kilatechapps.com/iconbar/policy);
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

2.1.5 - Evey Events & Tickets

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;
• Categories of personal data processed: (i) name; (ii) email address; (iii) phone number; (iv) user's IP address; (v) geolocation; (vi) browser and operating system;
• Recipients or categories of data recipients: (i) Shopify; (ii) Controller;
• Transfers abroad and protection measures adopted (with respect to Switzerland): data transfer in accordance with the developer's policy (https://staytuned.digital/privacy-policy/);
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

2.1.6 - T Lab Translate

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;
• Categories of personal data processed: (i) none;
• Recipients or categories of data recipients: (i) Shopify; (ii) Developer; (iii) Controller;
• Transfers abroad and protection measures adopted (with respect to Switzerland): data transfer in accordance with the developer's policy (https://sherpas.design/blogs/news/privacy-policy);
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

2.1.7 - RT: Terms and Conditions Box

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;
• Categories of personal data processed: (i) none;
• Recipients or categories of data recipients: (i) Shopify; (ii) Controller;
• Transfers abroad and protection measures adopted (with respect to Switzerland): data transfer in accordance with the developer's policy (https://haloroar.com/privacy);
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

2.1.8 - Wallee

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;
• Categories of personal data processed: (i) name; (ii) email address; (iii) phone number; (iv) user's IP address; (v) geolocation; (vi) browser and operating system;
• Recipients or categories of data recipients: (i) Shopify; (ii) Controller;
• Transfers abroad and protection measures adopted (with respect to Switzerland): data transfer in accordance with the developer's policy (https://en.wallee.com/legal/privacy-policy);
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

3. User Area

• Identity and contact details of the data controller: see paragraph A above;
• Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;
• Categories of personal data processed: (i) email address; (ii) user's IP address; (iii) name and surname of the data subject; (iv) language; (v) interests and activities;
• Recipients or categories of data recipients: Shopify;
• Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the LPD (https://www.shopify.com/it/legal/privacy);
• Rights of the data subject: see paragraph D below;
• Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

Use of cookies and their management

What are cookies? Cookies are small text files deposited in the user's system by servers during web browsing. Thanks to cookies, servers can recognize the user's browser during the current session and in case of a subsequent visit.

Types of cookies

Cookies are divided into various types:

• When the entity that deposits the cookie on the user's system coincides with the visited site, the cookie is called "first-party." Otherwise, it is called "third-party."
• "Session" cookies are automatically deleted when the user closes the browser, while "persistent" cookies remain stored until their expiration date. "Technical" cookies make safe and smooth web browsing possible, as well as the provision of services and content requested by the user.
• "Analytical-statistical" cookies are assimilated to technical cookies when they are used directly by the site to collect aggregated information on the number of users and how they interact with the site.
• "Tracking" / "profiling" cookies are generally third-party cookies used to detect and analyze the user's online behavior, specifically to show them personalized advertisements.

What cookies does the Site implement?

The detailed and constantly updated list of cookies in use with the related privacy notice is visible by activating the following link: shop.luganoregion.com/pages/cookies.

The Controller reserves the obligation to inform about the processing activities carried out in its role as Data Controller with the data collected through cookies (see previous paragraphs).

Chance of deactivating/deleting cookies

The user has the option to choose freely which cookies to authorize and which to refuse through the cookie management plug-in present on the home page of the Site. There is the possibility to deny consent to non-essential cookies (including analytical-statistical cookies) with one click, keeping technical cookies active. The user can also set their browser to inform them about the receipt of cookies or block cookies (generally or by cookie type or by origin site). The general blocking of cookies, as it also applies to technical cookies, may result in limitations in the use of the Site. It is recommended to manually delete cookies from the browser memory as well as to set the browser to automatically delete cookies when closing the program.

By default, browsers generally accept cookies. Instructions for deactivating or deleting cookies are available on the browser developer's website (referenced). There are other ways to reduce the risk of online tracking (usable cumulatively):

• activate the DoNotTrack option on the browser (if available);
• use the private or anonymous browsing functionality of the browser (if available), which prevents cookies from being stored after browsing;
• install privacy plug-ins such as uBlock Origin, Privacy Badger, or Ghostery on the browser;
• exercise the right to be excluded from specific behavioral advertising schemes (e.g., DAA Consumer Opt-Out Page; NAI Consumer Opt-Out Page).

Use of social media "plug-ins" and "widgets"

What are social media "plug-ins" and "widgets"?

Social plug-ins are optional software that connect sites to social media to allow users to interact easily with online content (e.g., "Like" or "Share" on Facebook).

Social plug-ins include so-called "widgets," graphic command elements inserted into the corresponding sections of the site to allow the user to access social plug-in functionalities.

With a simple click on the widget, the user can, for example, share content within their preferred social media. If the user activates the social plug-in, the browser makes a direct connection to the social plug-in provider's servers (e.g., Facebook). For this reason, certain personal information such as the IP address and visited pages are transmitted to the social plug-in provider.

List of active social media plug-ins/widgets with respective provider and link to the specific provider's data processing notice. The Site currently implements the following social media plug-ins/widgets governed by their respective privacy notices::

• Facebook: politica protezione dei dati e privacy: privacy policy; cookie
• Instagram: politica protezione dei dati e privacy: privacy policy; cookie
• YouTube: politica protezione dei dati e privacy: privacy policy; cookie
• TikTok: politica protezione dei dati e privacy: privacy policy; cookie 
• LinkedIn: politica protezione dei dati e privacy: privacy policy; cookie

The Controller reserves the obligation to inform about the processing activities carried out in its role as Data Controller with the data collected through the respective social media (see previous paragraphs).

D. Rights of Data Subjects

Legitimacy and exercise

The data subject can exercise their rights in writing through a motivated request to be sent by ordinary or electronic mail to the Controller (for contacts see paragraph A above) attaching the necessary documents along with proof of identity and legitimacy.

Response timing

The Controller undertakes to respond to the request without delay but in any case, except for exceptional circumstances, within 30 days from receipt of the same complete with all necessary information.

Specific rights

According to the provisions of federal data protection law (LPD), under the conditions established by law, the data subject has the following rights concerning their personal data:

• to obtain the rectification of inaccurate or outdated personal data;
• to obtain written and free confirmation whether personal data concerning them is being processed or not;
• to revoke previously given consent to data processing;
• to prevent the disclosure to third parties of particularly sensitive personal data;
• to express their opinion on an automated individual decision or to request that it be reviewed by a natural person;
• to obtain the delivery of their personal data or to demand their transmission to third parties;
• to request that data processing be blocked, that communication to third parties be prevented, or that personal data be rectified or destroyed;
• to request that a specific data processing be prohibited, a particular communication of personal data to third parties be prohibited, or personal data be deleted or destroyed;
• if neither the accuracy nor the inaccuracy of personal data can be proven, to request that a note be added to the data indicating its contested nature;
• to request that the rectification, deletion, or destruction, blocking particularly communication to third parties, as well as the note of contested nature or judgment be communicated to third parties or published;
• to ascertain the unlawfulness of personal data processing.

Advice and request for information

Any questions regarding the rights of data subjects concerning personal data processing and their exercise in the municipal and cantonal public sector can also be directed to the Cantonal Data Protection Officer using the following contacts: Office of the Cantonal Data Protection Officer, Via Canonico Ghiringhelli 1, 6501 Bellinzona; tel. +41 91 814 45 00; online form (link). In the private sector, the Federal Data Protection and Information Commissioner (FDPIC) can be contacted for information and advice through the online form (link).

E. Applicable Law and Jurisdiction

The legal relationship between the user and the Ente Turistico del Luganese concerning access and use of the Site (and related resources) is governed by Swiss substantive law with reservation for applicable cantonal law, excluding international private law rules.

The parties choose the court competent for the matter for the District of Lugano as the exclusively competent court in case of a dispute arising from or simply connected with the use of the Site (and related resources), subject to any imperative law norms imposing a different forum. The Ente Turistico del Luganese reserves the right to bring the matter before the court competent at the user's registered office, branch, or domicile.

 

Vers-01 / Effective Date: 23.05.2024