Privacy Notice concerning the processing of personal data at www.luganoregion.com and related online resources

Introduction

The purpose of this document (hereinafter, the 'Privacy Notice') is to inform the User about the processing of personal data carried out on the website www.luganoregion.com and related online resources, such as the contact form, e-mail, newsletter, social media accounts and e-commerce platform (hereinafter, globally, the 'Website'). 

Paragraphs A and B specify the controller and contact details and describe the mechanism for accepting and reviewing the Privacy Notice. Information on personal data processing activities and cookies is specified in paragraph C. The rights of data subjects are listed in paragraph D. Finally, paragraph E governs the substantive law applicable to the legal relationship between the parties and establishes the competent court in the event of a dispute related to that relationship.

A. Data Controller and contact

Ente Turistico del Luganese, Via Giovanni Nizzola 2, 6901 Lugano (www.luganoregion.com) is the owner of the Website's contents and as Data Controller determines the purpose and the means of processing personal data (hereinafter, the 'Data Controller').

Please note

Since filters are used to protect the security of the Data Controller and Users, a communication by e-mail is only deemed to have been received if there is a reply or confirmation of receipt. Otherwise, the User must consider the communication as undelivered.

Contacts

B. Acknowledgement of Policy │ Acceptance │ Amendments

The relevant Privacy Notice is the one in force at the time of access to the Website. The latest version can be viewed by clicking on the appropriate link at the bottom of each page of the Website. It is the User's responsibility to carefully check the status of the Privacy Notice prior to using the Website, as the Data Controller reserves the right to update the Privacy Notice at any time, particularly in accordance with changes in applicable law, features, services and products made available to the User.

C. Processing of personal data and cookies

Legal framework and general terms

Applicable law

The processing of personal data through the Website is governed by the Cantonal Act on Data Protection (hereinafter, 'LPDP') in relation to activities involving the performance, directly or on behalf of third parties, of public tasks established by cantonal or municipal law. On the other hand, where the processing of personal data is of an economic nature and does not derive from a sovereign power, such processing is governed by the Swiss Federal Act on Data Protection (hereinafter, 'FADP').

Definition of 'personal data' according to the LPDP

Personal data means any indication or information that directly or indirectly allows the identification of a person, whether a natural person or a legal entity.

Definition of 'personal data' according to the FADP

Personal data means any information relating to an identified or identifiable natural person, such as name, surname, address, date of birth, consumption data, e-mail, telephone number, IP address, personal preferences and interests, purchases made, web pages visited, geolocation etc.

Definition of 'sensitive personal data' under the LPDP

This refers to information on religious, philosophical or political opinions or activities, intimate, psychic, mental or physical state, as well as crimes committed, sanctions and measures taken.

Definition of 'sensitive personal data' under the FADP

Sensitive personal data means: (i) data relating to religious, philosophical, political or trade union-related views or activities, health, the private sphere or affiliation to a race or ethnicity, (ii) genetic data, (iii) biometric data that uniquely identifies a natural person, (iv) data relating to administrative and criminal proceedings or sanctions, (v) data relating to social assistance measures.

Definition of 'profiling'

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Definition of 'high-risk profiling'

High-risk profiling means profiling that poses a high risk to the data subject’s personality or fundamental rights by matching data that allow an assessment to be made of essential aspects of the personality of a natural person.

User's obligation to protect access credentials and personal devices

The use of the Internet and e-mail is exposed to security risks. The User must take appropriate technical and organisational measures to ensure the security of his or her devices and passwords (in particular, passwords to the Website and to his or her e-mail).

User's obligation to communicate correct data as well as any changes to personal data

The User is responsible for the correctness of the personal data communicated to the Data Controller. The User must likewise spontaneously and promptly communicate any changes in personal data so that the records can be kept constantly up-to-date.

Grounds for justification of personal data processing

The processing of personal data is unlawful when it constitutes a breach of personality. A breach of personality may be justified by the consent of the data subject, by an overriding public or private interest, or by the law. There is an overriding private interest, in particular, if the processing is necessary with a view to the provision of goods and/or services requested by the customer. Where required by law, e.g. in the case of certain marketing or advertising activities involving the profiling of the User or the adoption of automated decisions or the processing of sensitive personal data, the Data Controller shall submit an informed consent request to the User via electronic (online or by e-mail) or analogue (regular mail) channels.

Exclusions of liability

Given the nature of the Internet as an "open network", the Data Controller does not guarantee that the data provided by the User cannot be intercepted or acquired by unauthorised third parties. The User is solely responsible for his or her choice of e-mail service provider and for the proper and safe handling of his or her personal data outside the Website.

Specialised service providers in contact with personal data

The Data Controller makes use of external service providers in the field of information technology to ensure the proper functioning of the Website. These providers only have access to the data to the extent strictly necessary for the performance of their tasks, subject to strict obligations of confidentiality and non-use in relation to personal data. They must also be established in Switzerland or (where strictly necessary) in foreign countries subject to an adequacy decision by the Federal Council. The complete and up-to-date list of suppliers is available for viewing at the Data Controller’s headquarters. For reasons of data security and computer systems, certain information may be anonymised or masked out.

Relationship with European data protection law

Switzerland is not a Member State of the European Union (EU), so European law is not directly applicable. Article 3(2) of the General Data Protection Regulation (EU) 679/2016 (hereinafter "GDPR") specifies that the Regulation applies to entities not established in the Union, where the processing activities are related to: (i) the offering of goods or services to data subjects in the Union or (ii) the monitoring of their behaviour within the Union.

The Data Controller does not direct business to the Union, nor does it monitor the behaviour of data subjects who are in the Union, so the GDPR is inapplicable. Swiss law offers adequate protection of personal data, as determined by the European Commission on July 26, 2000 (the adequacy decision can be downloaded here).

In the (exceptional) case of being subject to the GDPR, this document is valid as Privacy Notice pursuant to and for the purposes of Articles 13 and 14. In addition to benefitting from all the protections provided for by the GDPR, the User may assert his or her rights as expressed in Articles 15, 16, 17, 18, 19, 20, 21, 22 GDPR, by contacting the Data Controller. The User has the right, at any time, within the limits and under the conditions established by the GDPR, to request access to his or her personal data, rectification, erasure of personal data, restriction of processing concerning him or her or to object to processing as well as the right to data portability. If the processing is based on Article 6(1)(a) or Article 9(2)(a) GDPR, the User has the right to withdraw consent at any time. The User also has the right to lodge a complaint with the competent supervisory authority. In the event of a request for data portability, the Data Controller shall provide, in a structured, commonly used and machine-readable format, the personal data concerning the User, subject to paragraphs 3 and 4 of Article 20 GDPR.

Without prejudice to any other administrative or judicial appeal, should the User consider that the processing of his or her personal data violates the provisions of the GDPR, he or she has the right to lodge a complaint with the competent Data Protection Supervisory Authority (EU: list of national authorities). 

Under no circumstances are references to the GDPR to be understood as voluntary subjection to such legislation, respectively to the supervision and/or decision-making power of any foreign authority (with respect to Switzerland).

Detailed information on personal data processing activities

1. Navigating the Website

  • identity and contact details of the Data Controller: see paragraph A. above;
  • purpose of processing and grounds for justification (where the LPDP applies): to enable the use of the Website;
  • categories of processed personal data: (i) IP address of the device used by the User; (ii) pages visited by the User;
  • recipients or categories of recipients of personal data: no recipients;
  • cross-border disclosure of personal data and protection guarantees adopted (in relation to Switzerland): no data transfer abroad;
  • rights of the data subject: see paragraph D. below;
  • complements in support of the transparency principle: (i) you may request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) we do not collect personal data in any case: web analyses are processed with Matomo, a tool that anonymises all User data (Matomo's FADP); (iii) server-side saved IP addresses are deleted every 28 days.

2. Live Chat

  • identity and contact details of the Data Controller: see paragraph A. above;
  • purpose of processing and grounds for justification (where the LPDP applies): (i) to enable the use of the online tool; (ii) to identify the User; (iii) to verify the legitimacy of the User's request; (iv) to correspond with the User; (v) to follow up the User's request; (vi) to retain data concerning the transaction for contractual, commercial, tax, accounting and administrative purposes;
  • categories of processed personal data: (i) the IP address of the device used by the User; (ii) the User's name; (iii) the User's email address; (iv) other means of communication to correspond with the User (e.g. telephone number);
  • recipients or categories of recipients of personal data: we have delegated the processing of personal data within the scope of the provision of the Live Chat tool to the following IT service provider: USERLIKE (https://www.userlike.com):
    • USERLIKE provides and manages the Live Chat tool that the User uses when submitting his or her request; USERLIKE collects the following personal data: IP address of the device used by the User; User's name; User's email address; other means of communication to correspond with the User (telephone number);
  • cross-border disclosure of personal data and protection guarantees adopted (in relation to Switzerland): no third parties, with the exception of USERLIKE (as Data Processor), limited to the data specified in the previous paragraph; destination country Germany (country with an adequate level of data protection under the Swiss Federal Act on Data Protection);
  • rights of the data subject: see paragraph D. below;  
  • complements in support of the transparency principle: you may request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com.

3. Marketplace

4. E-Shop 

  • identity and contact details of the Data Controller: see paragraph A above;
  • purpose of processing and grounds for justification: (i) identifying the user; (ii) sales purposes; (iii) tourism promotion through the free distribution of informational material; (iv) statistical purposes;
  • categories of processed personal data: (i) email address; (ii) user's IP address; (iii) name and surname of the data subject; (iv) language; (v) interests and activities;
  • recipients or categories of recipients of personal data: Shopify;
  • cross-border disclosure of personal data and protection guarantees adopted (in relation to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the LPD (https://www.shopify.com/it/legal/privacy);
  • rights of the data subject: see paragraph D. below; 
  • complements in support of the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the personal data collected is used solely for the sale of the requested products and is not used for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

5. Contact form

  • identity and contact details of the Data Controller: see paragraph A. above;
  • purpose of processing and grounds for justification (where the LPDP applies): (i) to enable the use of the Online Form; (ii) to identify the User; (iii) to verify the legitimacy of the User's request; (iv) to correspond with the User; (v) to follow up on the User's request; (vi) to retain data concerning the transaction for contractual, commercial, tax, accounting and administrative purposes; (vii) to send newsletters to customers (for similar products and services) and non-customers (subject to consent to be included in the mailing list);
  • categories of processed personal data:
    • personal data processed on a compulsory basis: (i) IP address of the device used by the User; (ii) personal data required by the Online Form (marked with an asterisk*) and entered by the User; (iii) services and products provided to the User;
    • personal data processed on an optional basis: personal data required by the Online Form (without an asterisk*);
  • recipients or categories of recipients of personal data: we have delegated the processing of personal data in the context of making the Online Form available to the following IT service provider: JOTFORM (https://www.jotform.com):
    • JOTFORM provides and manages the Online Form that the User fills out when submitting his or her request; JOTFORM collects the following personal data: IP address of the device used by the User; personal data entered by the User in the online Form;
  • cross-border disclosure of personal data and protection guarantees adopted (in relation to Switzerland): no third parties, with the exception of JOTFORM (as Data Processor), limited to the data specified in the preceding paragraph; destination country Germany (country with an adequate level of data protection under the Swiss Federal Act on Data Protection);
  • rights of the data subject: see paragraph D. below;
  • complements in support of the transparency principle: you may request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com.

6. Newsletter

  • identity and contact details of the Data Controller: see paragraph A. above;
  • purpose of processing and grounds for justification (where the LPDP applies): (i) to enable the use of the newsletter; (ii) to identify the User; (iii) for statistical purposes;
  • categories of processed personal data: (i) e-mail address; (ii) User's IP address; (iii) data subject's first and last name; (iv) language; (v) interests and activities;
  • recipients or categories of recipients of personal data:
    • Data Controller: Ente Turistico del Luganese. With explicit consent, the Newsletter is set up to track the recipient's usage behaviour, in particular for profiling purposes; we therefore collect information regarding the opening of the e-mail, the time or duration of reading and also the links activated;
    • third parties who process personal data on our behalf: we manage the Newsletter via the platform of a specialised service provider, Salesforce, SFDC Ireland Limited, Dublin - Ireland (https://www.salesforce.com); 
  • cross-border disclosure of personal data and protection guarantees adopted (in relation to Switzerland): data are stored in data servers in Ireland and are not transferred to the USA;
  • rights of the data subject: see paragraph D. below;
  • complements to support the principle of transparency: (i) you may request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) the Newsletter is a free and optional service for information on Lugano Region activities; (iii) it is possible to unsubscribe from the mailing list at any time and with immediate effect by clicking on the "Unsubscribe from this newsletter" link at the bottom of each e-mail; (iv) the Newsletter is set up to track the recipient's usage behaviour, in particular for profiling purposes, thus we collect information about the opening of the e-mail, the time or duration of reading and also the links activated.

7. Contest

  • identity and contact details of the Data Controller: see paragraph A. above;
  • purpose of processing and grounds for justification (where the LPDP applies): (i) to enable participation in the contest; (ii) to select the winner in the manner provided for in the contest; (iii) to notify the winner of the outcome of the contest (by private message); (iv) to mail or send the winner the prize or the representative title thereof; (v) to communicate the winner’s identification data to the party offering the prize upon its request (e.g. hotel, event organiser, restaurant, cinema, theatre, etc.); (vi) to store data relating to the contest for tax, accounting and/or administrative purposes;
  • categories of processed personal data: (i) data relating to the participant’s profile (first name, surname, pseudonym, nickname, social media affiliation); (ii) data relating to the contest (social media, title of the post, date and period of publication), data relating to the activity requested (e.g. comment to the post, date and time of the activity); (iii) data relating to the winner (first name, surname, date of birth, identity card, address, telephone number and e-mail address);
  • recipients or categories of recipients of personal data: none, except for the party offering the prize (limited to data concerning the prize and the winner);
  • cross-border disclosure of personal data and protection guarantees adopted (in relation to Switzerland): no data transfer abroad;  
  • rights of the data subject: see paragraph D. below;
  • retention: (i) within 30 days of the award date, personal data are destroyed or anonymised; (ii) data relevant for accounting purposes are retained for 10 years from the end of the relevant accounting year;
  • complements to support the principle of transparency: (i) further information on the terms and conditions of participation in the contest at the following link; (ii) you may request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com.

8. Direct marketing with prior consent

  • identity and contact details of the Data Controller: see paragraph A. above;
  • purpose of processing and grounds for justification (where the LPDP applies): commercial communication through which our organisation communicates directly with specific contacts, including on a one-to-one basis and without the use of intermediaries, specifically in the following two ways: - offline: (i) promotional postcards; (ii) informative phone calls; - online: (i) Google ADS; (ii) e-mail marketing; (iii) social campaigns;
  • categories of processed personal data: (i) first name and surname; (ii) e-mail address; (iii) telephone number; (iv) address; (v) data provided by the User in connection with direct marketing activities;
  • recipients or categories of recipients of personal data: Users who have subscribed to our direct marketing campaigns after accepting the relevant processing;
  • cross-border disclosure of personal data and protection guarantees adopted (in relation to Switzerland): no data transfer abroad;
  • rights of the data subject: see paragraph D. below;
  • complements to support the principle of transparency: (i) you may request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com; (ii) processing constituting direct marketing takes place only with the User's prior consent.

9. Profiled marketing

  • identity and contact details of the Data Controller: see paragraph A. above;
  • purpose of processing and grounds for justification (where the LPDP applies): to inform Users about the activities of Ente Turistico del Luganese only after explicit consent; 
  • categories of processed personal data: (i) e-mail address; (ii) User's IP address; (iii) data subject's first and last name; (iv) language; (v) interests and activities; (vi) country;
  • recipients or categories of recipients of personal data: Ente Turistico del Luganese; with explicit consent, the communication is set up to track the recipient's usage behaviour;
  • cross-border disclosure of personal data and protection guarantees adopted (in relation to Switzerland): no data transfer abroad;
  • rights of the data subject: see paragraph D. below;
  • complements in support of the transparency principle: you may request detailed information on the personal data retention policy within a specific processing by writing to privacy@luganoregion.com.

Use of cookies and their management

What are cookies?

Cookies are small text files stored on the User's system by servers during web browsing. Thanks to cookies, the servers are able to recognise the User's navigator (browser) during the browsing activity and on subsequent visits. 

Types of cookies

Cookies are divided into various types. 

  • When the party depositing the cookie on the User's system coincides with the website visited, the cookie is called a 'first party' cookie. Otherwise, it is called a 'third-party' cookie.
  • 'Session' cookies are automatically deleted when the User closes the browser, while 'persistent' cookies are stored until their expiry date. 'Technical' cookies are used to browse the web safely and easily and provide the User with the services and content requested.
  • 'Analytical-statistical' cookies are assimilated to technical cookies when they are used directly by the Website to collect information, in aggregate form, on the number of Users and how they interact with the Website. 
  • 'Tracking / profiling' cookies are cookies, generally third-party cookies, used to track and analyse the User's online usage behaviour, in particular for the purpose of serving him or her personalised advertisements.

What cookies does the Website implement? 

The detailed and constantly updated automated list of cookies in use, together with the corresponding privacy notice, can be viewed by clicking on the following link

The Data Controller’s obligation to inform about the processing activities carried out in its capacity as Data Controller with the data collected via cookies is reserved (see previous paragraphs).

How to disable/delete cookies?

The User may, through the cookie management banner on the home page of the Website, freely choose which cookies to authorise and which to reject. It is possible to refuse consent to cookies that are not strictly necessary (including statistical-analytical cookies) with one click, while keeping technical cookies active. The User also has the opportunity to manage cookie blocking through his or her browser’s set-up (generally or by type of cookie or by website of origin) or set his or her browser so that he or she will be advised of the receipt of cookies. It is important to know, however, that disabling cookies generally also affects technical cookies, so some of the features of the Website may not be available. We recommend deleting the cookies from the browser when closing the program, either manually or automatically through the browser set-up options.

By default, browsers automatically accept cookies. Instructions for disabling or deleting cookies can be found on the website of the browser’s developer (to which we refer).

There are additional methods to reduce the risk of online tracking (which can be used cumulatively):

Use of social media 'plug-ins' and 'widgets'

What are social media 'plug-ins' and 'widgets'?

Social plug-ins are optional software that link Websites to social media to allow the User to easily interact with online content (e.g. "Like" or "Share" in Facebook). Social plug-ins include so-called 'widgets', graphical command elements that are placed in the corresponding sections of the Website to allow the User to access the social plug-in functionality. With a simple click on the widget, the User is able, for instance, to publish online content on his or her favourite social media. If the User activates the social plug-in, the browser makes a direct connection to the servers of the provider of the social plug-in (e.g. Facebook). For this reason, certain personal information, such as the IP address and the pages visited, is transmitted to the provider of the social plug-in.

List of active social media plug-ins/widgets, with the respective provider and link to the privacy notice of the specific provider 

The Website currently implements the following social media plug-ins/widgets which are governed by the respective privacy notices:

The Data Controller’s obligation to inform about the processing activities carried out in its capacity as Data Controller with the data collected through the social media of reference is reserved (see previous paragraphs).

 

D. The rights of the data subjects

Legitimation and exercise

The data subject may exercise his or her rights in writing by means of a reasoned request to be sent by ordinary mail or electronically to the Data Controller (for contact details, see section A above), enclosing the necessary supporting documents, as well as proof of identity and legitimation.

Timing of execution

The Data Controller undertakes to follow up the request swiftly but, in any event, save in exceptional circumstances, within 30 days of receipt of the request complete with all necessary information.

Rights in the public sector

If subject to the provisions of cantonal data protection law (LPDP), on the conditions set by the law, the data subject has the following rights in relation to his or her personal data (see Art. 22 et seq. LPDP):

  • to consult the register of each responsible body and/or the central register of data files;
  • to obtain from the responsible body information regarding the possible processing of personal data concerning him or her;
  • unless important reasons prevent it, upon request, to directly consult his or her data;
  • where there is an overriding interest, to obtain from the responsible body the correction of inaccurate personal data;
  • to stop, at any time, data being transmitted; 
  • where there is an overriding interest, to request the responsible body to ensure that unlawful processing of personal data is discontinued, that personal data unlawfully collected, stored or used is destroyed, or that the consequences of unlawful processing are eliminated;
  • to request that any correction, deletion or destruction, prohibition of processing or disclosure to third parties, marking as disputed or judgment be communicated to third parties or be published.

Rights in the private sector

If subject to the provisions of federal data protection law (FADP), on the conditions set by the law, the data subject has the following rights in relation to his or her personal data:

  • to request correction of inaccurate or outdated personal data;
  • to obtain confirmation in writing and free of charge as to whether or not personal data concerning him or her are being processed;
  • to revoke previously given consent to data processing;
  • to prevent the disclosure to third parties of sensitive personal data;
  • to express his or her point of view on an automated individual decision or to request that the automated individual decision be reviewed by a natural person;
  • to request delivery of his or her personal data or transfer of his or her personal data to third parties;
  • to request that data processing be discontinued, that disclosure to third parties be prevented, or that personal data be corrected or destroyed;
  • to request that a certain data processing be prohibited, that a certain disclosure of personal data to third parties be prohibited, or that personal data be deleted or destroyed;
  • if neither the accuracy nor the inaccuracy of the relevant personal data can be established, to request that the data be marked as being disputed;
  • to request that any correction, deletion or destruction, prohibition of processing or disclosure to third parties, marking as disputed or judgment be communicated to third parties or be published;
  • to request the establishment of the unlawfulness of the processing of personal data.

Advice and enquiries

Questions about the rights of data subjects regarding the processing of personal data and the exercise of the rights in the municipal and cantonal public sector may also be addressed to the Cantonal Data Protection Commissioner, using the following contact details: Ufficio dell’Incaricato cantonale della protezione dei dati, Via Canonico Ghiringhelli 1, 6501 Bellinzona; tel. +41 91 814 45 00; online form (link). In the private sector, the Federal Data Protection and Information Commissioner (FDPIC) can be contacted for information and advice using the online form (link).

E. Applicable Law and Jurisdiction

With respect to accessing and using the Website (and the linked resources), the relationship between the User and Ente Turistico del Luganese is governed by Swiss substantive law, subject to cantonal law where applicable, excluding private international law.

Any dispute arising from or simply related to using the Website (and the linked resources) is subject to the exclusive jurisdiction of the competent court for the District of Lugano, subject to any mandatory law provisions imposing a different jurisdiction. Ente Turistico del Luganese reserves the right to refer the dispute to the competent Court where the registered office, the branch or the User’s domicile is located.

Vers-03 / Effective date: 19.06.2024

Archived privacy notices and cookie policies

Cookie Policy 01.01.2022 - 31.08.2023
Privacy Policy 01.01.2022 - 31.08.2023
Privacy Policy – Vers01 LPD – 01.09.2023 - 09.11.2023
Privacy Policy – Vers02 LPD – 09.11.2023 - 19.06.2024