Privacy Notice on the processing of Personal Data for www.ascona-locarno.com and related resources

INTRODUCTION

Browsing the website http://www.ascona-locarno.com and using the resources indicated therein, such as e-mail addresses (notably: [email protected], [email protected] and [email protected]), the virtual assistant (chatbot), telephone numbers (notably: 0848 091 091), and the Newsletter (hereinafter collectively referred to as the “Website”), entails the collection and processing of information concerning the user (hereinafter “Personal Data”) by the Organizzazione turistica Lago Maggiore e Valli, a public-law corporation pursuant to Article 3 of the Tourism Act of the Republic and Canton of Ticino (LTur) (hereinafter the “Tourist Organisation”).

By providing Personal Data and/or using the Website (including the contact resources indicated therein), the user (hereinafter the “User”) acknowledges that Personal Data will be processed in accordance with the law and for the purposes and by the means set out or implied in this document (hereinafter the “Privacy Notice”).

The purpose of this document is to inform the User about the Personal Data collected, the processing activities carried out in connection with the Website and related resources, the purposes pursued, the recipients of the Personal Data and any transfer abroad.

The Privacy Notice is divided into a general section containing information applicable to the use of the Website and related resources, and special sections containing information applicable to the use of specific resources.

Aspects relating to the processing of Personal Data connected to the provision of goods and/or services are governed by law and/or any contracts entered into by the parties, or are subject, where necessary, to special notices made available to the User via appropriate digital channels (Website and e-mail) or in paper form (sent by post or available at the physical counters listed in the “Contacts” section).

The e-commerce site accessible via the “SHOP” icon on the Website is available at https://shop.ascona-locarno.com/en/. It does not fall within the scope of this Privacy Notice. Users are therefore referred to the Privacy Notice and legal and contractual terms published on the shop homepage.

 

CONTROLLER OF THE WEBSITE │ CONTACT DETAILS

The controller of the Website, as the entity entitled to the content and determining the purposes and means of processing Personal Data, is the Organizzazione turistica Lago Maggiore e Valli Tourist Organisation, a public-law corporation under Ticino law.

Important Notice: As security filters are in place to protect the Tourist Organisation and its staff, an electronic communication shall be deemed received only upon a reply or confirmation of receipt. Otherwise, the User must consider the communication as undelivered.

Contacts:

• Postal address: Via Luigi Lavizzari 10c, Casella Postale, 6601 Locarno (Svizzera) (office and info point)
• E-mail addresses:
  • General enquiries: [email protected]
  • Digital matters: [email protected]
  • Privacy matters: [email protected]
• Telephone: 0848 091 091
• Physical counters (opening hours: Contacts | Ascona-Locarno):
  • Via Bartolomeo Papio 5, 6612 Ascona
  • Piazza Stazione / Stazione FFS, 6600 Locarno-Muralto
  • Via Leoncavallo 25, 6614 Brissago
  • Centro Punto Valle, Via Vallemaggia 10
  • Via Brere 3, 6598 Tenero
  • Via Cantonale 29, 6574 Vira Gambarogno

 

OUR APPROACH TO THE PROCESSING OF PERSONAL DATA

The Tourist Organisation collects and uses Personal Data to manage the Website and related resources securely and efficiently, and to fulfil the statutory tasks assigned to regional tourist organisations under Article 14 of the Tourism Act of the Republic and Canton of Ticino (LTur).

Personal Data may be processed for statistical purposes (aggregated and anonymised) and, subject to explicit consent, for behavioural advertising.

The Tourist Organisation does not sell, rent, trade or lend Personal Data to third parties.

To expand and improve the services and products offered, the Tourist Organisation analyses the use of the Website and the resources indicated therein in an aggregated manner, thereby ensuring the anonymity of Users, except for personal data provided when subscribing to the Newsletter. Personalised analysis of User behaviour is subject to the prior consent of the User concerned.

The Tourist Organisation prioritises, where permissible and necessary (particularly in the absence of a legal basis authorising the processing of personal data), the explicit consent of the data subject as the justification for processing and delegates the execution of processing only to carefully selected suppliers of goods and services, particularly IT providers, who have undertaken appropriate obligations regarding personal data protection.

In the event of subscription to services, profiling activities, inclusion in databases, management systems and similar, or submission of forms – for example, when subscribing to the newsletter or to Pardy initiatives – the Tourist Organisation, where processing is not prescribed or authorised by law, obtains the consent of the data subjects via the Website and sends an e-mail confirming the consent given (double opt-in system).

Consent may be withdrawn at any time, either generally or specifically, by clicking, where possible, on the content received (e.g. “Unsubscribe from this list” at the bottom of the Newsletter), by managing privacy preferences via the Panel on the Website homepage (cookies and other tracking tools), or by writing to [email protected].

Finally, the Tourist Organisation prioritises the localisation of processing in Switzerland. Processing carried out abroad is limited to States with legislation that adequately protects personal data according to the determinations of the Federal Council as set out in Annex 1 of the Federal Council Ordinance on Data Protection (OPDa).

 

ACKNOWLEDGEMENT OF THE PRIVACY NOTICE │ ACCEPTANCE │ AMENDMENTS

The applicable Privacy Notice is that in force at the time of accessing the Website or using the resources indicated therein. The most up-to-date version can be viewed by clicking on the relevant link located at the bottom of each page of the Website. Since amendments are published online only, it is the User’s responsibility to carefully check the status of the Privacy Notice prior to using the Website or the contact resources indicated therein, without prejudice to the Tourist Organisation’s right to update the Privacy Notice at any time, particularly in line with developments in applicable law, functionalities, as well as the services and products made available to the User.

 

RELATIONSHIP WITH EUROPEAN PERSONAL DATA PROTECTION LAW

Switzerland is not a Member State of the European Union (EU); consequently, EU law is not directly applicable. Article 3 (2) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (the GDPR) provides that the Regulation applies to controllers or processors not established in the EU where the processing activities relate to: (i) the offering of goods or services to natural persons in the EU, or (ii) the monitoring of the behaviour of natural persons within the EU.

The Tourism Organisation does not direct its activities towards the EU through the content of the Website, nor does it monitor the behaviour of individuals located in the EU. In this respect, it merely collects anonymous or pseudonymised data (without access to the re-identification key) for the purpose of producing aggregated statistics. Accordingly, the GDPR does not apply. The adequacy of Swiss law in relation to EU law has been confirmed by the European Commission by means of the decision of 15 January 2024 (adequacy decision).

In the (exceptional) event that the GDPR were to apply, this document shall constitute a privacy notice for the purposes and effects of Articles 13 and 14 GDPR. In addition to benefiting from all safeguards provided for by the GDPR, the User may exercise the rights set out in Articles 15, 16, 17, 18, 19, 20, 21 and 22 GDPR by contacting the Tourism Organisation. At any time, within the limits and under the conditions laid down by the GDPR, the User has the right to request access to their Personal Data, rectification, erasure thereof, restriction of processing concerning them, or to object to such processing, as well as to exercise the right to data portability. Where processing is based on Article 6(1)(a) or Article 9(2)(a) GDPR, the User has the right to withdraw consent at any time. The User also has the right to lodge a complaint with the competent supervisory authority. In the event of a request for data portability, the Tourism Organisation shall provide the User’s Personal Data in a structured, commonly used and machine-readable format, without prejudice to paragraphs 3 and 4 of Article 20 GDPR.

Without prejudice to any other administrative or judicial remedy, where the User considers that the processing of Personal Data relating to them infringes the GDPR, they have the right to lodge a complaint with the competent supervisory authority for the protection of personal data (EU: list of national authorities).

Under no circumstances shall references to the GDPR be understood as voluntary submission to that regulation, or to the supervision and/or decision-making authority of any foreign authority (in relation to Switzerland).

 

LEGAL FRAMEWORK │ GENERAL CONCEPTS │ USER OBLIGATIONS │ SUPPLIERS

Applicable law. The processing of personal data via the Website and the contact resources indicated therein is, as a matter of principle, governed by cantonal data protection law (LPDP). Federal data protection law (FADP) remains reserved insofar as personal data are processed in the context of an economic activity not deriving from the exercise of sovereign powers.

What is meant by personal data under the LPDP? This refers to indications or information which, directly or indirectly, allow a person - whether a natural or a legal person - to be identified.

What is meant by personal data under the FADP? This refers to all information relating to an identified or identifiable natural person, such as first name, surname, address, date of birth, e-mail address, telephone number, IP address, personal preferences and interests, purchases made, websites visited, geolocation and movement data, etc.

What is meant by a data subject? This refers to the natural person whose personal data are being processed.

What is meant by personal data deserving of particular protection under the LPDP? This refers to information concerning religious, philosophical or political opinions or activities, the intimate sphere, psychological, mental or physical health, as well as data relating to offences committed, penalties imposed and measures adopted. Taking into account the ongoing legislative revision, this definition is likely to be extended as follows: (a) religious, philosophical, political or trade union opinions or activities; (b) racial or ethnic origin; (c) physical, mental or psychological health; (d) the intimate sphere; (e) genetic data; (f) biometric data; (g) data relating to administrative, criminal and civil proceedings, prosecutions and sanctions; (h) data relating to social assistance measures.

What is meant by personal data deserving of particular protection under the FADP? This refers to particularly sensitive personal data: (i) data relating to religious, philosophical, political or trade union opinions or activities; (ii) data concerning health, the intimate sphere or racial or ethnic origin; (iii) genetic data; (iv) biometric data uniquely identifying a natural person; (v) data relating to administrative and criminal prosecutions and sanctions; (vi) data relating to social assistance measures.

What is meant by profiling? This refers to any form of automated processing of personal data consisting in the use of such data to evaluate certain personal aspects of a natural person, in particular to analyse or predict aspects concerning professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

What is meant by high-risk profiling? This refers to profiling that entails a high risk to the personality or fundamental rights of the data subject, as it involves linking data that allows essential aspects of a natural person’s personality to be assessed.

Obligation to protect access credentials and personal devices. The use of the Internet and e-mail is exposed to security risks. The User is obliged to ensure the security of their devices and confidential data (such as username, password and access PIN) in an appropriate manner, by implementing the security recommendations of specialists. The User shall indemnify and hold the Tourism Organisation harmless from any damage and/or prejudice arising therefrom.

Obligation to provide accurate data and to notify changes to personal data. The User is responsible for the accuracy of the Personal Data communicated to the Tourism Organisation. The User must also notify, spontaneously and without delay, any changes to their Personal Data (via counter service, ordinary mail or by telephone, avoiding e-mail as far as possible where confidential information is concerned), so that the registers and databases of the Tourism Organisation may be kept constantly up to date. Statutory obligations to notify and to file official documents remain reserved and shall prevail.

Legal basis for the processing of personal data. The processing of personal data is unlawful where it constitutes an infringement of fundamental rights and freedoms or of personality rights. Depending on the circumstances, such infringement may be justified on the basis of the data subject’s consent, the necessity for the performance of a public task, an overriding public or private interest (where the FADP is applicable), or by law (for example, in the case of systematic processing of personal data governed by the LPDP). Where permitted and/or required by law - such as, by way of example, in the context of marketing or advertising activities governed by the FADP that involve profiling of the User, the adoption of automated decisions, or the processing of personal data deserving of particular protection - the Tourism Organisation shall request the User’s informed consent via electronic channels (online or by e-mail) or analogue means (ordinary mail).

General exclusion of liability │ User obligations regarding electronic communications. Given the nature of the Internet as an “open network”, the Tourism Organisation does not guarantee that data provided by or received from the User cannot be falsified, intercepted or accessed by unauthorised third parties. The User undertakes to verify by telephone all electronic communications and documents received from the Tourism Organisation (including electronic communications and invoices) which are not validly signed by means of a qualified electronic signature or electronic seal attributable to the Tourism Organisation or its staff, insofar as they provide for the payment of sums of money, the execution of instructions or the transmission of confidential documents, before acting upon such requests. The User is solely responsible for the choice of their e-mail service provider and for the correct and secure processing of their Personal Data outside the Website.

Authorisation to use e-mail. The User is informed that the use of e-mail does not ensure the confidentiality, authenticity or integrity of data in transit; unauthorised third parties may therefore gain access to the information and potentially alter its content or otherwise manipulate it. Users are accordingly advised not to send confidential information and data by e-mail. In any event, by providing their e-mail address and unless expressly instructed otherwise, the User authorises the Tourism Organisation to transmit, by uncertified and unencrypted e-mail and at the User’s own risk, the requested documents and information, including any Personal Data and confidential or secret information.

Retention period of personal data. The Tourism Organisation retains Personal Data for as long as their retention is necessary in view of the purposes for which the data were collected (e.g. in the context of tourism promotion and destination marketing), or to the extent that a legal obligation or right of retention exists. Once the purpose of data collection has lapsed, or once the statutory obligation or right of retention has expired, the Tourism Organisation shall, without delay, delete the data or render them irreversibly anonymous, subject to any contractual obligations or rights of retention granted to the Tourism Organisation in non-sovereign economic contexts. Personal Data relating to the Newsletter are retained until the User unsubscribes. The User may request detailed information on the personal data retention policy in relation to a specific processing activity by writing to the Tourism Organisation.

Suppliers of goods and services receiving personal data. In managing the Website and related resources (in particular administration, management systems, e-mail, chatbots, telephony, web design, maintenance and hosting), the Tourism Organisation makes use of suppliers of goods and services. Such suppliers have access to data only to the extent strictly necessary for the performance of their tasks and are bound, by agreement, by appropriate confidentiality and non-use obligations with regard to the Personal Data. Personal Data and suppliers may be located exclusively in Switzerland or, where permitted, in foreign States benefiting from an adequacy decision of the Federal Council (cf. Annex 1 to the Federal Council Data Protection Ordinance (DPO)). The complete and up-to-date list of suppliers is available for inspection at the offices of the Tourism Organisation. For reasons of data and IT system security, certain information may be anonymised or masked.

 

DETAILED INFORMATION ON PERSONAL DATA PROCESSING ACTIVITIES

Browsing on www.ascona-locarno.com

Subject to processing of Personal Data required by law and to any exceptions, derogations and restrictions to the information duty, the processing of Personal Data may be summarised as follows:

• Personal Data processed: (i) the User’s device IP address; (ii) pages viewed by the User; (iii) settings and characteristics of the browser (name, language, installed plug-ins); (iv) approximate location based on the IP address (generally corresponding to the location of the Internet access provider); (v) cookies / chatbot conversations / form contents (see dedicated sections).
• Purposes: (i) enabling browsing of the Website; (ii) carrying out technical diagnostics/monitoring, analyses and aggregated statistics on the use of the Website for the purposes of verifying and optimising security, usability and the quality of services and content, as well as introducing new content, products, services, functions and interfaces.
• Recipients: the Website hosting service provider.
• Transfers abroad: none.
• Further information for transparency: (i) Users’ IP addresses are automatically and permanently deleted upon expiry of a 30-day period; (ii) the Website hosting service is provided by a Swiss company based in the Canton of Ticino with redundant data centres located in Switzerland, and the hosting service is configured so that data are stored in Switzerland; (iii) the Tourism Organisation is not able, by means of the IP address, to identify the User.

E-mail (various e-mail addresses published on the Website)

Subject to processing of Personal Data required by law and to any exceptions, derogations and restrictions to the information duty, the processing of Personal Data may be summarised as follows:

• Personal Data processed: (i) the sender’s e-mail address / telephone number; (ii) the sender’s identity; (iii) the content of the communication; (iv) the User’s device IP address; (v) telecommunications data and metadata.
• Purposes: (i) correspondence with the User; (ii) filing where required to fulfil a legal or contractual obligation (including attachments); (iii) archiving; (iv) accounting support where correspondence has fiscal or accounting relevance.
• Recipients: the Tourism Organisation’s e-mail service is managed in (public) cloud; the relevant Personal Data are accessible to the cloud service provider as required for the provision of the e-mail service, as well as to two primary companies based in Switzerland responsible for administration and maintenance of the service.
• Transfers abroad: none.
• Further information for transparency: (i) messages are stored in Switzerland; (ii) the e-mail service is provided by a US-based group enrolled in the US–Swiss Privacy Framework, operating in Switzerland via an affiliated company based in Dublin (Ireland) and with redundant data centres located in Switzerland; (iii) backups are performed and managed in encrypted form by an IT company based in Ticino on servers located in Switzerland; deletion from backups occurs within 18 months.

Virtual assistant (chatbot):

Subject to processing of Personal Data required by law and to any exceptions, derogations and restrictions to the information duty, the processing of Personal Data may be summarised as follows:

• Personal Data processed: (i) the User’s device IP address; (ii) telecommunications data and metadata, including the date and time of each question and the number of sessions; (iii) browser and browser language; (iv) Personal Data entered by the User into the virtual assistant; (v) chat contents (input and output).
• Purposes: (i) provision of the virtual assistance service to the User; (ii) analyses and statistics regarding use and risks, quality control and service improvement, reporting.
• Recipients: the virtual assistant is a (public) cloud service provided by a US-based group enrolled in the US–Swiss Privacy Framework, operating in Switzerland via an affiliated company based in Dublin (Ireland) and with redundant data centres located in Switzerland; in addition, three primary companies based in Switzerland responsible for evaluation, administration and maintenance of the service also have access to the data.
• Transfers abroad: none.
• Further information for transparency: (i) employees of the Tourism Organisation, the cloud service provider, Swisscom and IT/support service providers have access to the content of the (anonymous) chats; (ii) the User using the assistant is neither identified nor identifiable, save where the User provides information in the chat that renders them identifiable; (iii) data are stored in Switzerland; (iv) chats are automatically deleted after 6 months; (v) data (in particular, chats) are not used for training the artificial intelligence model.

Various online modules and forms:

Subject to processing of Personal Data required by law and to any exceptions, derogations and restrictions to the information duty, the processing of Personal Data may be summarised as follows:

• Personal Data processed: (i) Personal Data requested in the online module or form; (ii) content of the communication; (iii) the User’s device IP address; (iv) telecommunications data and metadata.
• Purposes: (i) identification of the sender; (ii) communication/interaction with the User; (iii) verification of the User’s authority/entitlement; (iv) filing where required to fulfil a legal or contractual obligation (including attachments); (v) archiving; (vi) subscription to the Newsletter, subject to the User’s express consent where required by law; (vii) accounting support where correspondence has fiscal or accounting relevance.
• Recipients: (i) bodies and authorities responsible for tourism promotion and the performance of related tasks under cantonal law, in particular via the cantonal tourism information-sharing platform (and related database); (ii) the online modules and forms are services integrated into the Website provided by the following processors: (i) Salesforce – SFDC Ireland Limited, Dublin (Ireland), in relation to modules and forms managed through the eponymous platform (www.salesforce.com/eu/ch), namely: https://www.ascona-locarno.com/en/newsletter and https://www.ascona-locarno.com/en/newsletter/newsletter-myhome; (ii) Jotform – Jotform Ltd UK, in relation to modules and forms managed through the “Jotform” platform (www.jotform.com), namely: all others.
• Transfers abroad: Germany (EU) (Jotform); Ireland (EU) (Salesforce).
• Further information for transparency: only fields marked with an asterisk (*) are mandatory.

Newsletter:

Subject to processing of Personal Data required by law and to any exceptions, derogations and restrictions to the information duty, the processing of personal data may be summarised as follows:

• Personal Data processed: (i) e-mail address, first name and surname; (ii) children’s names and dates of birth (in the case of the “Pardy” form); (iii) language; (iv) telecommunications data and metadata; (v) information relating to e-mail opening, time, reading duration and activation/viewing of contents.
• Purposes: (i) sending the Newsletter to the User; (ii) managing consents and refusals relating to sending; (iii) statistical analyses on the use of the Newsletter and the Website in order to optimise security, usability and the quality of services and content, and to introduce new content, products, services, functions and interfaces; (iv) behavioural advertising and profile-based marketing.
• Recipients: Salesforce – SFDC Ireland Limited, Dublin (Ireland), acting as processor, as provider of the customer relationship management (CRM) platform and Newsletter delivery.
• Transfers abroad: Ireland (EU).
• Further information for transparency: (i) information relating to e-mail opening, time, reading duration and activation/viewing of contents is collected and analysed on a personalised basis only upon the granting of express consent to the processing of Personal Data for behavioural advertising and profile-based marketing purposes; (ii) the Newsletter is a free and optional service providing updates on Ascona-Locarno activities; (iii) unsubscribing from the mailing list is possible at any time with immediate effect by clicking the “You can unsubscribe from this list” link at the bottom of each e-mail; (iv) data relating to minors provided by the subscriber in connection with subscription to the “Pardy” Newsletter (name and date of birth) are not used for direct and profile-based marketing activities and are automatically deleted upon reaching 18 years of age, as well as upon unsubscription; the Newsletter will continue to be sent to the address provided by the subscriber until unsubscription.

Online games and competitions:

Where the User participates in a competition published by the Tourism Organisation on social media, the Tourism Organisation has no control over the processing of personal data carried out by the relevant social media platform to which the User is subscribed; accordingly, it performs no checks and assumes no obligations or liability in this respect. It is the User’s sole duty to inform themselves about the processing activities by consulting the relevant social media privacy notice before participating in the competition.

Conversely, as organiser of the competition - whether via social media or on the Website - the Tourism Organisation carries out the following processing of personal data. Any special notice communicated to participants via a link at the bottom of the post announcing the competition remains reserved and shall prevail.

Subject to processing of Personal Data required by law and to any exceptions, derogations and restrictions to the information duty, the processing of Personal Data may be summarised as follows:

• Personal Data processed: (i) participants’ profile data (first name, surname, pseudonym, nickname, relevant social media platform); (ii) competition-related data (social media platform, post title, publication date and period), and data relating to the required activity (e.g. comment on the post, date and time of the activity); (iii) winner’s data (first name, surname, date of birth, address, telephone number and e-mail address, language).
• Purposes: (i) enabling participation in the competition; (ii) selecting the winner in accordance with the competition rules; (iii) notifying the winner of the outcome (via private message); (iv) dispatching or sending the prize or documentary evidence thereof; (v) communicating the winner’s identifying data to the party offering the prize at the latter’s request (e.g. hotel, event organiser, restaurant, cinema, theatre, etc.); (vi) archiving competition data for fiscal, accounting and/or administrative purposes.
• Recipients: none, save for the party offering the prize (limited to data relating to the prize and the winner).
• Transfers abroad: none.
• Further information for transparency: (i) source of the data: the data subject; the participant’s public profile on the relevant social media platform; (ii) automated individual decision-making: none; (iii) within 30 days from the prize award date, personal data are destroyed or anonymised; data relevant for accounting are retained for 10 years from the close of the relevant financial year.

Telephone call records (contacts on the Website):

Subject to processing of Personal Data required by law and to any exceptions, derogations and restrictions to the information duty, the processing of Personal Data may be summarised as follows:

• Personal Data processed: (i) mobile or landline telephone number; (ii) time and duration of the call; (iii) caller location (dialling code/roaming); (iv) telecommunications data and metadata.
• Purposes: (i) communication with the User (including the ability to return the call disclosing one’s identity/calling number to the other party); (ii) filing where required to fulfil a legal or contractual obligation; (iii) archiving; (iv) compiling statistics on call-centre activity.
• Recipients: as this is a virtual switchboard service hosted in (public) cloud, Personal Data are accessible to the cloud service provider as well as to two primary companies based in Switzerland responsible for administration and maintenance of the service; moreover, telephone numbers, call times and durations are regularly extracted from the cloud-based virtual switchboard and processed for statistical purposes relating to call-centre activity via the QueueMetrics platform (www.queuemetrics.com), administered by a company based in Switzerland.
• Transfers abroad: none.
• Further information for transparency: (i) call records (subject to statutory retention obligations) are destroyed within 45 days from the date of the call; (ii) the virtual switchboard is hosted in cloud and provided by a US-based group enrolled in the US–Swiss Privacy Framework, operating in Switzerland via an affiliated company based in Dublin (Ireland), with redundant data centres located in Switzerland; (iii) data (including those entered into the QueueMetrics platform) are stored in Switzerland; (iv) calls are not recorded.

General marketing and advertising communications

Within the limits permitted by applicable law, the Tourism Organisation uses Personal Data to send generic marketing and advertising communications where the User has given the relevant consent, without prejudice to the Tourism Organisation’s right to send advertising communications and offers within the framework of existing or prior contractual relationships relating to its own similar goods, works or services, in compliance with statutory requirements.

• Personal Data processed: (i) first name/surname; (ii) postal address; (iii) e-mail address; (iv) telephone number; (v) the User’s device IP address.
• Purposes: (i) carrying out direct marketing activities, manual and automated, by sending informational and advertising materials, surveys, events and initiatives relating to products and/or services, including promotional postcards; (ii) opening a personal record in an IT management system (CRM).
• Communication channels: Website, SMS, chat, telephone calls with or without an operator, postal mail and e-mail.
• For the rest, reference is made to the information provided in relation to the specific product, service or tool used by the User which gave rise to the collection of Personal Data (see special sections).

Marketing and advertising communications generated on the basis of automated analysis of the User’s behaviour (profile-based marketing)

Within the limits permitted by applicable law, the Tourism Organisation uses Personal Data for profile-based marketing purposes where the User has given the relevant (express) consent, without prejudice to the Tourism Organisation’s right to send advertising communications and offers within the framework of existing or prior contractual relationships relating to its own similar goods, works or services, in compliance with statutory requirements.

• Personal Data processed: those collected within the framework of the underlying relationship with the User (see special sections), including in particular: (i) first name/surname; (ii) postal address; (iii) e-mail address; (iv) telephone number; (v) IP address; (vi) data provided by the User; (vii) products and services purchased (including those of third parties), activities carried out; (viii) stay-related information (hotel, travel/movements, family composition, duration, period, type of stay, etc.); (ix) websites visited; (x) Newsletter links clicked; (xi) country of origin, nationality, age, profession, marital status.
• Purposes: profile-based marketing and behavioural advertising, in an automated manner, through: (i) sending informational and advertising materials, surveys, events and initiatives relating to products and/or services; (ii) analyses and statistics aimed at optimising consumption, usability and the quality of products, services and content, as well as introducing new providers, competitions, products, services and content (in particular via the Newsletter and cookies; see special sections); (iii) opening a personal record in an IT management system (CRM).
• For the rest, reference is made to the information provided in relation to the specific product, service or tool used by the User which gave rise to the collection of Personal Data (see special sections).

 

LINKS TO THIRD-PARTY RESOURCES

The Website may contain links to websites, services and other Internet resources operated by third parties. The Tourism Organisation accepts no responsibility whatsoever for the content, security or usability of such websites and resources; in particular, the Tourism Organisation does not review their policies nor does it provide any guarantees with regard to the protection of privacy and personal data by such third parties.

 

SECURITY

The Tourism Organisation implements security measures that are reasonably required by the circumstances and proportionate to protect against unauthorised access to, use, transmission, alteration, loss or destruction of personal data. Such measures include technical, physical and organisational safeguards. However, given the nature of the Internet as an “open network”, the Tourism Organisation cannot and does not guarantee that data will not be intercepted or accessed by unauthorised third parties.

 

USE OF COOKIES AND RELATED MANAGEMENT

What are cookies? Cookies are small text files placed on the User’s system by servers during web browsing. By means of cookies, servers are able to recognise the User’s browser during the current browsing session and upon subsequent visits. Cookies help to improve the User’s online experience, for example by storing the User’s preferences over time or by preventing the User from having to log in again each time a page is changed. Cookies may also be used to track the User online, which has an impact on the User’s privacy.

Types of cookies. Cookies are divided into various categories:

• Where the entity placing the cookie on the User’s system coincides with the website visited, the cookie is referred to as a first-party cookie; where it is placed by a third-party website/server (hosted by the visited website), it is referred to as a third-party cookie.
• Session cookies are automatically deleted when the User closes the browser, whereas persistent cookies remain stored until their expiry date.
• Technical cookies enable safe and convenient web browsing and the provision of the services and content requested by the User. They pursue no other purposes.

Such cookies do not require the User’s consent, as they are necessary to ensure the secure functioning of the Website.

• Advertising cookies and, respectively, analytics, tracking and/or profiling cookies are used to detect and analyse the User’s online behaviour (for example: websites and pages visited, source and destination websites, duration of browsing, links clicked, language and characteristics of the browsing software, User location, etc.), generally for the purpose of generating or delivering personalised advertising.

Such cookies require the prior consent of the data subject, as the processing of personal data entails an infringement of personality rights.

Which cookies are implemented by the Website? The Website uses the cookies listed in the special notice, which is automatically updated and displayed when the User accesses the Website. The detailed and automatically updated list of cookies in use, together with the relevant detailed information, is also available by activating the following link: link.

From the Tourism Organisation’s perspective, the information derived from cookies is anonymous, as the Tourism Organisation is not able to associate cookies with the identity of the User.

In order to protect the User’s privacy, advertising and, respectively, analytics, tracking and/or profiling cookies are blocked by default; their activation therefore requires the User’s express and informed consent.

Options to block or delete cookies, withdrawal of consent, technical consequences. Through the panel available on the Website’s home page, the User may express their preferences regarding the processing of personal information, review and modify their choices at any time (withdrawal of consent), and freely choose which cookies to authorise and which to refuse (including the option to refuse all cookies, with the exception of those classified as “necessary”). The User may also configure their browser to notify them when a cookie is received or to block cookies (globally, by category, or by originating website). Generalised blocking of cookies, as it also applies to technical cookies, may result in serious limitations in the use of the Website. The User may manually delete cookies from the browser’s memory, as well as configure the browser to automatically delete cookies upon closing the program (recommended option). By default, browsers generally accept cookies. Instructions on how to disable or delete cookies can be found on the website of the relevant browser developer; reference is made, in particular, to the instructions for the most common browsers: Microsoft Internet Explorer and Edge; Google Chrome; Apple Safari; Mozilla Firefox and Opera.

Other methods to reduce the risk of online tracking include:

• enabling the DoNotTrack option in the browser (if available);
• using the browser’s private or anonymous browsing function (if available), which prevents cookies from being retained on the device after browsing.

 

USE OF SOCIAL MEDIA PLUG-INS, WIDGETS AND OTHER TRACKING TOOLS

What are social media plug-ins and widgets? Social plug-ins are optional software components that link websites to social media platforms in order to allow the User to interact easily with online content (for example, “Like” or “Share”). Social plug-ins include so-called widgets, i.e. graphical control elements embedded in the relevant sections of a website that enable the User to access the functions of the social plug-in. By simply clicking on a widget, the User may, for example, disseminate content within their preferred social media platform. If the User activates a social plug-in, the browser establishes a direct connection with the servers of the social plug-in provider. As a result, certain personal information, such as the IP address and the pages visited, is transmitted to the social plug-in provider.

Active social media plug-ins / widgets. The Website currently does not implement any such tools: the graphical social media icons located at the bottom of the Website’s pages are merely simple hyperlinks redirecting to the Tourism Organisation’s social media profiles.

 

THE USER’S RIGHTS IN THE CONTEXT OF PERSONAL DATA PROTECTION

Where the processing of personal data is subject to cantonal data protection law (LPDP), namely processing carried out within the framework of the public-law relationship between the User and the Tourism Organisation, the User’s rights are set out in Articles 22 et seq. LPDP, to which reference is expressly made.

Where the processing of personal data is subject to federal data protection law (FADP), namely processing carried out in the context of an economic activity not deriving from the exercise of sovereign powers, the User enjoys, within the limits and under the conditions laid down by law and subject to the restrictions provided therein, in particular the following rights in relation to their Personal Data (non-exhaustive list):

• to obtain the rectification of inaccurate or outdated personal data;
• to be informed in writing and free of charge as to whether personal data concerning them are being processed;
• to withdraw consent previously given to the processing of data;
• to prevent the disclosure to third parties of personal data deserving of particular protection;
• to express their view on an automated individual decision or to request that such decision be reviewed by a natural person;
• to obtain delivery of their personal data or to require their transmission to third parties;
• to request that the processing of data be blocked, that disclosure to third parties be prevented, or that personal data be rectified or destroyed;
• to request that a specific processing of personal data be prohibited, that a specific disclosure of personal data to third parties be prohibited, or that personal data be erased or destroyed;
• where neither the accuracy nor the inaccuracy of the personal data can be established, to request that a note be added to the data indicating that they are contested;
• to request that the rectification, destruction or blocking - particularly blocking of disclosure to third parties - as well as the note indicating the contested nature of the data or the judgment, be communicated to third parties or published;
• to have the unlawfulness of the processing of personal data established.

 

Standing and exercise of rights. The User may exercise their rights, save in cases of urgency (in which case the Tourism Organisation may be contacted by telephone), in writing by submitting a reasoned request by ordinary or electronic mail to the Tourism Organisation, enclosing the necessary supporting documents as well as proof of identity. The User is also free to lodge a complaint regarding the processing of their data with the Federal Data Protection and Information Commissioner (FDPIC) (private sector) or, as the case may be, with the Cantonal Data Protection Commissioner (public sector).

Time limits for response. The Tourism Organisation undertakes to comply with the request without delay and, in any event, save in exceptional circumstances, within 30 days of receipt of the request complete with all necessary information.

Advice and information requests. In order to promote transparency and a relationship of trust with users, the Tourism Organisation has appointed an internal data protection contact person responsible for responding to information requests and for handling the exercise of rights. The internal data protection contact person may be reached by e-mail at [email protected] or by telephone on +41 (0)848 091 091 (information desk). Any questions regarding the rights of data subjects in relation to the processing of personal data and their exercise in the municipal and cantonal public sector may be addressed to the Cantonal Data Protection Commissioner, who may be contacted via the online form (link). Any questions regarding the rights of data subjects in relation to the processing of personal data and their exercise in the private sector may be addressed to the Federal Data Protection and Information Commissioner (FDPIC), who may be contacted via the online form (link).

 

APPLICABLE LAW AND JURISDICTION

The legal relationship between the User and the Tourism Organisation with regard to access to and use of the Website (and related resources) is governed by substantive Swiss law, subject to applicable cantonal law, to the exclusion of private international law rules.

The parties designate the District Court (Pretura) of Locarno (Canton of Ticino) as the court of exclusive jurisdiction for any dispute arising out of or in connection with the use of the Website (and related resources), subject to any mandatory statutory provisions requiring a different forum. The Tourism Organisation reserves the right to bring proceedings before the competent court at the User’s place of seat, branch or domicile.

 

ENGLISH TRANSLATION FOR LEGAL CLARIFICATION
This language version is provided for guidance purposes only; the Italian text is the sole legally binding version.

 

Date of entry into force: 15.10.2025