Skip to main content Enquire

Legal

Privacy Policy
Information about the processing of personal data.

Privacy Policy

1. Controller

Controller within the meaning of Art. 4(7) GDPR:
Garni Steffi, Schlossweg 7, I-39050 Völs am Schlern (BZ)
Email: info@garni-steffi.it

2. General

We treat personal data confidentially and in accordance with the GDPR (Regulation (EU) 2016/679), Italian data protection law (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018) and the guidelines of the Garante Privacy.

3. Legal Bases (Art. 6 GDPR)

  • Consent (lit. a)
  • Performance of a contract and pre-contractual measures (lit. b)
  • Legal obligation (lit. c)
  • Legitimate interests (lit. f)

4. Server Log Files

Each time the website is accessed, technically necessary data is stored: IP address (truncated/anonymised), date and time, page accessed, browser, operating system, referrer. Purpose: technical provision and security (Art. 6(1)(f)). Retention: max. 14 days.

5. Cookies and Tracking

For details, see the separate Cookie Policy. Cookies that are not technically necessary are only set after explicit consent.

6. Contact Form and Email

When you contact us via form, email or telephone, we process the data you provide (name, email, phone, enquiry content) to handle your request (Art. 6(1)(b) or (f)). Retention: until final processing, then deletion — unless statutory retention obligations apply.

7. Contract and Billing Data

When a contract is concluded, we process master data, contract data and billing data for contract performance and invoicing. Retention: 10 years (mandatory Italian tax and accounting law, Art. 2220 c.c.).

8. Integrated Third-Party Services

The following services are used on our website (where active):

  • Google Analytics 4 (Google Ireland Ltd., IP anonymised, US transfer via DPF/SCC)
  • Google Maps (Google Ireland Ltd.)

A complete, up-to-date list can be found in our cookie banner under “Show details”.

9. Third-Country Transfers

Data transfers to third countries (in particular the USA) are only carried out on the basis of the EU-U.S. Data Privacy Framework (DPF), Standard Contractual Clauses (SCC, EU 2021/914) or your explicit consent (Art. 49 GDPR).

10. Retention Periods (Overview)

  • Server logs: 14 days
  • Contact enquiries: until completion + 6 months
  • Contract and accounting data: 10 years (mandatory)
  • Cookie consents: 6 months (then re-consent)

11. Your Rights (Art. 15–22 GDPR)

Access, rectification, erasure, restriction, data portability, objection, withdrawal of consent. Requests to: info@garni-steffi.it.

12. Right to Complain

You have the right to lodge a complaint with the Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Rome, www.garanteprivacy.it.

13. Security

We use TLS encryption, access restrictions, regular backups and continuously review our security measures.

14. Minors

This website is not directed at persons under 16 years of age.

15. Changes

This policy may be updated to reflect changes in law or services. The current version is always available here.

Last updated: May 2026

16. Security and Protection of Your Personal Data

We consider it our primary duty to maintain the confidentiality of the personal data you provide to us and to protect it from unauthorised access. We therefore apply the utmost care and state-of-the-art security standards to ensure maximum protection of your personal data.

As a private law entity, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the provisions of the Federal Data Protection Act (BDSG). We have taken technical and organisational measures to ensure that data protection regulations are observed both by us and by our external service providers.

17. Definitions

The legislator requires that personal data be processed lawfully, fairly and in a manner that is transparent to the data subject (“lawfulness, fairness, transparency”).

Personal data: Any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).

Processing: Any operation performed on personal data, such as collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure or destruction (Art. 4(2) GDPR).

Controller: The natural or legal person which determines the purposes and means of the processing (Art. 4(7) GDPR).

Processor: A natural or legal person which processes personal data on behalf of the controller (Art. 4(8) GDPR).

Consent: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes (Art. 4(11) GDPR).

18. Lawfulness of Processing

The processing of personal data is only lawful if there is a legal basis. Legal bases pursuant to Art. 6(1)(a)–(f) GDPR may include:

  • The data subject has given consent;
  • Processing is necessary for the performance of a contract;
  • Processing is necessary for compliance with a legal obligation;
  • Processing is necessary to protect vital interests;
  • Processing is necessary for a task carried out in the public interest;
  • Processing is necessary for legitimate interests.

19. Collection of Personal Data When Visiting Our Website

When using the website for informational purposes only, we collect only the personal data that your browser transmits to our server (legal basis: Art. 6(1)(f) GDPR):

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status / HTTP status code
  • Amount of data transferred
  • Referring website
  • Browser
  • Operating system and interface
  • Language and version of browser software

20. Use of Cookies (Detailed)

In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files stored on your hard drive and assigned to the browser you use. Cookies cannot execute programs or transmit viruses to your computer.

This website uses the following types of cookies:

  • Transient cookies are automatically deleted when you close the browser. These include in particular session cookies.
  • Persistent cookies are automatically deleted after a predetermined duration, which may differ depending on the cookie.

You can configure your browser settings according to your preferences, e.g. refuse the acceptance of third-party or all cookies.

21. Further Functions and Offers of Our Website

In addition to the purely informational use of our website, we offer various services that you may use if interested. To do so, you generally need to provide further personal data.

We partly use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored.

22. Google Analytics

Google Analytics 4 is loaded on this website only after you have consented to the optional “Statistics” category in the cookie banner. The measurement ID used is G-BBCMEDYN91.

This website uses Google Analytics, a web analytics service provided by Google Inc. Google Analytics uses “cookies”. The information generated by the cookie is usually transferred to a Google server in the USA. We have activated IP anonymisation.

The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other data held by Google.

You can prevent data collection by Google by downloading the browser plug-in: https://tools.google.com/dlpage/gaoptout?hl=en

Legal basis for the use of Google Analytics is Art. 6(1)(f) GDPR.

Third-party provider information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.

23. Integration of Google Maps

On this website we use Google Maps to display interactive maps.

By visiting the website, Google receives the information that you have accessed the corresponding subpage of our website. This occurs regardless of whether Google provides a user account.

Further information: https://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA.

24. Processors

We use external service providers (processors) e.g. for sending emails or payment processing. Separate data processing agreements have been concluded to ensure the protection of your personal data.

25. Detailed Rights of the Data Subject

(1) Withdrawal of consent: You have the right to withdraw your consent at any time.

(2) Right to confirmation: You have the right to request confirmation as to whether personal data is being processed.

(3) Right of access: You can request information about your personal data and processing purposes at any time.

(4) Right to rectification: You have the right to request rectification of inaccurate personal data.

(5) Right to erasure (“right to be forgotten”): You have the right to request deletion of your personal data where one of the statutory grounds applies.

(6) Right to restriction of processing: You have the right to request restriction of processing.

(7) Right to data portability: You have the right to receive your personal data in a structured, commonly used and machine-readable format.

(8) Right to object: You have the right to object to processing at any time.

(9) Automated decisions including profiling: You have the right not to be subject to a decision based solely on automated processing.

(10) Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority.

(11) Right to an effective judicial remedy: You have the right to an effective judicial remedy.

26. Conditions — Südtirol Alto Adige Guest Pass

Upon completion of the accommodation contract, the guest receives the Südtirol Alto Adige Guest Pass (hereinafter Guest Pass), which, in accordance with South Tyrolean provincial government resolution No. 732/2022, is valid for the entire duration of the stay and from 00:00 on the day of arrival until 24:00 on the day of departure.

The Guest Pass includes the use of all public transport within the Südttirolmobil network area as well as additional services. Detailed information can be found at: suedtirol-guestpass.info

27. Data Protection — Südtirol Alto Adige Guest Pass

Purpose

The personal data transmitted is forwarded to the unified coordination office of the Guest Pass in order to enable the creation and use of the Guest Pass and to provide the associated services.

Recipient

In connection with the issuance of the Guest Pass, your data is transmitted to the Mobility Consortium with VAT No. 02735170215. For further information: privacy@moko.bz.it

Legal Basis

The legal basis for processing is Art. 6(1)(b) GDPR.

→ Cookie Policy → Imprint → Accessibility