Piazza della Libertà, 28 — Portofino 0185 269 039
GDPR · EU Reg. 2016/679

Privacy Policy

Last updated: 03 May 2026

This document describes how personal data collected through the website https://www.garageportofino.it are processed, pursuant to Articles 13 and 14 of EU Regulation 2016/679 (hereinafter "GDPR") and applicable Italian law (Legislative Decree 196/2003 as amended).

1. Data Controller

The Data Controller is Garage Portofino S.R.L., with registered office at Piazza della Libertà, 28 — 16034 Portofino (GE), VAT / Tax Code 02845960992.

Contact details for exercising your rights:

Email: info@garageportofino.it

PEC: garageportofinosrl@pec.it

Phone: +39 0185 269 039

The Data Controller has not appointed a Data Protection Officer (DPO) as the mandatory conditions set out in Article 37 GDPR do not apply.

2. Personal Data Collected

2.1 Browsing data

The computer systems and software procedures used to operate this website automatically acquire, in the course of normal operation, certain data whose transmission is inherent to Internet communication protocols: IP addresses, browser type and operating system, pages visited, request timestamps, and any error codes. These data are used solely to ensure the correct functioning of the website, monitor its security, and generate anonymous usage statistics. They are retained for a maximum period of 30 days, unless longer retention is required by law.

2.2 Data voluntarily provided via the booking form

By completing the form on the Contacts and Reservations page, the user voluntarily provides the following personal data:

  • Personal and contact details (required): first name, last name, email address, mobile phone number with international dialling code.
  • Stay details (required): arrival and departure date and time at the garage.
  • Vehicle details (required): make, model, and licence plate of the vehicle.
  • Preferred language for communications (Italian, English, or French).
  • Optional data: company name, free-text message (max 1,000 characters).

When the form is submitted, technical anti-spam protection measures are applied that do not involve the processing of additional personal data and do not install cookies.

2.3 Data collected during booking confirmation

If the availability request is accepted by the Data Controller and the user proceeds to confirm, the confirmation form will request additional data to guarantee the booking: credit card details (network, number, cardholder, expiry date) or confirmation of cash payment. No charge is made to the credit card at the time of booking, except in cases of no-show or late cancellation, in accordance with the conditions communicated to the customer.

3. Purposes and Legal Bases for Processing

The data collected are processed for the following purposes, with the corresponding legal basis:

a) Managing bookings and contractual relationships

Processing of booking data to provide the parking service, communicate with the customer, confirm availability, and where applicable, perform the contract.
Legal basis: performance of a contract or pre-contractual measures at the request of the data subject (Art. 6.1.b GDPR).
Provision: mandatory; refusal makes it impossible to complete a booking.

b) Website security and anti-spam protection

Adoption of technical measures to filter automated form submissions and protect the website and the Data Controller's systems from abuse. These measures do not install cookies, do not profile the user, and do not transfer data to third parties.
Legal basis: legitimate interest of the Data Controller in protecting its IT systems (Art. 6.1.f GDPR).

c) Compliance with legal obligations

Retention of booking and billing data for the periods required by tax and civil law.
Legal basis: legal obligation (Art. 6.1.c GDPR).

d) Interactive map (Google Maps)

Display of the garage location via the official Google Maps iframe.
Legal basis: explicit consent (Art. 6.1.a GDPR), withdrawable at any time via the "Cookie Preferences" icon at the bottom right of the website.

4. Recipients of Personal Data

The data collected may be disclosed to the following categories of recipients:

  • Authorised company personnel of the Data Controller, expressly designated and adequately trained in data processing (Art. 29 GDPR).
  • Amazon Web Services EMEA SARL (AWS), acting as Data Processor (Art. 28 GDPR), for website and database hosting services. Data are hosted in the eu-central-1 region (Frankfurt, Germany data centres).
  • Aruba S.p.A. (an Italian company based in Bibbiena, AR) as the email/SMTP service provider used to transmit confirmation emails and communicate with customers. Data transit through and are stored on servers located in Italy.
  • Google Ireland Limited for the Maps service, where the user has given consent.
  • Tax advisor and accountant of the Data Controller, for tax-related obligations arising from the booking.
  • Competent authorities in the event of legal obligations, investigative requests, or judicial protection.

Personal data are not sold to third parties for marketing purposes nor publicly disclosed.

5. Data Location and Transfers Outside the EU

The personal data collected are physically hosted within the European Union, specifically in Amazon Web Services data centres in the Frankfurt region (Germany, eu-central-1).

Some Data Processors are, however, companies headquartered in the United States of America or European companies belonging to US-based groups. For such transfers, even where only potential, the safeguards provided under Chapter V of the GDPR apply:

  • Amazon Web Services EMEA SARL — hosting provider headquartered in Luxembourg, belonging to the Amazon group (USA). Data are hosted exclusively in European data centres. The transfer is based on the EU-U.S. Data Privacy Framework (Amazon is certified) and on Standard Contractual Clauses included in the AWS Data Processing Addendum. Additional technical measures are also in place (encryption at rest and in transit) to mitigate the risk of access by US authorities (CLOUD Act).
  • Google LLC (USA) — Maps service. The transfer is based on the EU-U.S. Data Privacy Framework (adequacy decision of 10 July 2023) and on Standard Contractual Clauses approved by the European Commission.

The updated list of Google and AWS sub-processors is available on their respective official websites.

6. Retention Period

  • Browsing data: maximum 30 days from collection.
  • Booking and contact data: for the time necessary to manage the request and up to 10 years from the last interaction, in compliance with statutory document retention obligations for tax purposes (Art. 2220 of the Italian Civil Code, Presidential Decree 633/1972).
  • Payment data (credit card): deleted at the end of the validity of the pre-authorisation and in any case upon completion of the booking. They are not stored in plain text in the Data Controller's systems beyond the time strictly necessary.
  • Cookies and online identifiers: as set out in the Cookie Policy.

After these periods, data will be deleted or irreversibly anonymised, unless retention is required by legal obligations, pending disputes, or actions to protect the Data Controller's rights.

7. Rights of the Data Subject

At any time and in accordance with Arts. 15–22 GDPR, the user has the right to:

  • Access their personal data and obtain a copy thereof (Art. 15);
  • Request rectification of inaccurate data or completion of incomplete data (Art. 16);
  • Obtain erasure of data (right to be forgotten), in the cases provided for by Art. 17;
  • Restrict processing in the cases provided for by Art. 18;
  • Receive data in a structured, commonly used format (portability — Art. 20);
  • Object to processing based on legitimate interest (Art. 21);
  • Withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent given before its withdrawal (Art. 7);
  • Lodge a complaint with the Italian Data Protection Authority (Art. 77).

To exercise these rights, simply send a request to info@garageportofino.it or to the PEC address garageportofinosrl@pec.it. The Data Controller will respond within 30 days of receipt.

8. Security and Processing Methods

Processing is carried out by electronic and paper-based means, with technical and organisational measures appropriate to ensure a level of security commensurate with the risk (Art. 32 GDPR), including:

  • Transmission of data over HTTPS with TLS encryption;
  • Encryption of data at rest on AWS servers;
  • Hosting in GDPR-compliant data centres certified to ISO 27001 and SOC 2 Type II (AWS Frankfurt, eu-central-1);
  • Access to systems restricted to authorised personnel only, using individual credentials;
  • Periodic data backups with encrypted storage;
  • Technical anti-spam protection measures and CSRF protection for operations that modify system state;
  • Data breach response procedures pursuant to Arts. 33–34 GDPR.

10. Changes to this Policy

The Data Controller reserves the right to update this policy at any time to reflect changes in legislation, organisational structure, or technology. Updated versions will be published on this page, with the date of last update indicated. Users are invited to check this page periodically.