Last Update: 02/07/2025
1. Introduction to GDPR Compliance
OpinSpire S.r.l. (“we,” “us,” or “our”) is fully committed to compliance with the General Data Protection Regulation (GDPR) and protecting the fundamental rights and freedoms of individuals regarding the processing of their personal data.
This document provides detailed information about your rights under GDPR, our compliance measures, and procedures for exercising your data protection rights.
1.1 GDPR Overview
The General Data Protection Regulation (EU) 2016/679 is a comprehensive data protection law that:
- Protects EU residents’ personal data rights
- Applies to all organizations processing EU residents’ data
- Establishes strict requirements for data processing
- Provides individuals with enhanced control over their personal data
1.2 Our Commitment
As a platform serving the tourism industry across Europe, we ensure:
- Full GDPR compliance in all our operations
- Transparent data processing practices
- Respect for individual rights and preferences
- Continuous monitoring and improvement of our compliance measures
2. Data Controller Information
2.1 Data Controller
OpinSpire S.r.l.
- Legal Entity: Italian Limited Liability Company
- Address: Via Vogelweide, 22 – 39012 – Merano (BZ)
- Country: Italy
- Email: privacy@opinspire.com
2.2 Data Protection Officer (DPO)
Contact Information:
- Email: dpo@opinspire.com
- Role: Oversight of GDPR compliance and data protection practices
- Availability: Monday-Friday, 9 AM – 6 PM CET
- Response Time: Maximum 30 days as required by GDPR
2.3 EU Representative
As an EU-based company, OpinSpire S.r.l. serves as its own representative for GDPR matters.
3. Types of Personal Data We Process
3.1 Account and Profile Data
- Identity Information: Name, surname, date of birth
- Contact Information: Email address, phone number (optional)
- Account Credentials: Username, encrypted password
- Profile Settings: Language preferences, notification settings
3.2 Employment and Verification Data
- Current/Former Employers: Company names, locations
- Job Information: Titles, roles, employment dates
- Industry Details: Tourism sector, specific job categories
- Verification Documents: Employment contracts, pay stubs (when required)
3.3 Review and Content Data
- Written Reviews: Text content, ratings, opinions
- User-Generated Content: Comments, responses, interactions
- Premium Content: Photos, enhanced reviews (paid users)
- Engagement Data: Likes, shares, saves, report actions
3.4 Technical and Usage Data
- Device Information: Browser type, operating system, device ID
- Network Data: IP address, location (country/region level)
- Usage Analytics: Pages visited, time spent, click patterns
- Performance Data: Load times, error reports, feature usage
3.5 Payment and Subscription Data
- Billing Information: Credit/debit card details, billing address
- Transaction Records: Payment history, subscription status
- Financial Data: Processed securely by third-party payment providers
- Refund Records: Customer service interactions and resolutions
4. Legal Basis for Data Processing
4.1 Legitimate Interest (Article 6(1)(f) GDPR)
Platform Security and Integrity:
- Fraud prevention and detection
- Spam and abuse prevention
- System security monitoring
- Review authenticity verification
Service Improvement:
- Analytics and performance optimization
- User experience enhancement
- Platform development and testing
- Quality assurance and debugging
4.2 Contractual Necessity (Article 6(1)(b) GDPR)
Core Service Delivery:
- User account creation and management
- Review platform functionality
- Premium feature access
- Customer support services
Payment Processing:
- Subscription billing and management
- Payment verification and processing
- Refund and cancellation handling
- Financial record keeping
4.3 Consent (Article 6(1)(a) GDPR)
Optional Services:
- Marketing and promotional communications
- Social media integration and sharing
- Advanced analytics and personalization
- Third-party service integrations
Special Categories:
- Enhanced profile information
- Optional demographic data
- Preference-based recommendations
- Targeted content delivery
4.4 Legal Obligation (Article 6(1)(c) GDPR)
Regulatory Compliance:
- Financial record keeping (7 years)
- Anti-money laundering compliance
- Tax reporting requirements
- Law enforcement cooperation
4.5 Vital Interests (Article 6(1)(d) GDPR)
Emergency Situations:
- Preventing serious harm or illegal activity
- Protecting platform users from danger
- Responding to emergency law enforcement requests
- Safeguarding public safety
5. Your GDPR Rights
5.1 Right of Access (Article 15 GDPR)
What it means:
- Request confirmation of data processing
- Obtain copies of your personal data
- Receive information about processing purposes
- Learn about data retention periods
How to exercise:
- Email: privacy@opinspire.com
- Subject: “GDPR Data Access Request”
- Response time: 30 days maximum
- Free of charge for reasonable requests
5.2 Right to Rectification (Article 16 GDPR)
What it means:
- Correct inaccurate personal data
- Complete incomplete information
- Update outdated information
- Amend incorrect employment details
How to exercise:
- Account settings (direct update)
- Email request for complex changes
- Provide evidence for factual corrections
- Immediate updates for account information
5.3 Right to Erasure (Article 17 GDPR)
What it means:
- Request deletion of personal data
- “Right to be forgotten” in certain circumstances
- Removal when data no longer necessary
- Withdrawal of consent-based processing
Limitations:
- Reviews may remain anonymized for platform value
- Legal record keeping requirements
- Fraud prevention necessities
- Legitimate interest overrides
How to exercise:
- Account deletion through settings
- Email: privacy@opinspire.com
- Specify data to be deleted
- Confirmation within 30 days
5.4 Right to Restrict Processing (Article 18 GDPR)
What it means:
- Limit how we use your data
- Temporary suspension of processing
- Alternative to deletion
- Maintain data without active use
When applicable:
- Accuracy of data is contested
- Processing is unlawful
- Legal claims require data preservation
- Objection to processing is pending
5.5 Right to Data Portability (Article 20 GDPR)
What it means:
- Receive your data in structured format
- Transfer data to another service
- Machine-readable format provided
- Your own content and provided information
What’s included:
- Account and profile information
- Review content you’ve written
- Employment verification data
- Usage preferences and settings
5.6 Right to Object (Article 21 GDPR)
What it means:
- Object to processing for legitimate interest
- Opt-out of direct marketing
- Stop profiling for marketing purposes
- Challenge necessity of processing
How to exercise:
- Direct marketing: unsubscribe links
- General objection: privacy@opinspire.com
- Specific processing activities
- Grounds for objection required
5.7 Right to Withdraw Consent (Article 7(3) GDPR)
What it means:
- Remove previously given consent
- Stop consent-based processing
- No penalty for withdrawal
- Easy as giving consent
How to exercise:
- Account settings toggle
- Email notification
- Consent management platform
- Immediate effect upon withdrawal
6. Data Processing Procedures
6.1 Data Collection
Minimization Principle:
- Collect only necessary data
- Specific purpose for each data point
- Regular review of collection practices
- User control over optional data
Transparency Measures:
- Clear collection notices
- Purpose specification at collection
- Easy-to-understand language
- Prominent privacy information
6.2 Data Storage and Security
Technical Safeguards:
- Encryption at rest and in transit
- Access controls and authentication
- Regular security audits and testing
- Incident detection and response
Organizational Measures:
- Staff training on data protection
- Role-based access controls
- Confidentiality agreements
- Data protection impact assessments
6.3 Data Retention
Retention Principles:
- No longer than necessary
- Specific retention periods
- Regular deletion schedules
- User control over retention
Retention Periods:
- Active accounts: Duration of relationship
- Inactive accounts: 2 years then deletion
- Financial records: 7 years (legal requirement)
- Security logs: 5 years
- Marketing data: Until consent withdrawal
6.4 Data Sharing and Transfers
Third-Party Sharing:
- Service providers with data processing agreements
- Payment processors for subscription billing
- Analytics providers for platform improvement
- Cloud hosting for secure data storage
International Transfers:
- Adequacy decisions (EU-approved countries)
- Standard Contractual Clauses
- Binding Corporate Rules
- User consent for specific transfers
7. Children's Data Protection
7.1 Age Verification
Minimum Age: 16 years (aligned with employment eligibility)
- Age verification during registration
- Parental consent for users 16-18
- Enhanced protections for minor users
- Special deletion procedures
7.2 Enhanced Protections
For Users Under 18:
- Restricted data collection
- Additional consent requirements
- Limited profile visibility
- Enhanced deletion rights
8. Data Breach Procedures
8.1 Breach Detection
Monitoring Systems:
- Automated threat detection
- Regular security assessments
- Staff incident reporting
- User breach notifications
8.2 Breach Response
72-Hour Notification Rule:
- Supervisory authority notification
- Risk assessment and classification
- Immediate containment measures
- Investigation and remediation
User Notification:
- High-risk breaches communicated
- Clear description of incident
- Steps taken to address breach
- Protective measures recommended
8.3 Breach Prevention
Preventive Measures:
- Regular security training
- System updates and patches
- Access control reviews
- Incident simulation exercises
9. Supervisory Authority Information
9.1 Italian Data Protection Authority
Garante per la protezione dei dati personali
- Website: garanteprivacy.it
- Role: National supervisory authority for Italy
- Powers: Investigation, enforcement, penalties
- Contact: Available on official website
9.2 Complaint Rights
Right to Lodge Complaint:
- Free of charge
- No requirement to contact us first
- Available to any EU resident
- Independent investigation process
9.3 Enforcement Actions
Potential Consequences:
- Administrative fines up to €20 million or 4% of global turnover
- Processing bans and restrictions
- Certification withdrawal
- Public warnings and reprimands
10. Cross-Border Data Processing
10.1 EU Data Processing
Primary Processing Locations:
- EU-based servers and infrastructure
- GDPR-compliant service providers
- Adequate country transfers only
- Strong contractual safeguards
10.2 International Service Providers
Due Diligence:
- Privacy certification verification
- Standard Contractual Clauses implementation
- Regular compliance audits
- Breach notification procedures
11. Tourism Industry Specific Compliance
11.1 Seasonal Worker Protections
Special Considerations:
- Temporary employment verification
- Limited data retention for seasonal roles
- Enhanced deletion rights
- Flexible consent management
11.2 International Worker Rights
Multilingual Support:
- Privacy notices in multiple languages
- Culturally appropriate communication
- Home country law considerations
- Accessible rights exercise procedures
11.3 Employer Relations
Data Protection:
- Strong anonymization practices
- Anti-retaliation policies
- Professional standard maintenance
- Industry-appropriate handling
12. Exercising Your Rights
12.1 Contact Methods
Primary Contact:
- Email: privacy@opinspire.com
- Subject: “GDPR Rights Request”
- Include: Specific right, clear identification, detailed request
Data Protection Officer:
- Email: dpo@opinspire.com
- For complex or sensitive matters
- Independent oversight and guidance
12.2 Verification Process
Identity Verification:
- Account-based requests: automatic verification
- External requests: government ID required
- Third-party requests: legal authorization needed
- Fraud prevention measures applied
12.3 Response Timeline
Standard Timeline:
- Initial acknowledgment: 3 business days
- Complete response: 30 days maximum
- Complex requests: 60 days (with notification)
- Free of charge for reasonable requests
12.4 Appeal Process
If Dissatisfied:
- Internal appeal to DPO
- Supervisory authority complaint
- Legal action availability
- Independent dispute resolution
13. Regular Compliance Reviews
13.1 Internal Audits
Compliance Monitoring:
- Quarterly compliance assessments
- Annual comprehensive reviews
- Incident-triggered evaluations
- Third-party compliance audits
13.2 Policy Updates
Continuous Improvement:
- Legal development monitoring
- Best practice implementation
- User feedback incorporation
- Technology advancement adaptation
13.3 Training and Awareness
Staff Education:
- Regular GDPR training sessions
- Role-specific privacy training
- Incident response drills
- Compliance culture development
Contact Information:
- General GDPR Inquiries: privacy@opinspire.com
- Data Protection Officer: dpo@opinspire.com
- Emergency Contact: Available 24/7 for data breaches
This GDPR Compliance document demonstrates our commitment to protecting your fundamental rights and ensuring transparent, lawful processing of personal data in accordance with EU data protection law.