The Science of Thermalism

Privacy policy

Dear Data Subject,
we would like to inform you that the ‘European Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data’ (hereinafter, ‘GDPR’) provides that the protection of personal data relating to individuals is to be regarded as an individual’s fundamental right. Therefore, pursuant to Article 13 of the GDPR, we hereby provide the following information.

This notice describes the methods for processing the personal data of users visiting the websites of the facilities belonging to the company Terme di Sirmione S.p.A., more specifically:

  • Terme Virgilio;
  • Terme di Sirmione online store;
  • Terme di Sirmione blog;
  • Grand Hotel Terme;
  • Hotel Acquaviva del Garda;
  • Hotel Sirmione e Promessi Sposi;
  • Hotel Fonte Boiola;
  • Aquaria Thermal SPA;
  • Online Newsletter subscription;

This information does not concern other sites, pages or online services that can be reached through hypertext links that may be published on the sites but that refer to resources outside the domain of Terme di Sirmione S.p.A. 

The Data Controller (hereinafter referred to as the ‘Data Controller’) is Terme di Sirmione S.p.A., with its registered office at Piazza Virgilio 1, 25019 Sirmione (BS), and can be contacted via the following e-mail address

In accordance with the provisions of Article 37 of Regulation (EU) 2016/679, the Data Controller has appointed a Data Protection Officer (DPO) who can be contacted at the above addresses.

The personal data in the Data Controller’s possession is collected primarily from the data subject. More specifically, the Data Controller will process the personal data provided by you (hereinafter jointly referred to as ‘data’), such as:
– identifying and non-particular data, including but not limited to: name, surname, date of birth, e-mail, telephone number;
– payment information;
– data expressing your purchasing preferences;
– other information provided voluntarily (the optional, explicit and voluntary submission of personal data by the user on the registration forms on the websites for the individual facilities listed above; this is necessary for the provision of the requested service);
– browsing data – Cookies
The computer systems and software procedures used to operate this website acquire certain personal data during the course of their normal operation, the transmission of which is implicit in the use of internet communication protocols. This information is not collected in order to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by those connecting to the site, the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check it is working correctly, and is deleted immediately after processing.

The processing of your data has the performance of the contract (point a.), your consent (points b. and c.), and the Data Controller’s legitimate interest (points d. and e.) as its legal basis and will be carried out:
a. for the management of the contract and pre-contractual communications between the user and the Data Controller;
b. for sending automated newsletters relating to the Data Controller’s activities;
c. for profiling activities;
d. in order to comply with obligations laid down by law, a regulation, EU legislation or an order of the Authority;
e. to exercise the Data Controller’s rights, such as the right of defence in court.

Apart from what is specified for browsing data, the data subject is free to provide their personal data or not. However, failure to provide it may result in it being impossible to obtain what has been requested.

The processing of your personal data is carried out by means of the operations indicated in Art. 4 no. 2) GDPR, namely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of the data.
Your personal data will be processed both on paper and electronically; the processing of your data will be automated with particular reference to sending regular newsletters, provided that you have given your consent to receive them.

The data collected will be retained for a period of time not exceeding the fulfilment of the purposes which they were collected and processed for (‘retention limitation principle’, Art. 5, GDPR) or in accordance with the deadlines stipulated by legal regulations.
More specifically, the data collected for the purpose of sending commercial communications will be kept for 5 (five) years from the last transaction you made, while data collected for profiling purposes will be kept for 5 (five) years from the last transaction you made. Checks on the obsolescence of stored data in relation to the purposes which they were collected for are carried out periodically by the Data Controller.

The data collected may be transferred or communicated to other companies for activities strictly connected with and instrumental to the operation of the service, such as the management of computer systems. The personal data provided by users who request for informative material to be sent (brochures, material, etc.) is used for the sole purpose of performing the service or provision requested and is passed onto third parties only if necessary for that purpose (companies that provide enveloping, labelling, or mailing services). Beyond these cases, the personal data will not be disclosed unless provided for by contract or law, or unless specific consent is requested from the person concerned.
In this sense, the personal data may be passed on to third parties, but only and exclusively in the event that:

  • there is explicit consent to share the data with third parties;
  • there is a need to share information with third parties in order to provide the requested service;
  • this is necessary to comply with requests from the Judicial or Public Security Authorities.

The data may be sent to the Data Controller’s suppliers in order to comply with the purposes set out in this policy, and to optimise the browsing services on the websites belonging to the companies linked to the Data Controller.

The data subject, as provided for in EU Regulation 679/2016, has the right to obtain the following from the Data Controller at any time: confirmation that the data exists and communication of it; its updating, rectification, integration, cancellation, transformation; the blocking of data processed in violation of the law; the data subject may object to their personal data being processed by sending a registered letter to the Data Controller’s head office, or an email to

The Data Controller hereby informs you that the personal data collected is processed lawfully and fairly, is collected and recorded for the stated purposes, and is used in other operations that are compatible with those purposes. The Data Controller undertakes to adopt appropriate and preventive security measures to safeguard the confidentiality, integrity, completeness and availability of the data subject’s personal data.
The personal data is processed on paper and/or by automated means; specific security measures are observed to prevent any loss, including accidental loss, alteration, misuse, illegal or incorrect use and unauthorised access.
The Data Controller shall not be held liable for any untruthful information sent directly by the site user to the addresses listed there (e.g. the accuracy of e-mail address or credit card or postal address details), as well as information concerning them that was provided by a third party, albeit fraudulently.

You have the right to lodge a complaint with the supervisory authority (for Italy, the body to be addressed is the Garante della Privacy) at any time if you believe that your data is being processed in an unorthodox way; data subjects may alternatively apply to the supervisory authority of their country of residence, or the country where the data subject works, or where the breach occurred.

Pursuant to Article 13 of the EU Regulation 2016/679, the Data Controller would also like to inform you that, in the context of the provision of telephone booking services via the booking offices (e.g. Contact centre, Groups and Events Office, etc.), callers’ personal data is processed for the following purposes:

  • handling requests for information, reservations and providing any further necessary support to the customer;
  • ensuring the highest standards of service by recording telephone communications with customer service.

The personal data provided directly by the caller is processed to handle requests and does not require any disclosure to third parties. Instead, telephone calls are recorded in order to analyse the quality and effectiveness of processes, products and services at the time of customer service delivery through telephone contact. Recording telephone calls is inherent to the provision and management of the activities provided by the customer service and is of interest to customers; their confidentiality is protected by appropriate technical measures in order to allow for orderly processing. The telephone call is recorded by means of a computerised device. The call recording is not passed onto third parties.
The personal data of callers making requests is processed to the extent necessary so as to handle them. Further information is then made available when using the services through which the caller requests information and makes reservations. Instead, the recording is kept for as long as necessary to pursue the above-mentioned purposes and then permanently deleted.

Pursuant to EU Regulation 679/2016, we would like to inform you that, following your subscription to the newsletter, your personal data will be processed by Terme di Sirmione S.p.A., in its capacity as Data Controller.

a. Purpose
The data will be processed, only if you give your consent in relation to the individual purposes, to:
1. send the Terme di Sirmione S.p.A. newsletter and further promotional material on the services provided by Terme di Sirmione S.p.A., including discounts, vouchers and product samples, both through traditional channels (e.g. telephone calls with operator and paper mail), and through automated channels such as e-mail, SMS, communications through social media (Facebook, Instagram, etc.), as well as to inform you of purchasing opportunities and promotions of products and services provided by partner companies, to which, however, your data will NOT be passed on/delivered;
2. send promotional and informative material in line with your preferences, habits and consumption choices.
We would like to inform you that when you receive communications by e-mail, certain information relating to receiving these communications or opening the links contained there will be collected by means of anonymous statistical tracking and for the sole purpose of optimising the submission system.

b. Legal basis for processing
Processing personal data for these purposes is free. Refusal to provide personal data or refusal to give consent shall only result in you not being able to receive promotional communications from the Data Controller.

c. Processing method and the possible communication of data
Processing will be carried out on the personal data provided directly by you by means of: filling in forms; front desk forms at the Data Controller’s individual facilities; or, if you give your consent for purpose 2, on additional personal data inferred from your habits, consumer choices, purchases, etc.
The processing will be done manually and by means of computerised devices, with organisational methods and logic strictly related to the indicated purposes. The personal data will therefore be stored for a period of time consistent with the objectives pursued in carrying out the company’s promotional activities, taking into account any expressed opposition. The aforementioned purposes may also be achieved by passing on and communicating data to third parties, understanding third parties as those authorised to process the data themselves, insofar as they are entrusted with carrying out or providing specific services which are strictly functional to the performance of the contractual relationship, such as suppliers of products and services related to the pursued purposes. Your personal data will not be disseminated.
In order to achieve the purposes set out in point 2(a) of this Article, the personal data may be sent to third countries, in particular to your CRM application provider and External Data Processor. The Data Controller will check that these data recipients comply with the provisions of Articles 44 and 49 of the GDPR. In the absence of an adequacy decision pursuant to Article 45(3) or adequate safeguards pursuant to Article 46, including Binding Corporate Rules and pursuant to Article 49 of the GDPR, the Data Controller requests you provide for the possibility of sending personal data to a third country or an Organisation after obtaining your specific consent.


a. What are Cookies?

Cookies are small text files that Terme di Sirmione websites can create on the device you are using to browse. The purpose of cookies in general is to store and transport information. This is useful both for companies who can, for example, measure how users visit their sites, and for site users, allowing them to set their own personal browsing preferences (e.g. language choice).
The Data Controller uses cookies on its sites mainly to improve browsing, such as maintaining customisation for visits after the first one, or once articles have been placed in the shopping cart, finding them again on the next visit after having had to leave the session or switch off the computer. This is possible thanks to a cookie. The Data Controller cannot use cookies to retrieve your personal information such as name, surname or email address, unless you provide it directly. The Data Controller makes use of different types of cookies. Some of these are essential for the site to function, others are not. In any case, you have the possibility to set your computer browser to accept all cookies, only some, or to reject them completely at any time.

b. Which cookies do we use?
The cookies used by the Data Controller can be distinguished according to the length of time they remain on the device you use to browse, where they come from and what purpose they serve.

f. Length of preservation
Session (or temporary) cookies: these are deleted and disappear from your device when you leave the website and close your browser.
Persistent cookies: they remain on your device even after you leave the website until you delete them or until their expiry date is reached.
The Data Controller’s sites create this type of cookie and store it on the user’s device so that it can be read on subsequent visits to our sites. This allows, for example, previously set preferences (e.g. wish lists) to be retrieved.

g. Origin
First-party cookies: these are cookies issued by the website you are visiting; the website is the one corresponding to the address you typed in (website displayed in the URL window).
Third-party cookies: these are cookies issued by a website other than the one you are visiting (e.g. those used by our business partners or service providers such as Facebook or Google Analytics).

h. Purpose
Strictly necessary or ‘technical’ cookies: these cookies are essential for browsing the site you are visiting and using some of its functionalities. Without these cookies some online services that you may require cannot be provided. With this type of cookie we do not collect any of your personal information and therefore the Data Controller can never in any way identify you.
Performance cookies: these cookies collect anonymous information and help the Data Controller to understand how users interact with its sites. For example, they inform you which pages are visited most, the time spent on the site, any error messages, etc. The performance cookies that the Data Controller uses only collect information on an aggregate and anonymous basis, and serve to improve site operation and your browsing experience.
Functionality cookies: these cookies allow the site to remember the choices you make (such as the font size of displayed text, language preference, the country you are in, etc.) and to provide you with the personalised features you have selected. In some cases, these cookies may also be used to offer online services (e.g. offering a live chat service) or to avoid re-proposing services or messages that you have already refused in the past. The sites in question release this type of cookie on your device in a completely anonymous manner without giving the Data Controller the possibility of identifying you. Please note that if you delete this type of cookie, the preferences and/or settings you have selected will not be stored for your future visits.
Promotional or targeting cookies: promotional cookies are used to collect information about your browsing habits in order to provide you with advertisements that are as relevant as possible to you and your interests. This means that the Data Controller also uses them to limit the number of times it displays a particular advertisement. For the Data Controller, the aim is therefore to communicate more effectively; for you, it is to receive advertising that is less invasive and closer to your preferences. While you are browsing the Terme di Sirmione websites, promotional cookies allow the Data Controller to confirm that you are viewing our advertisements and to show you promotional content that we believe may be of interest to you based on what you have previously visited. While you are browsing other sites, these cookies also allow us to show you content that you have recently viewed on Terme di Sirmione sites for promotional purposes. Our sites use promotional cookies on an anonymous basis only: We offer you targeted advertising but we do not know who you are. The promotional cookies we use are permanent, although they remain on your device for a limited time, and can be first and third party cookies. You can find out how to delete or manage performance cookies in the section below.

i. Do you want to refuse and block cookies?
Most internet browsers are initially set to accept cookies automatically. This means that you have the possibility to set your browser to accept all cookies, only some, or to reject them by disabling their use by the sites at any time. You can also normally set your browser preferences so that you are notified whenever a cookie is stored on your computer. At the end of each browsing session, you can delete the cookies collected from your device’s hard disk. If you wish to delete the cookies installed in the cookie folder of the browser you are using, please remember that each browser has different procedures for managing settings.
By clicking on the links below, you can obtain specific instructions for some of the major browsers.

j. Cookie features in use
For the and websites, please refer to the icon on the webpage. For the and websites, please refer to the following pages:
For all other web platforms used by the Data Controller, the cookies in use can be found in the document available at the following link: .

Pursuant to articles 13 and 14 of GDPR 2016/679, Terme di Sirmione S.p.A., as the Data Controller, hereby informs you that it will process your data in the following ways and for the following purposes.

a. Categories of processed data
For the purposes described below, the Data Controller has installed a continuous video surveillance system at its facilities. The Data Controller processes your personal data through the video surveillance system consisting of the images found there. Any existing facilities and equipment will not film places reserved exclusively for employees.

b. The purpose of the processing and legal bases
The personal data will be processed for the following purposes: protection of company assets; safety in the workplace; organisational and production requirements.
The legal basis for the processing is the Data Controller’s legitimate interest.

c. Types of processed data
In relation to the purposes of the data processing referred to in the preceding paragraph, only personal data from the video surveillance system, i.e. images from the aforementioned circuit, will be processed. Please note that the provision of data is necessary insofar as it is strictly instrumental to accessing company premises. Failure to do so will make it impossible for the Data Controller to grant you access to the premises. In relation to the provisions of the Order of the Supervisory Authority on video surveillance of 8 April 2010 for the pursuit of the purposes of protecting corporate assets and the protection and safety of persons, consent of those concerned is not required.

d. Data processing methods and storage
The on-site video surveillance system is equipped with:
(a) fixed orientation cameras;
(b) a monitor for real-time image display;
(c) protected recording equipment.
The monitor and video recorders are located on the Data Controller’s premises, in technical rooms with limited and controlled access, exclusively by appointed and authorised personnel.
The video surveillance system allows for images to be viewed in real time and for them to be recorded. Images captured through the video surveillance system are only viewed by the Data Controller or those specifically instructed by them in writing.
Video surveillance areas are signposted with the appropriate signs.
With regard to retention times, data is kept for a maximum of 7 days, unless we have to comply with a specific investigative request from the Judicial Authority or the Judicial Police. At the end of the period, the images are automatically deleted by overwriting the oldest ones.

e. Dissemination and categories of data recipients.
Data transfer. Data collected through the video surveillance system will not be disseminated. The data may be communicated to third parties contractually bound to the Data Controller and exclusively for the achievement of the purposes expressed or in order to comply with contractual or legal obligations belonging to the following categories: external subjects entrusted with the management/maintenance/administration of the video-surveillance system, subjects entrusted with the concierge and surveillance service, subjects entrusted with the security service, any professionals who support the company with consultancy or legal activities. The images can also be provided to the police and/or judicial authorities if requested. The list of those responsible, if any, is constantly updated and available at the Data Controller’s premises.

f. Sending personal data to third countries
The data controller does not transfer your personal data to third countries. The entirety of the personal data processing actually takes place within Italy, or in some limited cases within the European Union.

g. The data subject’s rights
If the conditions laid down in the GDPR are met, you may exercise the rights provided for in Articles 15 et seq. of the GDPR regarding the Data Controller and, more precisely, the right to access your personal data, to the rectification, to the erasure (‘right to be forgotten’), to the restriction of processing, to data portability and to object at any time to the processing of the personal data concerning you.
To exercise these rights, please send your request to
You have the right to lodge a complaint with the supervisory authority (for Italy it is the Garante della Privacy) at any time if you believe that your data is being processed in an unorthodox way; data subjects may alternatively apply to the supervisory authority of their country of residence, or the country where you work or where the breach occurred.

The full text is available at the reception desk