Statement pursuant to Art. 13 Reg. EU 2016/679 (GDPR) (Web policy)
Pursuant to Art. 13 of Reg. EU 2016/679, therefore, we provide the following information to you:
1. DATA CONTROLLER, DATA PROCESSORS AND PERSONS APPOINTED
The Data Controller, pursuant to Art. 4 and 24 of Reg. EU 2016/679, is IL CIOCCO S.P.A., with registered office in Barga (Lucca Province), Frazione Castelvecchio Pascoli, recorded in the Register of Companies of Lucca, REA no. LU85934, Tax Code and VAT no. 00202750469. The Data Controller can be contacted at the following e-mail address: firstname.lastname@example.org. The updated list of Data Processors and persons appointed for the processing is available at the registered office of the Company.
2. DATA PROTECTION OFFICER (DPO)
The Data Protection Officer has not been appointed. The Company does not fall within the cases envisaged by Art. 37 Reg. EU 2016/679 and, therefore, is not obliged to the mandatory designation of this figure.
3. TYPES OF DATA PROCESSED
- Navigation data (e.g. IP addresses or domain names of computers and terminals employed by users);
- Data communicated by the user: identification data and contact data (including of minors), personal codes/passwords and other data provided by the Data Subjects in the free fields;
- Cookies and other tracking systems: cookies are not used for user profiling, nor are other tracking methods used.
4. PURPOSES, LEGAL BASIS AND LAWFULNESS OF THE PROCESSING
The legal basis that legitimizes the processing is the execution of a contract, of a service requested or the execution of pre-contractual provisions and, in those cases expressly provided for, the consent freely expressed by the Data Subject. The Company informs you that it will process your personal and contact details in compliance with the conditions of lawfulness provided for by Art. 6 Reg. EU 2016/679 and to the extent strictly necessary to fulfil the following purposes:
- navigation and use of services on this website;
- to give a response to a request for information/estimates addressed to the Data Controller. The optional, explicit and voluntary sending of messages to the address of the Data Controller involves the acquisition of the sender's contact details necessary for the response, as well as all the personal data included in the communications;
- only in the case of specific and explicit consent, for marketing activities through the sending of e-mails or newsletters of an advertising nature.
5. PERSONAL DATA RECIPIENTS OR CATEGORIES OF RECIPIENTS
The collected data may be communicated to recipients, designated as per Art. 28 Reg. EU 2016/679, that will process the data as external Data Processors and/or as natural persons acting under the authority of the Data Controller and the Data Processor. Specifically, the data may be disclosed to the following parties: - companies providing services for the management/maintenance of the IT system, the communication networks and the web platform; - partner companies or companies belonging to the Group; - Supervisory Bodies pursuant to Decree Law 231/2001; - competent authorities for compliance with legal obligations and/or provisions of public bodies, upon request.
6. TRANSFER OF DATA TO A THIRD COUNTRY AND/OR TO INTERNATIONA ORGANIZATIONS
Data of a personal nature provided to the Company will not be transferred abroad, neither inside nor outside the European Union.
7. RETENTION PERIOD OR CRITERIA USED TO DETERMINE THIS PERIOD
The processing will be carried out using computerized and manual methods and instruments aimed at ensuring maximum security and confidentiality, by parties specifically authorized to do so. In compliance with the provisions of Art. 5 Reg. EU 2016/679 and the principle of minimization, the collected data will be stored on protected IT systems or in paper form with methods that allow the identification of the Data Subjects for a period of time not exceeding the achievement of the purposes for which the personal data was collected, until the revocation of consent and in any case no longer than 24 months from the date of collection. Navigation data is not stored for more than 7 days and is deleted immediately after its aggregation. After these time limits, the data will be destroyed or rendered anonymous. If for any reason you feel the purpose of the processing has been satisfied (before the aforementioned time limit) you should notify the Company of such in writing; the latter will then effect the immediate deletion of the collected data.
8. RIGHTS OF THE DATA SUBJECTS AND METHODS OF EXERCISING THE SAME
As a Data Subject you will be able to assert your rights as per Section III (Art. 15-22) of Reg. EU 2016/679 by contacting the Data Controller by e-mail at the address email@example.com, by registered letter with acknowledgement of receipt - c/o the address of the Company's registered office - or by means of paper delivery. Note that in the absence of a prompt response by the Data Controller, you have the right to lodge a claim before the Data Authority or make a legal complaint.
The rights you enjoy, pursuant to Reg. EU 2016/679, are specifically the following:
• to obtain confirmation of the existence, or otherwise, of personal data that concerns you, even if not yet registered, and its communication in intelligible form (right of access). In particular, the Data Subject has the right to access the following information: a) purposes of the processing; b) categories of personal data in question; c) parties or categories of parties to which the personal data may be disclosed; d) the period of retention of personal data or the criteria used to determine that period; e) the existence of the right of the Data Subject to ask the Data Controller to correct or delete personal data concerning them or to oppose its processing; f) the right to bring a complaint to the supervisory authority; g) information about the source of the data, if not collected from the Data Subject; h) the existence of an automated decision-making process, including profiling, and in such cases at least the logic used; i) the right to be informed of the existing safeguards where personal data is transferred to a third country; j) the right to obtain a copy of the personal data being processed;
• to obtain: a) the correction or, when necessary, the addition of data (right of correction); b) the deletion of personal data concerning them without unjustified delay (right to be forgotten); c) the limitation of the processing (right of limitation of processing); d) the certification that the above operations have been brought to the attention, including with regard to their content, of those to whom the data has been communicated or disclosed, except in the case in which this obligation proves impossible or entails disproportionate effort;
• to receive your data in a commonly used structured format and digitally readable in order to reuse it for other purposes and for various services and the right to transmit your data to another Data Controller without impediment (right to portability);
• to oppose at any time, for reasons connected with your particular situation, the processing of personal data concerning you, including profiling. Where personal data is processed for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of their personal data for such purposes (right of objection).
• the right not to be subjected to a decision based solely on automated processing (including profiling) which produces legal effects concerning them or which significantly affects their person in a similar way;
• to withdraw the consent at any time, without prejudice to the lawfulness of the treatment based on the consent given before the revocation, if the processing is based on Art. 6 para. 1, letter a) Reg. EU or on Art. 9 para. 2, letter a) Reg. EU;
• in certain situations, the right to receive communications regarding the violation of their personal data.
9. METHODS OF DATA PROCESSING
The personal data you provide will be recorded, processed, managed and stored in paper form and/or with the help of electronic computer instruments and in any case in such a way as to ensure the security and confidentiality of the same. The processing of personal data takes place without the intervention of automated systems or processes and there is no provision for profiling.
10. NATURE OF THE DATA PROVISION AND CONSENT
The provision of personal data for the purposes referred to in point 3 is optional. Any partial or total failure to provide data will result in partial or total inability to use the services offered by the Data Controller, for example to receive a response to a request for information submitted. Failure to consent to the use of data for marketing activities does not prevent the use of other services offered by the site. Consent given may be revoked at any time in the manner specified in point 7.
11. DATA DISCLOSURE
The personal data collected will not be in any case and in any way disclosed to unauthorized third parties by the Data Controller and may be displayed only upon request of the Judicial, Financial and Data Protection Authorities, as well as to all other parties to which communication is obligatory by law for the accomplishment of the said purposes.