Pursuant to the combined provisions of Legislative Decree 30 June 2003, no. 196 containing "Code regarding the protection of personal data" (Consolidated Law on Privacy)
and of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
relating to the protection of individuals with regard to the processing of personal data
as well as the free circulation of such data henceforth also only "GDPR"
that the GDPR, published in the Official Journal of the European Union (GUUE) L. 119 of 4 May 2016 and, pursuant to art. 99 of the GDPR, entered into force on 25 May 2016 and will compulsorily apply in each Member State starting from 25 May 2018;
that, until the issuing of measures aimed at adapting the national regulatory framework to the provisions of EU Regulation no. 679/2016 (GDPR), it is also necessary to apply the Privacy Code (Legislative Decree 196/2003), even if, within the limits of what this will not be incompatible with the provisions contained in the GDPR itself;
that, therefore, without prejudice to what is already provided and governed by Legislative Decree 196/2003, the GDPR, with the exceptions provided for in Article 2, applies to the fully or partially automated processing of personal data and to the non-automated processing of personal data contained in an archive or intended to appear therein;
which, according to the provisions ofart. 5 GDPR ("Principles applicable to the processing of personal data"), The personal data of the interested party are processed according to the principles of
of lawfulness that is, compliance with the rules; of correctness that is, compliance with non-codified ethical and deontological rules; and of transparency or guarantee of awareness of the interested party, traceability of the data e disclosure at any time at the request of the interested party (letter a);
of "purpose limitation"Or collected for specific, explicit and legitimate purposes as well as subsequently processed in ways that are not incompatible with these purposes (letter b);
of "data minimization"Or collected in an adequate, relevant and limited way to what is necessary with respect to the purposes for which the same data are processed (letter c);
of "accuracy"Or collected exactly and, if necessary, updated as well as deleted or corrected in the event of their ascertained inaccuracy (letter d);
of "limitation of conservation"Or stored in a form that allows the identification of the data subjects for a period of time not exceeding that functional to the achievement of the purposes for which the same data are processed (letter e);
of "integrity and confidentiality"Or processed in such a way as to guarantee adequate security of personal data, including their protection through appropriate technical and organizational measures, from unauthorized or illegal processing or from accidental loss, destruction or damage (letter f);
that, in particular, the processing is "lawful"If, and to the extent that, cf. art. 6 GDPR ("Lawfulness of processing") At least one of the following conditions is met:
the interested party has given consent to the processing of their personal data for one or more specific purposes (letter a);
the processing is necessary for the execution of a contract of which the interested party is a party or for the execution of pre-contractual measures adopted at the request of the same (letter b);
the processing is necessary to fulfill a legal obligation to which the data controller is subject (letter c);
the processing is necessary for the protection of the vital interests of the data subject or of another natural person (letter d);
the processing is necessary for the execution of a task of public interest or connected to the exercise of public authority of which the data controller is invested (letter e);
the processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail, in particular if the data subject is a minor (letter f).
all the foregoing, in compliance with the regulatory provisions referred to inart. 13 ("Information to be provided if personal data are collected from the interested party") - Section 2 ("Information and access to personal data") Of the GDPR, and referred to inart. 13 ("Disclosure") Of Legislative Decree 196/2003
Identification of the "Data Controller"
(see definition "Holder of the treatment"Point 7 - art. 4 "Definitions" GDPR: "natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data"And definition"Holder"Letter f) - art. 4 "Definitions" Legislative Decree 196/2003: "the natural person, the legal person, the public administration and any other body, association or body, to which they are responsible, also jointly with another owner, the decisions regarding the purposes, methods of processing personal data and the tools used, including the security profile"):
Object and method of processing:
(see definition "Treatment"- art. 4 "Definitions" GDPR: "any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication through transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction"And definition"Treatment"- letter a) art. 4, Legislative Decree 196/2003: "any operation or set of operations, carried out even without the aid of electronic tools, concerning the collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison , the use, interconnection, blocking, communication, dissemination, cancellation and destruction of data, even if not registered in a database"Cf. definition of "Personal Data" point 1 - art. 4 "Definitions" GDPR: "any information concerning an identified or identifiable person ("interested party") considering "identifiable" the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data , an online identifier or one or more characteristic elements of its physical, physiological, generic, psychic, economic, cultural or social identity"); and definition "Personal Data"- letter b), art. 4, Legislative Decree 196/2003: "any information relating to a natural person, legal person, organization or association, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number";
The owner processes the personal identification data provided by the interested party.
The processing of personal data is carried out on the basis of the operations indicated in article 4, n.2), GDPR and by art. 4, letter a), Legislative Decree 196/2003 and precisely: collection, also, through the aid of electronic and automated tools; registration for specific, explicit and legitimate purposes and use in further processing operations, however, compatible with these purposes; organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.
The data will be processed in compliance with the necessary security and confidentiality and will be subjected to both paper and electronic and / or automated processing.
The Data Controller will process personal data for the time necessary to fulfill the aforementioned purposes, taking care to keep them, however, within the limits specified below.
Purpose of the processing for which the personal data are intended:
The data is collected and processed here:
without express consent (see Article 24, Legislative Decree 196/2003 and see Article 6 of the GDPR), for the following Service purposes:
conclude the contracts for the services of the Owner
fulfill the pre-contractual, contractual and tax obligations deriving from existing relationships with the interested party;
fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority;
prevent or discover fraudulent activities or abuses harmful to the website;
exercise the rights of the owner, for example the right to defense in court.
only with specific and distinct consent (see art.7 GDPR), for the following Marketing purposes:
send via e-mail, post and / or text message and / or telephone contacts, newsletters, commercial communications and / or advertising material on products or services offered by the Data Controller and detection of the degree of satisfaction with the quality of the services offered, indicating that, where the 'interested were already our customer, we will be able to send commercial communications relating to services and products of the Data Controller similar to those which the interested party has already used, except for opposition (see Article 21 of the GDPR);
send by e-mail, post and / or text message and / or telephone contacts, commercial and / or promotional communications from third parties (for example: business partners, insurance companies, etc.);
Clarifications regarding the treatment for "Marketing purposes" and of "Profiling"
For the benefit of the interested party, the following is specified:
The personal data collected will also be processed to pursue commercial promotion, advertising communication, solicitation of purchasing behavior, market research, surveys (including telephone, online or through forms), statistical processing (in identification form), other research. marketing samples in a broad sense of products and / or services referable to the Company (hereinafter, collectively, "Treatment for Marketing Purposes") Both through" generic "marketing and"profiled" that is consequent to the "profiling activities"(cf. definition "Profiling"- art. 4 "Definitions": "any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person [...] ")
In any case, even where the interested party has given consent, he will still remain free at any time revoke it, by changing the consent settings in the "Communication and Privacy"Of the site. Following the receipt of this request by opt-out, the Data Controller will promptly remove and delete the data from the databases used for the "Treatment for Marketing Purposes" and of "Profiling"And will inform any third parties to whom the data have been communicated for the same cancellation purposes.
If an indication of the telephone number of the interested party is required - for the purposes illustrated above - and the latter has given the optional and specific consent (which also covers the processing of such personal data) for the purposes of commercial promotion, marketing and profiling illustrated above, the Data Controller informs the interested party that he will be able to legally process the telephone user for marketing and profiling purposes even if it is registered in the Public Register of Oppositions, as it is drawn from a source other than public telephone directories and covered by specific consent, without prejudice to the right of opposition subsequent to processing where consent is formally revoked.
We inform you specifically and separately, as required by art. 21 of the GDPR that the interested party has the right to object at any time to the processing of personal data concerning him carried out for these purposes and that if the interested party objects to the processing for direct marketing and profiling purposes, the personal data will not be able to can be processed for these purposes.
Rights of the interested party:
In compliance with the provisions of art. 7, Legislative Decree 196/2003 and GDPR, the interested party may exercise the following rights
ask the data controller foraccess to personal data in order to be able to confirm whether or not personal data concerning him is being processed and, in this case, to obtain all the necessary information as best provided and governed by thearticle 15 "Right of access by the interested party"GDPR, and article 7, paragraph 1, Legislative Decree 196/2003;
ask the data controller for the rectification of personal data inaccuracies concerning him as well as the integration of incomplete ones as best provided for and governed byarticle 16 "Right of rectification"GDPR and article 7, paragraph 3, letter a), Legislative Decree 196/2003;
ask the data controller for the deletion of personal data concerning him in the event that the data are no longer necessary with respect to the purposes for which they were collected or otherwise processed (letter a); the interested party has revoked the consent or there is no legal basis for the processing (letter b); the interested party has opposed the processing pursuant to art. 21, paragraphs 1 or 2, and there are no overriding reasons for proceeding, in any case, with the processing (letter c); the processing is unlawful (letter d); the deletion of data constitutes fulfillment of the legal obligation to which the data controller is subject (letter e); where the hypothesis envisaged by article 8, paragraph 1 (letter f) exists, all - in any case - according to what is better provided for and governed byarticle 17 "Right to erasure ("right to be forgotten") GDPR and article 7, paragraph 3, letter b), Legislative Decree 196/2003;
obtain from the data controller the limitation of processing the same when: the data subject disputes the accuracy of the personal data (in this case within the limits of the time necessary to verify the accuracy of such data - letter a); in the event of unlawful processing, the interested party opposes - however - the cancellation of the data, requesting, instead, that its use be limited (letter b); regardless of the fact that the data controller no longer needs it for the purposes of the processing itself, the data subject needs to keep the data for the purposes of assessment, exercise or defense in court (letter c); the interested party has opposed the processing pursuant to art. 21, paragraph 1, pending verification of the possible prevalence of the legitimate reasons of the owner with respect to those of the interested party (letter d), all - in any case - as best provided for and governed byarticle 18 "Right to limitation of treatment";
at any time, for reasons connected with your particular situation, oppose the treatment of personal data concerning him, pursuant to article 6, paragraph 1, letters e) or f), including the profiling on the basis of these provisions, as well as in the case of data processing for marketing purposes including, in this case, profiling to the extent that it is connected to such direct marketing. All this, in any case, according to what is best provided for and governed byarticle 21 "Right to object"GDPR and article 7, paragraph 4, letters a) and b), Legislative Decree 196/2003;
get the data portability as best provided and governed byarticle 20 "Right to data portability";
at any time, withdraw your consent to the processing of data without this affecting the lawfulness of the treatment based on consent before revocation. All this, in any case, according to what is best provided for and governed byarticle 7 "Conditions for consent".
propose a complaint to a supervisory authority with the task of monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of individuals with regard to the processing of personal data. All this, in any case, according to what is best provided for and governed by the articles 51 et seq. "Supervisory authority";