1. Data Controller
The data controller is Giovanni Bozzetto S.p.A., with registered office in Via Provinciale 12, 24040 Filago (Bg), Italy, tax code IT 04218720961, and it can be contacted by email at the following email address: firstname.lastname@example.org (hereinafter, the “Data Controller”).
2. Processed data
The personal data being processed through the Website are the following:
- navigation data: when you access the Website the computer systems and software procedures provided for the functioning of the Website, during the course of their normal operation, acquire certain personal information, the transmission of which is implicit in the use of internet communication protocol. Such information is not collected to be associated with identified data subjects, but it could be used, when processed and/or matched it, with third-party data, to identify the users. In this data category are included IP address or domain names of the computers used by users connecting to the Website, URI address (Uniform Resource Identifier) of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numeric code indicating the status of the answer given by the server (successful submission, failure, etc.) and other parameters related to the operating system and to the computer environment. Such data are used for the sole purpose of obtaining anonymous statistical information about the use of the Website, to check its proper functioning, to identify anomalies and/or violations; in any case they are deleted immediately after processing. The data could be used for the assessment of liability in case of any cybercrime, if any, against the Website or third parties.
3. Purposes of the processing
Your personal data will be processed, with your consent where necessary, for the following purposes:
allow the navigation of the Website and offer the services you requested through the Website;
fulfill any legal obligation provided for by applicable laws, GDPR or European legislation, or comply with any request from the Authorities;
send you informative corporate and marketing communications, including newsletters and market analysis, about the products and activities promoted by the Data Controller, through automated (sms, email, fax) and not automated means (paper mail, phone call), if you have consented to it. Please note that a single consent is collected for the abovementioned marketing purposes (according to the “Guidelines regarding promotional activity and anti-spam” dated July 4, 2013 issued by the Personal Data Protection Authority). You can revoke your consent at any time through sending an email to email@example.com;
send you communications by e-mail relating to products similar to those purchased, in compliance with the art. 130, paragraph 4 of legislative decree 196/2003 (“Privacy Code”), unless you have communicated that you do not want to receive such communications;
communicate your personal data to other companies of the Group in order for them to send their business and marketing communications, including the sending of newsletters and market research, through automated (sms, email, fax) and non-automated means (paper mail, phone with operator);
for statistical purposes, in which case, it will not be possible to trace your identity.
4. Legal basis of the processing
Your personal data are processed by the Data Controller:
(i) for the purposes referred to in art. 3, point 1, in compliance with the art. 6, paragraph 1, lett. b) of the GDPR ([…] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), as the processing is necessary to answer your question or provide assistance with regard to our products. The submission of personal data for these purposes is optional, but in case of failure to provide such data it would make it impossible to respond to your request or to provide you with the required services;
(ii) for the purposes referred to in art. 3, point 2, according to art. 6, paragraph 1, lett c) of the GDPR ([…] processing is necessary for compliance with a legal obligation to which the controller is subject). Once you provide personal data, in fact, the processing is necessary to comply with legal obligations to which the Data Controller is subject;
(iii) for the purposes referred to in art. 3, points 3 e 5, under art. 6, paragraph 1, lett. a) of the GDPR ([…] the data subject has given consent to the processing of his or her personal data for one or more specific purposes). The provision of your personal data for marketing purposes is not mandatory and does not affect our ability to provide you with information on our products or services;
(iv) for the purposes referred to in art. 3, point 4, pursuant to the art. 130, paragraph 4 of the Privacy Code, according to which Data Controller may use the email address provided by you when purchasing a product, without asking any expressed consent, provided however, that the communication regard the products that are similar to those you purchased and you have not indicated that you do not want to receive such communications;
(v) for the purposes referred to in art. 3, point 6, the processing is not executed on personal data and therefore, can be freely carried out by the Data Controller.
5. Processing period
Personal data relating to the purposes of art. 3, point 1, will be retained for the time strictly necessary to achieve those same purposes (for example providing the required information, products or services). In any case, since data are being processed for the provision of services, the Data Controller will keep the personal data for the period of time required and admitted by Italian law to protect its own interests (Art. 2946 c.c. and ss.).
Personal data relating to the purposes of art. 3, point 2 will be retained until the time required by the specific requirement or applicable law.
Personal data relating to the purposes of art. 3, points 3 and 5 for a period of no more than 24 months from your consent.
The personal data for the purposes referred to in art. 3, point 4, will be processed until you have objected to the processing or revoked your consent. After the time periods above indicated the data will be deleted.
6. Processing of personal data
Data will be processed and filed only for the purposes aforementioned, saved in servers and processed with suitable instruments able to guarantee the integrity, security and privacy of data, in accordance with the GDPR. In order to guarantee the level of protection of data required by the GDPR all the appropriate technical and organizational measures will be adopted. The access will be granted only to the persons authorized to the processing of personal data by the Data Controller.
7. Communication to third parties
Personal data could be transferred to third parties which operate typically in their capacity as data processor according to art. 28 of the GDPR (es. advisors, technical maintenance or mailing list service providers, server hosting providers); to institutions or authorities to whom the Data Controller is under obligations to report the data in accordance with law or orders of the Authorities; and for the purpose exposed in art. 3 point 5, to the companies of the group.
8. Data transfer
Data will be processed and transferred mostly in Italy and in any case within the European Union. If, for reasons strictly related to the IT system’s operativity or for purposes aforementioned, it is necessary to make use of subjects which process data outside the European Union, the Data Controller will ensure that they provide appropriate safeguards for the protection of the privacy of personal data processed (Standard Contractual Clauses).
9. Rights of the data subjects
According to Chapter 3 of the GDPR, the data subjects has the right in every moment to access his personal data, to request the amendment or the deletion of the data; the right to request the limitation of the processing in all the cases granted by art. 18 of the GDPR, where it is technically possible, also the right to obtain the data in a structured format, commonly used and machine-readable, in the cases provided for by art. 20 of the GDPR and also the right to object to the processing provided for by art. 21 of the GDPR.
The rights above could be exercised sending a request to the Data Controller through the following email without any formality: firstname.lastname@example.org. The Data Controller will reply without delay.
In any case the data subject has the right to lodge a complaint with the Data Protection Authority, according to art. 77 of the GDPR.