Privacy Policy
This privacy policy document, updated with the EU Regulation (GDPR) 2016/679 on the processing of personal data, as well as with D.Lgs 181/18 amending D.Lgs 196/2003, regulates how data collected by a website during navigation by the user is processed.
It has the specific purpose of informing you about the processing of your personal data in accordance with the provisions of the law and the recently amended EU Regulation 679/2016.
A website must have a data controller (Data Controller). The data controller is the one who has decision-making and organizational power over the processing, as well as deciding how the data are to be processed, and is the person responsible to the privacy guarantor. Two or more joint controllers may also be appointed. In this case, it is mandatory that the user knows what the competences of each co-owner are, through a link indicating the agreement between them.
The data controller is supported by the Data Processor. This figure is the one who processes data on behalf of the data controller. This means that he/she will be a person close to the owner, from whom he/she receives directives on how to handle the data. The Data Processor must be a competent figure who can fully satisfy the security put in place by the Data Controller.
In addition to these two figures, there is also the Data Protection Officer (DPO), who, despite being appointed directly by the owner, is still an entity independent of the owner. The DPO, previously only optional, is now mandatory in some cases under Article 37 of Regulation (EU) 679/2016. This article outlines those who are obligated and those who are exempt. In any case, the DPO, called DPO in Italian, is an independent entity and processes data with autonomy. In addition, he is directly responsible and communicates with the privacy guarantor. Ultimately, the designation of the DPO reflects the new approach of the GDPR, toward an empowerment of data processing, being aimed at facilitating the implementation of the regulation by the owner and the responsible party. The DPO's role is to protect personal data, not the interests of the data controller.
Thus, while the Data Processor is a figure close to the Controller, the DPO is a much more independent figure who cannot and should not receive orders from the Controller on the effective protection of data.
Returning to the notice, the place where the data will be processed must also be indicated, which coincides with the location of the data controller.
Crucially, the purpose of data processing must also be included. In fact, according to the new legislation, the data must be kept for a period suitable for the achievement of the purposes set by the site, and then deleted. Therefore, it is mandatory that the purposes be stated clearly and concisely within the information notice.
The document must also state the types of cookies that are used on the web page. Cookies are short pieces of information that can be saved on the user's computer when the browser calls up a particular website. With them, the server sends information that will be re-read and updated whenever the user returns to the site.
There are various types of cookies:
- Technical cookies: in accordance with the law, these are the cookies used for the sole purpose of "carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide such service." They are not used for any further purposes and are normally installed directly by the website owner or operator.
- Third-party cookies: these are cookies placed on an Internet page by a third party. In this case, the user must be informed that there will be cookies from other parties in addition to those on the web page. Typical third-party cookies are those from social networks.
- Profiling cookies are aimed at creating profiles related to the user and are used in order to send advertising messages in line with the preferences expressed by the user when browsing the web. According to the Privacy Guarantor these can be:
  - of advertising profiling, collecting and processing user data for advertising purposes (e.g., to pass them on to Advertising Dealers);
  - of retargeting activities, consisting of forms of online advertising chosen based on the user's previous web actions or searches (e.g., Google AdWords);
  - set by social networks;
  - of statistical activities, managed by third parties (e.g. Google Analytics).
The document should also indicate whether the site allows social network plug-ins and any transfer of data to companies located in non-continental nations.
It is also important to mention the new rights of the data subject under the new European legislation, such as the right to data deletion, data updating or to object to any data transfer.
How to use the document?
Through this document you will be able to:
- Indicate the website for which you use the following document;
- Indicate the owner of the data and the place where the data will be processed;
- Indicate whether there is more than one data controller;
- Indicate the responsible data controller (DPO);
- State what the purpose of the data processing is, and how long it will take the site to be able to use the data;
- Establish what cookies will be used by the site, whether only technical cookies, third-party cookies and/or profiling cookies;
- Indicate whether the site uses social network plug-ins;
- Indicate whether the user will receive notifications for any updates to the site.
Once you have the document, it should be placed on the web page of the site and made available to the user.
Reference legislation
REGULATION (EU) 2016/679 of the European Parliament and Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Legislative Decree 181/18 on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)" amending Legislative Decree 196/2003, "Code on personal data protection."
Provision of the Privacy Guarantor No. 229/2014, on "Identification of simplified methods for information and acquisition of consent for the use of cookies."