This Policy concerns those who connect to the Website www.515grammi.it (hereinafter the "Site"), and is rendered in accordance with articles 13 and 14 of GDPR REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), on the protection of the fundamental rights and freedoms of natural persons and applies to the processing of personal data wholly or partly by automatic means and to the non-automatic processing of personal data contained in a filing system or intended to be contained therein.
The term "personal data" means any information that allows the direct identification of the User (so-called personally identifiable information) or that can be linked to the User indirectly by linking it to personally identifiable information.
The purpose of this document is to describe how we process the personal data of any User who accesses the Site after registering, or who simply consults it while surfing the Internet, with the aim of providing him/her with a clear picture of the use of his/her personal data, of our commitment to protect its confidentiality, of the rights and options available to him/her under current legislation.
In general, the personal data provided by the User is used to make our services available to him/her and to guarantee him/her a better browsing experience on the Site.
This Policy applies exclusively to this Site and not to any other websites or platforms that may be consulted by the User via links.
Owner of the User's personal data processing (hereinafter referred to as "Owner")
The Holder is:
ESTHER BURTON di Sara Pallavicini
legal headquarter in Via Privata Antonio Meucci 49, 20128, Milan (Italy)
administrative headquarter in Via Ilarione Rancati 33, 20127, Milan (Italy)
P.IVA 02980900134 | C.F. PLLSRA77M49E507P
Responsible for the Processing of Users' Personal Data (hereinafter referred to as "Hoster")
The Hoster is:
TYPES OF DATA COLLECTED
The personal data collected on the Site, independently or through third parties, are: cookies, usage data, email, name and surname.
Personal data can be freely provided by the User or, in the case of usage data, collected automatically during the use of the Site. In general, the personal data requested on the Site are mandatory: if the User refuses to provide them, it may be impossible for the Owner to provide its Services. For any kind of doubt about whether or not the personal data requested is mandatory, the User is invited to contact the Owner in advance by writing to firstname.lastname@example.org.
The User assumes responsibility for the personal data of third parties obtained, published or shared through this Site and guarantees to have the right to communicate or disseminate them, freeing the Owner from any liability towards third parties.
Users are informed that the Owner does not collect and does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data aimed at uniquely identifying a natural person, data relating to the health or sexual life or sexual orientation of the person, nor personal data relating to criminal convictions and crimes committed by Users.
PURPOSE AND LEGAL BASIS
The User's personal data are collected directly from the interested party with the precise purpose of allowing the Owner to:
- provide him/her with his/her Services (see the respective list in the chapter "Scope of application of the processing");
- improve its Services: the data are analyzed in order to improve our Services or to develop new ones.
- communicate with its Users and Customers: thanks to the data collected, we can respond to Users and Customers who contact us and we are able to offer them the content that best suits their needs.
The processing of personal data is based on the User's prior, explicit and separate consent, freely given and in any case revocable at any time (see the paragraph "Right to deletion" contained in the chapter "Rights and control mechanisms of the User").
On the Site there are two different and separate requests for the expression of consent by the User:
Users are invited to read the chapter "Scope of application of the processing", which lists all the Services offered by the Site, with further detailed information on the purposes of processing and personal data actually relevant to each Service.
The User's personal data may be used by the Owner in court or in the preparatory stages to its possible establishment for the defense against abuse in the use of the Site or the Services offered by the Site by the User. Finally, the User must be aware that the Owner may be required to disclose his personal data by order of the Authority, in the manner to be determined from time to time by the same Authority.
In accordance with the provisions of art. 6 of the Legislative Decree implementing the GDPR, a child over the age of fourteen may consent to the processing of his/her personal data in relation to the direct offer of information society services. Therefore, a minor who has reached the age of 14 years at the time of publication in the Official Gazette of the above mentioned Enforcement Decree (which has not yet been approved), may autonomously use the other Services of the Site for which it is not necessary to have the capacity to act (e.g. request for information by filling in the appropriate Form, ordinary navigation on the Site -visitation).
Until the Legislative Decree implementing the GDPR is approved, the minimum age required by the GDPR to express consent to the processing of personal data in relation to the direct offer of information society services is 16 years.
Consequently, with regard to minors under the age of 16 (up to the time of approval of the Executive Decree to GDPR), or minors under the age of 14 (from the time of entry into force of the aforementioned Executive Decree), it is necessary that consent to the processing of personal data is given or authorized by those who exercise parental responsibility.
Should the Data Controller, for any reason relating to the situation in question, have any doubts about the age of the User, he or she may request that he or she provide appropriate documentation proving the age required to access the services of the Site and in the event of refusal or in any case in the event of failure to reply by mail, his or her personal data will be deleted by the same Data Controller.
PLACE AND PERIOD OF STORAGE
Users' personal data are processed at the operating offices of the Data Controller, as well as at the operating offices of third party primary service providers (see also the chapter "Recipients of personal data").
Users are informed that their personal data collected on the Site is stored on the physical server owned by the Data Controller, which is located in Nuremberg (Germany) at Hoster's headquarters.
To obtain further information on the location of the processing of their personal data, the User may refer to the chapter "Scope of processing", in which the purpose of the processing in relation to the Services offered on the Site by the Data Controller is indicated.
For any further clarification, or to obtain further information on the place of processing, the User can always contact the Data Controller by writing an email to email@example.com.
Users' personal data are processed and stored for the time required by the purposes for which they were collected. Therefore:
The personal data provided by Users when registering with the Site, are generally kept until the User requests the Owner to cancel the personal Account. However, the Owner reserves the right to delete such data if the User does not access his/her account for a period of three consecutive years since the last access. In such cases, the Owner shall inform the User before cancelling the Account, who may ask him/her not to cancel the Account.
Personal data collected for purposes related to the execution of a contract that may be stipulated not through this website, but directly between the Owner and the User, who in this case will also become a Customer of the Owner, will be retained until the execution of the contract is completed. Obviously, before proceeding with the deletion of such data, any terms relating to the guarantees provided by the Owner on the goods purchased by the Users (terms that must be included in the period of retention of the User's personal data by the Owner) must also be taken into account, as well as the obligation to retain the accounting records, in relation to which, even after the execution of the contract, the Owner must retain the User's data contained in the corporate tax for the term of the Law (the retention of accounting records is regulated in the Civil Code by art. 2220, according to which must be kept for 10 years from the date of the last registration, the active and passive invoices, letters sent and received and telegrams sent and received. In addition, art. 22, paragraph 2, Presidential Decree no. 600/1973, provides that the mandatory accounting records must be kept "until the assessments relating to the corresponding tax period are defined, even beyond the deadline established by art. 2220 of the Civil Code or other tax laws").
Personal data collected in relation to the Newsletter Service are stored and processed for two years from their collection.
At the end of the storage period indicated above, the personal data of the Users will be permanently deleted by the Owner. Therefore, at the end of this period, the rights of access, deletion, rectification, limitation of processing and the right to data portability (see chapter "User rights and control mechanisms") can no longer be exercised by the Users against the Owner.
PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
Users' personal data are processed by the Owner using manual, computerized and telematic, automated and electronic tools and, in some cases, using documentary means.
The Owner also processes anonymous data in aggregated or non-aggregated form in order to analyse and produce statistics on the habits, methods of use and demographic information of the Users. Such anonymous data does not allow the identification of the Users to whom it refers.
The Owner, according to current legislation, has the right to disclose anonymous data to third parties, both in aggregate and non-aggregated form.
The Owner undertakes to process personal data in a lawful, correct and transparent way towards the interested party (User) and to collect them for the specific, explicit and legitimate purposes, and subsequently to process them in a way that is not incompatible with such purposes. It also undertakes to verify that the personal data collected are adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed, and that they are accurate and, if necessary, updated.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed.
All personal data shall be processed in such a way as to guarantee adequate security, including protection, through appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental access, disclosure, alteration, loss, destruction or damage.
Remaining on the subject of the security and protection measures adopted on the Site, the Owner wishes to inform the interested parties that all personal data of Users and Customers collected on the Site are protected by an encryption key assigned exclusively to the Site itself, called an SSL Certificate (SSL, or "Secure Sockets Layer", is a protocol designed to allow applications to transmit information in a safe and secure manner). Applications using SSL Certificates are able to manage the sending and receiving of security keys and to encrypt/decrypt the information transmitted using the same keys.
Furthermore, the Owner informs the interested parties that all personal data of Users and Customers received on the Site are saved through daily back-up, stored for 30 days by Hoster.
Although the Data Controller adopts the most appropriate security and protection measures for the personal data of the parties concerned, in order to prevent its loss, destruction or dissemination, at the same time it cannot exclude the security risks that are naturally associated with online data transmission. The User accepts the risks inherent to the provision of personal information on the Internet and cannot hold the Owner liable for any security breaches, unless such breaches are due to gross negligence or wilful misconduct on the part of the Owner himself.
RECIPIENTS OF PERSONAL DATA
Only the authorized employees of the Owner and Hoster, in their capacity as appointees on behalf of the Owner (as far as the Owner's employees are concerned; Users are informed that each employee who for any reason will process or in any case view the Users' personal data, has signed a confidentiality agreement -N.D.A.-. with the Data Controller), or as persons appointed on behalf of Hoster (as regards Hoster's employees; users are informed that each employee who for any reason will process or in any case view the personal data of the Users, has signed a confidentiality agreement -N.D.A.- with Hoster), have access to the personal data of the Users relating to the activities of the Site.
In particular, the Owner's employees are in charge of:
- contact the User, in relation to the relevant Service;
- keep the company accounts, which in turn will be transmitted to the Accountant in order to comply with tax regulations.
- adapt the functionality of the Site in relation to the regulations in force;
- choose the hosting service and manage the contract with the Hoster (the entity that "hosts" and therefore receives all navigation data and operations carried out on the Site), which, for completeness, in turn has been appointed as the data controller (by the same Owner), in relation to the personal data of Users that it receives, keeps in the archives and stores with daily back up activities.
The Data Controller transfers the personal data of the interested parties only to the third party primary service providers listed below, which in turn operate as subjects in charge of data processing, so that they can carry out the commercial operations and tax activities necessary to fulfil their contractual obligations. The Data Controller undertakes to ensure that all third parties in charge apply their best practices in the sector to protect the personal data of its Users and its Customers, while guaranteeing maximum confidentiality on the personal data received, as well as the commitment not to use the personal information for purposes other than those agreed with the Data Controller.
In particular, the Owner shares the Customers' personal data (please note that through this Site it is not possible to directly enter into a contract with the Owner) with the following subject, third party primary service provider:
Paola Palazzi, at Studio Palazzi, via Dante Alighieri 7, 22071, Cadorago - Como (Italy), which is in charge of the tax fulfilments on behalf of the Owner and of the company accounting, aimed at filling in the tax return and drawing up the Owner's financial statements.
Users may request from the Owner an updated list of the subjects involved in the processing of their personal data relevant to the activities of the Site by writing an email to firstname.lastname@example.org.
SCOPE OF TREATMENT
Below is a list of the Services offered by the Owner on this Site (you can click on each single item in the list to obtain further detailed information on the purposes of the processing and on the personal data concretely relevant to each Service):
Contact the user
The Owner will contact the User upon his or her express request:
Contact form on the Site
Personal data collected: name and surname, email, telephone number.
Sending of emails by the User
Obviously, the User, in addition to using the contact form on the Site, can also send an email directly to the Owner, with the same purposes (requests for information, quotes, or any other nature indicated by the User).
Personal Data collected: email, in addition to other personal data directly provided by the User and contained in the email sent by the User to the Owner.
Sending Whatsapp messages by the User
The User, in addition to using the contact form on the Site and the email address, can also send a message directly through the Whatsapp application to the Owner, with the same purposes (requests for information, quotes, or any other nature indicated by the User).
Personal Data collected: telephone number, in addition to other personal data directly provided by the User and contained in the email sent by the User to the Owner.
The service allows the Data Controller to monitor and analyse traffic data and serves to keep track of the User's behaviour and to compile reports on Site activities and to provide the Data Controller with other services relating to Site activities and Internet use.
Users are informed that Google Analytics is used anonymously on this Site and therefore no personal data about the User will be sent to the Owner by Google Inc.; consequently, the IP addresses of Users visiting the Site are abbreviated and only in exceptional cases the full IP address may be transferred to a Google server in the United States, while the Owner is always provided with the abbreviated IP address.
Therefore, since this is not, in the most absolute terms, a profiling activity of the User, according to the regulations in force it is not necessary to obtain his/her consent from the Owner.
In any case, the User can prevent Google, Inc., from collecting the data generated by cookies related to the use of the Site and refuse its processing by downloading and installing the browser plug-in from the following link: http://tools.google.com/dlpage/gaoptout?hl=it.
Google Analytics (Google Inc.)
Google Analytics is a web analysis service provided by Google Inc. ("Google"). Google uses the personal data collected for the purpose of tracking and evaluating your use of this website, compiling reports on website activity and sharing them with other services provided by Google. Google may use the data collected about you to contextualize and personalize the ads on its advertising network.
Personal data collected: Cookies and usage data.
VIEWING CONTENT FROM EXTERNAL PLATFORMS
This type of service allows you to view content hosted on external platforms directly from the pages of this Site and to interact with them. If a service of this type is installed, it is possible that, even if Users do not use the service, it will collect traffic data relating to the pages where it is installed.
Fonts.com Web Fonts (Monotype Imaging Holdings Inc.)
Google Fonts (Google Inc.)
Widget Instagram (Instagram, Inc.)
REMARKETING AND BEHAVIORAL TARGETING
This type of service allows the User, through this Site, and its partners (in this case Facebook, Inc. and Google, Inc.) to communicate, optimize and serve advertisements based on the same User's past use of this Site.
Furthermore, in addition to the opt-out options offered by the services listed below, the User can opt out of receiving cookies relating to a third-party service by visiting the opt-out page of the Network Advertising Initiative.
Facebook Remarketing (Facebook, Inc.)
Facebook Remarketing is a remarketing and behavioral targeting service provided by Facebook, Inc. that connects the activity of this Site with the Facebook advertising network.
Personal data collected: Cookies and usage data.
USER RIGHTS AND CONTROL MECHANISMS
In relation to his/her personal data, the User enjoys the rights listed below, in relation to which the Owner provides the requested information (or satisfies the right exercised by the User) without undue delay and in any case within one month of receipt of the User's request. This deadline may be extended by two months, if necessary, taking into account the complexity and number of requests made. In any case, within one month from the request of the interested party, the Owner shall inform him/her of this extension and the reasons for the delay.
Below is a list of Users' rights:
- Right of access
The User has the right to obtain confirmation from the Owner (by writing an email to email@example.com) whether or not personal data concerning him/her are being processed. If so, the User has the right to access his/her personal data stored by the Data Controller, being able to request information on the purpose of the processing, on the categories of personal data in question, on the recipients or categories of recipients to whom the personal data have been or will be communicated, on their storage, his right to ask the Data Controller to rectify, erase or limit the processing of personal data, the right to lodge a complaint with a supervisory authority and the existence of an automated decision making process, including profiling, with significant information on the logic used, as well as the importance and the expected consequences for the data subject.
In case of exercise of the right of access, the Owner provides the User with a copy of the personal data being processed, unless the request is detrimental to the rights and/or freedoms of others. If the request for access is manifestly unfounded or excessive (for example if the User continuously exercises the right of access), the Data Controller reserves the right to charge a reasonable cost to the User (in view of the administrative costs necessary to provide the information, communications or to perform the necessary action) or to refuse to comply with the request received.
- Right of rectification
The Data Controller endeavours to implement appropriate measures to ensure that Users' personal data are accurate and up-to-date for the purposes for which they are collected. The User has the right to obtain from the Owner, also by providing a supplementary statement, the rectification of personal data concerning him/her without undue delay. Therefore, if the Users' personal data is inaccurate or incomplete, it is possible, for each User, to modify the information provided through their Account (only for registered Users), or by writing an email to the Owner at firstname.lastname@example.org.
In the event of rectification of the data, the Data Controller will promptly communicate the rectified data to the recipients to whom the personal data are transmitted (See chapter "Recipients of personal data").
- Right to deletion
The User may revoke at any time the consent to the processing of their personal data previously expressed, without prejudice to the lawfulness of the processing based on the consent given before the revocation, by writing an email to the Owner at email@example.com. In addition, registered Users may also ask the Owner to delete their Account.
In case of deletion of the data, the Owner will promptly communicate it to the recipients to whom the personal data are transmitted (See chapter "Recipients of personal data").
- Right of Restriction of processing
Users have the right to request the Owner to limit the processing (by writing an email to firstname.lastname@example.org) of their personal data in the following cases:
- when the User has contested the accuracy of their personal data, for the period necessary for the Owner to verify the accuracy of such data;
- if the processing is unlawful and the User opposes the deletion of his/her personal data and asks instead that its use be limited (since the processing is based exclusively on consent, it is highly unlikely that the present normative hypothesis will exist in practice);
- when the Data Controller no longer needs to process the User's personal data, but such data is still used by the User for the purpose of ascertaining, exercising or defending a right in court. The interested party must submit the request before the Owner has provided for the deletion of personal data no longer necessary for the purposes for which they were collected.
When the processing is limited, personal data are processed only with the consent of the interested party, except for the conservation of the same.
The User who has obtained the limitation of the treatment is informed by the Owner before the limitation is revoked. The limitation is also promptly communicated by the Owner to the recipients to whom the personal data are transmitted (See chapter "Recipients of personal data").
- Right to data portability
By writing an email to the Data Controller at email@example.com, the User has the right to receive his or her personal data in a structured, commonly used and readable format, when the processing is carried out by automated means. In addition, when technically feasible, the User has the right to obtain the transfer without hindrance to another data controller.
- Right of opposition
Since the processing is based exclusively on the User's consent, there are no hypotheses on the basis of which Users may object to the processing of their personal data, freely given to the Owner. Users are reminded, however, that since the processing of their personal data is based on prior and explicit consent, which can be revoked at any time, they can request the Owner to delete their personal data.
- Right to lodge a complaint
The User who believes that the processing concerning him/her is in breach of the legislation in force, has the right to lodge a complaint with a Supervisory Authority (notably in the Member State where he/she habitually resides, works or the place where the alleged breach occurred), without prejudice to any other administrative or judicial remedy.
ANY CHANGES TO THIS POLICY
Personal data is any information which, directly or indirectly, even in connection with any other information, including a personal identification number, makes a natural person identified or identifiable.
This is the information automatically collected through the use of this Site (also from integrated third party applications) by Users, including: the anonymous IP addresses, the domain names of computers, tablets and smartphones used by the User, the addresses in URI (Uniform Resource Identifier) notation, the time of the request, the method used to forward the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), the country of origin, the characteristics of the browser and operating system used by the visitor, the various temporal connotations of the visit (e.g. the time spent on each page) and details of the itinerary followed within the Application, with particular reference to the sequence of pages consulted, the parameters relating to the operating system and the User's computer environment.
The individual who uses the Site and who generally coincides with the Interested Party. The User who enters into a contract with the Owner (a contract that will be stipulated and perfected outside of this Website) will be referred to as the "Customer".
The natural person to whom the personal data refer.
Data Controller (or Owner)
The natural or legal person, public authority, service or other body that, individually or together with others, determines the purposes and means of the processing of personal data and the instruments adopted, including the security measures relating to the operation and use of the Site.
The Holder is:
ESTHER BURTON di Sara Pallavicini
legal headquarter in Via Privata Antonio Meucci 49, 20128, Milan (Italy)
administrative headquarter in Via Ilarione Rancati 33, 20127, Milan (Italy)
P.IVA 02980900134 | C.F. PLLSRA77M49E507P
Users are informed that the Owner is also the owner of the Site.
Responsible for the Treatment (or Hoster)
Site (or Application)
The hardware or software tool through which Users' personal data are collected and processed.
The Services provided to Users by the Owner through the Site.
Small portion of data stored inside the User's device.