INFORMATION ON PROCESSING OF PERSONAL DATA
This information is provided under Article 13 of the European Parliament Regulation 2016/679 and of the Council of the 27 April 2016 relating to the protection of individuals with regard to the processing of personal data, and on the free movement of such data ( the “General personal data protection Regulation” or “GDPR”) and the legislative Decree nr. 196/2003, as amended and supplemented by the legislative Decree nr. 101/2018 (“Codex regarding the protection of personal data” or the "Privacy Code") by:
► C.A.C Soc. Coop. Agr. having its registered office in 47521 – Cesena, street Calcinaro, 1450, Tax Code 00144040409, in the person of Legal Representative;as Data Controller (hereinafter referred to as “Controller”).
The Controller, aware of the importance of guaranteeing the personal data security, in accordance with the applicable European and Italian legislations, and referring to the principle of transparency laid down in the Article 12 of the GDPR, provides the following information in order to make the customer more aware of the features and the methods of the processing of the personal data.
The Controller processes the user’s personal data acquired during the use of the website and/or after the registration on it. The Controller processes in particular: i. personal identifying data not sensitive (for example, name, surname, tax code, VAT number, e-mail, telephone number – hereinafter, “personal data” or “data”) provided when registering to the website; ii. data not directly provided by you – and, in any case, acquired in compliance with Article 14, paragraph 5 of GDPR – which transmission is connected to the use of the internet communication protocols (for example, visits to the page, amount of data transferred, Status message on access, session ID, IP and URL addresses, etc.).
Legal basis and purposes
Your personal data are processed:
a) without your express consent (Article 6 (b) of the GDPR) with the following purposes:
i. to make usable the website functionalities after the user’s access;
ii. to perform the customer relationship activities according to the pre-contractual and/or contractual agreements;
In this case, the performance of a contract of which you are a party or the implementation of pre-contractual measures taken in response to your request, provides a legal basis for processing.
Furthermore, your personal data can be processed without your express consent ( Article 6 (b), (c), (d), (e), (f) ) with the following purposes:
i. to fulfil the administrative, accounting and fiscal obligations arising from the existing contractual relationship;
ii. to comply with obligations of laws, regulations, Community legislation or as ordered by an authority;
iii. to protect the vital interests of the data subject or of another natural person;
iv. to perform the public interest tasks or related to the exercise of official authority by the Controller;
v. to pursue a legitimate interest by the Controller or third party in compliance with Article 6 (f) of the GDPR;
vi. to exercise the Controller’s rights (including without limitation, his rights of defence).
a) Only with your specific and irrevocable consent (Articles 6 (a) and 7 of the GDPR), with the following purposes:
i. to send by e-mail any newsletter, commercial communication and/or promotional material on products and/or services offered by the Controller.
In that case, your consent provides a legal basis for processing.
2. Provision of personal data
The provision of data for the purposes laid down in Article 2 (A) is necessary, since any refusal to supply the required personal data would imply the unfulfillment of legal and/or contractual obligations, preventing the conclusion and/or the performance of the contract and the website functionality.
The provision of data for the purposes laid down in Article 2 (B) is optional and the non-conferment of data would imply the impossibility to receive email newsletter, commercial communication and/or promotional material on products and/or services offered by the Controller.
3. Methods of data processing
The processing of your personal data is carried out by means of the procedures as mentioned in Article 4, paragraph 1, n. 2 of the GDPR, namely any operation or set of operations which is performed upon any personal data or set of personal data whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. The processing of your personal data shall be based on the principles of correctness, lawfulness and transparency and may be carried out electronically to store, manage and transfer them; it will be carried out using instruments which are, mutatis mutandis and according to the state of the art, suitable to guarantee the security and the confidentiality and procedures suitable to prevent the risk of loss, the unauthorized access, the illicit use and the dissemination of data. Data is processed using mainly electronic and computerised instruments both on IT and paper supports or any other suitable supports.
4. Retention period of data
The Controller will process your personal data as long as to fulfil the purposes mentioned above, in accordance with the principles of data minimisation and limitation of the retention of data laid down in the Article 5, paragraph 1, (c), (e) of the GDPR.
5. Data access
The personal data processed by the Controller won’t be disseminated or give access to undetermined people in any form, including their public disclosure or their merely consultation. Your data may, however, be disclosed to the Controller’s employees and/or collaborators and to certain external parties providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of the provisions adopted pursuant to the GDPR and ensure the protection of the rights of the data subject.
Your data may be made accessible to: i. the Controller’s employees and associate workers in their capacity as internal managers, as delegated, designated and authorised data processors and/or as system administrators; ii. third parties (including but not limited to, credit institutions, professional firms, consultants, insurances companies, etc.) performing outsourcing activities on the Controller’s behalf, in their capacity as external managers.
6. Disclosure of data
Your data may be disclosed, within the limits strictly necessary, to third parties which, with the purpose of orders delivery or other demands or provision of service related to or the contractual relationship with the Controller, shall provide goods and/or services on the Controller’s behalf. Finally, the data may be made accessible to persons eligible pursuant to any legal provisions, regulations and Community legislations, to the judicial authority and to any subjects to whom communication is obligatory by law.
7. Data transfer
The data will be managed and stored on the Controller’s server and/or the third-party companies’ server - involved and duly named as data controllers – which are located within the European Union, in accordance with the Article 45 and followings of the GDPR.
The server is currently located in Italy. Your data won’t be transferred outside the European Union. It is understood in any case that, if it shall become necessary to move the location of the server to Italy and/or to the European Union and/or to countries outside the European Union, this shall be always take place in accordance with the Article 45 and followings of the GDPR. In such a situation, however, the co-controllers ensure that the data transfer outside the European Union will take place in accordance with the applicable law, also, if necessary, entering into agreements in order to guarantee an adequate data protection level and/or adopting the European Commission’s standard contractual clauses.
8. Navigation data
The IT systems and software procedures for the functioning of the website may acquire , during the normal course of operation, some personal data whose transmission is implicit in the communication protocols of the Internet.
This category of data includes IP addresses or domain names of computers used by users who connect to the site, URI/URL addresses (“Uniform Resource Identifier” and “Uniform Resource Locator”) of requested resources, the time of the request, the method utilized to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (for example successful, error, etc..) and other parameters related to the operating system and the users. These data, necessary to provide the web services, are processed with the following purposes: i. to obtain statistical information on the service use (for example, the most visited pages, number of hourly and daily visitors, their geographical area, etc.); ii. to control the smooth functioning of the services offered. These data are deleted immediately after processing (except in case of necessary detection of criminal offences by the judicial authority).
10. Data subject's rights
Under the Articles from 15 to 21 of the GDPR, you are entitled to exercise the following rights: i. to obtain confirmation of the existence or not of personal data relating to you, although not yet recorded, and the communication of the same in an intelligible form; ii. to obtain information about: a) the source of the personal data; b) the purposes and methods of the processing of data; c) the method applied in electronical processing of data; d) the identification details of the Controller and the managers; e) to whom the personal data may be communicated or who may access them in their capacity as designated representative in the territory of the Country, and delegated, designated and authorised data processors; iii. to obtain: a) updating, rectification or, where interested therein, integration of the data; b) erasure, anonymization or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed; c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected. Again according to the abovementioned Articles from15 to 21 of the GDPR, you are entitled to exercise the following rights: i. the right of access to your personal data; ii. the right of rectification; iii. the right of erasure (the right to be forgotten), except in the case where the data process is necessary for the Controller in order to exercise the rights of freedom of expression and access to information, or to comply with a legal obligation or to perform a task carried out in the public interest, or for storage purposes in the public interest, for scientific or historical or with statistic purposes research, to establish, exercise or defend a right in a legal claim pending before a court; iv. the right of restriction of processing; v. the right to object; vi. the right to revoke consent at any time, without prejudging the lawfulness of the processing based on the given consent prior to withdrawal; vii. the right to lodge a complaint with the Data Protection Supervisor.
11. Procedure for the exercise of any right
You have the right to ask to the Controller: i. to access to your personal data, its rectification and removal; ii. the integration of the complete data; iii. the limitation of the processing; iv. to receive your data in a structured, commonly used and automatic device readable format; v. to withdraw at any time the given consent to your data processing and to object in part or fully to the use of your data; vi. to lodge a complaint with the Supervisor Authority as well as to exercise your rights pursuant to the applicable European and Italian law.
You may, at any time, exercise your rights sending:
► a registered letter to C.A.C Soc. Coop. Agr. having its registered office in 47521 – Cesena, Street Calcinaro, 1450;
Under Article 8 of the GDPR and Article 2- quinques of the Privacy Code, in cases where consent is necessary, where the data subject is a minor under 14 years old (fourteen), the data processing is lawful only if and to the extent that the consent is given or authorised by the child's parent or custodian.
13. Controller, data processors and persons in charge of the processing
The data Controller is C.A.C Soc. Coop. Agr. having its registered office in 47521 – Cesena, street Calcinaro, 1450, Tax Code 00144040409, in the person of Legal Representative. To get more information about the managers and the delegated, designated and authorised data processors, you may contact the Controller at the above addresses.