Privacy Policy
This privacy policy document, updated with EU Regulation (GDPR) 2016/679 on the processing of personal data, as well as with Legislative Decree 181/18 which modifies Legislative Decree 196/2003, regulates the methods of processing data collected by a website during navigation by the user.
Its specific purpose is to inform the user about the processing of his/her personal data as required by law and by the recent EU Regulation 679/2016, which has profoundly changed the discipline.
A website must have a Data Controller. The data controller is the person who has decisional and organizational power over the processing, as well as deciding the methods of data processing and is responsible to the privacy guarantor. Two or more joint controllers can also be appointed. In this case, it is mandatory for the user to know what the responsibilities of each joint controller are, through a link that indicates the agreement between them.
The data controller is supported by the Data Processor. This figure is the one who processes the data on behalf of the data controller. This means that he will be a subject close to the owner, from whom he receives directives on how to manage the data. The Data Processor must be a competent figure able to fully satisfy the security implemented by the Data Controller.
These two figures are flanked by the Data Protection Officer (DPO), who, despite being appointed directly by the owner, is still an independent subject from the latter. The DPO, previously only optional, is now a figure sometimes mandatory under art. 37 of Regulation (EU) 679/2016. This article indicates the subjects obliged and those who are exempt. In any case, the DPO, called RPD in Italian, is an independent subject and processes data autonomously. Furthermore, he is directly responsible and communicates with the privacy guarantor. Ultimately, the designation of the DPO reflects the new approach of the GDPR, towards a responsibility for data processing, being aimed at facilitating the implementation of the regulation by the owner and the processor. The role of the DPO is to protect personal data, not the interests of the data controller.
Therefore, while the Data Processor is a figure close to the Data Controller, the DPO is a much more independent figure, who cannot and must not receive orders from the Data Controller on the actual protection of the data.
Returning to the information, the place where the data will be processed must also be indicated, which coincides with the headquarters of the data controller.
It is also essential to include the purposes of data processing. In fact, according to the new legislation, data must be stored for a period suitable for achieving the purposes set by the site, and then deleted. Therefore, it is mandatory that the purposes are indicated in a clear and concise manner within the information.
The document must also indicate the types of cookies that are used on the web page. Cookies are short pieces of information that can be saved on the user's computer when the browser calls a certain website. With them the server sends information that will be read and updated every time the user returns to the site.
There are various types of cookies:
- Technical cookies: according to the law, these are those used for the sole purpose of "carrying out the transmission of a communication on an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide such service". They are not used for other purposes and are normally installed directly by the owner or manager of the website.
- Third-party cookies: these occur when a third party places cookies on a web page. In this case, the user must be informed that there will be cookies from other parties in addition to those of the web page. Typical third-party cookies are those of social networks.
- Profiling cookies: these are designed to create profiles relating to the user and are used to send advertising messages in line with the preferences shown by the user while browsing the internet. According to the privacy guarantor, these can be:
  - for advertising profiling, i.e. those that collect and process user data for advertising purposes (e.g. to pass them on to advertising agents);
  - retargeting activities, consisting of forms of online advertising chosen on the basis of the user's previous actions or searches on the web (e.g. Google AdWords);
  - set by social networks;
  - of statistical activities, managed by third parties (e.g. Google Analytics).
The document must also indicate whether the site allows social network plug-ins and any transfer of data to companies located in non-continental countries.
It is also important to mention what the new rights of the interested party are under the new European legislation, such as the right to delete data, update them or to oppose any transfer of data.
How to use the document?
Through this document you will be able to:
- Indicate the website for which you are using the following document;
- Indicate the owner of the data and the place where the data will be processed;
- Indicate the possible presence of multiple data controllers;
- Indicate the data controller (DPO);
- Indicate the purposes of data processing, and the time it will take for the site to be able to use them;
- Establish which cookies will be used by the site, whether only technical cookies, third-party cookies and/or profiling cookies;
- Indicate whether the site uses social network plug-ins;
- Indicate whether the user will receive notifications for any site updates.
Once you have the document, it will need to be inserted into the website's web page and made available to the user.
Reference legislation
REGULATION (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Legislative Decree 181/18, containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)" which amends Legislative Decree 196/2003, "Code regarding the protection of personal data."
Provision of the Privacy Guarantor n. 229/2014, relating to the "Identification of simplified procedures for the information and the acquisition of consent for the use of cookies."