NOTICE ON THE PROCESSING OF PERSONAL DATA for the WEBSITE www.caffeleoni.it
This notice is provided pursuant to Art. 13 of EU Regulation 2016/679 issued by the European Parliament and Council on 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (so-called “General Data Protection Regulation” or “GDPR”) and pursuant to Italian Legislative Decree 30.06.2003, no. 196, as amended and supplemented by Italian Legislative Decree 10.08.2018, no. 101 (“Personal Data Protection Code” or “Privacy Code”) by:
► Caffè Premium Srl with registered office in Via Speranza, 5, 40068 San Lazzaro di Savena (BO), Tax Code/VAT no. IT00561991209
as Data Controller (hereinafter referred to as “Data Controller”).
The Data Controller, who is aware of the importance of ensuring the security of private information, in accordance with applicable European and Italian legislation and with the principle of transparency set out in Art. 12 of the GDPR, hereby provides the following information in order to make the user aware of the characteristics and methods used to process personal data.
1. What we process
The Data Controller processes the personal data provided by the user when using our website and/or after registering on our website. Specifically, the Data Controller processes: i. personal, identifying and non-sensitive data (by way of example, name, surname, tax code, VAT number, email address, telephone number – hereinafter referred to as “personal data” or even “data”) directly provided by you when registering on the website; ii. data not directly provided by you – and, in any case, acquired within the limits of the provisions of Art. 14, paragraph 5 of the GDPR – which are transmitted through Internet communication protocols (by way of example, page accesses, amount of data transferred, status message after access, session ID numbers, IP addresses, URL addresses, etc.)
2. Lawful basis and purposes of processing
Your personal data is processed:
a) without your express consent (see Art. 6, letter b of the GDPR), for the following purposes:
i. to allow users to use the features of the website after accessing it;
ii. to carry out customer relations activities on the basis of pre-contractual and/or contractual agreements.
In fact, in such cases, the fulfilment of a contract for the provision of services involving the user, or the performance of pre-contractual activities at the user’s request, are the lawful basis for processing.
Moreover, we wish to inform you that your personal data may be processed without your express consent (see Art. 6, letters b, c, d, e, f) in order to:
i. fulfil the administrative, accounting and tax obligations arising from the existing contractual relationship;
ii. fulfil the obligations envisaged by law, a regulation, community legislation or by an order from the Supervisory Authority;
iii. protect the vital interests of the data subject or of another natural person;
iv. perform tasks carried out in the public interest or in the exercise of official authority vested in the Data Controller;
v. pursue a legitimate interest of the Data Controller or of third parties, within the limits and under the conditions set out in Art. 6 (f) of the GDPR;
vi. exercise the Data Controller’s rights (e.g. the right to defence before the courts);
b) only subject to your specific, clear consent (see Art. 6, letter a, and Art. 7 of the GDPR) for the following purposes:
to send via e-mail, newsletter, any commercial communications and/or advertising material about products and/or services offered by the Data Controller.
In fact, in this case, consent is the lawful basis for processing.
3. Why we need your personal data
The provision of data for the purposes referred to in Art. 2, letter a) is necessary, since your refusal to provide your personal data as requested could make it impossible for the Data Controller to comply with legal obligations and/or those arising from managing the contractual relationship, thus preventing its formalisation and/or fulfilment, as well as compromising the usability and operation of the website. The provision of data for the purposes referred to in Art. 2, letter b) is optional and failure to provide such data may result in the inability to receive newsletter emails, commercial communications and/or advertising material on products and/or services offered by the Data Controller.
4. How we process your data
Your personal data will be processed by means of the operations indicated in art. 4, paragraph 1, n. 2), GDPR, that is, any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. We will process your data according to the principles of correctness, lawfulness and transparency either by automated procedures to store, manage and transmit the data and via suitable instruments, where applicable, and with state of the art technology to guarantee security and confidentiality, with the use of suitable procedures to avoid the risk of loss, unauthorised access, unlawful use and diffusion. Personal data may be stored in electronic and/or paper format, as well as on any other type of media deemed suitable for processing data.
5. How long we store your data
The Data Controller will process your personal data for the time strictly necessary to fulfil the purposes above, in accordance with the principles of data minimisation and storage limitation set out in Art. 5, paragraph 1, letters c) and e) of the GDPR.
6. Data access
Personal data processed by the Data Controller will not be published, i.e. it will not be revealed indeterminately in any form, and will not be made available even for simple consultation. Your personal data may, however, be made available to employees and/or collaborators working for the Data Controller and/or to any external parties who offer sufficient guarantees that they have taken appropriate legal, organisational and technical measures to make sure processing meets the requirements of the GDPR and ensures that the rights of the data subject are protected. More specifically, your data may be made accessible to: i. employees and collaborators of the Data Controller, in their capacity as in-house managers, delegates, appointed and/or authorised to process personal data and/or system administrators; ii. third party companies or other parties (by way of example, credit institutions, professional firms, consultants, insurance companies, etc.) that carry out outsourcing activities on behalf of the Data Controller, in their capacity as external managers.
7. Data disclosure
Your data may also be disclosed, to the extent strictly necessary, to parties who need to provide goods and/or perform services for the purpose of processing orders or to carry out other requests relating to the contractual relationship with the Data Controller. The Data Controller may also disclose your data to parties entitled to access it in accordance with the provisions of law, regulations, Community legislation and judicial authorities, as well as to all other parties to whom disclosure is required by law.
8. Data transfer
Personal data will be managed and stored on the servers of the Data Controller and/or third party companies appointed and duly named as data processors, located within the European Union, in compliance with the provisions of Arts. 45 et seq., GDPR. The servers are currently located in Italy. Your data will not be transferred outside the European Union. It remains understood under any circumstance that, if the server needs to move in Italy and/or the European Union and/or non-EU countries, this move will always be made in compliance with Arts. 45 et seq., GDPR. In this case, however, Co-data controllers guarantee as of now that the transfer of data outside the EU will comply with the applicable provisions of law and, if necessary, they will draw up agreements which guarantee an adequate level of protection and/or which contain the standard contractual clauses envisaged by the European Commission.
9. Browser data
During their normal activity, the computerised systems and software procedures operating the website can acquire some personal data, the transmission of which is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of computers and terminals used by users, URI/URL (“Uniform Resource Identifier” and “Uniform Resource Locator”) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (by way of example, successful, error, etc.) and other parameters relating to the user’s operating system and IT environment. Such data, necessary for the use of web services, are also processed for the purpose of: i. obtaining statistical information on the use of services (by way of example, most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.); ii. checking the proper functioning of the services offered. Such data are deleted immediately after processing (unless the judicial authority needs to ascertain crimes).
11. Rights of the data subject
Pursuant to Articles 15 to 21 of the GDPR, you have the right to: i. obtain confirmation as to whether or not personal data concerning you exist, even if not yet recorded, and communication of such data in intelligible form; ii. obtain indication of: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the event that processing is carried out using electronic means; d) the identification data concerning the Data Controller and data processors; e) the parties or categories of parties to whom the personal data may be disclosed or who may become aware of it in their capacity as designated representative in the State’s territory, delegates, appointees or persons authorised to process data; iii. obtain: a) the updating, rectification or, when interested, supplementation of data; b) the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including those for which storage is not necessary for the purposes for which the data were collected or subsequently processed; c) proof that the operations in letters a) and b) have been notified, as well as their contents, to those to whom the data were disclosed or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate use of means in relation to the protected right. Also pursuant to the above-mentioned Arts. 15 to 21 of the GDPR, you may exercise the following specific rights: i. right of access; ii. right to rectification; iii. right to erasure (right to be forgotten), except when the processing is necessary for the Data Controller, for exercising the right of freedom of expression and information, for compliance with a legal obligation or for the performance of a task carried out in the public interest, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, for the establishment, exercise or defence of legal claims; iv. right to restriction of processing; v. right to object; vi. the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent prior to withdrawal; vii. right to lodge a complaint with the Supervisory Authority for the protection of personal data.
12. How to exercise your rights
You have the right to ask the Data Controller: i. to access, rectify or erase your data; ii. to supplement incomplete data; iii. to restrict processing; iv. to receive your data in a structured, commonly used format, which can be read by an automatic device; v. to revoke the consent given at any time to the processing of your personal data and to oppose the use of the data; vi. to lodge a complaint with the Supervisory Authority and to exercise the other rights recognised to you by the applicable European and Italian regulations. You may at any time exercise your rights by contacting the Data Controller:
► by registered letter with return receipt: Caffè Premium Srl with registered office in Via Speranza, 5, 40068 San Lazzaro di Savena (BO), Tax Code/VAT no. IT00561991209
Pursuant to Art. 8 of the GDPR, as well as to Art. 2 quinquies of the Privacy Code, with regard to the direct provision of information society services to minors, in cases where consent is required, where the person giving consent is under the age of 14 (fourteen) years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
14. Data Controller, Data Processors, delegates, appointees and authorised persons
The Data Controller is:
► Caffè Premium Srl with registered office in Via Speranza, 5, 40068 San Lazzaro di Savena (BO), Tax Code/VAT no. IT00561991209
Further information on data processors, delegates, appointees and persons authorised to process personal data may be requested by contacting the Data Controller at the addresses specified in this policy.
15. Data Protection Officer — DPO
As a result of the processing activities carried out, the Data Controller has deemed it necessary to designate, as Data Protection Officer or “DPO” – pursuant to Art. 37, GDPR, ► Avv. Daria Torelli, who you may contact for any information and/or request by sending an e-mail to: ► firstname.lastname@example.org