Information on the processing of personal data – Clients and potential clients
1. Identity and contact details of the data controller
The Website is wholly operated by:
Villa Roffa Lario
Tel: +31 104770805
Hereafter also referred to as “the Holder.”
Since the Holder is established in the territory of Italy, no representative has been appointed.
2. Contact details of the data protection officer
The Data Controller has failed to appoint a data protection officer.
3. Purpose of processing and legal basis for processing
Personal data will be processed for the following purposes:
– For contractual purposes and/or related to the execution of pre-contractual measures taken at your specific request, as well as to fulfil any legal obligations related to such purposes, and namely, to enable you to be contacted for the purpose of evaluating the possibility of purchasing a service.
In this case, the need to proceed with the processing for the purpose of the execution of the contract and/or for the management of pre-contractual relations constitutes the legal basis;
– To send direct marketing communications, newsletters, advertising material, by means of traditional contact systems and automated computer systems, including commercial or promotional communications by email or SMS, or for market research and analysis. In this case, the legal basis is consent, expressed in accordance with this notice;
– Fulfilment of legal obligations such as electronic invoicing in compliance with Italian regulations. When you make a purchase or attempt to make a purchase through the Site, we collect certain information about you, including your first and last name, billing address, shipping address, payment information, tax information (including credit card numbers), email address, and telephone number. We call this data “Order Information.”
4. Ways of expressing consent
Consent, where required, may be expressed by signing a computerized document, including through specific flag boxes.
5. Method of processing and logic
In relation to personal data processed and stored for the purposes referred to in number 3, point a), of this policy (contractual and pre-contractual purposes), the processing will be carried out by means of paper-based tools, automated logic and use of CRM-type management software managed in the cloud, which will allow the best management of the fulfilment of contractual obligations;
In relation to personal data processed for the purposes referred to in number 3, point b), of this statement (marketing purposes), the processing will be carried out through software for sending commercial information;
6. Source from which personal data originate
Only data provided in accordance with this policy will be processed. Personal data from publicly available sources will not be processed.
When you visit the Site, we automatically collect certain information on your device, including browser data, IP address, time zone, and data from certain cookies installed on your device. In addition, as you browse the Site we collect specific information about the web pages and products you view, the websites or search terms that directed you to the Site, and how you interact with the Site. We define this automatically collected information as “Device Information.”
We collect Device Information with the following technologies:
– “Cookies” are data files that are placed on your device or computer, and often include an anonymous unique identifier code. For more information about cookies and how to disable them, visit http://www.allaboutcookies.org.
– “Log files” track actions that take place on the Site, and collect data including IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
– “Web beacons,” “tags,” and “pixels” are electronic files used to record data about how you navigate the Site.
7. Recipients and possible categories of recipients of personal data
They may be recipients of personal data:
– Communications companies that carry out commercial communications activities on behalf of the Data Controller, where consent has been given, which hold the status of data controllers;
– Companies offering information society services, including, in particular, those offering hosting services;
– Companies that make cloud-based software available;
– The auditing companies;
– The partner companies of the Data Controller.
8. Data categories
Personal data will be processed.
9. Data Transfer
The Data Controller intends to transfer personal data to a third country or international organization. Such parties could be represented, by way of example, by:
– Communications companies that perform communications activities on behalf of the Controller;
– Communications company service providers;
– Subsidiary and/or parent organizations.
– The transfer of personal data to such entities, if established in a third country or an international organization, is carried out in the presence of an adequacy decision of the European Commission, which has verified how the third country, the territory or one or more specific sectors within the third country, or the international organization in question guarantee an adequate level of protection of rights. In any case, the Data Controller – should the Data Controller nevertheless deem it appropriate – reserves the right to enter into specific separate agreements obligating such entities to take appropriate security measures, including organizational measures, designed to provide appropriate safeguards with respect to rights. In order to obtain a copy of such data or the place where they have been made available, it is sufficient to send the relevant request to the Data Controller, at the addresses in the epigraph.
10. Period of retention of personal data
The personal data processed and stored for the purposes referred to in point a) number 3 of this policy (contractual and pre-contractual purposes) are processed for a period of time not exceeding, however, 10 years starting from the termination of the effects of the contract, in the case of its conclusion, and, in the case of mere pre-contractual negotiations, for a period not exceeding 10 years from the termination of the negotiations;
Personal data processed for the purposes referred to in point b) number 3 of this notice (marketing purposes) are processed and stored until the data subject requests their deletion and/or revocation;
Personal data processed and retained for the purposes referred to in point c) number 3 (fulfilment of legal obligations) are processed and retained for a period not exceeding 10 years starting from the termination of the effects of the contract, in case of its conclusion, and, in the case of mere pre-contractual negotiations, for a period not exceeding 10 years from the termination of the negotiations, without prejudice, in any case, to different legal regulations.
11. Optionality of consent and consequences of non-consent
In relation to the personal data processed and stored for the purposes referred to in point a) number 3 of this information (contractual and pre-contractual purposes), the disclosure of personal data is an obligation of a contractual nature and a necessary requirement for the performance of pre-contractual negotiations and the conclusion of the contract. The data subject has the option to provide personal data; however, in case of failure to provide such data, it will not be possible to conclude any contract or to carry out any contractual negotiations;
In relation to personal data processed for the purposes referred to in point b) number 3 of this information (marketing purposes), the disclosure of personal data is not a contractual obligation. There is an option to provide personal data; however, in case of non-disclosure of such data, no marketing activities will be possible;
In relation to personal data processed for the purposes referred to in point c) number 3 of this notice (legal obligations) the disclosure of personal data is a legal obligation. There is an obligation in this case to provide personal data; in case of failure to provide such data, it will not be possible to conclude the contract.
12. Right of opposition
The data subject has the right to object in the following terms:
The right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Article 6(1)(e) or (f) of the GDPR, including profiling on the basis of these provisions. The Data Controller shall refrain from further processing personal data unless the Data Controller demonstrates the existence of compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
Where personal data are processed for direct marketing purposes, there is the right to object at any time to the processing of personal data concerning you carried out for such purposes, including profiling insofar as it is related to such direct marketing;
In case of opposition to processing for direct marketing purposes, personal data are no longer processed for such purposes. It is specified how the data subject’s right to object to the processing of his or her personal data for the aforementioned purposes may also be exercised only in part, i.e. by objecting, for example, only to the sending of promotional communications carried out by automated and/or digital means, or to the sending of paper communications;
Where personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR, the data subject, on grounds relating to his or her particular situation, has the right to object to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out in the public interest.
13. Other Rights
The Data Controller would also like to inform you of the existence of the following rights:
Right of access: the data subject has the right to obtain from the Controller confirmation whether personal data concerning him/her is being processed and if so, to obtain access to personal data and specific information, in accordance with Article 15 of the GDPR;
Right of rectification: the data subject has the right to obtain from the Controller the rectification of inaccurate personal data concerning him/her without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, including by providing a supplementary declaration, in accordance with Article 16 of the GDPR;
Right to data erasure, including the right to withdraw consent: the data subject has the right to obtain from the Data Controller the erasure of personal data concerning him/her without undue delay, and the Data Controller has the obligation to erase without undue delay the personal data, or to withdraw his/her consent, if the grounds defined in Article 17 of the GDPR exist.
Regarding the right of revocation, the data subject also has the right to revoke consent at any time without affecting the lawfulness of the processing based on the consent given before revocation;
Right to limitation of processing: the data subject has the right to obtain from the Data Controller the limitation of processing when the hypotheses defined in Article 18 of the GDPR apply;
Right to data portability: the data subject has the right to receive, in a structured, commonly used and machine-readable format, personal data concerning him or her provided to the Data Controller and has the right to transmit such data to another data controller without hindrance from the Data Controller in the cases and under the conditions specified by Article 20 of the GDPR;
Contractor’s right to object to commercial communications: the contractor has the right to object at any time, free of charge, to receiving commercial communications.
14. Exercise of rights
Requests to exercise the rights set forth in this notice, including, in particular, the right to cancellation and the right to revoke the consent given should be addressed directly to the Data Controller at the relevant email address. Alternatively, it is possible to exercise one’s rights by sending relevant communication by registered letter with return receipt to the Holder’s address.