Advisory note on processing personal data
This page describes how this site is managed with regard to processing the personal data of users who browse it. This is an advisory note which has been prepared in compliance with current legislation regarding the personal data of users who interact with the services offered on the site within the framework of EU Regulation 2016/679. This advisory note has been prepared solely for this site and for no other website whatsoever, even if users visit other websites via links to them placed on this site.
The “Controller” in terms of processing personal data
If a user browses this site, certain data relative to identified or identifiable people may be processed. The “Controller” (in terms of processing personal data) is Morello Giovanni Srl, with registered offices at Lungo Dora Pietro Colletta no. 85/A, 10153 Turin, Italy, tax code and VAT no. 00134730019.
The location where personal data is processed
Processing connected to the web services is only done by internal technical personnel, duly appointed to perform such processing, and by other parties occasionally employed to perform maintenance operations. No data derived from a web service will be communicated or divulged.
The purposes for which personal data is processed and the legal basis for doing so
Personal data provided by a user who makes a request, or who wishes to use a service or a product offered through the site, or who requests further specific content, is used purely to respond to such a request or to provide the service or product requested and this data may be communicated to a third party only in the event that it is necessary for such a purpose. The legal basis for performing this processing is the need to reply to the data subject’s request or to carry out the activities envisaged in an agreement defined with a data subject.
With the user’s express consent, data may be used for commercial communication activities relative to the Controller’s other products or services. The legal basis for performing this processing is the data subject’s consent, freely expressed.
Outside of these cases, the user’s browsing data will be stored for the time strictly necessary to manage the processing activities within the limits provided for by law.
Types of personal data processed
The information systems and software procedures used to operate the site acquire, as part of their normal operation, certain personal data the transmission of which is implicit in the use of internet communication protocols. This involves information which is not collected to be associated to an identified data subject but which, given the nature of the data itself, through processing and association with data held by third parties, could allow a user to be identified. This category of data includes the IP address or the domain name of the computer or device used by the user to connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response received from the server (OK, error, etc.) and other parameters relative to the user’s operating system and computer environment. This data is only used to obtain anonymous statistical information on how the site is used and to check that it is operating properly. Once processed, this data is deleted. Data could be used to ascertain responsibility in the case of a hypothetical computer crime against the site.
Data provided voluntarily by the user
The optional, explicit and voluntary sending of an email to an address given on the site leads to the subsequent acquisition of the sender’s email address, which is needed in order to reply, as well as the acquisition of any other data, personal or otherwise, which the sender may have included in his/her email. Specific summary information will be progressively reported or displayed on the site’s pages which have been set up for particular on-request services.
A cookie is a text file which is stored on the hard disk of the user’s computer or device only after authorisation has been given. Cookies are used to streamline the analysis of web traffic or to indicate when a specific site is being visited and they allow web applications to send information to individual users. No personal data is acquired by the site. No cookies are used to transmit information of a personal nature, nor are so-called persistent cookies used, of any type whatsoever, nor any user tracking systems. The use of so-called session cookies is strictly limited to transmitting session identification data (consisting of numbers randomly generated by the server) which is needed to allow the site to be browsed securely and efficiently. The so-called session cookies used on the site avoid the need to use other IT techniques that could potentially jeopardise the privacy of the user’s browsing behaviour and do not permit personal identifying data to be acquired.
The optional nature of providing data
Apart from that specified regarding browsing data, the user is free to provide his/her personal data in order to request services from the Controller. Not providing this data may, however, make it impossible to fulfil any such request.
Methods of processing personal data and data retention times
Personal data is processed with automated means for the time strictly necessary to achieve the purposes for which the data was collected. Specific security measures have been implemented to prevent any loss of data, unlawful or improper use, and any unauthorised access.
Data is stored for the time strictly necessary to achieve the purposes indicated in this advisory note and data is deleted at the end of this period, unless the data needs to be kept for legal obligations or to uphold a right in court.
The data subject’s rights
Within the limits and under the conditions established by law, the Controller is held to respond to the data subject’s requests regarding the personal data which concerns him/her. Specifically, based on current legislation:
1. The data subject has the right to obtain from the Controller a confirmation, or otherwise, that the data subject’s personal data is subject to processing and, if this be the case, to obtain access to this personal data and to the following information:
- the purposes for which personal data is processed;
- the categories of personal data in question;
- the recipients or categories of recipients to whom personal data has been or will be communicated, and in particular if a recipient is based in a third country or is an international organisation;
- when possible, the personal data’s expected retention period or, if this is not possible, the criteria used to determine such a period;
- the existence of the data subject’s right to ask the Controller to rectify or to delete his/her personal data or to restrict processing of the same or to object to such processing;
- the right to lodge a complaint with an appropriate Supervisory Authority;
- if data is not collected from the data subject him/herself, all information regarding the origin(s) of such data;
- the existence of an automated decision-making process, including profiling.
2. The data subject has the right to obtain from the Controller the rectification of inaccurate personal data that concerns him/her without undue delay. Depending on the purposes for which personal data is processed, the data subject has the right to supplement incomplete personal data, including by providing a supplemental declaration.
3. The data subject has the right to obtain from the Controller the deletion of the personal data that concerns him/her without unjustified delay and the Controller is held to delete, without unjustified delay, the personal data to the extent and in the cases provided for by existing legislation. The Controller shall inform each of the recipients to whom personal data has been sent of any rectification or deletion or restriction of processing to the extent and in the forms provided for by existing legislation.
4. The data subject has the right to obtain from the Controller a restriction on the processing of the personal data that concerns him/her.
5. The data subject has the right to receive the personal data that concerns him/her, which he/she has provided to the Controller, in a structured, commonly used and machine-readable format and the data subject has the right to have this data transmitted to another controller without hindrance from the Controller to whom the personal data was originally provided.
Any request related to this advisory note must be sent to the Internal Processor at firstname.lastname@example.org at which the Data Protection Officer, as may be appointed by the Controller, can be contacted.
This version of the advisory note on processing personal data was updated on 21 May 2018