Categories of people involved in the processing of personal data
The Controller of the processing of personal data, in compliance with the laws in force, is the company Tenuta Giustini di Papadopoli Salvatore, with headquarters in San Giorgio Ionico, Via Pietro Germi Snc, in the name and person of its legal representative Mr. Salvatore Papadopoli, who can be reached at the addresses enlisted in the CONTACTS section of the website.
The Processor(s) of the processing of personal data are exclusively the subjects specifically appointed by the Controller according to art. 28 of the Regulation and in particular:
- the Company’s employees to whom the personal data are disclosed as their duty is to correspond with the website’s users and/or to process orders made on the Online Shop of the website and/or to perform an activity specifically required by the user itself that involves the disclosure of personal data.
- web hosting Aruba, that elaborates personal data on behalf of the Controller and takes place in the European Economic Area and acts in compliance with the European laws and rules (policy privacy di VHosting).
Legal basis and lawfulness of the processing
In this website personal data are processed under the consent of the data subject, in compliance with art. 13 of the Regulation.
The consent is given by the data subject clicking the banner at the bottom of the page or entering personal data when subscribing to the newsletter or when buying products on the Online Shop.
Personal data can also be collected by filing communications forms or request for service’s forms and these data can be processed only if the consent to the processing is given and if the processing is necessary in order to provide a requested service.
Certain categories of data are collected browsing the website, in particular data collected for statistics and security purposes, which are data that does not require the consent to be processed as they are anonymous and not personal data.
The communication of personal data and the consent to their collection and processing should be optional and voluntary: the data subject can deny the consent and can at any time withdraw it if previously given (using for this purpose the banner at the bottom of the page or the cookie settings of the browser or by means of the section “Contacts”). Anyway, the denial or the withdrawal of the consent to personal data processing could compromise the possibility to provide some service and could compromise the browsing experience too.
Categories of processed data and purpose of the processing
The only data collected and processed are personal data and not data belonging to special categories according to art. 9 of the Regulation.
The processing of data collected from the website is possible for the purposes which are linked to and necessary for the performance of the requested service and for the following other purposes:
- Statistical purpose: Data and information are collected exclusively in anonymous and aggregate form with the aim to verify the correct functioning of the website. None of these data and information is connected to the data Subject-uses of the website and do not allow to identify that person. The consent is not necessary in this case.
- Security purpose: Data and information are collected exclusively with the aim to verify the security of the website (antispam methods, firewall, virus detection) and of the Users and in order to prevent and discover frauds and abuses against the website. Data are automatically collected and registered and can include personal data (ip address) that could be used, pursuant to all the laws in force, in order to avoid attempts of damages to the website and to the users or criminal activities. These data are never used with identification or profiling purposes and are periodically cancelled. The consent is not necessary in this case.
- Subsidiary activities: Data can be communicated to third parties who perform activities which are necessary or subsidiary to the service offered (i.e. comments box) or technical and logistics activities performed on behalf of the Controller. Suppliers can acknowledge only personal data which are necessary to perform their activities and they are bound not to use the data for other purpose and to use them pursuant to all the laws in force..
Ways in which data are collected
This site collects data in two ways:
By means of the browsing of the users, the following data can be collected and kept in the log of the hosting of the website:
- internet protocol address (IP);
- browser used;
- parameters of the device used to connect;
- name of the internet service provider (ISP);
- date e and hour of browsing;
- web page from which the user logs in (referral) and logs out;
- number of clicks.
These data are used for statistical and analytical purposes, exclusively in aggregate form.
IP address is only used for security purpose and is not crossed with any other data.
Willful disclosure from the data Subject
The website can collect other data in case the user wilfully uses of some services, for example the comment box, the communication requests, the online shop; these data are exclusively used in order to provide the requested service. These data are:
- email address;
- residence address;
- telephone number;
- invoicing information.
Place in which the processing takes place
Data are processed at the headquarters of the Controller and at the datacenter of the web Hosting Aruba.
Retention period of personal data
Data which are collected from the browsing in the website are kept for an amount of time which is strictly necessary in order to perform the abovementioned activities. At the expiration of this time, data are cancelled or made anonymous, unless there are further purposes for their retention.
Data (IP address) used for security purposes (to block attempts to damage the website) are kept for 30 days.
Data used for statistics and analytics purposes are kept in aggregate form for 30 days.
Transfer of personal data to Third Parties
Data collected from the website are not usually transferred to Third Parties, except in case of a lawful request from the Judicial Authority, in the cases allowed by the laws in force; in case it is necessary in order to provide a specific service requested by the data Subject; in case it is necessary in order to perform security checks and activities that allow to optimize the website.
Transfer of personal data to Third Parties outside the EU
This website could share some of the collected data with services which are located outside the EU, such as Google, Facebook, Microsoft (LinkedIn) by means of social plugin and Google Analytics.
The transfer in these case is allowed on the basis of UE and Personal Data Protection Authority’s Decisions, with specifical reference to the Decision n. 1250/2016 (Privacy Shield – here), so that no further consent is needed. The abovementioned companies grant their acceptance of the Privacy Shield.
All the data are collected and processed in lawful, fair and transparent manner, adopting all the necessary security measures in order to avoid unauthorized accesses, communication, modification, loss or disruption of the data.
We are concerned in defending the security of personal data at the moment of their sending, using the software Secure Sockets Layer (SSL) for the encryption of the information.
The processing is made using informatic/telematics instruments, with organisational modalities and techniques strictly linked to the abovementioned purposes.
Apart from the Controller, in some circumstances the data can be acknowledged by specifically appointed people (those who works on the website and those who supply external services, such as the hosting provider).
Data Subject’s rights;
Pursuant to artt. 15 – 22 of the Regulation, the Data Subject has the following rights:
- Right to object, entirely or partially, the processing of personal data for direct or indirect marketing purposes;
- Right to obtain confirmation as to whether or not personal data concerning him/her are collected and processed the (right of access);
- Right to obtain any available information as to the source of the personal data when not collected from him/her;
- Right to have information on the reason, logics, modalities and purposes of the processing;
- Right to request the update, rectification, integration, erasure, transformation in anonymous form of the personal data such as the interruption of the processing of the data if collected unlawfully or no more necessary;
- In case the data are collected on the grounds of their wilful disclosure from the data Subject, right to their portability, which means the right to receive them in a structured, commonly-used and machine-readable format, bearing the only expense of the instrument used;
- Right to lodge a complaint with a supervisory Authority (Autorità Garante della Privacy, according to artt. 77 and 79 of the Regulation;
- Right to exercise any and all the rights the laws in force grants.
All the requests shall be addressed to the Controller at the e-mail address firstname.lastname@example.org.
The requests shall be answered within 30 days, term which can be postponed according with law provision, and for free.