The privacy notice is a general obligation that must be fulfilled before or at the latest at the time of initiating the direct collection of personal data. In the case of personal data not collected directly from the data subject, the notice must be provided within a reasonable period, or at the time of communication (not the recording) of the data (to third parties or the data subject). Pursuant to the General Data Protection Regulation of natural persons (GDPR - Reg.(EU)2016/679), the undersigned organization, as the data controller, informs of the following:
SOURCES AND CATEGORIES OF PERSONAL DATA
The personal data in the possession of the undersigned organization are collected directly from the data subjects. This website does not collect sensitive data, which refers to those capable of revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in unions, associations or organizations of a religious, philosophical, political or union-related nature, as well as health status and sexual life.
Browsing data
The IT systems and software procedures responsible for the operation of this website acquire, during their normal course of operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified individuals, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users who connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters related to the user's operating system and IT environment. These data are used solely for the purpose of obtaining anonymous statistical information on the use of the site and to monitor its proper functioning and are deleted immediately after processing. The data could be used to establish liability in the event of potential cybercrimes against the site.
Profiling data
No profiling data regarding the habits or consumption choices of the data subject are directly collected. However, it is possible that through links or by embedding third-party elements, such information may be acquired by separate or independent entities. Please refer to the third-party cookies section for more details.
Newsletter and Mailing List
The email contacts used for sending communications from the website are obtained through voluntary subscriptions by the recipient, who is always asked for confirmation, as well as from information acquired in the context of selling products or services of the Data Controller, or similar. This includes the sending of information, promotional communications, and materials. It is emphasized that contacts are not acquired from public subscriber directories. If the communications are not of interest to the recipient, they can prevent any further contact by clicking the appropriate link included in each message or by writing to the contact details provided at the bottom, exercising their right to unsubscribe from the newsletter.
Payments
The data requested are freely provided by the data subject: some of these (type, holder, number, and expiration date) are essential; others are optional (notes, reason, etc.).
PURPOSES AND LEGAL BASES OF PROCESSING
Personal data are used (ref. Art. 6(b) of the GDPR):
to allow navigation on the website and
possibly to perform the service or activity requested within the scope of the normal operations of the undersigned organization.
Additionally, all personal data may be processed:
for purposes related to obligations established by laws, as well as provisions issued by authorities authorized by law (ref. Art. 6(c) and 9(b,g,h) of the GDPR);
for the establishment, exercise, or defense of a right in legal and non-legal proceedings (legitimate interest) of the undersigned organization (ref. Art. 6(f) and 9(f) of the GDPR);
for purposes of direct marketing according to the legitimate interest of the Data Controller, particularly for cookies, advertising IDs used to display advertisements and announcements, email addresses for sending newsletters, and browsing and usage logs to protect the website and service from cyber-attacks; in these cases, the data subject may always withdraw consent, and the Data Controller will refrain from processing (ref. Art. 6(f) of the GDPR);
for purposes functional to the activity for which the data subject may or may not give consent, such as subscribing to the newsletter to receive informational, promotional, and sales messages for products and services, satisfaction surveys, and sharing data with third parties for receiving informational and promotional communications and marketing (GDPR Art. 6(a)).
CONSEQUENCES OF REFUSING TO PROVIDE DATA
The provision of data collected from the data subject is optional but essential for their processing for the purposes outlined in points a) and b). If the data subjects do not provide their essential data and do not allow processing, it will not be possible to carry out or implement the proposed services and fulfill the contractual obligations undertaken, which would result in a failure to properly comply with legal obligations, such as accounting, tax, and administrative requirements, etc.
Apart from what is specified for browsing data, the user is free to provide personal data for cookies and specific requests through forms, e.g., for products and/or services. Failure to provide such data may result in the inability to obtain what was requested. For all non-essential data, including sensitive data, the provision is optional. In the absence of consent or in the case of incomplete or incorrect provision of certain data, including sensitive data, the requested services may be incomplete to the extent that it could cause harm, such as penalties or loss of benefits, either due to the inability to ensure that the processing aligns with the obligations for which it is carried out, or due to the possible non-compliance of the processing results with the obligations imposed by the laws to which it is subject. In such cases, the undersigned organization shall be exempt from any and all liability for any penalties or punitive measures.
METHODS OF DATA PROCESSING
The data processing related to the website's services is carried out using automated tools for the time strictly necessary to achieve the purposes for which they were collected. Processing takes place at servers located in Italy or the EU and is handled only by technical personnel responsible for processing or by those in charge of maintenance and administration. Specific security measures are observed to prevent data loss, unlawful or incorrect use, unauthorized access, and loss of confidentiality. The structure is equipped with anti-intrusion devices, firewalls, logs, and disaster recovery mechanisms. Specific encryption and data segregation mechanisms are used, as well as user authentication and authorization controls.
Data processing refers to their collection, recording, organization, storage, processing, modification, deletion, and destruction, or the combination of two or more of these operations. In relation to the aforementioned purposes, personal data processing occurs through manual, IT, and telematic tools, following logic strictly related to the purposes themselves and in a manner that ensures security and confidentiality. Personal data will therefore be processed in compliance with the methods outlined in Article 5 of Regulation (EU) 2016/679, which, among other things, requires that data be processed lawfully and fairly, collected and recorded for specific, explicit, and legitimate purposes, accurate and, if necessary, updated, relevant, complete, and not excessive in relation to the purposes of the processing. All of this is done with respect for the rights, fundamental freedoms, and dignity of the data subject, with particular attention to confidentiality and personal identity, and through protection and security measures. The undersigned organization has established and will continue to improve its data access and storage security system.
No automated decision-making processes (e.g., profiling) are carried out.
TRANSFER OUTSIDE THE EU
Processing does not occur in non-EU and non-EEA countries.
RETENTION PERIOD
Personal data will be retained, in general, as long as the purposes of processing persist, depending on the category of data processed.
Data (essential data only) are communicated:
• To data processors and data controllers, both internal to the organization and external, who perform specific tasks and operations (website administration, analysis of browsing data, traffic, profiling, management of emails and voluntarily submitted forms, fulfillment of requests and e-commerce orders, etc.)
• In cases and to subjects required by law.
CATEGORIES OF RECIPIENTS
Data will not be disseminated unless required by law or anonymized. Except as specified for cookies and third-party elements, without the general prior consent of the data subject for communications to third parties, only services that do not involve such communications will be provided. If necessary, specific and explicit consents will be requested, and the recipients of the data will use it as independent data controllers.
In some cases (not part of the ordinary management of this site), the Authority may request information and details for the purpose of supervising the processing of personal data. In such cases, responding is mandatory under penalty of administrative fines.
RIGHTS OF THE DATA SUBJECT
At any time, you can: exercise your rights (access, rectification, deletion, restriction, portability, opposition, and absence of automated decision-making processes) as provided by the data controller, in accordance with Articles 15 to 22 of the GDPR (link to the regulation); file a complaint with the Data Protection Authority (www.garanteprivacy.it); and if the processing is based on consent, withdraw that consent, considering that the withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.
CONTACT DETAILS
The data controller is Réva srl Agr., represented by its legal representative at the time.
The office is located at Loc. San Sebastiano 68, ZIP code 12065, Monforte d’Alba (CN).
The contact details are: phone +39 0173 789269; e-mail info@revamonforte.it
The complete list of data processors is available upon request.