Cookie Policy

1. Legal framework of reference.

1.1. The Policy is based on the following EU and/or national regulatory provisions (first and/or second level): (i) Directive no. 2002/58/EC of 12.7.2012 (so-called ePrivacy Directive), as amended by Directive no. 2009/136/EC; (ii) art. 122 of the new Legislative Decree no. 196/2003 (Privacy Code), which transposed the ePrivacy Directive within the national legal system; (iii) GDPR: art. 4 n. 11), 7, 12, 13, 25 and 95 (in addition, in particular, to Recital no. 30, 32 and 173); (iv) Guidelines no. 5/2020 adopted on 4.5.2020 by the EDPB, replacing the Guidelines of 10.4.2018 signed by WP Art. 29; (v) Provision no. 231 of 10.6.2021 [doc. web n. 9677876] signed by the Guarantor for the protection of personal data (Privacy Guarantor); (vi) Recommendation no. 2/2001 of the WP Art. 29; (vii) Opinion no. 2/2010 of the WP Art. 29; (viii) Opinion no. 4/2012 of the WP Art. 29; (ix) Guidelines no. 8/2020 of the EDPB.


2. Cookies and other tracking tools: definition and classification.

2.1. "Cookies"[1] are, as a rule, strings of text that a website ("publisher" or "first party") visited by the user, or a different website ("third party"), places and stores, directly (in the case of the first-party website) or indirectly (through the latter, in the case of a third-party website), within a terminal device available to the user. In this regard, the Privacy Guarantor has specified that the information encoded in cookies may include both personal data pursuant to art. 4 n. 1) of the GDPR (e.g. IP address; username; email address; unique identifier) and non-personal data pursuant to art. 3 n. 1) of EU Regulation no. 1807/2018 (e.g. language; type of device used).

Alongside (or beyond) them are the "other tracking tools", which can be divided into "active" (which have almost the same characteristics as cookies) and "passive" (e.g. fingerprinting).

2.2. Beyond the intrinsic characteristics described, cookies (and other tracking tools) can differ in terms of time (and, therefore, be considered "session"[2] or "permanent"[3] cookies, by reason of their duration), from a subjective point of view (depending on whether the publisher acts independently or on behalf of a "third party") and, finally (but in particular), based on the processing purpose pursued, so that they can be divided into two different (macro) categories:

- "technical", used for the sole purpose of "carrying out the transmission of a communication over an electronic communications network, or as strictly necessary for the provider of an information society service explicitly requested by the contractor or by the user to provide this service" (art. 122 paragraph 1) of the Privacy Code).
In this regard, the Privacy Guarantor highlighted, within the Provision no. 231 of 10.6.2021 (in line with the previous Provision on the matter of 2014), that "analytics cookies"[4] may well be included within the category of cookies (or other tracking tools) of a "technical" nature (and, therefore, can be used in the absence of the prior acquisition of consent by the interested party), upon the occurrence of certain conditions, aimed at precluding the possibility of directly identifying the interested party (single out)[5] through their use.

- "profiling"/"marketing" (so-called non-technical), used to attribute to specific, identified or identifiable subjects specific actions or behavioral patterns recurring in the use of the functions offered (patterns), in order to group the different profiles within homogeneous clusters of different size, so that it is possible for the Data Controller, among other things, to modulate the provision of the service in an increasingly personalized way beyond what is strictly necessary for the provision of the service, as well as to send targeted advertising messages (i.e., in line with the preferences expressed by the user in the context of surfing the net).

 

3. Cookies installed on the Site

 

 

4. Rights of the interested party.


4.1. In relation to the user's personal data, GF informs that the relevant interested party pursuant to art. 4 n. 1) of the GDPR has the right to exercise the following rights, which may be subject to the limitations provided for by articles 2-undecies and 2-duodecies of the Privacy Code:

- right of access pursuant to art. 15 of the GDPR: the right to obtain confirmation as to whether or not personal data concerning the data subject is being processed, as well as the information referred to in art. 15 of the GDPR (e.g. processing purposes, retention period);
- right of rectification pursuant to art. 16 of the GDPR: right to correct, update or integrate personal data;
- right to cancellation pursuant to art. 17 of the GDPR: right to obtain the cancellation or destruction or anonymization of personal data, where the conditions listed in the same article are met;
- right to limit the processing pursuant to art. 18 of the GDPR: right with a markedly precautionary connotation, aimed at obtaining the limitation of processing where the cases governed by the same art. 18 occur;
- right to data portability pursuant to art. 20 of the GDPR: right to obtain personal data, provided to GF, in a structured format, commonly used and readable by an automatic system (and, where required, to transmit them directly to another Data Controller), where the specific conditions indicated by the same article exist (e.g. legal basis of consent and/or execution of a contract; personal data provided by the interested party);
- right to object pursuant to art. 21 of the GDPR: right to obtain the permanent cessation of a specific processing of personal data;
- right to lodge a complaint with the Supervisory Authority (i.e., Italian Privacy Guarantor) pursuant to art. 77 of the GDPR: right to lodge a complaint where it is believed that the processing under analysis violates national and EU legislation on the protection of personal data.

4.2. In addition to the rights described in the previous art. 6.1.), GF specifies that, in relation to the personal data of the interested party, there is, where possible and relevant, the right to exercise, on the one hand, the (sub) right provided for by art. 19 of the GDPR ("The data controller communicates to each of the recipients to whom the personal data have been transmitted any corrections or cancellations or limitations of the processing carried out pursuant to Article 16, Article 17, paragraph 1, and Article 18, unless this proves impossible or involves a disproportionate effort. The data controller communicates these recipients to the interested party if the interested party requests it"), to be considered linked to the exercise of one or more rights regulated by art. 16, 17 and 18 of the GDPR; and, on the other hand, the right provided for by art. 22 paragraph 1) of the GDPR ("The interested party has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person"), subject to the exceptions provided for in the subsequent paragraph 2).

4.3. In compliance with art. 12 paragraph 1) of the GDPR, GF undertakes to provide the user with the communications referred to in Articles 15 to 22 and 34 of the GDPR in a concise, transparent, intelligible and easily accessible form, in simple and clear language: such information will be provided in writing or by other means, possibly electronic, or, at the user's request, orally, provided that the identity of the latter is proven by other means.

4.4. In compliance with art. 12 paragraph 3) of the GDPR, GF undertakes to provide the user with information relating to the action taken regarding a request pursuant to Articles 15 to 22 of the GDPR without undue delay and, in any case, at the latest within one month of receipt of the request; this term can be extended by 2 months if necessary, taking into account the complexity and number of requests (in this case, the Data Controller undertakes to inform the user of this extension and the reasons for the delay, within one month of receipt of the request).

4.5. The user can exercise, at any time, the aforementioned rights (except for the right pursuant to art. 77 of the GDPR) by using the contact details illustrated in art. 7.



5. Contact details of the Data Controller.

5.1. GF can be contacted at the following address: privacy@gfgarden.it

5.2. The Data Protection Officer (DPO) pursuant to art. 37 of the GDPR, appointed by GF, is the Baldi & Partners firm of Reggio Emilia, in the person of the lawyer Sara Mandelli, who can be contacted at the following address: dpo@gfgarden.it



6. Recipients of your Personal Data

The personal data processed will be known by the employees of the Data Controller, who will operate as authorized subjects for the processing of personal data.

Furthermore, your personal data will be processed by third parties belonging, by way of example, to the following categories:

a) subsidiaries, parent companies or affiliates of the Data Controller;

b) subjects that provide services for the management of the IT system, including server hosting and backup services;

c) subjects who provide the Data Controller with advice on tax, legal, judicial and compliance matters.

The subjects belonging to the categories listed above operate, in some cases, in total autonomy as separate data controllers, in other cases, as data processors specifically appointed by the Data Controller in compliance with Article 28 of the GDPR.

Furthermore, pursuant to the Provision of the Guarantor for the protection of personal data of 27 November 2008 concerning "Measures and precautions prescribed to the owners of the treatments carried out with electronic tools in relation to the attributions of the functions of System Administrators", as an interested party you may also ask the Data Controller for the identity of the System Administrators who operate on the operating systems where your personal data are present.

The personal data processed by the Data Controller are not subject to disclosure.

GF does not intend to transfer your data to a country outside the European Union. However, where, in execution of the purposes listed above, GF were to proceed with the transfer of your data outside the European Union, the Data Controller will carry out this transfer only after having ascertained the existence of one of the guarantees provided for by Articles 44 et seq. of the GDPR, in order to guarantee an adequate level of protection for your data.



Correggio (RE), 1 September 2021


srl 
(in the person of its pro tempore legal representative)




[1] See Recital no. 30) of the GDPR ("Natural persons can be associated with online identifiers produced by the devices, applications, tools and protocols used, such as IP addresses, temporary markers (cookies) or other types of identifiers, such as radio frequency identification. These identifiers can leave traces which, in particular if combined with unique identifiers and other information received from servers, can be used to create profiles of natural persons and identify them"), and art. 122 paragraphs 1) and 2) of the Privacy Code ("1. The storage of information in the terminal equipment of a contractor or a user or access to information already stored are permitted only on condition that the contractor or user has given his consent after being informed in a simplified manner. This does not prohibit any technical archiving or access to information already archived if aimed solely at carrying out the transmission of a communication over an electronic communication network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contractor or by the user to provide this service. For the purposes of determining the simplified procedures referred to in the first period, the Guarantor also takes into account the proposals formulated by the most representative national associations of consumers and of the economic categories involved, including for the purpose of ensuring the use of methodologies that ensure the effective awareness of the contractor or user. 2. For the purpose of expressing the consent referred to in paragraph 1, specific configurations of computer programs or devices may be used that are easy and clear to use for the contractor or the user ..."); see also p. 15) of Provision no. 231 of 10.6.2021 signed by the Privacy Guarantor: "... as of today, there is still no universally accepted system of semantic encoding of cookies and other tracking tools that allows to objectively distinguish, for example, the technical ones from analytics or from those of profiling, if not based on the indications provided by the owner himself in the privacy policy [...] the hope that a general coding will be added quickly".

[2] Cookies designed to collect and store data while a user accesses a website, and disappear once the latter has closed the relevant browsing session.

[3] Cookies suitable to last for a predetermined period of time (e.g. minutes; months; years).

[4] Analytical cookies are usually used to evaluate the effectiveness of an information society service provided by a publisher, for the design of a website or, finally, to help measure traffic (i.e., the number of visitors, even possibly broken down by geographical area, time slot of the connection).

[5] See the Guidelines in question, p. 13) and 14): "The structure of the analytics cookie must then provide for the possibility that it can be referred not only to one, but to multiple devices, in order to create a reasonable uncertainty about the computer identity of the person who receives it. As a rule, this effect is achieved by masking appropriate portions of the IP address within the cookie. Taking into account the representation of 32-bit IP version 4 (IPv4) addresses, which are usually represented and used as a sequence of four decimal numbers between 0 and 255 separated by a period, one of the measures that can be implemented in order to benefit from the exemption consists in masking at least the fourth component of the address, an option that introduces an uncertainty in the attribution of the cookie to a specific interested party equal to 1/256 (approximately 0.4%). Similar procedures should be adopted with reference to IP version 6 (IPv6) addresses, which have a different structure and an enormously larger address space (being made up of binary numbers represented with 128 bits). The Guarantor also underlines the need for the use of analytics cookies to be limited only to the production of aggregate statistics and for them to be used in relation to a single site or a single mobile application, so as not to allow tracking of the navigation of the person who uses different applications or browses different websites. It is therefore understood that third parties, who provide the publisher with the web measurement service, will not have to combine the data, even so minimized, with other processing (customer files or statistics of visits to other sites, for example) or transmit them in turn to further third parties, under penalty of an unacceptable increase in the risk of identifying the user; except in the case in which the production of statistics carried out by them with the minimized data involves multiple domains, websites or apps attributable to the same publisher or business group. However, even in the absence of the adoption of the prescribed minimization measures, it is possible to deem it lawful to use statistical analyzes relating to multiple domains, websites or apps attributable to the same owner, provided that the latter carries out the statistical processing on its own, without in any case such analyzes resulting in an activity which, going beyond the confines of a mere statistical count, actually assumes the characteristics of a processing aimed at taking decisions of a commercial nature".