1. Legal framework.
1.1. The Policy is inspired by the following EU and/or national (first and/or second level) legislative measures: (i) Directive no. 2002/58/EC of 12.7.2012 (the so-called ePrivacy Directive), as amended by Directive no. 2009/136/EC; (ii) art. 122 of the new Legislative Decree no. n. 196/2003 (Privacy Code), which transposed the ePrivacy Directive into the national legal system; (iii) GDPR: articles 4 no. 11), 7, 12, 13, 25 and 95 (in addition, in particular, to Recitals no. 30, 32 and 173); (iv) Guidelines no. 5/2020 adopted on 4 May 2020 by the EDPB, replacing the Guidelines of 10.4.2018 signed by WP Art. 29; (v) Measure No. 231 of 10.6.2021 [web doc. no. 9677876] signed by the Italian Authority for the protection of personal Data (Data Protection Authority); (vi) Recommendation No. 2/2001 of the WP Art. 29; (vii) Opinion No. 2/2010 of the WP Art. 29; (viii) Opinion No. 4/2012 of the WP Art. 29; (ix) Guidelines No. 8/2020 of the EDPB
2. Cookies and other tracking tools: definition and classification.
2.1. “Cookies" are, as a rule, strings of text that a website ("publisher" or "first party") visited by the user or a different website ("of a third party") places and stores, directly (in the case of the first party website) or indirectly (through the latter, in the case of a third party website), in a terminal device available to the user: in this regard, the Data Protection Authority has specified the fact that the information, encoded in the cookies, can include both personal data ex art. 4 n. 1) of the GDPR (e.g. IP address; user name; email address; unique identifier) and non-personal data ex art. 3 n. 1) of EU Regulation n. 1807/2018 (e.g. language; type of device used).
Next to (or in addition to) them, "other tracking tools" may exist (and therefore be used), which can be divided into "active" (which have almost the same characteristics as cookies) and "passive" (e.g. finger printing).
2.2. Beyond the described intrinsic characteristics, cookies (and other tracking tools) can have different peculiarities from a temporal point of view (and, therefore, be considered "session" [1] or "permanent "[2], due to their duration), from a subjective point of view (depending on whether the publisher acts autonomously or on behalf of a "third party") as well as, finally (but especially), from the point of view of their duration. depending on their duration), from a subjective point of view (depending on whether the publisher acts autonomously or on behalf of a "third party") and, finally (but especially), on the basis of the processing purpose pursued, so that they can be divided into two different (macro) categories:
i. "technical", used for the sole purpose of "carrying out the transmission of a communication over an electronic communication network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide such service" (art. 122 paragraph 1) of the Privacy Code).
In this regard, the Data Protection Authority has highlighted, within the Measure no. 231 of 10.6. 2021 (in line of continuity with the previous Provision on the matter of 2014), that the "analytics cookies" [3] may well be included within the alveo of cookies (or other tracking tools) of a "technical" nature (and, therefore, may be used in the absence of the prior acquisition of consent by the person concerned), at the occurrence of certain conditions, aimed at precluding the possibility that it is reached, through their use, the direct identification of the person concerned (single out) [4].
ii. "profiling"/"marketing" (the so called non-technical), used to trace specific actions or behavioral patterns recurring in the use of features offered (pattern) to specific subjects, identified or identifiable, in order to group the different profiles within homogeneous clusters of different sizes, so that it is possible for the Data Controller, among other things, also modulate the provision of the service in an increasingly personalized beyond what is strictly necessary to provide the service, as well as send targeted advertising messages (ie, in line with the preferences expressed by the user during navigation on the network).
3. Cookies installed on the Site
4. Rights of the Data Subject
4.1. With regard to your Personal Data that are processed by the Controller GF, We hereby inform you, as Data Subjects pursuant to art. 4 n. 1) of the GDPR, that you are entitled to exercise the following rights possibly subject to the limitations provided for by art. 2 undecies and 2 duodecies of the Privacy Code: Right of access – Article 15 of the GDPR: the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data – including a copy of them – and the following information( the purposes of the processing,);right to rectification – Article 16 of the GDPR: the right to obtain without undue delay the rectification of inaccurate personal data concerning you and the right to have incomplete personal data completed; right to erasure (‘right to be forgotten’) – Article 17 of the GDPR: the right to obtain the erasure or destruction or anonymization of personal data, however, where the conditions listed in the same article are met; right to restriction of processing – Article 18 of the GDPR: the right to obtain restriction, right with a markedly precautionary connotation, aimed at obtaining the limitation of processing where the hypotheses governed by the same art. 18 of processing where one of the following applies: right to object – Article 21 of the GDPR: the right to object to the processing of your personal data unless the controller demonstrates compelling legitimate grounds for the processing;right to data portability – Article 20 of the GDPR: the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance, where the processing is based on consent and the processing is carried out by automated means; right to lodge a complaint with the Italian Data Protection Authority (Garante), Piazza Venezia 11, 00187 Rome (RM)- ex. Article 77 of the GDPR, where it is believed that the processing under analysis violates national and EU legislation on the protection of personal data.
4.2.In addition to the rights described in the previous art. 6.1.), GF specifies that, in relation to the personal data of the data subject, there is, where possible and conferring, the right to exercise, on the one hand, the (sub) right provided for by art. 19 of the GDPR ("The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it”), to be considered connected and connected to the exercise of one or more rights regulated by art. 16, 17 and 18 of the GDPR; on the other hand, GF specifies that, in relation to the personal data of the data subject, there is, where possible and conferring, the right to exercise the right provided for by art. 22 paragraph 1) of the GDPR ("The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.") , subject to the exceptions provided for in paragraph 2 below).
4.3. In accordance with Article 12(1) of the GDPR, GF undertakes to provide the communication under Articles 15 to 22 of the GDPR in a concise, transparent, intelligible and easily accessible form. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
4.4. In accordance with Article 12(3) of the GDPR, the Controller informs you that it undertakes to provide information on action taken on a request under Articles 15 to 22 to you without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
4.5.The data subject can exercise, at any time, the aforementioned rights (except for the right pursuant to art. 77 of the GDPR) by using the contact details illustrated in art. 7. of this “Notice”.
5. Data Controller’s contact details
5.1. The Controller can be contacted at the following email address: privacy@gfgarden.it
5.2. The “Data Protection Officer”, as specified in Article 37 of the GDPR is the lawyer Sara Mandelli of BALDI & PARTNERS, who can be contacted at the following email address: dpo@gfgarden.it
6. Recipients of your Personal Data
The Controller will disclose your Personal Data to its collaborators, who will act as persons authorised to process personal data.
Furthermore your Personal Data will be processed by third parties belonging, by way of example, to the following categories:
a) any subsidiary, parent or associated company of the Controller, including:
b) entities providing IT system management services, including server hosting and backup services;
c) entities that provide the Controller with tax, legal, judicial and compliance advice;
The entities listed above operate, in some cases, independently as separate data controllers, and in other cases, as data processors specifically appointed by the Data Controller in accordance with Article 28 of the GDPR.
Moreover, with regard to the Provision of the Italian Data Protection Authority (Garante) made on 27 November 2008 “Misure e accorgimenti prescritti ai titolari dei trattamenti effettuati con strumenti elettronici relativamente alle attribuzioni delle funzioni di Amministratori di sistema” (Measures and mechanisms required by data processing controllers using electronic media with regard to attributing the functions of system administrator), as Data Subject you may also ask the Controller the names of the System Administrators of the operating systems containing the personal data collected.
The personal data processed by the Controller are not disclosed.
GF does not intend to transfer your personal data to any non-EU countries. However, if, in execution of the purposes listed above, GF should transfer your data outside the European Union, the Controller will proceed to carry out such transfer only after establishing that one of the conditions laid down in Articles 44 et seq. of the GDPR is met, in order to ensure an adequate level of protection of your personal data.
Correggio (RE), there 1 September 2021
G.F. srl
(in the person of its pro tempore legal representative)
[1] Cookies designed to collect and store data while a user accesses a website, and disappear once the user closes the relevant browsing session
[2] Cookies that are designed to last for a set period of time (e.g., minutes; months; years).
[3] Analytical cookies are usually used to assess the effectiveness of an information society service provided by a publisher, for the design of a website or, finally, to help measure the relative traffic (i.e. the number of visitors, also possibly split by geographical area, time of connection).
[4] See Guidelines in question, pg. 13) and 14): " Accordingly, analytics cookies will have to be structured in such a way as to enable the same cookie to relate to several devices, which will create reasonable uncertainty as to the IT identity of the cookie recipient. This is usually achieved by masking out appropriate portions of the IP address in the cookie. Taking into account the 32-bit IPv4 representation of IP addresses, which are usually represented and used as a sequence of four dot-separated decimal numbers between 0 and 255, one of the measures that can be implemented in order to benefit from the said exemption is the masking out of at least the fourth component of the address, which creates a 1/256 (approximately 0.4%) uncertainty in attributing the cookie to a specific data subject. Similar procedures should be adopted with regard to IPv6 addresses, which have a very different structure and a significantly larger addressing space since they consist of 128-bit binary numbers. Further, the Garante stresses the need for analytics cookies to be only used for the production of aggregated statistics and in relation to an individual website or mobile application, so as not to allow tracking an individual’s navigation across different applications or websites. Accordingly, third parties providing web measurement services to the publishers shall not match the data, even if minimized in the manner described above, with any other information (such as customer records or statistics concerning visits to other websites) nor will they forward such data to other third parties since this will result into unacceptably increasing user identification risks. This is without prejudice to the production of statistics based on minimized data across several domains, websites or apps that can be traced back to the same publisher or publishing group. However, statistical analyses concerning several domains, websites or apps that can be traced back to one single controller can be considered lawful even in the absence of the aforementioned minimization measures – on condition such analyses are performed by way of the controller’s own resources and do not turn into activities that go beyond statistical counting and take on ultimately the features of processing operations aimed to enable business-related decision-making”.
