INFORMATION ON THE PROCESSING OF PERSONAL DATA
This notice explains to the data subject (also referred to in this statement as the User) who processes his data and how, which data are involved, what his rights are and how he can exercise them. If anything in this notice is unclear or seems insufficient, please write to the following address: firstname.lastname@example.org
2: SOME IMPORTANT NOTIONS ON PERSONAL DATA
What is meant by personal data? Personal data are all information referring to an identifiable natural person. Name and surname are personal data, to be precise they are identification data, but they are not the only personal data of the user. There are indeed others in the communication between User and Acquaclick: email, category of belonging (private, company, architect etc.).
Moreover, since personal data is, as mentioned above, any information referring to a natural person, the content of communications sent to Acquaclick or published by the User on the site (in the comments section) can itself contain personal data, or information, relating to the user or to third parties. For example, writing in a comment a judgment on a product that also contains information about oneself is equivalent to supplying Acquaclick with a datum.
Personal data are only those of natural persons (so, in the case of the form included in this service: name and contact email, the latter only if it is the personal address of the writer and not one generally assigned to the company, such as info@XXX.com, or to one of its offices, such as personale@XXX.com).
What does it mean to process data? The legal definition of treatment includes any operation or set of operations concerning the collection, registration, organization, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, deletion and destruction of data. In practice, then, everything that can be done with the user's data is treatment. Simply collecting, reading or consulting data, for example, is already a treatment. In the case of Acquaclick, processing the information contained in a request in order to respond to it is likewise a treatment.
Why are they important to the user? The data tell who the user is and what he does. Precisely because they are "his", they are important, and it is clear that he has the right to decide whether to let them be treated by a third party, and to know how this is done.
Why are they important to Acquaclick and its related services? They are important because they allow Acquaclick to provide the requested service. Without such data it is impossible for Acquaclick to respond to the communication through this service, execute the contract, or perform ancillary activities (such as statistics, etc.).
3: WHO TREATS THE DATA
The data controller is the person who makes the decisions on how to handle the data, and therefore, among other things: what precautions to take to protect them, where to store them (on a server, in the cloud, etc.), what data to ask the user for, which data to process and for what purpose, which data to sell and to whom, how to manage relationships with users and their rights, whom to choose as collaborator, data processor or person in charge of processing the data, what instructions to give to collaborators, etc. Given that the data controller is so important, the user should know that it is:
F.lli Della Fiore Spa
S.P.205 Vigentina 2,4,6 27010 San Genesio ed Uniti
REA: PV - 131625
Paid up capital from last balance sheet: € 2.000.000,00
Then, with regard to any ancillary functions, Acquaclick may avail itself of internal subjects authorized to treat (also called appointees) or external subjects mostly as data processors.
To provide its service, Acquaclick avails itself of the collaboration of:
• Register.it SpA for the management of the email service.
• Hetzner. For information on the policy, visit the following page: https://www.hetzner.com/rechtliches/datenschutz
• Mailchimp for the newsletter service. For information on the policy, visit the following page: https://mailchimp.com/legal/privacy/
• Zendesk for the management of the Chat service (service located in the United States). For information on the policy, visit the following page:
3 / a: WHO THE DATA IS COMMUNICATED TO (OR WHO IS PERMITTED TO ACCESS IT)
The data can be communicated to subjects that collaborate in fiscal and administrative management (for example, the accountant).
The data are also communicated, for the performance of the functions referred to in the previous paragraph to the subjects indicated therein (hosting, etc.).
The data are also communicated to the subjects who collaborate in the execution of the contract, such as banks, institutes or payment services if provided, express courier for delivery.
It is important to know that Acquaclick can manage and control only the data stored and processed within its own system: data transferred or communicated to third parties will be treated autonomously by those third parties, in the manner and to the extent set out in their own privacy policies. In any case, where Acquaclick ceases the processing of a user's personal data, it will also communicate the termination to the subjects to whom such data have been communicated, but cannot guarantee the termination of the treatment by these.
4: WHERE IT IS
Acquaclick processes personal data at its offices.
Regarding the support chat (Zendesk), the data is processed in the United States.
5: WHICH DATA IS PROCESSED
Based on the nature of the data, we can identify:
- Identification data: name, surname, email, social security number, telephone number and company, image (avatar).
- Content data: information that can be inferred or read from the content of the communications (comments or requests sent to Acquaclick may contain information about the person).
- Analytical statistics data: they are aggregated data, processed using fingerprinting techniques (currently cookies). A sort of survey obtained from the union of the data as above. They may have technical or statistical significance. Acquaclick treats them because even the statistics can have a value to establish the effectiveness of the site.
- Users' browsing data, whose transmission to the site is implicit in the functioning of the IT systems responsible for its management, such as for example IP addresses, the domain names of the computers used by users who connect to the site and other parameters relating to the operating system.
6: FOR WHICH PURPOSES THE DATA IS TREATED, WITH INDICATION OF THE LEGAL BASIS AND RETENTION PERIOD
Acquaclick processes user data for the following purposes:
1. Fulfillment of orders forwarded to the Acquaclick e-commerce site: consists in processing the order, sending the product, activating the payment, managing the after-sales service. Legal basis: execution of the contract; Duration: up to the end of the transaction, except for further conservation to allow the consumer to exercise the rights (of withdrawal, of guarantee up to two years and two months). For further conservation for tax purposes (up to ten years) the legal basis is the observance of a legal obligation on the owner.
2. Management of the registration and the User's account on the Acquaclick site; Legal basis: execution of the request for registration of the User (contract and express consent by completing the registration form); Duration: up to the cancellation of the account (even after the cancellation of the account the data can be kept for the purposes of point 1).
3. Sending newsletter: Legal basis: express consent by registration. Duration: up to the cancellation by special function.
4. Chat: Legal basis: express consent by access to the service. Duration: until the end of the requested consultation.
5. Response to requests sent by the user (information, quotes, etc.): consists in the response to contacts made by the customer (with email, chat, etc.). It consists, for example, in providing information, sending estimates, etc. Legal basis: execution of pre-contractual measures (such is the information, the estimates sent for the conclusion of a possible contract); Duration: ten years (obligation to preserve business correspondence).
6. Management of opinions: on the personal page it is possible to comment on products or articles. Legal basis: consent of the person concerned by writing the comment. Duration: up to revocation of the consent, except in the case in which the comment is unlawful (in this case it is kept for the time necessary for the exercise, also in court, of the relative rights by the Owner or Third Party).
7. Database creation: creation of a customer database at the owner's office where users are entered and registered. Legal basis: legitimate interest of the owner in maintaining customer records to ensure business continuity and effective satisfaction of customers' rights (for example withdrawal, guarantee, etc.) at its headquarters and independently of the database integrated in the ecommerce.
8. Statistics: elaboration of statistics based on the categories of users to optimize the business of the Data Controller (evaluate the categories most interested, etc.). Legal basis: legitimate interest of the Data Controller to evaluate market sectors of interest, effectiveness of the sales system. Duration: the statistics are performed in real time, but only the aggregated and therefore anonymous data is kept.
7: HOW THE DATA IS GIVEN (BY THE USER)
All data is provided by the user. Name, surname, email, company, category, contents, image are in fact those written by the same in the registration, purchase or comment form.
In addition to the data provided by the user when filling in the form, there are data that can be obtained by analyzing the content of what the user wrote. These are data that the user confers through active behavior, even if perhaps not very consciously; once processed, they can assume a different and greater value than he believes, because they could be used to summarize, profile and categorize him.
Finally there are the acquired data: the history is created by the succession of purchases made by the customer.
8: WHAT DATA IS OBLIGATORY AND WHAT IS OPTIONAL (AND THE CONSEQUENCES OF REFUSAL TO GIVE THE DATA)
Only the data relating to the identification of the user are required, such as name, surname and contact details (the email, however, can be that of the company, such as email@example.com), tax identification number and telephone number, which serve to execute the sales contract.
Not providing such data makes it impossible to execute the distance selling contract.
Finally there are the physiological ones: these are the data defined above as content data. As for the latter, it is not possible to discriminate between mandatory and optional, as they are formed as a natural consequence of writing the content of the message or comment.
9: HOW THEY ARE TREATED
The data is collected and processed by electronic means.
They are hosted on servers located in EU territory, with the application of security systems according to the HTTPS protocol.
Only duly authorized persons provided with individual authentication credentials can access and process the data, within the scope of the assignment they have received.
10: FOR HOW MUCH TIME THEY ARE TREATED
The data are processed as long as they serve the purpose for which they are given, except for the conservation obligations provided for by the law (for example, with regard to the ten-year conservation of communications with fiscal or commercial content, see DPR 600/1973 among others).
For the duration relative to the single purposes, see point n. 6.
11: WHAT IS THE LEGAL BASIS OF THE TREATMENT
The data is essentially processed to execute the sales contract, to execute legal obligations connected to it. In some cases they are treated according to consent or legitimate interest. For a detailed explanation see point n. 6.
12: HOW THE SERVICE "DISTURBS" THE USER
The user who sends a communication via the site to Acquaclick may receive emails or other communications from Acquaclick: these will be operational emails or otherwise in response to the communication sent by the User. These emails are essential for the regular management of the service. It could happen that these emails are sent by the connected services, competent in relation to the request made by the User (professionals, artisans who could carry out complementary activities).
13: NEWSLETTER
The newsletter is managed by Mailchimp. It has a monthly frequency and contains product promotions from our suppliers and informational articles.
14: WHAT ARE THE RIGHTS OF THE USERS
Users are beneficiaries of a series of rights.
Information rights about:
• Categories of data processed (see point 2 and 5);
• Data origin, i.e. where the service got its data from (see point 7);
• Purpose of data processing, i.e. for what purposes the data is processed (see point 6);
• Data processing methods (see point 9);
• Details of the data controller and any data processors (see point 3);
• Subjects to whom the data are communicated (see point 3 / a);
• Data storage and processing time (see points 10 and 6);
• Right to lodge a complaint before the privacy guarantor by accessing the following link: http://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-nostri-dati-personali
• Existence or not of profiling process;
• Legal basis of the processing (see point 11 and 6);
• Interests pursued by the owner through the processing: economic promotion of services and sale of products connected to Acquaclick.
Then there are rights that are not simple information but operational. They are of various kinds. In summary:
• The interested party has the right to have a copy of the data provided. If the data has been processed using automated methods and on the basis of consent or a contract, the user can request, if technically possible, that the data be transmitted to the interested party or to a possible new owner (portability), provided that this operation does not infringe the rights (and data) of other people. In the present case, this right cannot be exercised in relation to communications that contain data of third parties, industrial secrets or otherwise protected contents. In this case, the user may also request the deletion of data (unless the law requires the Data Controller to store it, as in the case of commercial communications).
• If personal data are inaccurate or incomplete, the interested party may request to rectify or complete them, providing indications to this effect. If the Data Controller must verify the accuracy of the data contested by the data subject, the data subject may at the same time obtain the limitation of the disputed data (limitation means that the data is only stored and no other processing is done except with the specific consent of the data subject or if they serve to exercise or defend a right in court).
• If personal data are no longer necessary for the purposes for which they were collected or otherwise processed, the interested party may request cancellation. If, however, the data are used by the data subject to exercise his own right in a judicial context, he can request the limitation (i.e. storage only).
• If the processing is unlawful because the data are processed without consent, legitimate interest on the part of the Data Controller, contract for the execution of which the treatment is necessary, legal obligation of processing by the Data Controller, the data subject may request cancellation or limitation.
For a more detailed general overview of rights:
Right of access: The user has the right to obtain from the data controller confirmation that personal data concerning him are being processed, the purposes for which his personal data are processed, which personal data are processed (and, as mentioned, for what purposes), to whom the data are communicated or transferred (and where), the time of storage and processing of the data, and the possible existence of a profiling process (i.e. data analysis with related evaluation of the behaviors, tastes, location, etc. of the interested party).
If the data has been collected by a subject other than the holder, the right to request from whom the Data Controller has received the data also falls within the right of access.
Finally, the interested party has the right to request a copy of his/her data: if not directly downloadable from his personal account, the copy will be provided in computer format, unless the interested party requests it in a different format (see art. 15 GDPR).
Right of rectification: The interested party has the right to obtain the rectification, that is the correction, of his personal data if they are inaccurate (in case of doubt about the correctness see also what is said in terms of limitation right: in this case in fact the data will be stored, not processed for the purposes for which they are normally processed, until the owner has verified or not the accuracy of the same). In the event that the data are incomplete, and the completion is necessary or appropriate for the purposes for which they are processed, the interested party may obtain the integration of the same, possibly providing a supplementary declaration for this purpose.
Right to cancel data: the data subject has the right to obtain the cancellation of the data in the following cases:
• your data are no longer needed for the purposes for which they were collected or otherwise processed;
• the data were processed on the basis of a consent that the data subject has withdrawn (provided that, to justify the processing, other legal reasons remain, such as the execution of a contract, the fulfillment of an obligation imposed by the law in force to the owner);
• the data subject has opposed the processing (see the item opposition): if the processing is opposed in the case of direct marketing, the data, if used only for this purpose, must be deleted (and in any case can no longer be processed for direct marketing purposes), while in other cases (i.e. if the data are processed for other legitimate interests of the Data Controller indicated in the information note or for the performance of a task of public interest by the Data Controller) they are canceled only if there are no prevailing reasons (see opposition) that require their preservation. For the time necessary to establish whether "prevailing reasons" exist, they may be limited;
• the data have been processed unlawfully, therefore without the owner having the right to do so (as an alternative to the deletion the interested party can request the limitation, as indicated above);
• the data must be deleted due to the law;
• the data concern children under 16 years of age, were collected as part of the information society services (online) and consent or authorization was given to the parents to process them.
The cancellation is not performed, however, in the following cases:
• if the data are processed in the context of a legitimate exercise of freedom of expression or information (in the judgment of the owner, without prejudice to the faculty of the data subject to contact the Guarantor or the Judge as indicated above);
• if the processing of data is necessary to fulfill a legal obligation to which the Owner is subject, or for the performance of a task performed in the public interest by the Owner;
• if the data is processed for reasons of public order or public health;
• if the data is stored for public interest, scientific or historical research, as long as they are rendered anonymous if possible, or at least pseudonymised (i.e. treated in such a way that it is not possible to identify the person concerned except by means of additional information with respect to that immediately available), and use is made of the minimum data necessary for these purposes;
• if the processing of data is necessary for the exercise or defense of a right in a judicial (criminal) context.
Right of limitation: it is the right to mark the data and to limit its use to storage only. In this case, therefore, the Data Controller does not delete them, but only retains them without carrying out any other form of processing. The holder keeps them separately from the others only if requested by the interested party: it may in fact be in the interested party's own interest that the data, even if only kept for the purpose of limitation, remain in the original location.
The right of limitation exists in the following cases:
• if the data subject disputes the accuracy of the data, for the period necessary to verify the accuracy of the data (see the information regarding the right of rectification);
• if the treatment is unlawful and the interested party does not request its deletion, but asks only for its limitation (in order to probably then exercise his rights);
• if the processing is no longer necessary for the purposes for which the data were collected or processed, but the data is necessary for the data subject himself to ascertain, exercise or defend a right in court (in this case, therefore, even though they should no longer be treated, they are preserved because, precisely, they are necessary in a court of law for the person concerned);
• if there has been opposition to the processing (not in the case of opposition to the processing of data for direct marketing), and the holder must verify if there are prevailing reasons that make the treatment necessary (see cancellation right, point n. 3 and opposition).
The interested party is informed by the holder in case of revocation of the limitation. The information will explain the time of revocation, and the processing of the data that will be carried out after this revocation.
Right to portability: it is the right to obtain a copy of your data, or rather the data that the same person has provided (in any way) to the owner, if these are processed by automated means and have been processed on the basis of a consent given by the interested party or in performance of a contract to which the interested party is a party. The copy must be readable by an automatic device and the file must be in a common format.
The interested party also has the right to request that this copy be sent to another owner, as long as this is technically feasible.
The right to portability cannot damage the rights and freedoms of others: if, therefore, the personal data of the interested party are not technically divisible from the data of other persons, the right to portability cannot be exercised.
Opposition right: if the personal data are processed for the execution of a task of public interest of the Data Controller, or for a legitimate interest, the interested party may oppose it, i.e. he can declare that the data must not be treated for this purpose.
If the right of opposition is exercised, the holder must refrain from further processing the data (mind you: he refrains from treating them further, but does not necessarily have to cancel them, as a specific request by the interested party is required for this purpose). If, however, the Data Controller shows that there are urgent and legitimate reasons to continue the treatment, and proves that these reasons prevail over the interests, rights and freedoms of the data subject, then the processing will continue (the interested party retains the right to contact the Guarantor or the Judge, or to ask in the meantime for the limitation of the treatment).
The treatment, despite the opposition, may be continued, in any case, for ascertaining, exercising or defending a right in court.
In any case, if the data are processed for the legitimate interest of the owner consisting in the execution of direct marketing activities, and the data subject opposes this processing, the data can no longer be processed for such purposes.
The right not to be subjected to an automated decision: The interested party has the right not to be subjected to automated decisions (such as, but not limited to, profiling) that produce legal effects against him or affect his life. This right does not exist when the decision based only on automated means is authorized by a specific law, or has been the subject of consent of the interested party, or is necessary for the execution of a contract between the interested party and the owner. In any case, if the decision is authorized by the interested party's consent or necessary for the execution of the contract, the interested party has the right to obtain human intervention for the revision of the decision, to express his opinion to this end and in each case to challenge the decision.
15: HOW YOU CAN EXERCISE THEM
Procedure for exercising rights: Your rights can be exercised by sending an email to info@Acquaclick.com
The Holder must respond within thirty days (which may be extended by another two months, but the Owner in this case must give a reasoned notice of the delay to the user).
The Owner may refuse, if he has reason, to comply with the user's request (refusal which must be communicated to the user within a month) only in the event of manifestly unfounded or repetitive requests. In this case, it must give a motivated reply. In any case, the user can contact the "Privacy Guarantor" (see link below) or the Judge.
The Owner must respond using the same channel (mail, telephone, etc.) used by the user for the request, unless the user himself requests a response by another means. In case of request coming from an e-mail address different from the one indicated in the account, the applicant must prove to be the interested party.
The Holder, where he has doubts about the identity of the person making the request or exercising one of the rights listed below, may request further information to confirm the identity of the applicant.
Requests and answers are free, unless they are repetitive. In this last case the Owner can charge the actual costs that he incurs for the answer (therefore personnel costs, material costs, etc.).
In any case, the interested party may contact the Guarantor Authority (http://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-nostri-dati-personali) or the competent Jurisdictional Authority for the exercise of their rights.
16: WHAT ARE THE DUTIES AND CHARGES OF THE USERS
Since, as stated above, a communication contains (or could contain) personal information of the user or third parties, both in the body of the text and in any attachments, the user is invited to use caution when entering data and information in such communications, especially if such information relates to third parties.
Furthermore, the user is obliged to communicate truthful information.
17: DATA BREACH HYPOTHESIS
Should one or more of the following events occur with respect to user data: unauthorized access, theft, loss, destruction, disclosure (so-called data breach), Acquaclick, without prejudice to the urgent technical measures to be implemented to block the event (as far as possible) and to reduce its harmful effects, undertakes to:
- restore the service as quickly as possible, recovering the data available from the last useful backup made;
- inform users, directly if the circumstances allow it or generically (by a warning on the Home of the Service or by a communication sent to all users, including those for which there may have been no data events), of the type of event, of the time at which it occurred, of the measures taken (without going into detail in order not to facilitate any new attacks) to reduce damage and to avoid new similar events, as well as the measures and precautions that the user should, on his part, put in place to reduce the chance of new events and limit the consequences of those that have already occurred.
In PDF format, with the following hash. http://www.acquaclick.com/doc/informativa_acquaclick.zip
Text valid from 26 March 2018