WHY THIS INFORMATION

Pursuant to the provisions of Regulation (EU) 2016/679 (GDPR), we provide you with the necessary information regarding the processing of your personal data on this website. This information is provided pursuant to Article 13 GDPR. This notice does not apply to other websites of third parties that may be consulted through links on this website, for which we decline any liability. With specific reference to the purpose of direct marketing through electronic means, this information is also intended for legal entities, in accordance with the provisions of Directive 2002/58/EC (e-Privacy Directive), as implemented in Italian law by Legislative Decree no. 196/2003 and subsequent amendments and additions.

1. DATA CONTROLLER

The Data Controller is Citterio S.p.A., with registered office in Via Don Giuseppe Brambilla 16/18 – 23844 Sirone (LC), represented by the person with necessary powers. You can contact the Data Controller at the following email address: privacy@citteriospa.com.

2. 2. CATEGORIES OF PERSONAL DATA PROCESSED

Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristics (C26, C27, C30 GDPR).

More in detail, we will process your following personal data:

Browsing data

During their ordinary course of operation, the IT systems and software procedures required to run this website acquire certain personal data, whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects but, by its very nature, it could enable identification of the users through the processing and matching of data held by third parties. This data category includes IP addresses or domain names of computers used by the users who visit the site, as well as the URI addresses (Uniform Resource Identifier) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file received in reply, the numerical code indicating the status of the reply from the server (done, error, etc.) and other parameters related to the operating system and the IT environment of the user.

Data provided voluntarily by the user

The optional, explicit and voluntary sending of messages to the contact addresses indicated on this website and / or the compilation of data collection forms entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data inserted.

Information about the processing of personal data carried out through Social Media platforms

Regarding the processing of personal data carried out by the managers of the Social Media platforms used by the Data Controller, please refer to the information notice provided by them through their respective privacy policies. The Data Controller processes the personal data provided by users through the pages of the dedicated Social Media platforms, to manage interactions with users (comments, public posts, etc.) and in compliance with current legislation.

Cookies and other tracking systems

For cookies and other tracking systems, please see the cookie policy in the footer of the website and at the following link .

3. PURPOSES OF PROCESSING | LEGAL BASIS | DATA RETENTION PERIOD | PROVISION OF PERSONAL DATA

PURPOSES

Browsing on this website.
The data necessary for the use of web services are also processed for the purpose of:
• obtain statistical information on the use of services (most visited pages, number of visitors by time or day, geographical areas of origin, etc.);
• check the correct functioning of the services offered.

LEGAL BASIS

Legitimate interest of the Data Controller (art. 6 (1) lett. f) and C47 GDPR).

DATA RETENTION

Duration of the browsing session (except for the investigation of crimes by the judicial authorities).

NATURE OF DATA PROVISION

The provision of data is necessary for the browsing of the website.

PURPOSES

Use of cookies and similar technologies.
Please see the cookie policy linked in the website’s footer.

LEGAL BASIS

For cookies and similar technologies of a technical nature/strictly necessary for the proper functioning of the site, processing is based on the legitimate interest of the Data Controller (Art. 6(1)(f) and C47 of the GDPR).
For the necessary non-technical cookies and similar technologies, the processing is based on the consent to the processing of personal data (art. 6 (1) lett. a) and C42, C43 GDPR).
The consent is given through the banner and the cookie policy of the website.

DATA RETENTION

Please see the cookie policy linked in the website’s footer.

NATURE OF DATA PROVISION

Please see the cookie policy linked in the website’s footer.

PURPOSES

Contacts. Send requests for contact, information, quotes, projects.

LEGAL BASIS

Execution of a contract and / or pre-contractual measures at the request of the Data Subject (art. 6 (1) lett. b) and C44 GDPR).

DATA RETENTION

Maximum 12 months.

NATURE OF DATA PROVISION

The provision of data is necessary.
Failure to provide it will make it impossible to be contacted and receive information.

PURPOSES

Customer area, to access the reserved area.

LEGAL BASIS

Execution of a contract and / or pre-contractual measures at the request of the Data Subject (art. 6 (1) lett. b) and C44 GDPR).

DATA RETENTION

Until the termination of the contract and the technical time for disabling the credentials.

NATURE OF DATA PROVISION

The provision of data is necessary.
Failure to provide it will make it impossible to access the customer area.

PURPOSES

Management of your requests and requests from other Data Subject, pursuant to art. 15 et seq. GDPR (rights of data subject).

LEGAL BASIS

Legal obligation of the Data Controller (art. 6 (1) lett. c) and C45 GDPR).

DATA RETENTION

5 years from the closure of the request, except for litigation.

NATURE OF DATA PROVISION

The provision of data is mandatory, as it is essential to be able to execute legal obligations.

4. RECIPIENTS OF PERSONAL DATA

The personal data will be communicated to recipients, who will process the data as Data Processors (art. 28 of the GDPR), as persons acting under the authority of the Controller and Processor (art. 29 of the GDPR) or independent Data Controllers, for the purposes listed above. Precisely, the data will be communicated to:

• Entities based in Italy, which provide services for the website and communication networks, including e-mail, hosting and website management (also companies of the Molteni Group, affiliates, subsidiaries);
• Competent authorities for the fulfillment of legal obligations and / or provisions of public bodies, upon request.

The list of Data Processors is available by writing to the contacts indicated above.

5. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES

The data will be stored in Italy for the hosting, management, development and maintenance of the website. Personal data, in the case of communication of the same to subjects in non-EEA countries, will be transferred to non-EEA countries in order to comply with the purposes indicated above. The data will be transferred within the limits and under the conditions set out in art. 44 et seq. GDPR, to subjects who have provided adequate guarantees for the transfer pursuant to art. 45, 46, 47 GDPR. For information on the guarantees regarding the transfer of data outside the EEA write to: privacy@citteriospa.com.

6. AUTOMATED PROCESS

Personal data will be subjected to traditional manual, electronic and automated processing. It is specified that fully automated decision-making processes are not carried out.

7. RIGHTS OF THE DATA SUBJECT

You may exercise your rights pursuant to art. 15 et seq. GDPR, contacting the Data Controller at privacy@citteriospa.com, or at the contacts indicated above. You have the right, at any time, to request the Data Controller to access your personal data (art. 15), to amend (art. 16), to delete your data (art. 17) or limit their processing (art. 18). The Data Controller informs (art. 19) each of the recipients to whom the personal data have been transmitted any corrections or cancellations or limitations of the processing carried out. The Data Controller informs the Data Subject of these recipients under request. In the cases provided for, you have the right to the portability of your data (art. 20) and in this case they will be provided to you in a structured format, commonly used and readable, by an automatic device.

Furthermore, you have the right to object, at any time, to processing of your personal data pursuant to art. 6 (1), point (f) GDPR (Data Controller’s legitimate interest).

In the event you consider the processing of personal data carried out by the Controller is in breach of the provisions of Regulation (EU) 2016/679, you have the right to lodge a complaint with the Supervisory Authority, specifically in the Member State in which you reside habitually or work or in the place where the alleged breach of the Regulation occurred, or to take appropriate legal action, pursuant to Articles 78 and 79 GDPR.

8. CHANGES TO THIS PRIVACY POLICY

The Data Controller reserves the right to amend, update, supplement or remove parts of this Privacy Policy. For your convenience, when we post changes, we will revise the “last update” date of the Privacy Policy.

Last update: 29^th November 2022

Citterio S.p.A.