Privacy Policy

Ex art. 13-14 of the EU Regulation n. 679/2016
Premise

OLEIFICI SITA ‘SRL (hereinafter the “Data Controller”), pursuant to Articles 13 and 14 of the EU Regulation n. 679/2016, hereby announces the information relating to the processing of personal data in the provision of its service.

It is necessary to point out right away that the entire information must be read bearing in mind that the Data Controller provides a service exclusively aimed at the sale of graphic and digital projects, management packages, material assets and training courses.

The information is also inspired by Recommendation no. 2/2001 that the European authorities for the protection of personal data, gathered in the Group established by art. 29 of the directive n. 95/46 / EC, adopted on 17 May 2001 to identify some minimum requirements for the collection of personal data online and, in particular, the methods, timing and nature of the information that the data controllers must provide to users. when these connect to web pages, regardless of the purpose of the connection as following consultation of a site, data relating to identified or identifiable persons may be processed.

The information is provided only for the website of the Data Controller and not for other websites that may be consulted by the user via links.

Art. 1. Owner – Data processing and protection manager The Data Controller of your data is OLEIFICI SITA ‘SRL, telephone +39 0964 323209, email: info@oliosita.it.

Any collaborators of the Data Controller (administrative, commercial staff), as managers and persons in charge of the processing, are all specifically assigned to data processing.

Art. 2. Place of processing of personal data, are processed in the premises of the Data Controller, as well as on IT support by means of the software made available by the various Partners and the devices made available to the persons authorized to process the data.

The treatments connected to the web services of the sites are carried out with the help of:

Fastweb

Art. 3. Type of data processed The Data Controller only processes data provided voluntarily by the user, or data acquired from third parties with his explicit consent; data strictly necessary to process any request, be it information or service provision. For the provision of the service and / or for pre-contractual activities, the Data Controller processes the following categories of data:

Common personal data

(any information relating to a natural person, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number) including: personal data, banking / financial data, telephone and telematic contacts.

a) Navigation data.

The computer systems of the Site and the Blog collect some Personal Data whose transmission is implicit in the use of Internet communication protocols.

This is information that is not collected to be associated with you, but which by its very nature could, through processing and association with data held by third parties, allow you to be identified.

These data are used in order to obtain anonymous statistical information on the use of the Site and to check its correct functioning; to allow – given the architecture of the systems used – the correct provision of the various features requested by you, for security reasons and to ascertain responsibility in the event of hypothetical computer crimes against the Site or third parties.

For example, at each access to the pages of the website of the Data Controller, the user data will be transmitted through the Internet browser and saved in protocol files, the so-called server log files.

The following data will be saved: date and time of access, name of the visited site, IP address, URL of the referrer (URL of origin through which you arrived on the websites of the Data Controller), the amount of data transmitted, related information to the product and version of the browser used. The IP addresses of users are deleted or made anonymous at the end of use. In the case of anonymization, the IP addresses will be modified in such a way that they cannot be attributed to a specific natural person except with an excessive effort in terms of time, costs and manpower.

We analyze these log file data sets anonymously in order to improve our offerings, find and eliminate errors faster and to check server capabilities. In support of this information on the data acquired by browsing the portal of the Data Controller, the interested party is invited to consult the Cookies session, which is an integral part of this information.

b) Data provided voluntarily.

Through the Site you have the possibility to voluntarily provide Personal Data such as name, surname and e-mail address or bank details to make a payment. The Data Controller will process these data in compliance with the Applicable Law, assuming that they refer to you or to third parties who have expressly authorized you to provide them on the basis of an appropriate legal basis that legitimizes the processing of the data in question.

With respect to these hypotheses, you place yourself as an independent Data Controller, assuming all the obligations and responsibilities of the law. In this sense, you grant the widest indemnity on this point with respect to any dispute, claim, request for compensation for damage from treatment, etc. that should reach the Data Controller from third parties whose Personal Data have been processed through your use of the Site in violation of the Applicable Law.

c) Data processed in interaction with social networks.

In addition to filling out the appropriate service request forms, you can submit this request, if you have a Facebook or Google profile, also by simply clicking on the “Register with Facebook” or “Register with Google” button. In this case, Facebook or Google will automatically send some of your data to the Data Controller, specified in the appropriate “pop-up” window that appears at the time of the request, and there will be no need to fill in other forms on your part.

Art. 4. Purpose of the processing The Data Controller informs that it will process personal data to the extent strictly necessary to fulfill the following purposes:

a) purposes related to the execution of a contract of which you are a party or to the execution of pre-contractual measures adopted at your request;
b) purposes related to the fulfillment of a legal obligation to which the Data Controller is subject;
c) purposes necessary to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their judicial functions;
d) allow navigation of the Site and the provision of the services of the Data Controller;
e) find specific requests addressed to the Data Controller;
f) fulfill any obligations established by applicable laws, regulations or community legislation, or satisfy requests from authorities;
g) carry out direct marketing via e-mail for services similar to those signed by you, unless your express refusal to receive such communications, which you may express during registration or on subsequent occasions;
h) carry out marketing / newsletter activities such as: elaborating studies, researches, market statistics; send information and promotional material relating to the activities, services and products of the Data Controller and its commercial Partners (without any communication of personal data owned by the Data Controller to the aforementioned Partners); send you surveys to improve the service (“customer satisfaction”). Such communications may be made by e-mail or text message, by paper mail and / or the use of the telephone with operator and / or through the official pages of the Data Controller on social networks; it is specified that the Data Controller collects a single consent for the marketing purposes described here, pursuant to the General Provision of the Guarantor for the Protection of Personal Data “Guidelines on promotional activities and the fight against spam”, of 4 July 2013 ; if, in any case, you wish to object to the processing of your data for marketing purposes carried out with the means indicated here, you can do so at any time by contacting the Data Controller at the addresses indicated in the “Contacts” section of this information, without prejudice to the lawfulness of the processing based on the consent given before the revocation;
l) for statistical or research purposes, without it being possible to trace your identity.

The user at any time has the right to revoke their authorization for the use of personal data for these purposes, even if only partially or for specific methods of communication. This operation does not involve additional costs and it will only be necessary to send a communication to the known contacts of the Data Controller.

Art. 5. Processing methods The information systems and computer programs are configured by minimizing the use of personal data and identification data, so as to exclude their processing when the purposes can be pursued through anonymous data or with the use of appropriate methods that allow the data subject to be identified only in case of need.

To access the service offered by the Data Controller, the data subject will initially provide only common personal data that will be processed by administrative staff.

In fact, the Data Controller takes all possible initiatives and security measures to prevent the appointees from processing data that is not necessary for the accomplishment of its purpose.

Your personal data will be recorded, processed, managed and archived with the aid of electronic IT tools and only possibly in paper form.

In any case, the chosen method will not affect the security and confidentiality of the data which remain guaranteed.

Personal data are managed with automated tools for the time strictly necessary to achieve the purposes of the processing. Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.

In this sense, there is a widespread distribution of responsibilities and the possible activities on the data are defined through regulations and operating instructions to the persons in charge. The Data Controller has undertaken to guarantee training and refresher courses on privacy issues, potential dangers and

responsibilities related to data processing. In addition, all operators who access the computerized systems are identifiable, bound by professional and / or official secrecy and in any case authorized for processing.

In cases where special laws provide for the processing of data in an anonymous form (protection of victims of acts of sexual violence and pedophilia, seropositivity, use of narcotic drugs, psychotropic substances and alcohol, voluntary interruption of pregnancy, birth in anonymity, services offered by family counseling, responsible procreation choices, etc.) the data are obscured at the time of their creation in accordance with the provisions of the law in force and are not subject to processing.

The Data Controller does not perform profiling on the data processed.

Art. 6. Security Measures

The processing of personal data is guaranteed by the application of suitable and preventive security measures that make it possible to minimize the risk of destruction or loss, even accidental, of the data, of unauthorized access or processing that is not permitted or does not comply with the purpose of the collection.

Organizational choices and operating procedures regarding security in the processing of personal data are also defined by the processing of sensitive personal data using electronic tools.

The security system for personal data identifies the organizational choices and operating methods regarding the security in the processing of personal data, in particular with regard to:

• the list of personal data processing;
• access to authorized personnel based on the purpose of the processing;
• the analysis of the risks affecting the data;
• the measures to be taken to ensure the integrity and availability of the data;
• the description of the criteria and methods for restoring the availability of data following destruction or damage;
• the provision of training interventions for the persons in charge of processing, to make them aware of the risks affecting the data, of the measures available to prevent harmful events, of the profiles of the discipline on the protection of personal data most relevant in relation to the related activities, of the responsibilities that derive and how to update on the minimum measures adopted by the Data Controller;
• the description of the criteria to be adopted to ensure the adoption of the minimum security measures in case of processing of personal data entrusted outside the owner’s structure or transferred abroad;
• for personal data suitable for revealing the state of health and sexual life, the identification of the criteria to be adopted for encryption or for the separation of such data from other personal data of the interested party.

Art. 7 Recipients of the Treatment

The subjects who will process your personal data are:

– subjects appointed within the structure of the Data Controller, necessary for the provision of the services offered;

– subjects who typically act as data controllers, i.e .:

i) persons, companies or professional firms that provide assistance and advice to the Data Controller in accounting, administrative, legal, tax and financial matters;
ii) subjects delegated to carry out technical maintenance activities;

iii) credit institutions, insurance companies and brokers;

iii) parent companies, subsidiaries and affiliates of the Data Controller, limited to the pursuit of administrative-accounting purposes connected to the performance of organizational, administrative, financial and accounting activities;

– persons authorized by the Data Controller to process Personal Data who are committed to confidentiality or have an adequate legal obligation of confidentiality; (e.g. employees and collaborators of the Data Controller);

– subjects, bodies or authorities to whom it is mandatory to communicate your personal data by virtue of legal provisions or orders of the authorities;

– judicial authorities in the exercise of their functions when required by the Applicable Regulations.

The display of personal data takes place only by authorized parties according to specific methods, relating to the content of the contract signed by the data subject and in compliance with the purposes already described.

The designation is made by means of a “deed of appointment” inserted in the agreements, conventions or contracts that provide for the entrusting of personal data processing externally to the Company.

7.1 Internal Data Processors

The Data Controller, in consideration of the complexity and multiplicity of the Company’s institutional functions, designates as Data Processors:

• each Manager in charge of an Operating Unit of the Company, for the paper databases and for the electronic databases of the individual structures;
• the Manager in charge of the IT Service for centrally managed electronic databases;
• all external parties who, in any way, use the Data Controller’s database on behalf and in the interest of the Data Controller for purposes related to the exercise of its business functions (Article 9).

The designation of the internal managers is linked to the assignment of the structure assignment and is considered accepted by signing the contract.

The Data Controller must inform each Data Processor, as identified by the Regulations, of the responsibilities entrusted to him in relation to the provisions of the regulations in force.

Each Manager must guarantee:

– timely and full compliance with the duties of the Company provided for by the Code, including the safety profile;

– compliance with the provisions of this Regulation as well as the specific instructions given by the Data Controller;

– interaction with the Guarantor in the event of a request for information or other investigations;

– the adoption of suitable measures to guarantee, in the organization of performances and services, respect for the rights, fundamental freedoms and dignity of the interested parties, as well as professional secrecy, without prejudice to the provisions of current legislation and the security system company regarding the methods of processing sensitive data and minimum security measures.

The data processing manager, in relation to the implementation of security measures, has the following duties:

• draw up and update the list of the types of treatments carried out (census – art. 16);
• request the Head of the IT Service to assign an individual and non-reusable personal identification code to each Data Processor for access to data;
• keep the passwords for access to data by the Officers;
• check with the Head of the IT Service the effectiveness of the protection and antivirus programs as well as define the measures of access to the premises and the security measures against the risk of intrusion;
• ensure that all security measures regarding the Company’s data are applied within the Company itself and externally, if there is access to them by third parties such as Data Processors;
• inform the Data Controller in the event that risks have been identified.

All those who, in any way, manage, individually and separately from the single structure to which they belong, personal data of third parties, individually assume the quality of autonomous “Data Controllers”.

7.3 Persons in charge of processing

Each employee assigned to a specific service and required to carry out technical processing operations is to be considered, for all purposes, “Appointed” pursuant to art. 30 of the Privacy Code.

The Person in charge, in carrying out the operations strictly connected to the fulfillment of his functions, must scrupulously comply with the instructions given by the Data Controller and the Manager, undertaking to adopt all the security measures provided for by this Regulation as well as any other measure that is suitable to prevent and / or avoid the communication or dissemination of data, the risk, even accidental, of destruction or loss, of unauthorized access or unauthorized treatment or treatment that does not comply with the purposes of the collection.

The Appointee collaborates with the Owner and the Manager by reporting any risk situations in the processing of data and providing any information necessary for the performance of the control functions.

In particular, the Person in charge must ensure that, during the processing, the data are:

• processed lawfully and fairly;
• collected and recorded for specific, explicit and legitimate purposes, and used in other processing operations in terms compatible with these purposes;
• exact and, if necessary, updated, pertinent, complete, not excessive and, if sensitive data, indispensable with respect to the purposes for which they are collected or subsequently processed;
• kept in a form that allows the identification of the data subject for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed.

The Person in charge is required to maintain complete confidentiality on the data of which he has become aware during the performance of his activity, undertaking to communicate the data exclusively to the subjects indicated by the Data Controller and the Manager, only in the cases provided for by law and / or in the carrying out the business activity.

The designation of the Appointee is carried out by the employee’s preposition, with a hiring provision or service order, to the single service unit for which the permitted processing area is identified by means of the data registration forms.

The Officers must receive suitable and analytical instructions, also for homogeneous groups of functions, regarding the activities on the data entrusted (insertion, updating, cancellation, etc.) and the obligations to which they are required.

Art. 8 Nature of the provision of data and consent The consent to the processing of personal data is both voluntary and indispensable for the purpose of providing the requested service, i.e. the main purpose of data processing (including related administrative activities), since the failure to consent would prevent the benefit from being used.

Below are some special cases of acquiring consent to the processing of data on the basis of special laws or inherent specific categories of reports:

a) Minors

The consent to the processing of the data of a child under 16 must be signed by at least one parent exercising parental authority.

b) Persons subject to guardianship powers

The guardian submits the consent form for the processing of data on behalf of the protected user, addressing it to the user himself and completing it with his personal data and his signature; to this form attach the documentation issued by the Judicial Authority or, alternatively, a self-declaration of guardianship.

c) Person Who Cannot Sign

The user who cannot sign the consent form due to illiteracy, temporary or permanent physical impediment, without a legal representative, can express his consent verbally or by other means (gestures), of which the operator acknowledges (perhaps with the help of a family member, who knows the patient’s ways of expressing himself) with the aid of audiovisual recording tools that will be archived and used exclusively in the event of disputes.

8.1 Marketing Purposes

If the customer gives explicit consent, the contact details provided may be used by the Data Controller for the promotion of products or services similar to those that the customer has purchased or joined, for sending advertising material relating exclusively to the aforementioned services or for carrying out commercial communications.

By granting consent to the processing for marketing purposes, pursuant to art. 6, paragraph 1, letter a) of the Regulations, the interested party specifically takes note of the promotional, commercial and marketing purposes in the broad sense of the treatment and expressly authorizes said treatment both where the means used for the Treatment for Marketing Purposes are the telephone with operator or other non-electronic, non-telematic means or not supported by automatic, electronic or telematic mechanisms and / or procedures that where the means used for the Processing for Marketing Purposes are e-mail, fax, sms, mms, automatic systems without operator intervention and similar, including electronic platforms and other telematic means.

Pursuant to the General Provision of the Privacy Guarantor of 15 May 2013 entitled “Consent to the processing of personal data for” direct marketing “purposes through traditional and automated contact tools”, the attention of interested parties is specifically drawn to the fact that:

1. any consent given for the sending of commercial and promotional communications through IT or telematic methods will imply the receipt of such communications, not only through such automated contact methods, but also through traditional methods, such as paper mail or calls via operator;
2. the collection of consent envisaged from time to time will be unitary and comprehensive and will refer to all possible means of marketing processing. To proceed with the Processing for Marketing Purposes, it is mandatory to acquire specific, separate, express, documented, preventive and entirely optional consent.
3. without prejudice to the possibility of freely revoking consent to the processing of personal data for “direct marketing” purposes, even if only partially with respect to certain means or treatments;
4. the aforementioned revocation may be exercised by writing to info@oliosita.it and that opposition to this treatment will not have any consequences on the provision of services.

In addition, the Data Controller informs the interested party that the data may also be disclosed to third party business partners. The consent to the Treatment for Marketing Purposes – where provided by the interested party – does not also cover the different and further marketing treatment represented by the communication of data to third parties for the same purposes. To proceed with this communication externally, it is mandatory to acquire further, separate, additional, documented, express and entirely optional consent from the interested party, in compliance with the General Provision of the Guarantor of 4 July 2013 containing the Guidelines to combat spam.

Pursuant to the General Provision of the Guarantor of 4 July 2013, containing the Guidelines to combat spam, the third parties recipients of the communications of the personal data of the interested parties for the subsequent Processing for Marketing Purposes can be identified with reference to the following subjects and the following categories commodity or economic:

a) Third parties belonging to the product sectors of publishing, sports clubs, suppliers of electronic communication goods and services, Internet service providers, communication agencies, companies that provide insurance and financial services, companies in the food and catering sector, clothing, ICT hardware and software, banks and credit institutions, travel agencies, companies that offer services in the tourism sector, companies that offer services and goods for the person, companies that supply goods and services in the energy and gas sector.

The provision of personal data to the Data Controller and the provision of both the consent to the Processing for Marketing Purposes and the distinct consent to the communication to third parties for the Processing for Marketing Purposes for the purposes and with the methods illustrated above are absolutely optional and always revocable.

Since the certain purposes of the processing pursued are of a specific commercial, advertising, promotional and marketing nature in a broad sense and that the modules on the Site pursue these purposes by default, where the interested party does not intend to give consent to the Processing for Purpose of Marketing the

the consequence will be the inability to use the services of the Data Controller. Failure to provide the Processing for Marketing Purposes will result in interference and / or consequence on any other contractual, contractual or other relationships with the user.

Art. 9 Transfer of data abroad

Your personal data may also be transferred to other countries belonging to the European Union, exclusively to allow the appointed employees of the Data Controller to carry out their work in execution of the contract.

Your personal data may also be transferred to the United States (a country not belonging to the European Union) exclusively to allow the appointed employees of the Data Controller to carry out their work in execution of the contract. For this reason, no sensitive data will be transferred abroad. The transfer of personal data to the United States is also guaranteed by the “adequacy decision” of the European Commission on the privacy regulations of that country.

Art. 10 Rights of the interested party

As a person interested in the processing of personal data, you may at any time make use of the faculties and rights provided for by art. 13 paragraph 2 letter. re a) b) c) d) e) of EU Regulation 679/2016.

In particular, you are entitled to: · The right to obtain confirmation of the existence or not of personal data concerning you; The right of access, that is to have communication of data concerning you upon simple request; The right of opposition which provides for the possibility of opposing the processing of personal data for legitimate reasons. The right of rectification, i.e. modification and updating of data; · The right to be forgotten, i.e. to have the data concerning you deleted. In order to implement the right to be forgotten, the following distinction must be made:

• if the processing of data requires express consent, only the revocation of the latter will be sufficient to obtain the deletion, to be understood as automatic, of the data;
• if the processing of the data requires consent for conclusive facts, the cancellation can be implemented, upon request, only if the personal data are no longer necessary with respect to the purposes for which they were collected or processed. · The right to limit the processing that
• minimizes the use of data processing to what is necessary for the purposes of the same. However, this right is provided only in the following mandatory cases:
• where the data subject disputes the accuracy of personal data and for the time strictly necessary to verify its accuracy;
• where, in the presence of unlawful processing, the interested party objects to the cancellation of the data;
• where, if the Data Controller no longer needs to keep the data, there is an interest on the part of the interested party in their conservation for the purpose of exercising or defending a right in court;

in case of opposition to the processing, but only for the time necessary to establish the primacy between the interest of the Data Controller and the right of the data subject.The limitation can be revoked at any time and the Data Controller will inform the interested party before the revocation is effective. · The right to portability of the data provided by the interested party which allows the interested party to receive personal data concerning him in a commonly used format.
The right to withdraw consent to the processing of data for the primary purposes of the processing at any time. However, the withdrawal of consent may make it impossible to provide the service and in any case does not affect the lawfulness of the processing based on the consent given before the revocation;
The right to withdraw consent to the processing of data for the secondary marketing and newsletter purposes of the processing at any time. The withdrawal of consent does not make it impossible not to use the services of the Data Controller. In any case, this revocation does not affect the lawfulness of the processing based on the consent given before the revocation; – The right to lodge a complaint for violation of the law with the Privacy Authority, without prejudice to any other judicial action.

Requests should be sent via e-mail to the address: info@oliosita.it

Art. 11 Data retention period

The data retention period is provided by the Data Controller within 10 years from the last legally relevant processing or from the acquisition of consent to the processing itself.

For any further clarification, the interested party can connect to http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1812198