PRIVACY POLICY

Information provided pursuant to Art. 13 of Reg. EU 2016/679 (hereinafter GDPR)

General Information

Data subjects (pursuant to Art. 4, c.1 of the GDPR) are informed of the following general profiles, valid for all processing areas:

  • All data is processed in compliance with current privacy regulations (Reg. EU 2016/679 and D.Lgs.196/2003, as amended and integrated by D.Lgs.101/2018);
  • All data is processed lawfully, fairly, and transparently concerning the data subject, respecting the general principles provided by Art. 5 of the GDPR;
  • Specific security measures are observed to prevent data loss, unlawful or incorrect use, and unauthorized access (GDPR, Art. 32).

Data Controller

The Data Controller is the undersigned Company (represented by the legal representative pro-tempore) and can be contacted for any privacy-related requests or to exercise the rights listed below at the following contacts:

DATA CONTROLLER

Name: Lafer Spa

Email: info@lafer.eu

DATA PROTECTION OFFICER

Name: Galli Data Service Srl

Email: dpo@gallidataservice.com

Rights of Data Subjects

  • The right to request confirmation of the existence of, and access to, personal data concerning them (Art. 15 “Right of Access”);
  • The right to obtain the rectification/integration of inaccurate or incomplete data (Art. 16 “Right to Rectification”);
  • The right to obtain, if justified, the deletion of data (Art. 17 “Right to Erasure”);
  • The right to obtain the restriction of processing (Art. 18 “Right to Restriction of Processing”);
  • The right to receive data concerning them in a structured format (Art. 20 “Right to Data Portability”);
  • The right to object to processing and automated decision-making, including profiling (Art. 21, 22);
  • The right to withdraw previously given consent;
  • The right to lodge a complaint with the Data Protection Authority in case of non-response.

The following specific information is provided for:

  1. Data processing related to the operation of this website
  2. Data processing of customers/suppliers of the Data Controller

1) DATA PROCESSING RELATED TO THE OPERATION OF THIS WEBSITE

1.1 Browsing Data

The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature, it could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of computers used by users connecting to the site, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters related to the user’s operating system and IT environment.

Purpose and Legal Basis of Processing

(GDPR Art. 13, paragraph 1, letter c)

This data is used solely to obtain anonymous statistical information on site use and to check its correct functioning. The data could also be used to ascertain responsibility in case of hypothetical computer crimes against the site (legitimate interests of the Data Controller).

Communication Scope

(GDPR Art. 13, paragraph 1, letters e, f)

Data can be processed only by internal personnel, regularly authorized and trained in processing (GDPR-Art.29), or by any entities responsible for website maintenance (appointed as external processors) and will not be communicated to other entities, disseminated, or transferred to non-EU countries (unless in compliance with the provisions of Chapter V of the GDPR). Only in the case of an investigation may it be made available to the competent authorities.

Data Retention Period

(GDPR Art. 13, paragraph 2, letter a)

Data is usually retained for short periods, except for any extensions related to investigation activities.

Provision of Data

(GDPR Art. 13, paragraph 2, letter f)

The data is not provided by the data subject but is acquired automatically by the site’s technological systems.

1.2 Cookies

This information is provided pursuant to Art. 13 of Reg. EU 2016/679 “GDPR,” as well as the current specific regulations on cookies:

  • “Cookie Guidelines and Other Tracking Tools” of June 10, 2021 (Published in the Official Gazette No. 163 of July 9, 2021);
  • Guidelines 5/2020 on consent under Regulation (EU) 2016/679, adopted by the European Data Protection Board.

The user can check the types of cookies and set their preferences through the appropriate banner, as well as through the specific tools provided by the main web browsers. Below, some general information is provided about cookies and similar technologies.

What cookies are: Cookies are short fragments of text (letters and/or numbers) that allow the web server to store on the client (the browser) information to be reused during the same visit to the site (session cookies) or later, even after days (persistent cookies). Cookies are stored, according to the user’s preferences, by the individual browser on the specific device used (computer, tablet, smartphone). Similar technologies, such as web beacons, transparent GIFs, and all forms of local storage introduced with HTML5, can be used to collect information about user behavior and usage of services. In this privacy policy, we will refer to cookies and all similar technologies using simply the term “cookies.”

Possible Types of Cookies

With reference to the provision “Cookie Guidelines and Other Tracking Tools” of June 10, 2021 (Published in the Official Gazette No. 163 of July 9, 2021) and to the Register of Measures No. 231 of June 10, 2021, the categories of cookies used, their purposes, and the coding criteria are classified below.

Category: Technical navigation, session, functionality cookies
Purpose: Ensure normal navigation and use of the site
Coding criteria: These are coded as technical since they are used solely to “carry out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide that service.”

Category: Analytical (equivalent to technical) cookies
Purpose: Collect information on the number of visitors and pages viewed
Coding criteria: FIRST-PARTY COOKIES are coded as equivalent to technical cookies, as they are used solely to produce aggregate statistics related to the individual site (even possibly with a clear IP, in compliance with the purpose limitation). THIRD-PARTY COOKIES are coded as equivalent to technical cookies, as they are used with IP masking, without combination with other processing and without transmission to further third parties.

Category: Profiling and identifying analytical cookies
Purpose: Define identifying profiles of user preferences and habits
Coding criteria: These are coded as profiling since they are used to trace specific actions or recurring behavioral patterns of identified or identifiable subjects in using the offered functionalities (patterns) to group different profiles within homogeneous clusters of varying breadth, making it possible to increasingly personalize service delivery and send targeted advertising messages, i.e., in line with the user’s preferences while browsing the web.

Functionality Provided Through the Pop-up Banner

Profiling cookies are blocked by default on the first access to the site, during which the user is presented with a banner through which the user can express their choices:

  • accept only technical cookies (thus keeping profiling cookies blocked);
  • accept all cookies;
  • express personalized preferences on which cookies to accept.

These preferences are recorded, accessible, and possibly modifiable through an icon placed in the fixed structure of the site.

Correlations with Portals and Social Media

The site’s pages may contain links to facilitate interaction with social platforms and content sharing. It should be noted that the processing of data entered by the user on the various social channels takes place according to the social platform’s privacy rules and settings, which the user agrees to upon registration. For informational purposes, some links to the main social networks are provided, through which it is possible to manage privacy configurations and acceptance of any cookies:

Further Information on Types and How to Manage Preferences

Through the main web browsers, by clicking on the appropriate icons, it is possible to obtain an analytical classification of the cookies used by the site, complete with the following: cookie name, content, domain, sending mode, persistence.

Through the main web browsers, it is also possible to:

  • block the reception of all (or some) types of cookies by default
  • remove all or some of the installed cookies

For information on setting individual browsers, see the following paragraph. It should be noted that blocking or deleting cookies may compromise site navigation. The site may contain links to third-party sites and third-party cookies; for more information, we invite you to view the privacy policy of any linked sites.

Managing Preferences through the Main Web Browsers

The user can decide whether or not to accept cookies using their browser settings (we note that, by default, almost all web browsers are set to accept cookies automatically). The setting can be changed and defined specifically for different sites and web applications. Additionally, the best browsers allow specific settings for “first-party” and “third-party” cookies. Usually, the cookie configuration is carried out from the “Preferences,” “Tools,” or “Options” menu.

Below are the links to the cookie management guides of the main browsers:

Further Information

  • allaboutcookies.org (for more information on cookie technologies and their operation)
  • youronlinechoices.com/it/a-proposito (allows users to oppose the installation of the main profiling cookies)
  • garanteprivacy.it/cookie (collection of the main regulatory interventions in the matter by the Italian Data Protection Authority)

1.3 Specific Site Features

Some site pages may request information from the user in connection with specific services (e.g., request information, user registration, work with us, newsletter subscription, etc.).

Purpose and Legal Basis of Processing

(GDPR Art. 13, paragraph 1, letter c)

Only the data necessary for the correct provision of the service and required to provide correct and exhaustive responses to the data subjects will be requested. Processing is subject to specific, free, and informed consent (GDPR Art. 6, paragraph 1, letter a). Regarding the newsletter, it will always be possible to exercise the right to unsubscribe, including through the appropriate function at the bottom of each message sent.

Communication Scope

(GDPR Art. 13, paragraph 1, letters e, f)

Data is processed only by personnel regularly authorized and trained in processing (GDPR-Art.29) or by any subjects responsible for maintaining the web platform (appointed as external processors). Data will not be disclosed or transferred to non-EU countries (unless in compliance with the provisions of Chapter V of the GDPR).

Data Retention Period

(GDPR Art. 13, paragraph 2, letter a)

Data is retained for periods compatible with the purpose of collection, always respecting the possible exercise of the right to erasure under Art. 17 of the GDPR.

Provision of Data

(GDPR Art. 13, paragraph 2, letter f)

The provision of data relating to the required fields is necessary to obtain a response, while optional fields are intended to provide the staff with further useful elements to facilitate contact.

1.4 Data Provided Voluntarily by the User

The optional, explicit, and voluntary sending of messages to contact addresses, private messages sent by users to institutional profiles/pages on social media (where this possibility is provided), and the completion and forwarding of any forms/modules present, involve the acquisition of the sender’s contact data, necessary to respond, as well as all personal data included in the communications. The sender is therefore personally responsible for the accuracy of the data provided, as well as their relevance and non-excessiveness concerning the requests made.

2) DATA PROCESSING RELATED TO RELATIONSHIPS WITH CUSTOMERS AND SUPPLIERS

2.1 Object of Processing

The company processes personal identification data of customers/suppliers, including potential ones (e.g., name, surname, company name, personal/tax data, address, phone number, email, banking, and payment references) and their operational contacts (name, surname, and contact details) acquired and used in the context of providing the products/services offered.

2.2 Purpose and Legal Basis of Processing

Data is processed to:

  • Conclude contractual/professional relationships and provide the related services;
  • Fulfill pre-contractual, contractual, and tax obligations arising from existing relationships, as well as manage the necessary communications related thereto;
  • Fulfill obligations under the law, a regulation, EU legislation, or an order of the Authority;
  • Exercise a legitimate interest as well as a right of the Data Controller (e.g., the right to defense in court, protection of credit positions; ordinary internal operational, managerial, and accounting needs).

Failure to provide the above data will make it impossible to establish the relationship with the Data Controller. The above purposes represent, under Art. 6, paragraphs b, c, f, appropriate legal bases for processing. If processing for different purposes is intended (e.g., marketing communications, production of photo/video content, etc.), specific consent will be requested from the data subjects.

2.3 Processing Methods and Retention Period

The processing of personal data is carried out by the operations indicated in Art. 4 n. 2) GDPR, namely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of data. Personal data is processed both on paper and electronically. The Data Controller will process personal data for as long as necessary to fulfill the purposes for which it was collected and related legal obligations (normally coinciding with the relationship with the data subject, except for an extension in reference to the obligations of administrative documentation retention and commercial correspondence).

2.4 Scope of Processing

Data is processed by internal subjects regularly authorized and trained under Art. 29 of the GDPR. It is also possible to request the scope of personal data communication, obtaining precise information on any external entities operating as Controllers or autonomous Data Controllers (e.g., consultants, technicians, banks, carriers, etc.). Data may be communicated to any controlled/affiliated companies for various reasons. Data is not subject to dissemination or transfer outside the EU (it may be subject to transfer outside the EU only in compliance with the conditions outlined in Chapter V of the GDPR, aimed at ensuring that the level of protection for data subjects is not undermined “Art. 45 Transfer on the basis of an adequacy decision, Art. 46 Transfer subject to appropriate safeguards, Art. 47 Binding corporate rules, Art. 49 Specific derogations”). Data is not subject to automated processes that produce significant consequences for the data subject.

2.5 Information Exchanged via Lafer Email Accounts

All interlocutors exchanging emails with …@lafer.eu accounts are informed that all contents of such communications are intended to be of a purely work-related nature and purpose and, therefore, may be known within the company organization. Emails sent from corporate domains and any attachments should be considered confidential and the property of the undersigned company. If received in error, they must not be disclosed, copied, or distributed for any reason. Any personal data will still be processed in accordance with current privacy and personal data protection regulations, as well as within the scope indicated in this policy.

3) POLICY UPDATE

Please note that this information may be subject to periodic revision, also in relation to applicable regulations and case law. In case of significant changes, appropriate visibility will be provided on the site’s home page for a reasonable period. The data subject is still invited to periodically review this policy.