Cookie Policy


Authorisation declaration for processing identifiable, sensitive and legal personal data pursuant to Legislative Decree no. 196/2003 and EU Regulation 2016/679

The User, herein after referred to as “Data subject” according to the meaning set forth by letter “i” of art. 4, Legislative Decree 196/03, meaning, “natural person, legal person, body or association to which the personal data refers”,

Whereas

  • the User/Data Subject is the subject who accesses website catellanismith.com (herein after simply referred to as WEBSITE), of legal age and in full possession of his faculties;
  • pursuant to art. 23 (“Consent”) of Legislative Decree no. 196/03, the processing of personal data by private actors is allowed only upon the explicit consent rendered freely by the Data Subject, with specific reference to a certain processing method, and must be documented in writing following the privacy policy set forth by art. 13, Legislative Decree no. 196/03; similarly, for the purposes of EU Regulation 2016/679, “Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies the agreement to the processing of personal data relating to him or her; always pursuant to art. 23 (“Consent”) of Legislative Decree no. 196/03, should processing also or only concern so called “sensitive” data, the consent shall be expressed in writing, except in the hypotheses set forth by art.  26, par. 4, letter “c”, which content the Data Subject declares to know, acknowledging the text indicated in note 1 at the bottom of this authorisation;
  • for the purposes of EU Regulation 2016/679, the term “Data subject” refers to any identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • for the purposes of EU Regulation 2016/679, “Personal Data” means any information relating to the Data Subject, including personal information, telephone numbers, email addresses, data on commercial transactions and cash payments, among which amount, purchased product, seller’s details and payment method; “Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, “Biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data, and “Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
  • for the purposes of EU Regulation 2016/679 “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; “Cross-border processing” means processing of personal data which takes place in the context of the activities of establishments (intended the management location chosen by the Controller and place where the main processing activities are executed by the Processor) in more than one EU Member State; or processing of personal data which takes place in the context of the activities of establishments in one single EU Member State, but which substantially affects data subjects in more than one Member State;
  • for the purposes of EU Regulation 2016/679, “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  • for the purposes of EU Regulation 2016/679, “Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  • for the purposes of EU Regulation 2016/679, “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not, “Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • for the purposes of EU Regulation 2016/679, “Supervisory authority” means a supervisory authority that monitors the proper application of EU Regulation 2016/679 in the Italian Republic, in particular the Data Protection Supervisor with office in Rome, Piazza di Monte Citorio no. 121 – certified email: protocollo@pec.gpdp.it.
  • For the purposes of this privacy policy, “Transaction” means the sale or anyhow trade of products pursuant to laws in force in the Italian Republic.

In compliance with art. 13 (“Privacy Policy”) of Legislative Decree no. 196, par. 03, letter “c”, which content that you declare to know, acknowledging the text indicated in note 2 at the bottom of this authorisation, and pursuant to art. 7 (“Conditions for Consent”) and art. 12 of EU Regulation 2016/679, you declare to have been previously informed of the following:

The identification details of the Controller are as follows:

CATELLANI & SMITH S.R.L. – email: privacy@catellanismith.com.

The Controller can be contacted at the following email address: privacy@catellanismith.com.

Any change of Processor shall be also notified upon renewal of this consent, by amending the name of the Processor thereto.

The Personal Data is processed lawfully, fairly and in a transparent manner, only for scopes related to the functions allowed by the WEBSITE.

The WEBSITE collects, records, organises, stores, processes, modifies, selects, extracts, compares, uses, combines, discloses, deletes, and blocks the personal data processed for the operation of the WEBSITE.

Personal data is also collected for commercial purposes, in line with the scope for which the User/Data Subject registered or viewed the WEBSITE and anyhow, for related scopes and/or instrumental to the WEBSITE’s management activities.

The WEBSITE collects and processes data also for its own and third party’s commercial scopes, including for example Users’ profiling, analysis of purchase preferences, comparison of prices and offers, product comparison, marketing and commercial promotion activities, in addition to customise the WEBSITE’s offer to the User/Data Subject’s tastes and needs.

The WEBSITE reserves anyhow the right to collect and process data for different scopes and/or in conflict with the User/Data Subject’s interests for its own legitimate interest and to fulfil legal obligations to which it is bound as Data Controller or Processor.

The processed Personal Data will be exclusively limited and pertinent to the operation of the WEBSITE to which the User/Data Subject has registered or viewed.

The WEBSITE does not intentionally process data of minors and will immediately erase said data, in case it becomes aware of said unintentional processing.

The Personal Data shall be exact and, if needed, updated according to the User/Data subject’s indications upon registration.

The Personal Data shall be stored for the time required to execute the activities object of the permitted processing.

Personal Data will be processed through suitable methods that ensure security and prevent loss or destruction, even partial.

To said scope, it is specified that the processing by the WEBSITE does not imply high risks for the rights and freedoms of natural persons; however, the processing does not concern racial or ethnic origins, political opinions, religious beliefs, trade union memberships, genetic or biometric data that may univocally identify a natural person, data concerning health, sex life or sexual orientation or criminal convictions; therefore, profiling and marketing activities will not be executed based on said data but exclusively according to the preferences related to the products purchased or viewed through the WEBSITE’s platform.

Personal Data will be acquired and processed also for the scopes set forth by anti money-laundering laws, pursuant to EU Directive no.  2001/97 EC, Legislative Decree no. 56/2004 and subsequent changes and acknowledgement integrations and by implementation Ministerial Decrees, and you are aware of the possibility that said data may be disclosed to the Italian Exchange Office (UIC) to verify the punctual fulfilment of the afore-cited obligations.

Conferment of personal data is optional and not mandatory, unless specifically foreseen by law, however said action is required to view and browse the WEBSITE.

Should the Data Subject be authorised to use mobile apps linked to the WEBSITE, data concerning the location of the data subject is also conferred, stored and processed, including general information (e.g. IP address, postal code) and more specific information (e.g. GPS functions available on the mobile devices used to login the platform or related specific functions). If the Data Subject logs in the WEBSITE from a mobile device and does not wish the device to disclose information on his/her position, he/she can disable the GPS or other location tracking functions on the device, if this option is permitted by the latter.

The User/Data subject is aware of the Processing of “Log data”, which are automatically recorded by our servers or cloud servers, also hosted by Third parties, each time the User/Data subject logs in the WEBSITE or uses it, regardless of whether he/she is a registered user or logged in from his/her account; for example, these data are the IP address, login date and time, font of text character, hardware and software used to login, login and logout sites and URL, number of clicks, viewed pages and order of said pages, as well as the time spent on particular pages. Said data are also object of separate consent that the Data Subject releases to the Controller performing search engine activities on the web, the so called browser (e.g. Google) and can be used for analytics service and track the User/Data subject’s activities based on the interaction with the WEBSITE.

No users’ personal data is acquired by the WEBSITE through cookies. Cookies are not used to transmit personal information, nor are persistent cookies of any type or user-tracking systems used. The use of session cookies (which are not stored permanently on the user’s computer and are deleted when closing the browser) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server), which are necessary to allow the secure and efficient browsing of the site. The session cookies used in this site also avoid resorting to other IT techniques that may prejudice the privacy of the users’ browsing activity and do not allow acquiring personal identifiers of the user. The cookies to integrate third party’s products and software functions (Google Maps, YouTube videos, integrations with social networks, online payments, etc.) integrate functions developed by Third Parties on the WEBSITE pages in order to share the site contents or to use third party’s software (e.g. software for payments and transactions and other software that offer additional services). These cookies are sent by third party’s domains and partner sites that offer their functions on the site pages. You can view the settings of your browser’s cookies on the website of the relevant producer (e.g.: Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera, etc.).

The Data Subject can disable the use of cookies through the settings of his/her browser, however the procedures and data processing methods will be modified by selecting “Do Not Track” in the HTTP header prompted by your browser or mobile app.

The Data Subject’s activities are tracked if the latter clicks an ad for the WEBSITE’s services on third party’s sites or platforms such as search engines and social networks; similarly, the User/Data Subject’s activities are tracked if he clicks on a Third party’s ad on the WEBSITE.

The WEBSITE collects, also on behalf of third parties, and allows third parties to collect information on Users’ online activities for profiling the purchases made by the User also for commercial purposes, including marketing activities.

The WEBSITE may use social plugins provided and managed by Third parties (e.g. Facebook Like button); with the use of similar plugins, the Data Subject may transmit to Third parties, the information that is viewing on a specific section of the WEBSITE.  If the Data subject did not login his/her account from Third party’s sites, the Third party should not be able to discover his/her identity, unless the Data Subject has granted consent to the Third Party, to Process Personal Data.  If the Data subject has logged in his/her account from a Third party’s site, the latter may be able to associate information concerning the Data Subject’s browsing activity on the WEBSITE, to his/her account on the Third party’s site. Similarly, his/her interactions with the social plugin may be registered by the Third party. These Third party’s methods to access the Data Subject’s personal data are outside the WEBSITE’s functions and processing is not performed by the WEBSITE’s Controller or Processor but by the Third Party to whom the Data Subject should have granted his/her consent to data processing.  The Data subject declares to know the Third party’s privacy policy and their practices in terms of personal data processing and declares to have duly authorised processing, relieving the WEBSITE’s Controller or Processor from any liability.

The WEBSITE may allow the User/Data subject to share login information on the WEBSITE through his/her device or other sites and social platforms, such as for example list of contacts and relative identification details; in this case, the WEBSITE will collect and process shared information in order to improve the exploitation of the WEBSITE’s services by the User/Data Subject.

The WEBSITE may allow the use of some services without prior registration, such as transactions with non-registered Users. In this case, the WEBSITE collects only data strictly required to provide the service allowed to the non-registered User, among which login information to the WEBSITE, technical data to use the platform, geo-localization information to allow the Transaction and the necessary data for payments related to the Transaction.

Should consent and conferment of the necessary data be denied, it will not be possible to browse and/or continue browsing the WEBSITE.

The Controller may transfer the data referring to the Data Subject abroad or to third countries.

The Data subject is entitled to exercise the rights set forth by art. 7 (“Right to access personal data and other rights”), Legislative Decree no.  196, which content the Data Subject declares to know, acknowledging the full text indicated in note 5 at the bottom of this authorisation.

The User/Data Subject is entitled to exercise the following rights pursuant to EU Regulation 2016/679, by sending a request to the Controller:

– right to access (art. 15 of the afore-cited EU Regulation) data to verify whether certain information is being processed and processing scopes, category of processed data, recipients of potential communications of processed data, storage period of the processed data, potential existence of an automated decision-making process, including profiling as set forth by art. 22, par. 1 and 4 of EU Regulation 2016/679;

– right to rectification, including integration of incomplete data (art. 16 of the afore-cited EU Regulation);

– right to erasure (art. 17 of the afore-cited EU Regulation) data with no delays, upon request of the Data subject and compulsorily, if:

  • they are no longer required for the Processing scopes;
  • consent to Processing has been revoked;
  • the Data Subject objects to the Processing pursuant to art. 21 of the EU Regulation;
  • data have been unlawfully processed;
  • the erasure obligation is set forth by Italian or EU laws.

The erasure obligation is not applicable in case the right of freedom of expression and information is exercised to fulfil a legal obligation that imposes processing for reasons of public interest or national security that request processing, for justice purposes that justify processing.

– right to restriction of processing (art. 18 of the afore-cited EU Regulation) if the accuracy of the personal data is contested by the Data subject, for a period enabling the controller to verify the accuracy of the personal data, the processing is unlawful and the data subject opposes to erasure of the personal data, the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data subject for the establishment, exercise or defence of legal claims, and when the Data subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Data subject.

– Controller’s obligation to notify (art. 19 of the afore-cited EU Regulation) potential Recipients of personal data, of any erasures, rectifications and restrictions to processing.

– right to data portability (art. 20 of the afore-cited EU Regulation), the Data subject shall have the right to receive the personal data concerning him or her,  in a structured, commonly used, durable and machine-readable format from automated devices, also in multiple copies, via email at the address specifically indicated by the User/Data subject, free of charge, and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, when processing is carried out by automated means like in this case;

– right to object to the processing of his/her Personal Data (art. 21 of the afore-cited EU Regulation), unless the Controller demonstrates compelling legitimate grounds for the processing;

– right not to be subject to a decision based on automated processing, including profiling, unless said decision-making method is necessary for entering into, or performance of, a contract between Data subject and a Data Controller, is authorised by Union or Member State law, or is based on the Data subject’s explicit consent (art. 22 of the afore-cited EU Regulation).

The Controller declares that there are no specific risks related to the processing of the Data Subject’s Personal Data, to have evaluated any filing and processing duty and risk, to have accurately selected the best security measures to ensure privacy and non-disclosure of the Data Subject’s Personal Data.

The Controller reserves the right to use any suitable security method including encryption, pseudonymisation, coding of processed personal data.

The Data Controller declares anyhow to use suitable anti-intrusion and anti-breach systems also on servers or cloud servers, whether hosted by the same or third party.

The processing of identification, sensitive and legal personal data will take place within the limits set forth by law in accordance to art.  25, Legislative Decree no. 196/03, which content the Data Subject declares to know, acknowledging the text indicated in note 6 at the bottom of this authorisation, and can be subject in addition to processing for the afore-cited scopes, also to disclosure and/or diffusion according to the technical meaning set out in letters “a”, “l” and “m” of par. 1 of art. 4, Legislative Decree no. 196/03, acknowledging the text indicated in note 7 at the bottom of this authorisation.

The WEBSITE’s Controller and owner may be involved in merger, incorporation, purchase, division transactions and in this case, may transfer their corporate assets including the personal data of the Data Subject, who acknowledges and accepts the foregoing; in this case, the Data Subject will be informed of his/her personal data that are transferred or anyhow object of different privacy policies and/or authorisations.

The Data subject agrees to keep his/her personal data up-to-date and to the scope, will notify any change or update to the Controller.

Pursuant to the above, the User/ Data subject spontaneously declares to authorise the processing of his/her personal data, in conformity to the foregoing and as set forth by Legislative Decree no. 196/03 and EU Regulation 2016/679.

_______________________________

Privacy Policy pursuant to Legislative Decree no. 196 of 30th June 2003

  1. ART.26 par. 4 letter “c” – GUARANTEES FOR SENSITIVE DATA: “(…) 4. Sensitive data may be object of processing also without consent, prior authorisation by the Italian Data Protection Supervisor: c) when processing is required to execute defensive investigations as set forth by Law no. 397 of 7th December 2000 or – anyhow- assert or defend a right in trial, provided that data are processed exclusively for said scopes and for the time strictly required to attain them. If the data may reveal details on the state of health or sex life, the right must be equal to that boasted by the Data Subject or be a human right or other inviolable and fundamental right or right to freedom (…)”.
  2. ART.13 – INFORMATION: 1. The Data subject or person of whom personal data is collected, are previously informed orally or in writing about: a) the processing scopes and methods to which data are destined; b) compulsory or optional nature of the data conferment; c) consequences of a potential refusal; d) subjects or categories of subjects to whom the personal data may be disclosed or who may come to acquire knowledge thereof in the capacity of processors or persons appointed by controllers, and scopes of disclosure of said data; e) the rights set forth by art. 7; f) the personal details of the data controller and, if appointed, the representative on the State territory pursuant to art. 5 and the data processor. If several data processors have been designated by the data controller, at least one of them shall be referred to, and the communication networks or the mechanisms for easily accessing the updated list of the data processors shall be specified. If a data processor has been designated to provide responses to data subjects in case the rights set forth by art. 7 are exercised, such data processor shall be referred to. 2. The information set forth by par. 1 shall also contain the items referred to in specific provisions of this Code and may fail to include certain items if the latter are already known to the entity providing the data or their knowledge may concretely impair supervisory or control activities carried out by public bodies for purposes related to defence or State security, or else for the prevention, suppression or detection of offences. 3. The Italian Data Protection Supervisor can identify, with its own provision, simplified modalities for the information given in particular by the telephone services for public assistance and information. 4. Whenever the personal data are not collected from the Data subject, the information as per par. 1, also including the categories of processed data, shall be provided to the Data subject at the time of recording such data or, if their communication is foreseen, no later than when the data are first communicated. 5. The provision set forth by par. 4 is not applicable when: a) the data are processed in compliance with an obligation imposed by law, a regulation or EU legislation; b) the data is processed to carry out defensive investigations as set forth by Law no. 397 of 7th December 2000, or otherwise, to enforce or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor; c) the provision of information to the Data subject involves an effort that is declared by the Data Protection Supervisor to be manifestly disproportionate compared to the right to be protected – in which case the Data Protection Supervisor shall lay down suitable measures – or if it proves impossible in the opinion of the Data Protection Supervisor”.
  3. ART.4 – DEFINITIONS: (…) b) < personal data >, any information relating to a natural person, legal person, body or association, which can be identified or are identifiable, also indirectly, by reference to any other information, including a personal identification number; c) < identification data >, personal data that allow identifying the data subject directly; d) < sensitive data >, personal data revealing racial or ethnic origin, religious or philosophical beliefs or other beliefs, political opinions, membership to parties, unions, associations or organisations of religious, philosophical, political or union character, and data that reveal the state of health and sex life; e) < judicial data >, personal data revealing measures of the type set forth by art. 3, par. 1, letters from a) to o) and from r) to u) of Presidential Decree no. 313 of 14/11/2002, concerning criminal records, records of administrative sanctions resulting from offences and related charges, or the condition of accused person or person under investigation pursuant to art. 60 and 61 of the Criminal Code”.
  4. ART.4 – DEFINITIONS: (…) f) <Controller >, the natural, legal person, public administration and any other body, association or organism which decides – also with another controller – about the processing scopes and methods of personal data and tools used, including the security profile ; g) < processor >, the natural, legal person, public administration and any other body, association or organism appointed by the controller for personal data processing; h) <persons appointed by the Controller>, natural persons authorised by the controller or processor, to process data”.
  5. ART. 7 – RIGHT TO ACCESS PERSONAL DATA AND OTHER RIGHTS: 1. The Data subject has the right to obtain confirmation of the existence of his/her personal data even if not registered yet and their disclosure in intelligible form. 2. The Data subject has the right to obtain indication: a) of the origin of personal data, b) processing scopes and methods; c) logic applied in case of processing executed with electronic tools; d) identification details of the controller, processors and appointed representative pursuant to art. 5 par. 2; e) subjects or categories of subjects to whom the personal data may be disclosed or who may come to acquire knowledge thereof in the capacity of representative appointed in the State Territory, processors or controllers. 3. The Data subject has the right to obtain: a) data updating, rectification or integration, as required; b) erasure, transformation in anonymous form or block of data processed in breach of laws, including those data which are not required to be stored in relation to the scopes for which they were collected or subsequently processed; c) confirmation that the operations set forth by letters from “a” to “b” were disclosed, also in terms of content, to those subjects to whom data was disclosed or diffused, unless said fulfilment involves an effort that is impossible or manifestly disproportionate compared to the right to be protected. 4. The Data Subject has the right to fully or partially object: a) to the processing of his/her personal data for legitimate reasons, even if pertinent to the collection scope; b) to the processing of his/her personal data for the transmission of advertising or direct sale material or for market researches or business communications”.
  6. ART.25 – PROHIBITIONS TO DISCLOSE AND DIFFUSE: “1. Disclosure and diffusion are prohibited, in addition to the prohibition set forth by the Data Protection Supervisor and Judicial Authority: a) with regards to personal data for which erasure was ordered, or the time set forth by art. 11, par. 1, letter “e”, has been prescribed; b) for scopes other than those indicated in the processing notice, if required. 2. Without prejudice to communication or diffusion of data, pursuant to law, requested by the police, judicial authority, training and security bodies and other public subjects in conformity to art. 58, par. 2, for purposes related to defence or State security, or else for the prevention, suppression or detection of offences”.
  7. ART.4 – DEFINITIONS: (…) a) < processing > any operation or series of operations, also carried out without electronic tools, concerning the collection, recording, organisation, storage, consultation, elaboration, modification, selection, extraction, comparison, use, combination, block, disclosure, diffusion, erasure and destruction of data, even if not registered in a database (…); l) < disclosure > disclosure of personal data to one or more determined subjects other than the Data Subject, by the representative appointed by the Controller in the State territory, processor or persons appointed in any form, also by making them available or by consultation ; m) < diffusion > disclosure of personal data to undetermined subjects, in any form, also by making them available or by consultation”.