The subscription to the newsletter service is only allowed to people with a minimum age of 16 and requires the provision of some personal data.
In accordance with the current legislation regarding the protection of personal data (Article 13 General Data Protection Regulation, hereinafter also GDPR), the Antica Dolceria Bonajuto Srl, with registered office in Corso Umberto I, n. 159, 97015 Modica (RG), VAT number 01218510889, data controller, (indicated as “Owner” or “Antica Dolceria Bonajuto”), provides those users, who wish to subscribe to the service by means of the form on the website www.bonajuto,it (hereinafter also referred to as “website”), some information regarding the processing of acquired data.
Only users with an e-mail address, who are at least 16 years old, can subscribe to the Newsletter. The Newsletter includes promotional and commercial information.
Who is the data controller?
The data controller is Antica Dolceria Bonajuto Srl.
Which data are processed?
All details provided by the user through filling in the information request form, as well as his/her IP address, are processed.
What are the purposes and legal bases of processing personal data?
Personal data submitted by the user through the dedicated form are used to allow the interested party to subscribe to the newsletter and receive regular promotional and commercial information sent to the indicated e-mail address.
The legal basis of the processing of such data is the given consent, as the interested party signs up for a service that involves sending promotional e-mails.
If necessary, the data can also be used on the base of the legitimate interest of the owner to carry out defensive activities or to assert or defend a right in court.
Data are processed through the platform and online instruments offered by “MailChimp” by the American company The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308. Therefore, in case of subscription, data of the interested party may be transferred and made known to the above-mentioned American service provider that agreed to the decision of adequacy of the European Commission called “Privacy Shield”, thereby ensuring the respect of personal data being processed, and operates, for this service, as the data controller. The specifications relating to this service are available on the following links
mailchimp.com/legal/terms/ – mailchimp.com/legal/privacy/.
The data are stored until the interested party requests to do otherwise and expresses the will to stop receiving the Newsletter, and in any case not later than five years from the registration of the personal data, except for any defensive needs – in such case data may be kept even beyond the indicated deadline.
Who has access to personal data?
The data will be processed by employees and authorized collaborators. The data may also be known by consultants or by companies providing IT supply and assistance services for the purposes related to the activities carried out on behalf of the owner, by marketing consultants who provide assistance for the management of mailing lists and by consultants for the management of litigation and for legal assistance in the event of any disputes that may require their expertise.
As already indicated, data may also be known by the MailChimp service provider, used for the service of sending Newsletters.
The interested party can request the list of external parties who carry out their activities as data controllers.
Moreover, data may also be communicated, subject to the consent of the interested party, to service providing companies planning marketing activities (they do not operate as data controllers), which the owner uses for his marketing activities.
What if no data provision takes place?
The provision of data is optional. However, it won’t be possible to subscribe to the Newsletter and receive regular e-mails.
Rights of the interested party
By law, the interested party has the right to ask the data controller for access to his/her personal data and to correct or cancel them or restrict their processing or to oppose to the processing. Moreover, the user has the right to data portability.
The interested party can assert his/her rights at any time, without formalities, by contacting the data controller using the e-mail address: firstname.lastname@example.org.
Below you can find details of the rights acknowledged by the current legislation are detailed the rights recognized by current legislation with regards to the protection of personal data.
- Right of access: i.e. the right to obtain confirmation from the data controller whether or his/her personal data are being processed. If yes, he/she shall have access to those personal data as well as the following information: a) processing purposes; b) categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations; (d) the retention period of personal data or, if this is not possible, the criteria used to determine such period; e) the existence of the right of the interested party to ask the data controller to correct or delete personal data or limit the processing of personal data or to be against their treatment; f) the right to file a complaint with a supervisory authority; g) all information regarding the origin of the data, if these are not collected from the interested party, h) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the used logic as well as the importance and expected consequences for the interested party for the processing. Whenever personal data are transferred to a third country or an international organization, the interested party has the right to be informed of the existence of adequate guarantees relating to the transfer.
- Right of rectification: i.e. the right to ask the data controller to rectify incomplete or incorrect personal data without unnecessary delay. Considering the purposes of the processing, the interested party has the right ask his/her personal data to be integrated, also by providing an additional declaration.
- Right to cancellation: i.e. the right to ask the data controller to delete one’s personal data without unnecessary delay, if: a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) the interested party revokes the consent on which the processing of his/her data is based on, and if there is no other legal basis for the processing; c) the interested party is against the processing because it is needed for the execution of a task of public interest or connected to the exercise of public authority for which the holder is appointed, or for the pursuit of legitimate interest and there is no legitimate reason to proceed the processing, or he/she is against processing for direct marketing purposes; d) personal data have been processed unlawfully; e) personal data must be deleted to fulfil a legal obligation under the EU or Member State law to which the data controller is subject to; f) personal data have been collected in relation to an offer by information society services of minors. However, the request for cancellation cannot be accepted if the processing is necessary: a) for the exercise of the right to freedom of expression and information; b) for the fulfilment of a legal obligation requiring processing under the EU or a Member State law to which the data controller is subject to or for the performance of a task carried out in the public interest or in the exercise of official authority; c) for reasons of public interest in the public health sector; d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, insofar as the cancellation risks make it impossible or seriously prejudice the achievement of the objectives of such treatment; or e) for the assessment, exercise or defence of a right in court.
- Right of limitation, i.e. the right to be guaranteed that data are processed, except for retention, only with the consent of the interested party or for the assessment, exercise or defence of a right in court or to protect the rights of another personal or legal person, or for reasons of significant public interest of the EU or a Member State, if: a) the interested party questions the accuracy of personal data for the period needed by the data controller to verify the accuracy of such personal data; b) the processing is illegal and the interested party is against the cancellation of his/her personal data and asks that they are used in a limited way instead; c) although the data controller no longer needs the data for processing purposes, the interested party needs them, in order to verify, exercise or defend a right in court; d) the interested party has opposed the processing carried out because it is necessary for the execution of a task of public interest or connected to the exercise of public authority the owner was appointed with, or for the pursuit of the legitimate interests of the data controller or third parties, waiting for verification of a possible prevalence of legitimate reasons of the data controller as opposed to those of the interested party.
- Right to portability, i.e. the right to receive personal data (given to the holder) in a structured, commonly used and readable way from automatic devices, and the right to transfer such data to another holder without impediments by the holder they were given, as well as the right to obtain direct transfer of his/her personal data from one holder to another, if technically feasible, should the processing be based on consent or on a contract and the processing is done by automated means. This right does not affect the right to cancellation.
- Right of opposition, i.e. the right of the interested party to oppose at any time, for reasons connected to his/her particular situation, the processing of personal data, since it is necessary for the performance of a task of public interest or related to the exercise of public authority for which the holder was appointed with, or for the pursuit of the legitimate interest of the data controller or third parties. If personal data are processed for direct marketing purposes, the interested party has the right to oppose the processing of personal data at any time, including profiling in so far as it is related to such direct marketing.
Should the processing the interested party’s personal data take place in violation of the provisions of the GDPR, he/she has the right to file a complaint with the guarantor, as provided for by art. 77 of the Regulations or to take appropriate judicial offices (Article 79 of the Regulations).
Further information on the processing of personal data