Visiting the website www.bonajuto.it (hereinafter also referred to as the “website”) may involve the processing of certain personal data of users (hereinafter also referred to as the “interested party”).
In accordance with the current legislation (Article 13 General Data Protection Regulation (GDPR), the Antica Dolceria Bonajuto Srl, with registered office in Corso Umberto I, n. 159, 97015 Modica (RG), VAT number 01218510889, data controller, (indicated as “Owner” or “Antica Dolceria Bonajuto”), provides those users who visit the website with information regarding the processing of acquired data.
Who is the data controller?
The data controller is Antica Dolceria Bonajuto Srl.
Which data are processed?
All browsing data and data provided voluntarily by the user a processed.
Data provided directly by the user
The data controller processes data that are provided directly by the User, i.e. personal data the user provides optionally (for example when requesting information or clarification by contacting the telephone numbers indicated on the website or sending an e-mail to the mentioned e-mail address).
The user may contact the Owner (to seek information, to book a tasting itinerary or tour, to become a retailer…), adhere to some services (Newsletters, postings published in the blog area, access to reserved area…) or buy goods for sale (as indicated in the Terms of Sale of this website) through the dedicated form available on the website pages, which list specific indications that the user will have to review before providing any data.
The user issuing data referring to third parties (for example, by filling in the website form or through e-mail or telephone conversations) takes on all the obligations and responsibilities under current legislation regarding their processing method, guarantees that he/she has acquired and will process those third party details, if provided, in accordance with the mentioned specific regulations and indemnifies the Antica Dolceria Bonajuto from claims, disputes and damage-related reimbursements related to the information of third party details.
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transfer is implicit in the use of Internet communication protocols. This information could allow to identify users through processing and associations with data held by third parties. Such category of data includes IP addresses or domain names of computers used by users connecting to the website, URI addresses (Uniform Resource Identifier) of requested resources, the time of the request, the used method to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), and other parameters related to the operating system and the User’s IT environment.
What are the purposes and legal bases of processing personal data?
Data provided directly by the user – purposes and legal bases
The personal data provided by the user by contacting the owner are used to process any requests solely.
The legal bases for processing such data are therefore: the implementation of pre-contractual measures.
If necessary, those data can also be used on the basis of legitimate interest of the owner to carry out defensive activities or to assert or defend a right in court.
Detailed information concerning the purposes and legal bases, related to the specific processing methods for which the data are required, are mentioned in the information sheet regarding services and dedicated areas.
Browsing data – purposes and legal bases
Browsing data are used to obtain statistical information about the website use, for safety purposes of the website and to check its correct functioning. The data could be used to ascertain responsibility in case of hypothetical IT crimes jeopardising website security.
Browsing data of users accessing the website are acquired and processed directly by the hosting provider without the Antica Dolceria Bonajuto having access, except for the IP of the user who fills in a form, and the data acquired through third-party services (such as Google Analytics). To this regards, please refer to the dedicated information sheets.
The legal basis of processing browsing data is the legitimate interest of the owner consisting of defensive needs and, in the case of requests by the Authorities, the legal obligation.
Who has access to personal data?
Data will be processed by employees and authorized collaborators. Moreover, data may also be disclosed to the competent Authorities in case of specific requests to which the holder is required to comply with by law, by consultants or by companies providing IT services and support for activities carried out on behalf of the owner and by consultants dealing with controversies and for legal assistance in the event of any disputes that may require their involvement.
The interested party may ask the data controller foe a list of external parties who carry out their activities as data controllers.
Collected data are processed with informatic devices and only in a limited manner in written form on paper.
Data retention period
The retention period of the personal data provided by the interested party is limited to a strict minimum needed for the fulfilment of the request and then deleted, except for defensive needs (which may require further retention).
Browsing data of users accessing the website are acquired and processed directly by the hosting provider without the Antica Dolceria Bonajuto having access, except for the IP of the user, who fills in a form, and the data acquired through third-party services (such as Google Analytics). Please refer to the dedicated information sheet.
Place of processing data
The Owner uses servers located within Europe and IT systems located at the Owner’s registered office for the data processing connected to website services. The use of some services offered by the owner, which the user can confirm through a specific form on the website (like for the Newsletter), require the data to be transferred abroad; all details are included in the dedicated information sheet regarding the requested service. Please note, however, that the owner considers whether the supplier to be used offers the necessary guarantees required for the data transfer abroad.
The provision of data by users through the various available methods is free and optional, except for the browsing data that are necessary to run the IT and telematic protocols.
However, if one does not provide the data, it will be impossible to reply to requests and use the interested services.
Rights of the interested party
By law, the interested party has the right to ask the data controller for access to his/her personal data and to correct or cancel them or restrict their processing or to oppose to the processing. Moreover, the user has the right to data portability.
The interested party can assert his/her rights at any time, without formalities, by contacting the data controller using the e-mail address: firstname.lastname@example.org.
Below you can find details of the rights acknowledged by the current legislation are detailed the rights recognized by current legislation with regards to the protection of personal data.
- Right of access: i.e. the right to obtain confirmation from the data controller whether or his/her personal data are being processed. If yes, he/she shall have access to those personal data as well as the following information: a) processing purposes; b) categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations; (d) the retention period of personal data or, if this is not possible, the criteria used to determine such period; e) the existence of the right of the interested party to ask the data controller to correct or delete personal data or limit the processing of personal data or to be against their treatment; f) the right to file a complaint with a supervisory authority; g) all information regarding the origin of the data, if these are not collected from the interested party, h) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the used logic as well as the importance and expected consequences for the interested party for the processing. Whenever personal data are transferred to a third country or an international organization, the interested party has the right to be informed of the existence of adequate guarantees relating to the transfer.
- Right of rectification: i.e. the right to ask the data controller to rectify incomplete or incorrect personal data without unnecessary delay. Considering the purposes of the processing, the interested party has the right ask his/her personal data to be integrated, also by providing an additional declaration.
- Right to cancellation: i.e. the right to ask the data controller to delete one’s personal data without unnecessary delay, if: a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) the interested party revokes the consent on which the processing of his/her data is based on, and if there is no other legal basis for the processing; c) the interested party is against the processing because it is needed for the execution of a task of public interest or connected to the exercise of public authority for which the holder is appointed, or for the pursuit of legitimate interest and there is no legitimate reason to proceed the processing, or he/she is against processing for direct marketing purposes; d) personal data have been processed unlawfully; e) personal data must be deleted to fulfil a legal obligation under the EU or Member State law to which the data controller is subject to; f) personal data have been collected in relation to an offer by information society services of minors. However, the request for cancellation cannot be accepted if the processing is necessary: a) for the exercise of the right to freedom of expression and information; b) for the fulfilment of a legal obligation requiring processing under the EU or a Member State law to which the data controller is subject to or for the performance of a task carried out in the public interest or in the exercise of official authority; c) for reasons of public interest in the public health sector; d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, insofar as the cancellation risks make it impossible or seriously prejudice the achievement of the objectives of such treatment; or e) for the assessment, exercise or defence of a right in court.
- Right of limitation, i.e. the right to be guaranteed that data are processed, except for retention, only with the consent of the interested party or for the assessment, exercise or defence of a right in court or to protect the rights of another personal or legal person, or for reasons of significant public interest of the EU or a Member State, if: a) the interested party questions the accuracy of personal data for the period needed by the data controller to verify the accuracy of such personal data; b) the processing is illegal and the interested party is against the cancellation of his/her personal data and asks that they are used in a limited way instead; c) although the data controller no longer needs the data for processing purposes, the interested party needs them, in order to verify, exercise or defend a right in court; d) the interested party has opposed the processing carried out because it is necessary for the execution of a task of public interest or connected to the exercise of public authority the owner was appointed with, or for the pursuit of the legitimate interests of the data controller or third parties, waiting for verification of a possible prevalence of legitimate reasons of the data controller as opposed to those of the interested party.
- Right to portability, i.e. the right to receive personal data (given to the holder) in a structured, commonly used and readable way from automatic devices, and the right to transfer such data to another holder without impediments by the holder they were given, as well as the right to obtain direct transfer of his/her personal data from one holder to another, if technically feasible, should the processing be based on consent or on a contract and the processing is done by automated means. This right does not affect the right to cancellation.
- Right of opposition, i.e. the right of the interested party to oppose at any time, for reasons connected to his/her particular situation, the processing of personal data, since it is necessary for the performance of a task of public interest or related to the exercise of public authority for which the holder was appointed with, or for the pursuit of the legitimate interest of the data controller or third parties. If personal data are processed for direct marketing purposes, the interested party has the right to oppose the processing of personal data at any time, including profiling in so far as it is related to such direct marketing.
Should the processing the interested party’s personal data take place in violation of the provisions of the GDPR, he/she has the right to file a complaint with the guarantor, as provided for by art. 77 of the Regulations or to take appropriate judicial offices (Article 79 of the Regulations).
Stand of the present privacy information 18/09/2018