Purchasing online through the website www.bonajuto.it (hereinafter also referred to as the “website”) and/or the account registration facilitating the purchase process, involves the transfer of determined personal data of users (hereinafter also referred to as “interested party”).
In accordance with the current legislation (Article 13 General Data Protection Regulation (GDPR), the Antica Dolceria Bonajuto Srl, with registered office in Corso Umberto I, n. 159, 97015 Modica (RG), VAT number 01218510889, data controller, (indicated as “Owner” or “Antica Dolceria Bonajuto”), provides those users who visit the website with information regarding the processing of acquired data.
Who is the data controller?
The data controller is Antica Dolceria Bonajuto Srl.
Which data are processed?
All details provided by the user through filling in the information request form, as well as his/her IP address, are processed.
What are the purposes and legal bases of processing personal data?
Data will be only processed in order to initiate an order request and for the purposes related to product purchases through the website, and to manage those activities connected with and related to the purchase (such as accepting an order, carrying out inventory, shipping, managing complaints and returns, accounting management of purchases).
If the user requests the registration of his/her account, data are processed to allow him or her to take advantage of the adhered service and to manage purchases made on the website in a quicker way.
The legal basis for processing such data is therefore the execution of pre-contractual and contractual measures. If expressly agreed, data of the interested person may also be used to send advertising or direct sales materials, or to carrying out market research or business communication referred to the activities and services offered by the Owner via traditional means, such as telephone contact through call-centre, and automatic means, such as e-mails and text messages. The legal basis of processing for marketing purposes is given by the consent of interested party.
If necessary, the data can also be used on the base of the legitimate interest of the owner to carry out defensive activities or to assert or defend a right in court.
The data acquired through the form are managed by the holder in his registered office, by means of informatic devices and paper support. Appropriate security measures are taken to prevent loss of data, illegal or incorrect use and unauthorized access.
Processed data to manage purchases are saved in accordance with existing legal requirements, and anyway within the timeframe indicated for the rights and obligations tinged in for the processing. However, if the interested party authorizes the processing of personal data for commercial and promotion purposes based on Article 130, Comma 1 and 2 of D. Lgs. 196/2003 (Privacy Code), communication may occur not only through automated contact methods, but also more traditional ones, such as mail or calls. Promotional e-mails are sent by the holder via “MailChimp” by the American company The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, that agreed to the decision of adequacy of the European Commission called “Privacy Shield”, thereby ensuring the respect of personal data being processed, and operates, for this service, as the data controller. The specifications relating to this service are available on the following links mailchimp.com/legal/terms/ – mailchimp.com/legal/privacy/.
If the user agrees, the data processed for marketing purposes will be kept for five years, without prejudicing the right of opposition that the interested party may freely exercise at any time and without any charge, even separately, for sending promotional communications via automated or through traditional means.
Any defensive needs are reserved for which the data may be kept even after the indicated deadline.
Who has access to personal data?
The data will be processed by employees and authorized collaborators. The data may also be known by the competent Authorities in case of specific requests to which the holder is required by law to follow up, by consultants or by companies providing IT supply and assistance services for the purposes related to the activities carried out on behalf of the owner, by the consultants that support the owner for the accounting and administrative management, by the shipping and logistics companies for the activities related to the purchase, by the consultants and the companies to which the marketing activities are delegated and by the legal consultants for the management litigation and for legal assistance in the event of any disputes that may require their expertise.
As already indicated, data may also be known by the MailChimp service provider, used for the service of sending promotional emails.
The interested party can request the list of external parties who carry out their activities as data controllers.
Moreover, data may also be communicated, subject to the consent of the interested party, to service providing companies planning marketing activities (they do not operate as data controllers), which the owner uses for his marketing activities.
Place of processing data
The Owner uses servers located within Europe for the data processing connected to website services.
However, if the interested party authorizes the processing of personal data for marketing purposes, these could be sent to the companies indicated in the present information, in compliance with the provisions of current regulations with regards to privacy. In some cases, such companies are based in non-EU countries.
To this matter, please consider that the Owner sends any business and promotion related communications via email by using the platform and the tools offered by “MailChimp” service of the American company The Rocket Science Group. Standard contract clauses have been signed with such company, in order to legitimize and ensure the non-EU transfer. The specifications, related to this service the Owner relies on, are available under link mailchimp.com/legal/terms/ – mailchimp.com/legal/privacy/.
What if no data provision takes place?
The provision of data is optional. However, any possible refusal will make it impossible for the owner to allow using the offered features and services.
Rights of the interested party
By law, the interested party has the right to ask the data controller for access to his/her personal data and to correct or cancel them or restrict their processing or to oppose to the processing. Moreover, the user has the right to data portability.
The interested party can assert his/her rights at any time, without formalities, by contacting the data controller using the e-mail address: firstname.lastname@example.org.
Below you can find details of the rights acknowledged by the current legislation are detailed the rights recognized by current legislation with regards to the protection of personal data.
- Right of access: i.e. the right to obtain confirmation from the data controller whether or his/her personal data are being processed. If yes, he/she shall have access to those personal data as well as the following information: a) processing purposes; b) categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations; (d) the retention period of personal data or, if this is not possible, the criteria used to determine such period; e) the existence of the right of the interested party to ask the data controller to correct or delete personal data or limit the processing of personal data or to be against their treatment; f) the right to file a complaint with a supervisory authority; g) all information regarding the origin of the data, if these are not collected from the interested party, h) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the used logic as well as the importance and expected consequences for the interested party for the processing. Whenever personal data are transferred to a third country or an international organization, the interested party has the right to be informed of the existence of adequate guarantees relating to the transfer.
- Right of rectification: i.e. the right to ask the data controller to rectify incomplete or incorrect personal data without unnecessary delay. Considering the purposes of the processing, the interested party has the right ask his/her personal data to be integrated, also by providing an additional declaration.
- Right to cancellation: i.e. the right to ask the data controller to delete one’s personal data without unnecessary delay, if: a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) the interested party revokes the consent on which the processing of his/her data is based on, and if there is no other legal basis for the processing; c) the interested party is against the processing because it is needed for the execution of a task of public interest or connected to the exercise of public authority for which the holder is appointed, or for the pursuit of legitimate interest and there is no legitimate reason to proceed the processing, or he/she is against processing for direct marketing purposes; d) personal data have been processed unlawfully; e) personal data must be deleted to fulfil a legal obligation under the EU or Member State law to which the data controller is subject to; f) personal data have been collected in relation to an offer by information society services of minors. However, the request for cancellation cannot be accepted if the processing is necessary: a) for the exercise of the right to freedom of expression and information; b) for the fulfilment of a legal obligation requiring processing under the EU or a Member State law to which the data controller is subject to or for the performance of a task carried out in the public interest or in the exercise of official authority; c) for reasons of public interest in the public health sector; d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, insofar as the cancellation risks make it impossible or seriously prejudice the achievement of the objectives of such treatment; or e) for the assessment, exercise or defence of a right in court.
- Right of limitation, i.e. the right to be guaranteed that data are processed, except for retention, only with the consent of the interested party or for the assessment, exercise or defence of a right in court or to protect the rights of another personal or legal person, or for reasons of significant public interest of the EU or a Member State, if: a) the interested party questions the accuracy of personal data for the period needed by the data controller to verify the accuracy of such personal data; b) the processing is illegal and the interested party is against the cancellation of his/her personal data and asks that they are used in a limited way instead; c) although the data controller no longer needs the data for processing purposes, the interested party needs them, in order to verify, exercise or defend a right in court; d) the interested party has opposed the processing carried out because it is necessary for the execution of a task of public interest or connected to the exercise of public authority the owner was appointed with, or for the pursuit of the legitimate interests of the data controller or third parties, waiting for verification of a possible prevalence of legitimate reasons of the data controller as opposed to those of the interested party.
- Right to portability, i.e. the right to receive personal data (given to the holder) in a structured, commonly used and readable way from automatic devices, and the right to transfer such data to another holder without impediments by the holder they were given, as well as the right to obtain direct transfer of his/her personal data from one holder to another, if technically feasible, should the processing be based on consent or on a contract and the processing is done by automated means. This right does not affect the right to cancellation.
- Right of opposition, i.e. the right of the interested party to oppose at any time, for reasons connected to his/her particular situation, the processing of personal data, since it is necessary for the performance of a task of public interest or related to the exercise of public authority for which the holder was appointed with, or for the pursuit of the legitimate interest of the data controller or third parties. If personal data are processed for direct marketing purposes, the interested party has the right to oppose the processing of personal data at any time, including profiling in so far as it is related to such direct marketing.
Should the processing the interested party’s personal data take place in violation of the provisions of the GDPR, he/she has the right to file a complaint with the guarantor, as provided for by art. 77 of the Regulations or to take appropriate judicial offices (Article 79 of the Regulations).
Further information on the processing of personal data
Stand of the present privacy information 18/09/2018