User privacy policy

Purchasing online through the website www.bonajuto.it (hereinafter also referred to as the “website”) and/or the account registration facilitating the purchase process, involves the transfer of determined personal data of users (hereinafter also referred to as “interested party”).
In accordance with the current legislation (Article 13 General Data Protection Regulation (GDPR), the Antica Dolceria Bonajuto Srl, with registered office in Corso Umberto I, n. 159, 97015 Modica (RG), VAT number 01218510889, data controller, (indicated as “Owner” or “Antica Dolceria Bonajuto”), provides those users who visit the website with information regarding the processing of acquired data.

 

Who is the data controller?

The data controller is Antica Dolceria Bonajuto Srl.

Which data are processed?

All details provided by the user through filling in the information request form, as well as his/her IP address, are processed.

The platform used by the Data Controller to send emails for marketing allows identification of which IP address or type of browser is used to open the email and other similar details via tracking systems, information detection such as the opening of a message, and the clicks made on hyperlinks in the email.

What are the purposes and legal bases of processing personal data?

Data will be only processed in order to initiate an order request and for the purposes related to product purchases through the website, and to manage those activities connected with and related to the purchase (such as accepting an order, carrying out inventory, shipping, managing complaints and returns, accounting management of purchases).
If the user requests the registration of his/her account, data are processed to allow him or her to take advantage of the adhered service and to manage purchases made on the website in a quicker way.
The legal basis for processing such data is therefore the execution of pre-contractual and contractual measures.
If expressly agreed, data of the interested person may also be used to send advertising or direct sales materials, or to carrying out market research or business communication referred to the activities and services offered by the Owner via traditional means, such as telephone contact through call-centre, and automatic means, such as e-mails and text messages. The legal base of processing for marketing is the consent of the person concerned, which may be revoked at any time, even separately for the despatch of promotional communications automatically or via traditional means.

Data acquired through the tracking systems of the platform used to manage the emails may be processed automatically to assess the preferences and habits of the person concerned (profiling) and, based on such data, to plan the despatch of promotional communications and announcements. The legal base of this processing is consent, which may be revoked at any time.

If necessary, the data can also be used on the base of the legitimate interest of the owner to carry out defensive activities or to assert or defend a right in court.

 

Data management

The data acquired is managed by the Data Controller through IT tools and paper supports with adequate security measures to prevent the loss of data, illegal or improper use and unauthorised access.

However, if the interested party authorizes the processing of personal data for commercial and promotion purposes based on Article 130, Comma 1 and 2 of D. Lgs. 196/2003 (Privacy Code), communication may occur not only through automated contact methods, but also more traditional ones, such as mail or calls.

Storage times
Data processed for the management of purchases is stored in accordance with the law linked to administrative and accounting purposes and, however, within the time set for rights and the obligations underlying processing.
For registration, the data is stored while the user decides to maintain an active account and, in any case, not more than five years from the last access.
Data processed for marketing is stored until a possible request for opposition by the user and, however, not more than two years from consent to processing. Data subject to profiling is stored for one year.
Exceptions are made for any defensive requirements for which the data may also be stored beyond the terms indicated.

Transfer of data abroad
Hosting the website does not lead to a transfer of the data to non-EU countries. Some services used by the Data Controller (email, analysis of visits, newsletters and marketing campaigns) are provided by American companies and lead to transfer of data abroad. Such a transfer occurs with the guarantees offered by the standard contractual clauses.


Who has access to personal data?

The data will be processed by employees and authorized collaborators. The data may also be known by the competent Authorities in case of specific requests to which the holder is required by law to follow up, by consultants or by companies providing IT supply and assistance services for the purposes related to the activities carried out on behalf of the owner, by the consultants that support the owner for the accounting and administrative management, by the shipping and logistics companies for the activities related to the purchase, by the consultants and the companies to which the marketing activities are delegated and by the legal consultants for the management litigation and for legal assistance in the event of any disputes that may require their expertise.
As already indicated, data may also be known by the MailChimp service provider, used for the service of sending promotional emails.

Please note that some of the persons indicated operate as data controllers and others as data processors and transmission to those operating as autonomous data controllers is made because required by legal obligations or necessary to fulfil the obligations arising from the precontractual relationship or the data controller’s legitimate interest consisting of maintaining the security of the IT systems and taking defensive action.

The data may also be advised by the Data Controller, subject to the consent of the person concerned, to service providers for planning marketing campaigns.

The detailed list of persons to whom data may be transmitted can be requested by contacting the Data Controller.

Please note that communication of personal data is, however, limited to just the data categories whose transmission is necessary to fulfil the activities and purposes pursued.

What if no data provision takes place?

The provision of data is optional. However, any possible refusal will make it impossible for the owner to allow using the offered features and services.

Rights of the interested party

By law, the interested party has the right to ask the data controller for access to his/her personal data and to correct or cancel them or restrict their processing or to oppose to the processing. Moreover, the user has the right to data portability.

In particular, please remember that you can oppose data processing for marketing purposes.

The interested party can assert his/her rights at any time, without formalities, by contacting the data controller using the e-mail address: privacy@bonajuto.it.
The Data Controller shall respond within 30 days of receipt of the request, as set out by the legislation in force.

Below you can find details of the rights acknowledged by the current legislation are detailed the rights recognized by current legislation with regards to the protection of personal data.

    • Right of access: i.e. the right to obtain confirmation from the data controller whether or his/her personal data are being processed. If yes, he/she shall have access to those personal data as well as the following information: a) processing purposes; b) categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations; (d) the retention period of personal data or, if this is not possible, the criteria used to determine such period; e) the existence of the right of the interested party to ask the data controller to correct or delete personal data or limit the processing of personal data or to be against their treatment; f) the right to file a complaint with a supervisory authority; g) all information regarding the origin of the data, if these are not collected from the interested party, h) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the used logic as well as the importance and expected consequences for the interested party for the processing. Whenever personal data are transferred to a third country or an international organization, the interested party has the right to be informed of the existence of adequate guarantees relating to the transfer.

 

    • Right of rectification: i.e. the right to ask the data controller to rectify incomplete or incorrect personal data without unnecessary delay. Considering the purposes of the processing, the interested party has the right ask his/her personal data to be integrated, also by providing an additional declaration.

 

    • Right to cancellation: i.e. the right to ask the data controller to delete one’s personal data without unnecessary delay, if: a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) the interested party revokes the consent on which the processing of his/her data is based on, and if there is no other legal basis for the processing; c) the interested party is against the processing because it is needed for the execution of a task of public interest or connected to the exercise of public authority for which the holder is appointed, or for the pursuit of legitimate interest and there is no legitimate reason to proceed the processing, or he/she is against processing for direct marketing purposes; d) personal data have been processed unlawfully; e) personal data must be deleted to fulfil a legal obligation under the EU or Member State law to which the data controller is subject to; f) personal data have been collected in relation to an offer by information society services of minors. However, the request for cancellation cannot be accepted if the processing is necessary: ​​a) for the exercise of the right to freedom of expression and information; b) for the fulfilment of a legal obligation requiring processing under the EU or a Member State law to which the data controller is subject to or for the performance of a task carried out in the public interest or in the exercise of official authority; c) for reasons of public interest in the public health sector; d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, insofar as the cancellation risks make it impossible or seriously prejudice the achievement of the objectives of such treatment; or e) for the assessment, exercise or defence of a right in court.

 

    • Right of limitation, i.e. the right to be guaranteed that data are processed, except for retention, only with the consent of the interested party or for the assessment, exercise or defence of a right in court or to protect the rights of another personal or legal person, or for reasons of significant public interest of the EU or a Member State, if: a) the interested party questions the accuracy of personal data for the period needed by the data controller to verify the accuracy of such personal data; b) the processing is illegal and the interested party is against the cancellation of his/her personal data and asks that they are used in a limited way instead; c) although the data controller no longer needs the data for processing purposes, the interested party needs them, in order to verify, exercise or defend a right in court; d) the interested party has opposed the processing carried out because it is necessary for the execution of a task of public interest or connected to the exercise of public authority the owner was appointed with, or for the pursuit of the legitimate interests of the data controller or third parties, waiting for verification of a possible prevalence of legitimate reasons of the data controller as opposed to those of the interested party.

 

    • Right to portability, i.e. the right to receive personal data (given to the holder) in a structured, commonly used and readable way from automatic devices, and the right to transfer such data to another holder without impediments by the holder they were given, as well as the right to obtain direct transfer of his/her personal data from one holder to another, if technically feasible, should the processing be based on consent or on a contract and the processing is done by automated means. This right does not affect the right to cancellation.

 

  • Right of opposition, i.e. the right of the interested party to oppose at any time, for reasons connected to his/her particular situation, the processing of personal data, since it is necessary for the performance of a task of public interest or related to the exercise of public authority for which the holder was appointed with, or for the pursuit of the legitimate interest of the data controller or third parties. If personal data are processed for direct marketing purposes, the interested party has the right to oppose the processing of personal data at any time, including profiling in so far as it is related to such direct marketing.

Should the processing the interested party’s personal data take place in violation of the provisions of the GDPR, he/she has the right to file a complaint with the guarantor, as provided for by art. 77 of the Regulations or to take appropriate judicial offices (Article 79 of the Regulations).

 

Further information on the processing of personal data

Additional information on the processing of personal data of users are available on the Privacy Policy and Cookie Policy page.

Stand of the present privacy information 10/12/2021