This privacy policy document, updated with EU Regulation (GDPR) 2016/679 relating to the processing of personal data, as well as with Legislative Decree 181/18 which modifies Legislative Decree 196/2003, regulates the processing methods of the data collected by a website while the user is browsing.

It has the precise purpose of informing the user about the processing of his personal data in accordance with the law and the recent EU Regulation 679/2016, which has profoundly changed the regulation.

A website must have a Data Controller (Data Controller). The data controller is the one who has decision-making and organizational power over the processing, as well as deciding the methods of data processing and is responsible towards the privacy guarantor. Two or more joint owners can also be appointed. In this case, it is mandatory for the user to know what the skills of each joint owner are, through a link indicating the agreement between them.

The data controller is supported by the Data Processor. This figure is the person who processes the data on behalf of the data controller. This means that it will be a person close to the owner, from whom he receives directives on how to manage the data. The Data Controller must be a competent figure capable of fully satisfying the security implemented by the Data Controller.

These two figures are joined by the Data Protection Officer DPO, who, despite being appointed directly by the owner, is nevertheless a person independent of the latter. The DPO, previously only optional, is now a sometimes mandatory figure pursuant to art. 37 of Regulation (EU) 679/2016. This article indicates the obliged subjects and those who are exempt. In any case, the DPO, called RPD in Italian, is an independent subject and processes the data autonomously. Furthermore, he is directly responsible for and communicates with the privacy guarantor. Ultimately, the designation of the DPO reflects the new approach of the GDPR, towards empowerment of data processing, being aimed at facilitating the implementation of the regulation by the owner and manager. The role of the DPO is to protect personal data, not the interests of the data controller.

Therefore, while the Data Controller is a figure close to the Data Controller, the DPO is a much more independent figure, who cannot and must not receive orders from the Data Controller on effective data protection.

Returning to the information, the place where the data will be processed must also be indicated, which coincides with the headquarters of the data controller.

It is essential to also include the purposes of data processing. In fact, according to the new legislation, the data must be kept for a period suitable for achieving the purposes set by the site, and then be deleted. It is therefore mandatory that the purposes are indicated clearly and concisely within the information.

The document must also indicate the types of cookies that are used on the web page. Cookies are small pieces of information that can be saved on the user's computer when the browser calls up a particular website. With them the server sends information which will be re-read and updated every time the user returns to the site.

There are various types of cookies:

There are various types of cookies:

Technical cookies: in accordance with the law, they are those used for the sole purpose of "carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or by the user to provide this service". They are not used for other purposes and are normally installed directly by the owner or manager of the website.

Third-party cookies: these occur when a third party places cookies on an internet page. In this case, the user must be informed that there will be cookies from other parties in addition to those of the web page. Typical third-party cookies are those of social networks

Profiling cookies: they are aimed at creating profiles relating to the user and are used to send advertising messages in line with the preferences expressed by the user when browsing the internet. According to the privacy guarantor these can be:

advertising profiling, i.e. which collect and process user data for advertising purposes (e.g. to pass them on to advertising agents);
of retargeting activities, consisting of forms of online advertising chosen based on the user's previous actions or searches on the web (e.g. Google AdWords);
set by social networks;
of statistical activities, managed by third parties (e.g. Google Analytics).

The document must also indicate whether the site allows social network plug-ins and the possible transfer of data to companies located in extracontinental countries.

It is also important to mention what the new rights of the interested party are under the new European legislation, such as the right to delete data, update them or to oppose a possible transfer of data.

How to use the document?

Through this document you will be able to:

Indicate the website for which the following document is used;

Indicate the owner of the data and the place where they will be processed;

Indicate the possible presence of multiple data controllers;

Indicate the data manager (DPO);

Indicate what the purposes of the data processing are, and the time it will take for the site to use them;

Establish which cookies will be used by the site, whether only technical cookies, third-party cookies and/or profiling cookies;

Indicate whether the site uses social network plug-ins;

Indicate whether the user will receive notifications for any site updates.

Once you have the document, it must be inserted into the site's web page and made available to the user.