Art. 13 EU Reg. 679 of 27th April 2016
Pursuant to article 13 of “European Legislative decree 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (henceforth “GDPR”), Aboca S.p.A. Società Agricola (hereafter “ABOCA”) with address at Loc. Aboca 20, Sansepolcro 52037 (AR) - Arezzo Italy, as the Owner, is required to provide users that connect to the domains www.abocamuseum.it and www.abocashop.com (regardless of the reason for connecting) with information on the personal data processing carried out on the domains.
For the purposes of this information, without prejudice to GDPR art. 4, the following definitions shall apply:
Domains abocamuseum.it; abocashop.com: the domains www.abocamuseum.it and www.abocashop.com, reachable through the Internet’s world wide web service, consisting of data, applications, technological resources, human resources, organisational rules and procedures for the acquisition, storage, processing, exchange, retrieval and transmission of information.
Collection points: areas within the domains www.abocamuseum.it and www.abocashop.com for the collection of personal data.
I. Warnings and Protection of Children
The processing of personal data will apply the principles of lawfulness, fairness and transparency. Personal data will be collected for specified, explicit and legitimate purposes (restriction of purpose) and will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). They will always be kept up to date and accurate and kept for a period of time not exceeding that necessary for the purpose of executing the Contract, without prejudice to the fulfilment of legal and tax obligations that establish longer retention periods (storage limitation). Personal data will be processed by adopting all appropriate security measures to ensure the integrity, confidentiality and unavailability to unauthorised third parties (integrity and confidentiality). Wherever not expressly indicated, the provision of personal data through collection points on the websites www.abocamuseum.it and www.abocashop.com is reserved for adults.
II. Reference standards and legal grounds for processing.
The processing operations, which we will illustrate in detail below, have their legal basis in the rules governing your right to the protection of your personal data, your right to privacy, and finally in those rights that allow you to express or withdraw your informed consent to processing operations at any time, namely:
- The General EU Regulation 679 of 27th April 2016 concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data;
- Your informed consent, expressed in accordance with the current provisions of law on the protection of personal data (GDPR Article 6).
- The fulfilment of the contractual obligations assumed by ABOCA on your behalf at the time of your participation in the Service (GDPR Article 6);
- Fulfilment of obligations or orders to which the Data Controller is bound by law or order of the Authority (GDPR Article 6).
III. Nature of the personal data undergoing processing
III.1. - The optional, explicit and voluntary sending of emails to the addresses indicated on this website entails the subsequent acquisition of the sender's address which is necessary to respond to requests, as well as any other personal data included in the message. Specific summary information will be progressively shown or displayed on the pages of the site set up for particular services upon request. In any case, from time to time as required by law, you will be required to consent to the processing of your personal data.
III.2. - Only after your consent, where necessary, the following categories of your personal data shall or could be processed for the purposes indicated.
(a). - Common personal data, identification data.
Such as: name and surname, year of birth, sex, address, city, province, e-mail address, telephone number, postcode, and links to profiles on the following social networks: Facebook, Instagram and Twitter.
(b). - Technical processing.
Machine-generated data is likewise subject to data processing of a technical nature (in particular, IP addresses, log files relating to Site navigation and to purchases made). ABOCA will keep, within the period required by law, the log files and IP addresses used when making an online purchase, in order to verify and prevent possible fraudulent online transactions. Such personal data shall be used exclusively for the purpose of checking network traffic to the aboca.com domain.
This information is not collected for the purpose of being associated with interested parties, but by its very nature could allow users to be identified through processing and association with data held by third parties. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning, and is deleted immediately after its use. The data may be used to ascertain responsibility in case of hypothetical computer crimes that damage the site: with this exception, web contact data is not retained for more than seven days.
Credit card details.
To make a payment on the Site, the User must enter the confidential data from their credit or debit card (card number, cardholder, expiry date, security codes). This data shall not be processed by the Company that owns the Website but is acquired by the payment service provider, who will act as an independent data controller, without passing through the ABOCA server. The data will be acquired in an encrypted format and according to the security requirements of the PCI DSS (Payment Card Industry Data Security Standard) certification, whose purpose is to ensure that critical data relating to Credit Cards (Cardholder Data) is always safe. The payment service provider uses the TLS (Transport Layer Security) cryptographic protocol, providing authentication, data integrity, confidentiality and a higher level of security during transactions.
(c). - Cookies.
(d). - Particular categories of personal data.
In the event that particular categories of personal data pursuant to EU Reg. 679/2016 Art. 9 are collected through the ABOCA domain, you will be informed in advance and be put in a position to express the relative consent, pursuant to law.
IV. - Nature of the provision, data sources.
The provision of your personal data is not mandatory, but in some cases, it is necessary, and therefore mandatory, to allow you to benefit from the services and functionalities of the site.
IV.1. - Data for which transfer is necessary.
IV.1.1. - The provision of some personal data is necessary, and therefore mandatory, to carry out your specific requests; you always have the choice whether to provide your personal data, but in this case it may be impossible for the Data Controller to satisfy your requests, meet your needs or make use of all the features available on the Aboca.com website in its entirety.
IV.1.2. - The provision of identifying personal data is required for:
(a). – the ability to register on the site and to receive, together with the other advantages, the desired information on ABOCA products, services and initiatives.
IV.1.3. - This identifying data will be processed both on paper and electronically, and will be kept by ABOCA only as long as the interested parties keep their registration on the Site, or for a maximum period of three years from the last action carried out on the Site. Once such retention times have passed, personal identification data will be deleted automatically.
IV.2. - Data used for authentication.
Once registration has been completed, during which you will be able to decide access credentials, including your password, which only you will know, you can access the ABOCA website from a mobile device or desktop by entering the chosen personal authentication credentials (which you will need to keep with the utmost care) in the appropriate fields.
We advise you to choose a password that has the following characteristics as a minimum: no less than eight characters in length, including at least one special character. In case you forget your password, the recovery procedure provides a link to reset it independently. Authentication data will be encrypted from first use and ABOCA will in no way be able to access it.
IV.3. - Data Sources.
We will collect your data, directly from you, through your interactions with the www.aboca.com website.
V. Purpose of Processing.
In addition to the necessary processing obliged by law, by regulation, or by order of the Authority, Aboca will carry out, only with your consent and if necessary, the operations necessary to enable you to benefit from the services and features of the website www.aboca.com; in particular:
- the management of your relationship with ABOCA;
- purposes strictly connected and instrumental to the management of the aforesaid relationship (e.g. for the acquisition of pre-contractual information and to implement services and operations, such as the purchase of ABOCA goods through the Website);
- purposes of analysing the information obtained in order to offer information/promotions; by sending ABOCA newsletters and/or promotional or advertising material, ABOCA services and/or products, or those of third parties which ABOCA deems of interest to you, as well as conducting ABOCA opinion polls; purposes relating to the monitoring of customer relations and credit and fraud risk controls related to the services provided by ABOCA;
- to fulfil specific requests of the interested party.
VI. Methods of processing your personal data.
Regarding all the purposes indicated in the previous paragraphs, your personal data shall be processed both electronically and on paper and processed by specific IT procedures in order to customise the services that ABOCA is able to offer. The data will be processed in such a way as to guarantee its logical and physical security and confidentiality, and may be carried out using manual, computerised and telematic tools designed to store, transmit and share the data. The logic of the processing will be strictly related to the purposes pursued.
VI.1. - Data Retention Policy.
Regarding the purposes referred to in letter (V.3), namely the proposal of commercial or promotional information, the corresponding data processing will not contain sensitive information and will be handled by the data controller with the prior approval of the data subject for no longer than 24 months from data collection, and exclusively on aggregate data, in compliance with the provisions of Provv. Doc. Web 1103045 of the Italian Data Protection Authority.
VI.2. - Security and data retention.
VI.2.1. - Your personal data will be stored within the European Union and the related security policies are reviewed in accordance with applicable Best Practices.
VI.2.2. - Traceability of Accesses and transactions. Audit Log.
Every time data is accessed, a log will be stored in appropriate Log tables. The relevant information will contain an access timestamp, an identifier of the user who has accessed the data; the type of data accessed, the owner of the data, the operation performed, and the application from which access was made.
(E.6). - Profiling, automated decision making;
We do not perform profiling operations of the data collected through this website (except as specified in our cookies policy) beyond those necessary to enable us to carry out the performances that allow you to use the website services.
(E.7). - Data Protection Impact Assessment.
In relation to the processing of personal data related to site operation, ABOCA is developing a targeted Data Protection Impact Assessment (DPIA) by using a specific assessment tool, made available by the French Personal Data Protection Authority (Commission Nationale de l'Informatique et des Libertés), the results of which will be available upon request by the interested party.
VII. - Recipients of data and transfers abroad.
VII.1. – Data Processors and Controllers.
As Data Processors or Controllers, the following individuals may become aware of the personal data referred to in this document:
- within ABOCA, qualified personnel, each one limited to their own competencies and duties and based on the tasks assigned and instructions given.
- outside ABOCA, third parties, who have also been specifically designated as Data Processors or Controllers. ABOCA makes use of such third parties for various services and to perform only these services, with each one limited to their competencies and duties and based on the tasks assigned and instructions given.
VII.2. - Communication of the data (to certain external subjects).
In the course of its ordinary accounting and administrative activities, ABOCA may communicate your personal data, subject to your consent, in accordance with the law and where required for compliance with security measures, to third party service providers for the sole purpose of services requested by you, such as: postal service companies, legal and notary offices, consultants or associations of consultants, other service companies, and any other parties in compliance with legal obligations (e.g. insurance institutions, police forces, judicial authorities, etc.). The list of subjects to whom the data may be communicated is available at the head offices of the Data Controller.
VII.3. - Transfer of personal data abroad.
ABOCA does not transfer personal data abroad of its own initiative. However, some third party service providers may have their servers physically located abroad (as in the case of the email provider). In such cases, the transfer of data abroad will take place exclusively within the scope and in compliance with EU Reg. 679/2016 Art. 44 ss.
VII.4. - Dissemination of the data (to undetermined external subjects).
Under no circumstances will personal data be disseminated.
VIII. - Rights of the interested party.
Articles 15 to 22 of the GDPR confer on the interested parties the exercise of specific rights. GDPR Article 15 recognises the right of individuals to access their own personal data and to obtain a copy thereof. The right to obtain a copy of the data must not affect the rights and liberties of others. With a data subject access request, the interested party has the right to obtain ABOCA’s confirmation of whether or not their personal data is being processed and to know the purposes and categories of the data processed, the third parties to whom the data is communicated and if the data is transferred to a non-EU country with proper safeguards. The interested party also has the right to know the retention period for their personal data and has the right to request the rectification of inaccurate data and to have incomplete data completed, the erasure (right to be forgotten) under the conditions indicated in GDPR art. 17, the restriction of processing, the revocation of consent, the right to data portability and the right to object, at any time and without having to provide justification, to the processing for direct marketing purposes.
These rights may be exercised via email to the ABOCA Data Protection Officer’s address, or by ordinary mail to the address indicated below. The Data Protection Officer may need to identify the data subject by requesting a copy of their identity document. The interested party who believes that the processing of their personal data violates the provisions of the GDPR or of the internal regulations regarding the protection of personal data has the right to lodge a complaint with the Italian Data Protection Authority based in Rome, pursuant to GDPR art. 77 and/or to appeal to the Judicial Authority. To exercise these rights, or to obtain any other information regarding them, or more generally on the processing of personal data, requests may be sent via e-mail to the following address: email@example.com; or by ordinary post to Aboca S.p.A., a company with registered office in Loc. Aboca n. 20 - 52037 - Sansepolcro (AR), Italy.
IX. Withdrawal of Consent, Questions about Privacy, Access and Feedback
You are entitled to withdraw your consent to the processing of your personal information at any time, by communicating this intention. If you have questions or wish to have more information on the processing of your personal data or to exercise the rights referred to in section VI above, you can send an email to the administrator of the ABOCA website, writing to firstname.lastname@example.org. You can also contact us at the same address for questions regarding the management of information by ABOCA. Before any information can be provided or modified, ABOCA may need you to verify your identity and answer a few questions. We will provide a response as soon as possible.
X. - Data Controller.
The data controller is ABOCA with registered office in Loc. Aboca 20, 52037, SANSEPOLCRO (AR).
XI. – Personal Data Protection Officer.
The DPO is the lawyer Giuseppe Serafini with Studio in 06012, Città Di Castello (PG), Via S. Antonio nr. 7. mail: email@example.com
XI.1. – Data Processors
The complete list of data processors is available at the registered head office.
The present mandatory information is subject to updating, depending on possible changes in the applicable provisions of the law.