The protection of your personal data is very important to Caratti e Poletto S.r.l. (“Caratti” or the “Company”).
The entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) gave the Company the opportunity to further align its activities with the principles of transparency and protection of personal data, grounded in respect for the fundamental rights of all parties, be they employees, collaborators, clients, vendors or third parties interested in receiving information.
Caratti therefore implemented a “Privacy Organizational Model” (hereinafter “POM”), whose general guidelines are described below, with the aim of analysing the processing of personal data, organising it functionally, and managing it safely and transparently. This section of the website also sets out the rights of the data subject and how to exercise them towards the Controller.
INDEX
1 – GDPR PRIVACY ORGANIZATIONAL MODEL
1.1 – PARTIES
1.2 – RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
2 – TRANSPARENCY AND RIGHTS OF THE INTERESTED PARTY
2.1 – RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA
2.2 – EXERCISE OF RIGHTS
2.3 – FORMS AND INFORMATION NOTICE
1 – GDPR PRIVACY ORGANIZATIONAL MODEL
1.1 – PARTIES
DATA CONTROLLER
The data controller is:
Caratti e Poletto S.r.l. (“Controller”)
Legal Address: Corso Santi Felice e Fortunato, 25 – 36100 Vicenza
Tel. +39 0444/787889
email: [email protected]
Certified email: [email protected]
VAT Code: 03135920241
DATA PROTECTION OFFICER
Caratti e Poletto S.r.l. nominated a Data Protection Officer (“DPO”)
Contact information: [email protected]
TEAM PRIVACY
The Controller appointed a “Privacy Team” of individuals, including third parties, with organisational, technical and IT expertise. The Privacy Team supports the Controller.
The POM provides that every employee/collaborator of the Controller processes only the data indispensable for performing their duties for the internal organisation and, first and foremost, for the purposes indicated to the data subject (the so-called principle of “purpose limitation and data minimisation”, art. 5(1)(b) and (c) GDPR). Processing has therefore been segmented into homogeneous areas of subjects authorised for the processing, binding the employees/collaborators assigned to each area to that specific area of processing. Each authorised subject has received specific instructions from the Controller regarding the processing of personal data. To this end, the information system is also designed as a set of “watertight compartments”: from their workstation, an employee/collaborator can access only the data necessary to perform their duties. These processing areas are designated after a careful analysis of the Company’s structure and organisation, as well as of the data flows internal and external to the Company, and are summarised in a specific internal matrix that identifies the processing area assigned to each role.
Employees/collaborators have also received internal regulations on the use of IT tools and rules of conduct, including ethical rules, covering all information they access by virtue of their specific tasks.
To ensure effective compliance with the principles governing the processing of personal data, the Controller has also provided for training and refresher courses on the subject for those employees/collaborators who, by virtue of their duties, process personal data.
SYSTEM ADMINISTRATORS (INTERNAL AND EXTERNAL)
The Controller uses IT systems to manage and organise its activities. For this reason, care in the construction of software, in how it is used and in the security of data has always underpinned the Controller’s activity. Individuals with “administrator” privileges within the company are specifically appointed and trained. Likewise, the specialised external companies that access company data are specifically appointed as External Data Processors and/or External System Administrators pursuant to art. 28 GDPR.
External IT service providers are selected with particular attention to their skills, not only technical but also in relation to the respect and protection of personal data, giving priority to certified entities.
DATA PROCESSORS (ex art. 28 GDPR)
In principle, the CONTROLLER manages almost all processing activities internally. Cases of outsourcing of certain activities involving the processing of data on behalf of the DATA CONTROLLER to third parties are appropriately indicated in the individual information notices. In these cases, the relationship with the third party is governed by a specific contract of appointment to “Data Processor” pursuant to art. 28 of the GDPR.
The CONTROLLER entrusts this processing to external parties who offer sufficient guarantees to put in place suitable technical and organisational measures to meet the requirements of the GDPR and to guarantee the protection of the rights of the data subjects.
1.2 – RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
According to the so-called “accountability” principle, it is up to the CONTROLLER to implement a set of measures – organisational, physical, legal, technical and IT – aimed at preventing the risk of violation of the rights and freedoms of data subjects. To achieve this objective, the risks are analysed on an ongoing basis, depending on the processing operations, the tools used, and the type and amount of data processed.
RECORD OF PROCESSING (ex art. 30 GDPR) AND ANALYSIS OF THE IMPACT ON DATA PROTECTION (ex art. 35 GDPR)
The POM provides for a careful and continuous analysis of the risks of processing personal data, identified for each activity or service provided, through a Record of Processing Activities pursuant to art. 30(1) GDPR.
After analysing the processing carried out by the CONTROLLER, it is considered that, to date, no activities present a risk such as to require a Data Protection Impact Assessment pursuant to art. 35 GDPR (so-called “DPIA”).
The analysis of IT risks, of the company’s hardware and software infrastructure and of the IT adaptation measures was carried out both by our System Administrator, with dedicated tools and checklists, and by an external company specialised in IT security, which performed an in-depth audit including security testing. The outcomes of the audit have allowed our technicians to further improve the measures protecting against cyber attacks and cyber threats, gradually and in proportion to the risk to the rights and freedoms of data subjects.
2 – TRANSPARENCY AND RIGHTS OF THE INTERESTED PARTY
2.1 – RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA
The CONTROLLER, in this notice, deems it essential to inform data subjects of the rights they hold regarding the protection of personal data, listed below.
– Right to be informed (transparency in data processing)
The data subject has the right to be informed about how the CONTROLLER processes personal data, for what purposes, and the other information provided for by art. 13 GDPR. To this end, the CONTROLLER has set up organisational processes that allow, at the time personal data are collected or requested, the issue of an information notice drafted specifically for the category of data subject concerned (employee, customer, supplier, etc.). This document allows all parties to whom the data refer to be adequately informed about how the CONTROLLER processes their data. The information notice can be requested by sending a specific request to the CONTROLLER.
– Right to withdraw consent (art. 7(3); see also art. 13(2)(c))
You have the right to withdraw your consent at any time for all processing operations whose lawfulness is based on your consent. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
– Right of access to data (art. 15)
You may request: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the envisaged retention period of the personal data or, if that is not possible, the criteria used to determine that period; e) the existence of your right to ask the controller to rectify or erase personal data or to restrict the processing of personal data concerning you, or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the data are not collected from you, any available information as to their source; h) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for you. You also have the right to request a copy of the personal data undergoing processing.
– Right of rectification (art. 16)
You have the right to request the rectification of inaccurate personal data concerning you and to obtain the integration of incomplete personal data.
– Right to be forgotten (art. 17)
You have the right to obtain from the controller the erasure of personal data concerning you where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; where you withdraw the consent on which the processing is based and there is no other legal ground for it; where you object to the processing and there are no overriding legitimate grounds for it; where the data have been processed unlawfully; where erasure is required by a legal obligation; or where the data were collected in relation to the offer of information society services to a minor. Erasure does not apply to the extent that processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority, for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
– Right to restriction of processing (art. 18)
You have the right to obtain from the controller restriction of processing where you have contested the accuracy of the personal data (for the period necessary for the controller to verify their accuracy); where the processing is unlawful but you oppose the erasure of the personal data and ask instead that their use be restricted; where the CONTROLLER no longer needs the data for the purposes of the processing but you require them for the establishment, exercise or defence of legal claims; or where you have objected to the processing, pending verification of whether the controller’s legitimate grounds override yours.
– Right to portability (art. 20)
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and to transmit them to another controller, where the processing is based on consent or on a contract and is carried out by automated means. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority, and its exercise must not adversely affect the rights and freedoms of others.
– Right to object (art. 21)
You have the right at any time to object, in whole or in part, to the processing of your personal data if the processing is carried out for the pursuit of a legitimate interest of the CONTROLLER or for direct marketing purposes.
– Right to lodge a complaint to the Italian Personal Data Protection Authority (art. 77).
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the Data Protection Regulation, in particular in the Member State where you reside, work, or in the place where the alleged infringement occurred.
2.2 – EXERCISE OF RIGHTS
To exercise your rights, you can send a request to the CONTROLLER or fill in the forms provided below.
2.3 – FORMS AND INFORMATION NOTICE
1) Below is a draft document to be filled in for the practical exercise of the rights of the data subject. The form can then be sent to the CONTROLLER, at the addresses listed above, in accordance with current legislation.
Cookie Policy
This notice on the use of cookies on the website www.carattiepoletto.it is provided to the user for the implementation of the provision of the Italian Data Protection Authority of 8 May 2014 “Identification of the simplified procedures for the notice and the acquisition of consent for the use of cookies”. Any further request regarding the use of cookies on this website can be sent to the email address [email protected]
Extended notice about cookies
What are Cookies?
Cookies are small text records that the browser stores on the user’s device on behalf of a website, in order to ensure the optimal use of the site according to the purposes described in this notice. Some cookies serve purposes that may require the user’s explicit consent. Cookies, usually present in users’ browsers in very large numbers and sometimes with a long persistence, are used for different purposes, such as performing authentication, monitoring sessions and storing information on specific configurations of the users accessing the server.
What are the main types of cookies?
For the purposes of this provision, two categories of cookies are identified: “technical” cookies and “profiling” cookies.
a. Technical cookies.
Technical cookies are those used for the sole purpose of “transmitting a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide that service” (see Article 122(1) of the Privacy Code).
They are not used for other purposes and are normally installed directly by the owner or manager of the website. They include: navigation or session cookies, which allow normal browsing and use of the website (for example, making purchases or logging in); analytics cookies, which are treated as technical cookies when used directly by the site manager to collect information, in aggregate form, on the number of users and how they visit the site; and functionality cookies, which allow users to browse according to a set of selected criteria (for example, language) in order to improve the service rendered to them. The user’s prior consent is not required for these cookies.
b. Profiling cookies.
Profiling cookies are used to create user profiles and to send advertising messages in line with the preferences the user has expressed while browsing. Because they are quite invasive of users’ private sphere, European and Italian legislation require that users be informed about their use and give their consent. Art. 122 of the Privacy Code refers to them where it provides that “the storage of information in the terminal equipment of a contracting party or user, or access to information already stored, is permitted only on condition that the contracting party or user has given their consent after having been informed via the simplified procedures referred to in Article 13, paragraph 3” of the Privacy Code.
Session and Persistent Cookies
Session cookies are limited to your current browser session and are deleted when the browser is closed; nothing is stored on your computer beyond the time you use the site (on this site: ASP.NET_SessionId and language).
Persistent cookies (on this site, the ASPXANONYMOUS cookie) allow the site to recognise a returning user or visitor and adapt accordingly; their duration is set by the website and can vary from a few minutes to several years.
First-party and third-party cookies
First-party cookies are created by, and readable only by, the site you are visiting.
Third-party cookies, on the other hand, are created and readable by domains external to the site, and the data they collect are kept by the third party.
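The two distinctions above (session vs persistent, first-party vs third-party) are decided by the attributes of the Set-Cookie header and by the host that sent it. As an added illustration, not part of this notice or of the carattiepoletto.it site, the following script classifies cookies on those two axes. The sample headers are constructed for the demo: the two cookie names this notice mentions plus a hypothetical analytics cookie from an invented third-party host; the values, hosts and dates are assumptions.

```javascript
// Added example: classify cookies from raw Set-Cookie headers along the two
// axes the notice uses (session vs persistent, first-party vs third-party).
// Illustrative code, not part of the carattiepoletto.it site; all sample
// headers, hosts and values below are constructed for the demo.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq).trim(),
    value: eq === -1 ? "" : pair.slice(eq + 1).trim(),
    attrs: {},
  };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Simple domain-match (RFC 6265 section 5.1.3) without the public suffix list:
// "www.carattiepoletto.it" matches ".carattiepoletto.it". Assumption: a real
// audit tool would consult the PSL so that a suffix like "co.uk" never counts
// as a site on its own.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Lifetime: a cookie is persistent only when Expires or Max-Age is present.
// Max-Age wins over Expires (RFC 6265 section 5.3). A non-positive Max-Age or
// a past Expires date is a deletion instruction, not a persistent cookie; an
// unparseable Expires is ignored, leaving a session cookie.
function lifetimeOf(attrs, now = Date.now()) {
  if ("max-age" in attrs) {
    const secs = Number(attrs["max-age"]);
    return Number.isFinite(secs) && secs > 0 ? "persistent" : "deleted";
  }
  if ("expires" in attrs) {
    const t = Date.parse(String(attrs.expires));
    if (Number.isNaN(t)) return "session";
    return t > now ? "persistent" : "deleted";
  }
  return "session";
}

// pageHost: the site the user is visiting; responseHost: the host that sent the
// Set-Cookie header (the page itself, or an embedded third-party resource).
function classifyCookie(header, responseHost, pageHost, now = Date.now()) {
  const c = parseSetCookie(header);
  // Without a Domain attribute the cookie is host-only for responseHost.
  const effectiveDomain = c.attrs.domain ? String(c.attrs.domain) : responseHost;
  return {
    name: c.name,
    lifetime: lifetimeOf(c.attrs, now),
    party: domainMatches(pageHost, effectiveDomain) ? "first-party" : "third-party",
    secure: c.attrs.secure === true,
    httpOnly: c.attrs.httponly === true,
    sameSite: c.attrs.samesite ? String(c.attrs.samesite) : "(not set)",
  };
}

const PAGE_HOST = "www.carattiepoletto.it";

// Constructed sample responses: the two cookie names the notice lists, plus a
// hypothetical analytics cookie set by an embedded third-party script.
const SAMPLE_RESPONSES = [
  { from: PAGE_HOST, setCookie: "ASP.NET_SessionId=k3d2sample; path=/; HttpOnly; Secure; SameSite=Lax" },
  { from: PAGE_HOST, setCookie: "ASPXANONYMOUS=anon-1; expires=Thu, 01 Jan 2099 00:00:00 GMT; path=/; HttpOnly" },
  { from: "stats.example-tracker.test", setCookie: "_visitor=abc; Domain=.example-tracker.test; Max-Age=63072000; Secure; SameSite=None" },
];

// Classify every Set-Cookie observed while loading the page.
function auditCookies(responses, pageHost, now = Date.now()) {
  return responses.map((r) => classifyCookie(r.setCookie, r.from, pageHost, now));
}

for (const c of auditCookies(SAMPLE_RESPONSES, PAGE_HOST)) console.log(c);
```

The party decision uses the host that set the cookie, not just the Domain attribute: a cookie with no Domain attribute sent by an embedded tracker is still third-party, because the browser scopes it to the tracker’s host. The lifetime rule also catches the case a cookie notice tends to miss, a persistent-looking cookie whose Max-Age is 0 or whose Expires is in the past, which is a deletion rather than storage.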
Registered visitors
We analyze the online activities of the visitors registered on our websites and online services through the use of cookies and other tracking methods. If you receive our communications, these can be customized according to the preferences you have shown on the site.
In addition, we use other tracking technologies inside the communications you receive from us (for example, to know if our emails are received, read and clicked) in order to make future communications more in line with your interests.
Which cookies we use and how
Google Analytics
It is a web statistical service provided by Google, Inc. (“Google”). The collected data are used in order to track and examine the browsing within the site; the collected data can be shared with other services managed by Google.
The data collected could be used by Google for the personalization of advertisements within its network.
What data are collected? Usage data.
More information: Privacy Policy – Disable tracking
Google Maps
It is a service that enables the display of geographic maps and their integration within a website and to show geolocalized information.
What data are collected? Usage data and GPS position (if active).
For more information: Privacy Policy
Tweet button and Twitter social widgets
These are services provided by Twitter which enable the site to interact directly with the social network, facilitating the direct sharing of content and posts.
What data are collected? Usage data.
For more information: Privacy Policy
Instagram widget
Instagram is a social network for sharing images; the widget enables the integration of images from the platform into the site’s pages.
What data are collected? Usage data.
For more information: Privacy Policy
How are cookies managed within the browser?
The user can also manage cookies through the settings of their browser. Below we list the sites where the management procedure for the different browsers can be found.
Google Chrome
Microsoft Explorer
Firefox
Opera
Safari (macOS, iPhone, iPad)
Consent
Continuing the browsing by accessing another area of the site or by selecting one of its elements (for example, an image or a link) implies the consent to the use of cookies.