PURSUANT TO ARTICLE 13 OF EU REGULATION 2016/679 CONCERNING THE PROTECTION AND PROCESSING OF PERSONAL DATA (GDPR)
1.WHO IS THE DATA CONTROLLER?
The Data Controller is Cogenio S.r.l. with registered office at Viale di Tor di Quinto n. 45/47, Rome, Italy, in the person of its pro-tempore legal representative (hereinafter the “Data Controller”
For the purpose of exercising your rights or obtaining any information about them and/or about this Policy, you can contact the Data Controller at the following address: firstname.lastname@example.org.
PURPOSES OF PROCESSING, LEGAL BASIS AND DATA RETENTION PERIOD
The personal data that you provide directly or that is collected when you browse www.cogenio.it (hereinafter “Website”),
will be processed by Cogenio for the following purposes.
BROWSING THE WEBSITE
When you browse the website, the IT systems and software procedures on which it runs acquire certain items of personal data, transmission of which is implicit in the use of Internet communication protocols. These include, for example, the IP addresses or domain names of users’ computers and devices, the URI/URL (Uniform Resource Identifier/Locator) addresses of the resources requested, the time of the request, the size of the file obtained and other parameters relating to users’ operating systems, in order to:
enable you to access and use the Website;
obtain statistical information regarding the use of the services (most visited pages, number of visitors per day or per time-band, geographical areas of origin, etc.);
check that the services offered are working properly.
The legal basis for processing your data for the purposes set out in points 1, 2 and 3 is the fulfilment of a request from you, pursuant to Article 6(1)(b) of the GDPR. Should you refuse to provide this data, you will be unable to consult the Website.
RESPONSE TO REQUESTS FOR INFORMATION
The “Contact Us” section of the Website contains a contact form that you can use to voluntarily provide certain items of basic personal data (e.g. email address, telephone number, name and surname, etc.) in order to request the information you need about the selected service. If you decide to fill in the contact form, the Data Controller will process your personal data for the sole purpose of responding to your request for information.
The legal basis for processing your data for this purpose is the fulfilment of a request from you, pursuant to Article 6(1)(b) of the GDPR.
Providing your personal data for the aforementioned purpose is optional. Should you decide not to provide your personal data, however, you will be unable to obtain the information you need.
For this purpose, the personal data provided through the Website will be kept for the time necessary to fulfil the request.
PURPOSE OF PROMOTIONAL COMMUNICATION
If you provide your personal data for information purposes (para. 2.2), the Data Controller will assume that you are potentially interested in receiving information about Cogenio's initiatives and services.
In these circumstances, the Data Controller’s intention is to use your personal data (name, surname, telephone number, email address) to send you promotional communications about Cogenio initiatives and services. These communications may be by traditional (e.g. telephone calls) and/or automated means of contact (e.g. email, fax, pre-recorded telephone calls, SMS, MMS, instant messaging, etc.).
Your personal data will only be used for promotional communication purposes if you give your express consent (on the legal basis set down in Article 6(1)(a) of the GDPR), by selecting the checkbox that appears when you submit your data.
Each time you receive an email communication, however, you can opt out of receiving any further communications from Cogenio by simply clicking the opt-out link (“If you no longer want to receive these emails, click here”) that appears in all electronic commercial communications, or by contacting the Data Controller at the address given in point 1 above.
Your personal data will be processed for this promotional purpose until you decide to withdraw your consent or object to the continuation of processing by contacting the Data Controller at the address given in point 1 of this Policy.
Signing up for promotional initiatives is optional and opting out of doing so will have no consequences on the other purposes of processing mentioned in this policy. It will, however, prevent Cogenio from keeping you informed of any of its further initiatives and services.
DISCLOSURE OF DATA TO THIRD PARTIES FOR MARKETING PURPOSES
If you provide your personal data for information purposes (para. 2.2), Cogenio may disclose or transfer your personal data to third parties (companies involved in commercial partnerships with Cogenio), which may process it for the purpose of sending you commercial or promotional communications or newsletters.
You can request a copy of the full, up-to-date list of the Cogenio partner companies to which your personal data may be disclosed, by contacting the Data Controller at the address provided in Article 1 of this Policy.
The processing of your data for this purpose is based on the condition of lawfulness set down in Article 6(1)(a) of the GDPR, i.e. your consent.
Your personal data will be processed for the specified purposes in accordance with the GDPR, using hard-copy and ICT systems, in such a way as to ensure an adequate level of security and confidentiality, in accordance with the requirements of Article 32 of the GDPR.
The processing of personal data means collecting, recording, organising, storing, processing, editing, selecting, extracting, comparing, using, interconnecting, blocking, communicating, disseminating, erasing or destroying personal data, or any combination of two or more of the above operations, including by automated means of storing, managing and transmitting said data, using appropriate tools to ensure its security and confidentiality.
RECIPIENTS OF YOUR PERSONAL DATA AND PERSONS WHO MAY GAIN ACCESS TO IT
In pursuit of the purposes described in para. 2 above, the processed personal data will be accessible to employees, equivalent personnel and external contractors operating on behalf of Cogenio as persons authorised to process personal data.
Furthermore, in pursuit of the purposes described in para. 2 above, your personal data may be processed by third parties belonging, by way of example, to the following categories:
parties providing services relating to the management of the IT system, including server hosting and backup services;
providers of technical support services;
aother service providers;
supervisory and regulatory agencies and authorities, and public or private bodies responsible for fulfilling functions relating to public law;
companies involved in commercial partnerships with Cogenio.
In some cases, the parties belonging to the aforementioned categories operate with full autonomy as distinct Data Controllers, whereas in others, they operate as Data Processors specifically appointed by the Data Controller in accordance with Article 28 of the GDPR.
The disclosure of your data to parties belonging to the aforementioned categories and operating as autonomous Data Controllers does not require your consent, because it is based on the legitimate interest of the Data Controller, insofar as the said disclosures are necessary for the purposes mentioned in paragraph 2 above. You can request a full, up-to-date list of the parties to whom your personal data may be communicated, by contacting the Data Controller at the address provided in para. 1 of the Policy.
TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION
The Data Controller does not intend to transfer your personal data to countries outside the European Union.
WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?
In relation to the processing described in this Policy, you may, as a Data Subject and under the conditions specified in the GDPR, exercise the rights set down in Articles 15 – 21 of the GDPR, namely:
right of access –
Article 15 of the GDPR: the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, to obtain access to your personal data – including a copy thereof – and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed;
the period for which the personal data will be stored, or the criteria used to determine that period;
the Data Subject’s rights (rectification or erasure of personal data, restriction of processing and the right to object to such processing);
the right to lodge a complaint with the supervisory authority;
where the personal data are not collected from the Data Subject, the right to any available information as to their source;
the existence of automated decision-making, including profiling, and meaningful information about the logic involved and the envisaged consequences of such processing for the data subject.
right to rectification –
Article 16 of the GDPR: the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the right to have incomplete personal data completed.
right to erasure (right to be forgotten) –
Article 17 of the GDPR: the right to obtain, without undue delay, the erasure of personal data concerning you, where one of the following applies:
the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
you withdraw your consent and there is no other legal ground for the processing;
you have successfully objected to the processing of your personal data;
the data have been unlawfully processed;
the data have to be erased for compliance with a legal obligation;
he personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
The right to erasure shall not apply where processing is necessary for the fulfilment of a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims.
right to restriction of processing–
Article 18 of the GDPR: the right to obtain restriction of processing, where one of the following applies:
the accuracy of the personal data is contested by the data subject;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the personal data are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing pending verification of whether the legitimate grounds of the controller override those of the data subject.
right to data portability –
Article 20 of the GDPR: the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance, where the processing is based on consent and is carried out by automated means. Furthermore, the right to have your personal data transmitted directly by the data controller to another data controller, where technically feasible.
right to object –
Article 21 of the GDPR: the right to object to the processing of personal data concerning you unless the controller has legitimate grounds to continue processing them.
right to make a complaint to the Personal Data Protection Authority,
Piazza Venezia n. 11, 00187, Rome (RM).
The above rights may be exercised, in relation to the Data Controller, by contacting the reference persons indicated in para. 1 above. The Data Controller will take charge of your request and provide you, without undue delay and, in any event, within one month of receipt of your request, with information regarding the action taken in connection therewith.
You may exercise your rights as a Data Subject free of charge pursuant to Article 12 of the GDPR. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge you a reasonable fee taking into account the administrative costs of dealing with your request, or refuse to act on the request.
Lastly, you are advised that the Data Controller may request any further information necessary to confirm the identity of the Data Subject.