Users are kindly requested to review this document each time they connect to the Site, as it may be subject to revisions, integrations, and/or modifications, occasioned by legislative prescriptions and/or changes and/or integrations to the Site’s functionality.
Data Controller of Personal Data:
Agrestis Soc. Coop. Agricola Via Pappalardo 11, 96010 Buccheri (SR), VAT No: 01440920898
Email address of the Data Controller: email@example.com
TYPES OF DATA COLLECTED
Personal Data may be freely provided by the User or, in the case of Usage Data, collected automatically during the use of the Site.
Unless otherwise specified, all Data requested by the Site are mandatory. If the User refuses to communicate them, it may be impossible to provide the Service.
In cases where the Site indicates some Data as optional, Users are free not to communicate such Data, without this having any consequence on the availability of the Service or its operation.
Users who have doubts about which Data are mandatory are invited to contact the Data Controller.
The User assumes responsibility for the Personal Data of third parties obtained, published, or shared through the Site and guarantees to have the right to communicate or disseminate them, releasing the Data Controller from any liability towards third parties.
METHODS AND PLACE OF PROCESSING THE COLLECTED DATA
The Data Controller adopts appropriate security measures aimed at preventing unauthorized access, disclosure, modification, or unauthorized destruction of Personal Data.
Processing is carried out using IT and/or telematic tools, with organizational methods and with logic strictly related to the purposes indicated. In addition to the Data Controller, in some cases, other parties involved in the organization of the Data Controller and/or in the management of the Site (such as, but not limited to: administrative, commercial, marketing, legal staff, system administrators, etc.) or external parties (such as, but not limited to: third-party technical service providers, postal couriers, hosting providers, IT companies, communication agencies, and/or email message management service providers, etc.) appointed, if necessary, as Data Processors by the Data Controller, may have access to the Data. The updated list of Data Processors may always be requested from the Data Controller.
LEGAL BASIS OF PROCESSING
The Data Controller lawfully processes Personal Data relating to the User if one of the following conditions exists:
- The Data Subject has given consent to the processing of their Personal Data for one or more specific purposes, as per GDPR, art. 6, paragraph 1, letter a). Note: In some jurisdictions, the Data Controller may be authorized to process Personal Data without the User’s consent or without another of the legal bases specified below, until the User objects (“opt-out”) to such Processing. However, this is not applicable if the processing of Personal Data is regulated by European legislation on the protection of personal data;
- The Processing is necessary for the performance of a contract with the User and/or for the execution of pre-contractual measures, as per art. 6, paragraph 1, letter b) of GDPR 2016/679;
- Processing of Personal Data is necessary to fulfill a legal obligation to which the Data Controller is subject, as per GDPR, art. 6, paragraph 1, letter c);
- The Processing is necessary for the protection of the vital interests of the data subject or another natural person, as per GDPR, art. 6, paragraph 1, letter d);
- The Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, as per art. 6, paragraph 1, letter e) of GDPR;
- The Processing of Personal Data is necessary for the pursuit of the legitimate interest of the Data Controller or third parties, provided that such interests are not overridden by the interests or rights and freedoms of the Data Subject requiring the protection of personal data, in particular where the Data Subject is a child, all as per GDPR, art. 6, paragraph 1, letter f).
Under art. 6 of the GDPR, Personal Data acquired through the Site without the consent of the Data Subject will be processed by the Data Controller for the management and maintenance of the Site, to allow the enjoyment of the Services, to fulfill User requests, to allow effective communication with customers, to fulfill obligations under the law, regulations, community legislation or orders of Authorities or otherwise for purposes connected to the activities and functions of the Data Controller or finally to prevent or detect fraudulent activities or abuses detrimental to the Data Controller through the Site.
It is always possible to ask the Data Controller to clarify the concrete legal basis of each Processing and, in particular, to specify whether the Processing is based on the law, provided for by a contract, or necessary to conclude a contract.
PLACE OF PROCESSING THE PERSONAL DATA
Data is processed at the legal and/or operational headquarters of the Data Controller and/or in any other place where the parties involved in the Processing are located and/or at the Data Controller’s Offices and/or at other subjects or IT systems/servers of other subjects specially designated as external Data Processors.
For more information, the User is invited to contact the Data Controller.
The User’s Personal Data may be transferred to a country other than the one in which the User is located. For more information on the place of Processing, the User can consult the relevant section of this information notice.
The User has the right to obtain information regarding the legal basis for the transfer of Data outside the European Union or to an international organization of public international law or constituted by two or more countries (such as, for example, the UN), as well as the security measures adopted by the Data Controller to protect the Data. If one of the transfers just described takes place, the User can refer to the respective sections of this document or request information from the Data Controller (as specified in the “CONTACT INFORMATION” section).
PERIOD OF RETENTION
Data is processed and stored for the time required by the purposes for which it was collected.
The User can obtain further information regarding the period of retention of individual Personal Data processed by contacting the Data Controller (as specified in the “CONTACT INFORMATION” section).
At the end of the retention period, Personal Data will be deleted. Therefore, at the end of such period, the right of access, cancellation, rectification, and the right to data portability, opposition, limitation to their processing can no longer be exercised.
PURPOSES OF PROCESSING COLLECTED DATA
The User’s Data is collected to allow the Data Controller to provide its Services, as well as for the following purposes:
Contacting the User Statistics Displaying content from external/third-party platforms Contact management and sending messages and/or newsletters Interaction with data collection platforms and other third parties Behavioral targeting and remarketing Interaction with online quiz platforms Registration and authentication Platform services For more detailed information on the purposes of the Processing and on the Personal Data concretely relevant to each purpose, the User can refer to the following section of this document.
DETAILS ON THE PROCESSING OF PERSONAL DATA
To verify the methods of Processing Personal Data according to the purposes pursued, the User can consult the special section below.
Contacting the User: To contact the User, the Data Controller may use the Personal Data collected through the following tools:
Contact form; Mailing list or sending newsletters (if the User has subscribed to the related service).
Personal Data: name; surname; e-mail address, telephone number, gender, date of birth, Data regarding the skin, Data on products purchased/for which the User is interested, Cookies, Usage Data, other types of Data.
For the contact form, the Google invisible reCaptcha service is active (see the specific section below).
Statistics The services contained in this section allow the Data Controller to monitor and analyze traffic data and are used to track User behavior.
These purposes are pursued through the following tools:
Google Analytics with anonymized IP;
Google Analytics is a web analysis service provided by Google for statistical purposes to understand how visitors interact with the Site, compile reports, and share them with other services developed by Google. Google Analytics may use a set of cookies to collect information and generate statistics on the use of the Site, without providing personal information about individual visitors to Google. The user’s IP address is anonymized. Anonymization works by shortening the IP address within the borders of the member states of the European Union or other countries adhering to the agreement on the European Economic Area. Only in exceptional cases will the IP address be sent to Google’s servers and shortened within the United States.
It should be noted that data may also be processed outside the EEA.
Users are also advised that since July 16, 2020, Google no longer bases the Processing of Personal Data of Users on the EU-U.S. Privacy Shield (EU-USA privacy shield) to transfer data from the European Economic Area and the United Kingdom to the United States; more precisely, since September 30, 2020, Google has updated its policy on the Processing of Personal Data and uses the standard contractual clauses approved by the European Commission and based on the European Commission’s adequacy decisions regarding certain countries, depending on the case, for data transfers from the EEA to the United States and other Countries.
Google Tag Manager This Site uses Google Tag Manager. Google Tag Manager is a solution managed by Google LLC that allows managing tags of managed websites using a specific interface.
The same Tag Manager tool (which implements the tags) is a cookie-free domain and does not record Personal Data. This tool allows the activation of other tags that may, on their part, record Data under certain circumstances.
Personal Data: Usage Data; other types of Data.
Display of content from external platforms / third parties This type of service allows the display of content hosted on external platforms directly from the pages of the Site and to interact with them.
In the case that a service of this type is installed, it is possible that, even in the case of non-concrete use, it collects traffic data relating to the pages in which it is installed.
These purposes are pursued by means of:
Facebook, Facebook Widget; On the Site, there are redirection or sharing buttons to the social platform Facebook, and to the individual social network pages traceable to the Data Controller.
Facebook shares information globally, both internally with Facebook companies and externally with its partners and with people with whom the user connects and shares content around the world. The information controlled by Facebook may be transferred or transmitted or stored and processed in the United States or other countries outside the EEA.
Furthermore, by visiting the Site, the Facebook Pixel cookie may be installed, which allows the Data Controller to monitor the conversions that occur on the Site as a result of the ads being run on Facebook.
The information detected through cookies may be shared with organizations outside of Facebook, such as advertisers and/or advertising networks for the publication of ads and for measuring the effectiveness of advertising campaigns.
Users are also advised that since July 16, 2020, Facebook no longer bases the Processing of Users’ Personal Data on the EU-U.S. Privacy Shield (EU-USA privacy shield) to transfer data from the European Economic Area and the United Kingdom to the United States; but uses standard contractual clauses approved by the European Commission and based on the European Commission’s adequacy decisions regarding certain countries, depending on the case, for data transfers from the EEA to the United States and other Countries.
In this case, the following Personal Data is processed: Cookies; Usage Data; other types of Data.
Instagram, Instagram Widget On the Site, there are redirection or sharing buttons to the social platform Instagram, owned by Facebook, and to individual social network pages traceable to the Data Controller.
Facebook/Instagram shares information globally, both internally with Facebook/Instagram companies and externally with partners and with people with whom the user connects.
The information controlled by Facebook/Instagram may be transferred and/or transmitted and/or stored and/or processed in the United States or other countries outside the user’s country of residence or outside the EEA for the purposes described in the legislation at the following links: Facebook Conditions; Instagram Conditions.
Users are also advised that since July 16, 2020, Facebook/Instagram no longer bases the Processing of Users’ Personal Data on the EU-U.S. Privacy Shield (EU-USA privacy shield) to transfer data from the European Economic Area and the United Kingdom to the United States; but uses standard contractual clauses approved by the European Commission and based on the European Commission’s adequacy decisions regarding certain countries, depending on the case, for data transfers from the EEA to the United States and other Countries.
In this case, the following Personal Data is processed: Cookies; Usage Data; other types of Data.
Regarding the conditions of use of the Instagram service, users are finally invited to consult the said conditions.
Google Maps Google Maps is a map display service operated by Google LLC or Google Ireland Limited, depending on the location where the Site is displayed, which allows the Site to integrate such content within its pages.
Personal Data: Cookies; Usage Data; other types of Data.
Data may be processed outside the EEA.
Users are also advised that since July 16, 2020, Google no longer bases the Processing of Users’ Personal Data on the EU-U.S. Privacy Shield (EU-USA privacy shield) to transfer data from the European Economic Area and the United Kingdom to the United States; more precisely, since September 30, 2020, Google has updated its policy on the Processing of Personal Data and uses the standard contractual clauses approved by the European Commission and based on the European Commission’s adequacy decisions regarding certain countries, depending on the case, for data transfers from the EEA to the United States and other Countries.
Contact management and sending messages and/or newsletters This type of service allows managing a database of email contacts, telephone contacts, or contacts of any other type, used to communicate with the user.
These services might also allow collecting data related to the date and time of viewing of messages by the user, as well as the user’s interaction with them (e.g., the detection of the use of links inserted in the messages).
This purpose is pursued by means of the following tool:
MailChimp For the purpose of sending newsletters, this Website uses the third-party service MailChimp, which analyzes and categorizes requests through the contact form on the Site (see: https://mailchimp.com/legal/data-processing-addendum/). Mailchimp is a software company based in the United States that provides tools for social media marketing, content management, web data analysis, landing pages, customer service, and search engine optimization.
Therefore, by filling out the relevant form and providing the necessary consents, the User’s email address is automatically added to a contact list (managed via Mailchimp) to which email messages containing a periodic newsletter on the initiatives and activities of the Data Controller can be sent. These may include, for example, awareness campaigns and/or fundraising and/or marketing and/or special newsletters for general or urgent information, including commercial and promotional content.
If the User does not want MailChimp to process their Data, we recommend contacting us in another way (e.g., via email) instead of using the contact form.
OPT-OUT: If the User does not want their Data collected, they can prevent the storage of Cookies at any time using their browser settings.
The User is informed that the Data collected may also be used by the Data Controller for profiling purposes (direct marketing) to suggest products that are most suitable for the User’s interests.
Personal Data: name and surname, email address, telephone number, gender, date of birth, skin data, data on products purchased/which the User is interested in, Cookies; Usage Data; other types of Data.
Interaction with Data Collection Platforms and Other Third Parties This type of service allows Users to interact with data collection platforms or other services directly from the pages of the Site for the purpose of saving and reusing data.
If one of these services is installed, it may collect Usage Data related to the pages where it is installed, even if the Users do not use the service.
By using reCAPTCHA, data is transmitted to Google to determine whether the User is truly human. reCAPTCHA thus ensures the security of our website and, consequently, the User’s security.
The IP addresses and other data required by Google for its reCAPTCHA service may be sent to Google, whose servers may be located in the USA.
First, the reCAPTCHA algorithm checks whether Google cookies from other Google services (YouTube, Gmail, etc.) have already been placed in the User’s browser. Then reCAPTCHA sets an additional cookie in the User’s browser and takes a snapshot of the browser window.
The IP address that the User’s browser transmits to Google is generally not merged with other Google data from other company services.
However, data will be merged if the User is logged into their Google account while using the reCAPTCHA plugin.
If you want to prevent your data and behavior from being transmitted to Google, you must completely log out of Google and delete all Google cookies before visiting our website or using the reCAPTCHA software. Generally, data is automatically sent to Google as soon as you visit our website. To delete this data, you must contact Google Support at https://support.google.com/?hl=en-GB&tid=111401120.
By using our website, you agree that Google LLC and its representatives may automatically collect, modify, and use data.
For more information about reCAPTCHA, please visit Google’s developer page at https://developers.google.com/recaptcha/.
Personal Data: Cookies; Usage Data; other types of Data.
Google Tag Manager This Site uses Google Tag Manager. Google Tag Manager is a solution managed by Google LLC that allows you to manage website tags using a special interface.
The same Tag Manager tool (which implements the tags) is a domain without cookies and does not record Personal Data. This tool allows the activation of other tags that may record Data under certain circumstances.
Personal Data: Usage Data; other types of Data.
Behavioral Targeting and Remarketing This type of service allows this Site and its partners to inform, optimize, and prepare advertisements based on the User’s past use of this Site.
This activity is facilitated by tracking Usage Data and using trackers to collect information that is then transferred to partners who manage remarketing and behavioral targeting activities.
Some services offer a remarketing option based on email address lists.
Facebook and Instagram Remarketing Facebook (and Instagram) remarketing is a remarketing and behavioral targeting service provided by Facebook Inc.
With the help of Facebook’s pixel (or equivalent functions for transferring event data or contact information via interfaces or other software in apps), Facebook (/Instagram) can target visitors to this Site’s online services as a target for presenting advertisements.
Therefore, this Site uses Facebook Inc.’s “Custom Audiences” remarketing function: this allows Users of the Site to see interest-based advertisements (“Facebook Ads” or “Instagram Ads”) when browsing the Facebook or Instagram social networks or other websites that use this process. This shows the User ads that interest them in order to make online offers more interesting for them.
The use of Custom Audience means that the User’s browser automatically establishes a direct connection to the Facebook/Instagram server.
The Data collected is processed by Facebook Inc. in the United States.
This Site has no power over the scope of the Data collected and the further use of the Data by Facebook Inc.: therefore, please carefully read the relevant Privacy Policies of Facebook and Instagram.
The User can obtain more information about Facebook’s behavioral advertising by visiting this page: https://www.facebook.com/help/164968693837950.
To disable Facebook ads based on interests, please follow these instructions: https://www.facebook.com/help/568137493302217.
Facebook adheres to the Self-Regulatory Principles for Online Behavioral Advertising established by the Digital Advertising Alliance. To opt-out of Facebook and other participating companies through the Digital Advertising Alliance in the United States http://www.aboutads.info/choices/, the Digital Advertising Alliance of Canada in Canada http://youradchoices.ca/ or the European Interactive Digital Advertising Alliance in Europe http://www.youronlinechoices.eu/, or disable it using the settings of your mobile device.
Disabling the “Facebook Custom Audiences” function is available for users logged in at https://www.facebook.com/settings/?tab=ads#.
Personal Data: Usage Data; email, Cookies, other types of Data.
Registration and Authentication Tools:
Personal data: various types of Data.
Platform Services The Site was created using the WordPress.com platform.
Personal Data: various types of Data.
The Privacy Shield, or the “privacy shield” between the EU and the USA, is a self-certification mechanism for companies established in the USA that intend to receive Personal Data from the European Union. It was also deemed adequate by the European Commission in 2016.
In particular, companies commit to respecting the principles contained therein and to providing the interested parties (i.e., all subjects whose Personal Data have been transferred from the European Union) with adequate protection tools, under penalty of deletion from the list of certified companies (“Privacy Shield List”) by the U.S. Department of Commerce and possible sanctions by the Federal Trade Commission.
However, with Decision 2016/1250 of July 16, 2020, on the adequacy of protection offered by the EU-US privacy shield regime – known as the “Schrems II Judgment”, the Court of Justice of the European Union (CJEU) found that the Privacy Shield does not offer an adequate level of protection for Personal Data transferred from the EU to a company established in the United States.
In the same ruling, the European Court of Justice confirmed Decision 2010/87, judging the standard contractual clauses for the transfer of personal data from the EU to a non-EU state to be valid.
Users are invited to consult the FAQs related to the Schrems II judgment and its effects prepared by the European Data Protection Board (EDPB), the website www.privacyshield.gov, and the website of the Italian Data Protection Authority for a better understanding of the matter.
COMMUNICATION AND TRANSFER OF DATA
The Data Controller emphasizes that the utmost care and confidentiality in Data Processing is one of its core values.
The User’s Data may be communicated to third parties.
The Data Controller may use Data Processors and service providers, as necessary to provide the services, such as authentication services, hosting and maintenance, data analysis services, email messaging services, delivery services, payment transaction management, creditworthiness, and email and address verification.
Some of the Data Processors/service providers mentioned in the previous sections are located outside the European Union (EU)/European Economic Area (EEA). In any case, the User’s Personal Data will be shared with countries outside the EU/EEA, provided that:
- The country in question is considered a safe third country;
- The Data Processor/service provider in question has adhered to the European Commission’s standard contractual clauses for the transfer of Personal Data to third countries;
- The Data Processor/service provider in question is certified under Article 40 of the GDPR or
- The Data Processor/service provider in question has a set of binding corporate rules approved.
It is also possible that the User’s Personal Data, particularly the email, may be communicated or shared with companies and/or third parties with whom the Data Controller collaborates and/or has signed agreements if the Users have subscribed to the newsletter, expressly consenting with the “point and click” method to the transfer of said Data to companies and/or third parties for the purposes indicated in the relevant consent, including marketing purposes and profiling.
The User may exercise the following rights concerning the Data processed by the Data Controller:
- The right to revoke consent at any time. The User may revoke the consent previously expressed to the processing of their Personal Data (see GDPR, Art. 7);
- The right to access. The User has the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning them are being processed and, in such cases, access to their Personal Data and receive all information about them (including the purposes of the processing), as well as a copy of said Data (see GDPR, Art. 15);
- The right to rectify their Personal Data. The User has the right to obtain from the Data Controller the rectification of inaccurate Personal Data concerning them without undue delay. Considering the purposes of the processing, the data subject has the right to have incomplete Personal Data completed, including by providing a supplementary statement (see GDPR, Art. 16);
- The right to erasure (“right to be forgotten”). The User has the right to obtain from the Data Controller the erasure of Personal Data concerning them without undue delay in such cases: if the Personal Data are no longer necessary or the User revokes the consent on which the processing is based and there is no other legal basis for the processing, or if the User objects to the processing or the Personal Data have been unlawfully processed, or if they must be erased to comply with a legal obligation provided for by Union or Member State law to which the Data Controller is subject, or if the Personal Data have been collected in relation to the offer of information society services (see GDPR, Art. 17);
- The right to restrict processing. The User has the right to obtain from the Data Controller the restriction of processing in the following cases: if the accuracy of the Personal Data is contested by the User, or if the processing is unlawful and the data subject opposes the erasure of the Personal Data and requests the restriction of their use, or if the User who has opposed the processing is awaiting the verification of the possible prevalence of the Data Controller’s legitimate reasons over those of the User (see GDPR, Art. 18);
- The right to data portability. The User has the right to receive the Personal Data concerning them, which they have provided to the Data Controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another data controller without hindrance from the Data Controller to whom the personal data have been provided (see GDPR, Art. 20);
- The right to object to the processing of Personal Data. The User can object at any time to the processing of personal data concerning them (when carried out on a legal basis other than consent). In particular, where Personal Data are processed for direct marketing purposes, the User has the right to object at any time to the processing of personal data concerning them carried out for such purposes, including profiling to the extent that it is related to such direct marketing (see GDPR, Art. 21);
- The right to lodge a complaint with the competent supervisory authority. The User can lodge a complaint with the competent data protection supervisory authority (in Italy: www.garanteprivacy.it) and before the competent courts of the Member States (see GDPR, Art. 77 et seq.).
How to Exercise Rights
To exercise their rights as indicated above, Users, without payment of any fee or compensation (except as provided for in Art. 12, paragraph 5 of the GDPR), can address a request to the contact details of the Data Controller present in the “CONTACTS” section.
Further Information on Processing
Defense in Court
The User’s Personal Data may be used by the Data Controller in court or in the preparatory phases of its possible establishment for defense against abuses in the use of the Site or the connected Services by the User.
The User declares to be aware that the Data Controller may be obliged to reveal/communicate the Data by order of public authorities.
System Logs and Maintenance
For needs related to operation and maintenance, the Site and any third-party services used by it may collect system logs, i.e., files that record interactions and may contain Personal Data, such as the User’s IP address.
Further information concerning the Processing of Personal Data may be requested at any time from the Data Controller as specified in the “CONTACT INFORMATION” section.
DEFINITIONS AND LEGAL REFERENCES
“Cookie” or “Cookies”
Small portion(s) of data stored within the User’s device.
“Personal Data” or “Data” or “Personal Data” or “Data”
Any information referable to a Data Subject.
“Sensitive and/or special data”
Personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a physical person, data concerning health or sex life or sexual orientation of the person.
Information collected automatically through the Site and/or by third-party applications integrated into the Site, including: the IP addresses or domain names of the computers used by the User connecting to the Site, the addresses in URI (Uniform Resource Identifier) notation, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), the country of origin, the characteristics of the browser and operating system used by the visitor, the various temporal connotations of the visit (for example, the time spent on each page), and details related to the itinerary followed within the Application, with particular reference to the sequence of pages consulted, to the parameters relative to the operating system, and to the User’s computer environment.
“Data Subject” or “Data Subjects”
The physical person identified or identifiable to whom the Personal Data refer. A physical person is considered identifiable, directly or indirectly, with particular reference to an identifier such as the name, an identification number, data related to location, an online identifier, or to one or more characteristic elements of his/her physical, physiological, genetic, psychic, economic, cultural, or social identity.
Any form of automated processing of Personal Data consisting of using such Personal Data to evaluate certain personal aspects relating to a physical person, in particular to analyze or predict aspects concerning that physical person’s professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
The service/services provided by the Site as defined in the relevant terms (if present) on this site/application.
“Data Controller” or “Controller”
Any operation or set of operations, performed with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, restriction, erasure or destruction.
“European Union” or “EU”
Unless otherwise specified, any reference to the European Union contained in this document is intended to extend to all current member states of the European Union and the European Economic Area (EEA).
“User” or “Users”
The individual or individuals who use the Site and who, unless otherwise specified, coincide with the Data Subject.
This privacy statement is drawn up based on the current legislation on the subject, and in particular as provided by Articles 13 and 14 of the Regulation (EU) 2016/679 (GDPR), the related adaptation legislation D. Lgs. 101/2018, and to the extent that it is still applicable from D. Lgs. 196/2003.
Date of last update: February 8, 2021.”