Privacy Policy for Personal Data Processing
For the site’s cookie policy, please refer to the dedicated page.
1. Identity of the Data Controller. Data Protection Officer. Contact Details
In compliance with the obligations prescribed by art. 13 of the European Regulation 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) and the applicable national legislation regarding the protection of individuals with regard to the processing of personal data, as well as the free movement of such data, Slow Food Gallura APS, with registered office at Via Genova 55, Olbia (SS), contactable at the email address: slowfoodgallura@gmail.com, in its capacity as Data Controller (hereinafter “Controller”), considering the importance it assigns to the protection and security of personal data provided through this site, informs that it has appointed a Data Protection Officer (DPO), pursuant to and for the purposes of arts. 37-39 GDPR, Simona Gay, Vice President of Slow Food Gallura APS, contactable at: simona.gay20@gmail.com.
2. Definitions
For the purposes of the cited legislation, the following definitions apply:
«personal data»: any information concerning an identified or identifiable natural person (“data subject”); a person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity;
«processing»: any operation or set of operations performed with or without automated processes concerning personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, transmission by communication, dissemination or otherwise making available, comparison or interconnection, restriction, erasure, or destruction;
«archive»: any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or distributed in a functional or geographical manner;
«Data Controller»: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; when the purposes and means are determined by Union or Member State law, the Data Controller or the specific criteria for its designation may be provided for by Union or Member State law;
«Data Processor»: the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller;
«Recipient»: the natural or legal person, public authority, service, or other body which receives communication of personal data, whether or not a third party. However, public authorities which may receive communication of personal data in the context of a specific inquiry according to Union or Member State law are not considered recipients; the processing of such data by these authorities is in accordance with applicable data protection rules and for the purposes of the processing;
«Consent of the Data Subject»: any free, specific, informed, and unambiguous indication of the Data Subject’s wishes, by which they manifest their consent to the processing of personal data concerning them, through a statement or clear affirmative action.
3. Categories of personal data processed. Mandatory/optional nature of data provision. Consequences of non-provision
The Controller processes the personal data relating to the user as a “data subject”, which are voluntarily communicated or legitimately obtained.
Provision of Personal Data can occur through filling in the appropriate fields in various sections of the Site, contacting Customer Service, or by sending requests via email where provided.
The site contains almost no information directly aimed at minors. Minors must not provide information or personal data. Participation in contests possibly present on the website is exclusively for adults.
Specifically, the following personal data are processed:
3.1 Data related to the operation of this site
The computer systems and software procedures responsible for the operation of this website acquire, during their normal operation, the following personal data, the transmission of which is implied in the use of Internet communication protocols, such as: IP addresses; browser type used; addresses of websites from which access was made; access time; other parameters related to navigation, etc.
This information is not collected to be associated with identified data subjects, but by its nature it could allow identification of users through processing and association with other data held by third parties.
3.2 Data related to promotional activities and profiling
Optionally, with the explicit consent of the data subject (obtained through voluntary selection of the appropriate flags), contact details voluntarily provided may be used for promotional communications and/or the service may be personalized based on preferences expressed during form completion.
These are personal data not belonging to special categories (such as, for example, name, surname, phone number, email address, date of birth, residence address, etc.), provided by the data subject to enable their identification and/or the execution of the requested service (e.g., sending newsletters or communicating promotional initiatives of the Controller) or additional data to enable a personalized service (profiling), in each case only with explicit consent.
Data falling into this category are optional, and therefore the consent regarding their processing can be denied or revoked by the data subject at any time and with the same ease as it was given, without prejudice to the lawfulness of the processing carried out before revocation. The non-provision and/or revocation of consent to the processing of such data will not prevent the user from accessing the service (the “user”), but the Controller will not be able to send promotional communications, grant access to promotional benefits, or personalize the delivery based on preferences expressed.
4. Purpose of data processing and legal basis
Below are the purposes of processing the personal data relating to the user (data subject), whether those automatically acquired through navigation or voluntarily provided by the user, according to the needs expressed at the time of accessing contact services and/or various sections of the website, through online forms or direct access via links to the Controller’s email address related to the requested service.
4.1 Data related to the operation of this site
Navigation data are processed solely by authorized personnel to achieve the purpose of accessing the website sections, participating in promotions, games, or contests, including activities such as evaluating, assigning, and/or communicating digital discount coupons (also via transactional emails), and related prizes, responding to requests received via email (e.g., technical issues regarding access or contest operation). The legal basis for this is the execution of pre-contractual measures or a contract (art. 6, par.1, lett. b GDPR), or to maintain the site, where the legal basis is the legitimate interest of the Controller to ensure site security, proper functioning, and to obtain usage statistics (art. 6, par.1, lett. f GDPR).
4.2 Data related to promotional activities (so-called marketing) and/or market research
With the user’s prior consent and until revocation, the Controller may carry out marketing activities such as, by way of example but not limited to: subscription to the newsletter, using contact data provided by the data subject (mail, phone, email), market research, sending informational and promotional material, marketing and advertising activities concerning the products and services of the Controller, assessing user satisfaction regarding product quality, services provided, and activities carried out by the Controller, either directly or through specialized companies, using remote communication techniques including automated contact methods (such as SMS, MMS, fax, automated calls, email, messages on web applications) and traditional methods (such as postal mail and calls with operators), conducting surveys, statistical investigations for marketing purposes, analyzing consumption habits or choices, and defining user profiles based on information provided during registration, questionnaire completion, web navigation actions, interaction with advertising banners, or through digital coupons. Users may also publish news or communications (“posts”) directly on the Controller’s websites or on third-party sites with whom agreements are in place, such as social networks like Facebook, Twitter, Pinterest, etc. (hereinafter “Social Networks”). Posts may be published under a pseudonym chosen during registration, and the user is solely responsible for any choices that may prejudice third-party interests. The user is not required to use personal data that would allow third parties to identify them, but they may choose to include personal data in their nickname or profile picture.
In all such cases, the legal basis for processing is the specific and freely given consent of the data subject (art. 6, par.1, lett. a GDPR), which can be revoked at any time without affecting the lawfulness of processing based on consent before revocation.
Consent to the processing of personal data is optional; however, refusal or partial refusal to provide data or to consent to their processing and/or communication will prevent completion of the newsletter registration process and the execution of the requested service.
If consent is given only for promotional communications, registration to the newsletter service can be completed, and the processing will be limited to those data for the purposes mentioned, without the possibility of personalizing promotions or participating in loyalty programs based on expressed preferences.
At any time, the user can revoke the consent given for these purposes by sending a request to the contacts of the Controller indicated in point 1 of this policy.
Processing of all the personal data described above may in any case be carried out to manage and execute obligations under applicable law (accounting, administrative, fiscal, etc.), where the legal basis is compliance with a legal obligation (art. 6, par.1, lett. c GDPR), or to manage disputes and legal proceedings, where the legal basis is the legitimate interest of the Controller (art. 6, par.1, lett. f GDPR).
5. Processing methods. Categories of recipients. Transfers outside the EU
Personal data provided by the data subjects (interested parties), directly or indirectly, will be processed mainly through automated means, with logic closely related to the purposes outlined above, using archives managed by the Controller or third parties appointed as Data Processors (to view the complete and updated list of Data Processors, the interested party can contact the Controller at the contact addresses above) and/or integrated IT systems and/or websites owned or used by the Controller.
The Controller has adopted appropriate security measures to protect users (data subjects) against the risk of loss, misuse, or alteration of data. Although it is not possible to guarantee that data transmission over the Internet or websites is perfectly secure from intrusions, the Controller and its providers commit to maintaining physical, electronic, and procedural security measures to protect personal data, in accordance with legal requirements, through technical and organizational measures appropriate to the risk, as per art. 32 GDPR. The Controller uses secure transmission protocols known as http or https, processing data for the specified, explicit, and legitimate purposes for which they were collected, in a manner compatible with those purposes, based on principles of lawfulness, fairness, transparency, data minimization, accuracy, integrity, and confidentiality.
User (data subject) data are stored on servers located within the European territory or, in the case of electronic platforms such as Google and/or SAP Customer Data Cloud, may be transferred outside the EU territory by the Controller, ensuring compliance with applicable legal provisions and adequate safeguards, as provided by arts. 46, 47, and 49 GDPR. Servers are protected by advanced backup and disaster recovery systems, firewalls, and strict access restrictions based on necessity and for the purposes communicated; data transfer occurs through adequate security measures, with continuous monitoring of IT system access to prevent abuse.
Data collected from the web service are not disseminated and may only be communicated to employees or collaborators of the Controller who operate under its direct authority, process data, and are authorized to do so, or to system administrators, who receive appropriate operational instructions from the Controller. Data may also be communicated to third parties (public or private entities outside the Controller’s organizational context), appointed as Data Processors for specific processing activities (e.g., assistance, communication, promotions, sales, contest organization, IT service providers, website or app developers, electronic platform managers, transport companies, customer service providers). These third parties operate in outsourcing relationships, involved in providing the services requested by the data subject or necessary for legal obligations, and are bound by strict confidentiality, authorized solely to process data for the purpose of providing the requested service, unless communication to third parties is strictly necessary for fulfilling the user’s requests or explicitly authorized by the user, or required by public security authorities.
6. Data retention period
Personal data communicated by the data subject or otherwise processed by the Controller are stored for the time necessary to fulfill the specific purposes, as indicated below.
6.1 Data related to the operation of this site
The data referred to in point 3.1 and used solely to obtain anonymous statistical information about site usage and to monitor its proper functioning are stored for 6 months following the request for deletion from the service, exclusively to comply with this request.
In the case of processing for participation in contests, processing will be limited to the time strictly necessary to comply with legal retention obligations.
Personal data processed to respond to the user’s information requests will be stored in relation to the type of request for the time necessary to fulfill legal retention obligations and/or for legal needs.
6.2 Data related to promotional activities and/or market research
In case of consent to data processing for the purposes outlined in point 3.2, such data will be stored for the maximum period provided by applicable law, i.e., no more than two years for commercial communications and no more than one year for profiling, unless the user revokes consent earlier.
In both cases, the retention period may be extended to comply with legal obligations, requests from public authorities or supervisory bodies, or to conduct legal investigations or judicial protections, if necessary.
7. Rights of the Data Subject
In relation to the processing of personal data described, the data subject may at any time contact the Data Controller at the addresses indicated in point 1, without any formalities, to exercise the rights provided by arts. 15-22 GDPR, fully accessible on the website www.garanteprivacy.it/regolamentoue, within the limits and conditions set therein, and as exemplified below:
- Right of access: to confirm whether or not personal data concerning them are being processed and to obtain access to such data and specific information (e.g., purposes of processing, categories of data concerned, recipients to whom data are communicated);
- Right to rectification: to obtain the rectification of inaccurate data concerning them (e.g., to update, modify, or correct the data) without undue delay. In such cases, the data controller is obliged to communicate the rectification to all recipients to whom the data have been transmitted, unless this proves impossible or involves disproportionate effort;
- Right to erasure (the so-called right to be forgotten): to obtain the definitive deletion of data concerning them, with the data controller obliged to delete them without undue delay if certain reasons apply (e.g., data are no longer necessary for the purposes for which they were collected; the data subject revokes consent; data must be deleted for legal obligations). The data controller must communicate the deletion to all recipients to whom the data have been transmitted, unless this involves disproportionate effort;
- Right to restriction of processing: to impose a restriction on data processing, e.g., to only store the data, excluding any other use, in certain cases (e.g., if processing is unlawful and the data subject opposes deletion; if the data subject contests the accuracy, within the period necessary to verify accuracy). The data controller must communicate the restriction to all recipients unless this proves impossible or involves disproportionate effort;
- Right to data portability: to receive the personal data provided in a structured, commonly used, machine-readable format and transmit it to another data controller, if technically feasible;
- Right to object: to object at any time to processing for purposes of public interest, legitimate interests, marketing, or scientific, historical, or statistical research.
Pursuant to arts. 77 and 79 GDPR, the data subject also has the right to lodge a judicial complaint, without prejudice to any other administrative or extrajudicial remedy available, including the right to file a complaint with a supervisory authority (Garante per la protezione dei dati personali, Piazza Venezia n. 11 – 00187 Rome, www.gpdp.it – www.garanteprivacy.it, email: garante@gpdp.it, Fax: (+39) 06.69677.3785, Central phone: (+39) 06.69677.1).
The Data Controller reserves the right to make changes to this Privacy Policy at any time, with effects from the date of publication, by informing users on this page, which may be updated over time, also in compliance with European and national regulations. Users (data subjects) are therefore encouraged to regularly check the content of this Privacy Policy to ensure they agree with any modifications (referencing the last modification date at the bottom), and are obliged to cease browsing the website if they do not accept the changes.
Last updated: 09.05.2023