PRIVACY INFORMATION (ART. 13 EU REGULATION 679/2016 “GDPR”)
We inform you that the personal data referring to you, to your organization and/or to vs. personal data (hereafter “Data”) acquired or to be acquired by VILLA CANAL, as “Data Controller” (hereafter also “Data Controller”), will be treated in compliance with the legal requirements and your rights.
A. Methods of treatment
The processing may include the following operations (by telephone, telematics, written or verbal): collection, registration, organization, conservation and processing, modification, selection, extraction, comparison, use, interconnection also with data of other subjects on the basis of qualitative, quantitative and temporal criteria, recurring or definable from time to time, temporary treatment aimed at rapid aggregation or transformation of the Data themselves, adoption in discretionary form (never totally automated) of decisions, creation of basic profiles and information, communication, cancellation and destruction of Data, or combinations of two or more of the aforementioned operations.
The collection takes place from the interested party or through public registers, lists of deeds and documents and/or public and/or private databases (commercial information companies, company registers), or on websites of public and/or private bodies, and in this case it only concerns identification, contact, tax, solvency and economic-asset and financial situation data relating to the interested party or to internal contact persons of the customer or supplier such as for example directors, employees, etc., relating to the economic activity of the customer or supplier.
The processing is monitored by adequate technical and organizational security measures.
B. Purpose and legal basis of the processing
The purposes of the treatment are:
- satisfy pre-contractual needs (e.g. fulfillment of requests including sending of informative materials, estimates, etc.) and fulfillment of contractual obligations (e.g. following the stipulation of a loan agreement); legal basis of the processing is the fulfillment of a contract of which the interested party (you) is a part or the execution of pre-contractual measures adopted at the request of the same;
- fulfillment of legal obligations (e.g. bookkeeping; tax formalities, administrative and accounting management, etc.); legal basis of the processing is the fulfillment of a legal obligation to which the Data Controller is subject;
- management of customers and suppliers for aspects other than those sub 1-2 (internal organization of functional activities for the provision of services); the legal basis of the processing is the legitimate interest of the Data Controller to be able to process the Data in order to effectively and efficiently manage the relationship with its customers and/or suppliers and to manage the related internal and external organizational processes, deemed to prevail over the opposing interests in the confidentiality of personal data of the subjects to whom the data refer;
- commercial promotion activities through the publication of images (photographs or videos) depicting the events organized at the VILLA CANAL premises; the legal basis of this treatment is the prior consent of the interested party.
C. Data Communication
Without prejudice to the communication to third parties carried out in execution of legal obligations or deriving from regulations or other Community legislation, or at the request of judicial offices or other third parties to whom the right is recognized by the aforementioned provisions, the Data may be communicated by us to the following categories of third party recipients: 1) banks and credit institutions, for the management of payments; 2) insurance companies; 3) credit recovery companies, factoring companies, leasing companies, credit insurance or assignment companies, credit consortia (only for the purpose of credit protection and better management of our rights relating to the individual commercial relationship); 4) commercial information company; 5) consultants; 6) professionals and professional firms (lawyers, chartered accountants); 7) subjects that provide maintenance and/or IT assistance services in relation to our systems and databases and IT services; 8) shippers, carriers and couriers; 9) other suppliers and sub-suppliers (in the case of customer or supplier data), or customers (in the case of supplier or sub-supplier data); 10) other companies, entities and/or natural persons who carry out instrumental, supportive or functional activities for the execution of the contracts or services requested by you and/or for the development of the owner’s activity (for example web marketing companies, advertising); 11) public bodies and/or other subjects to whom the communication is necessary for the fulfillment of legal obligations.
The Data Controller has appointed as external managers all the categories of third party recipients to whom it communicates the Data, except in the case in which they assume the role of independent data controller pursuant to current legislation.
D. Obligatory or optional nature of data communication and consequences of failure to communicate.
For the processing aimed at the purposes referred to in the aforementioned letter B), points from 1 to 3, the communication of data is a necessary requirement for the conclusion of the contract. It is not an obligation of the interested party, but failure to communicate makes it impossible for the Owner to conclude the contract and/or execute it and/or carry out the requests of the interested party; in this case, the consent of the interested party is also not necessary for the processing of the data.
In relation to those purposes under letter B), point 4, your consent is always optional (free and deniable); failure to provide or consent to the processing will prevent us from processing for these purposes, while it will not interfere with our relationships with you and/or your organisation.
E. Transferring data abroad – Google Analytics 4
The site uses Google Analytics “4” (“GA4”), a third-party software (Google Inc. is based in the USA) which, in compliance with the GDPR (EU Privacy Regulation), guarantees advanced protection of personal data.
In the past, the “Universal” (“GA3”) Google Analytics service used by the Data Controller reasoned by Page-TAG, i.e. windows opened by the user. A snippet of Java code was added to each open window and action monitoring began. If a user repeated the same action N times, turned off the screen of his mobile device or accessed the same site with different devices, all these actions were recorded as “new” and connected to his IP address.
The new GA4, structured according to the principle of privacy by design, focuses on the protection of user anonymity by reasoning on user behavior through a machine learning system that aims to have predictive information on user behavior and which somehow fills the data deficit deriving from the possibility for the web user to deactivate cookies (obligation always linked to the GDPR and the recent Guidelines on Cookies of the Guarantor). In this regard, greater value is given to scrolling, downloading, filling in forms and watching videos, which clearly indicate an interest on the part of the surfer.
In GA4 the IPs of EU users are no longer recorded, but are only used in a volatile manner in the first instance to extrapolate other metadata, such as for example the physical place of connection. Once this metadata is obtained, the connection Internet Protocol is completely ignored.
A pseudonymized file on the Google server is used to store a string of code that is randomly associated with a single client that connects to a portal. Thus the navigation data can be associated with a browser instance that cannot be connected directly to the physical user.
Warning: GA4 does not anonymize IPs by default: the anonymization of IP addresses in Google Analytics 4 is in fact not necessary, since IP addresses are not recorded or archived.
However, this “device ID” data, combined with other information that can be activated on the GA4 platform, could theoretically lead to the identification of a “human” profile, with privacy risk. To minimize this potential risk, the Owner has chosen to:
- Use GA4 only in its default anonymous form (see below, point “A”)
- Use the anonymous data collected through GA4 only for aggregate statistical reporting purposes (see below, point “B”).
A. The “Granular Location and Device Data Collection” feature is disabled for any country
In doing so, Google Analytics 4 does not collect the following data:
- Latitude (of the city)
- Longitude (of the city)
- Browser minor version
- Browser user agent string
- Device brand
- Device model
- Device name
- Operating system minor version
- Minor platform version
- Screen resolution
B. “Signals” for personalizing advertising are not activated
Google Signals is the tool that GA4 uses to personalize advertisements (tracking and profiling). Google Signals collect session data of sites and applications that Google associates with those users who have logged in to their Google accounts and have ad personalization. In GA4 the Signals function has not been activated by the Holder.
Should this feature be installed in the future, it will be the Owner’s responsibility to request the prior consent of the interested parties (web users).
C. The duration of data processing is limited
GA4 gives the Holder the possibility to choose between two storage time options: 2 or 14 months. COMPANYNAME chose the first option.
Upon expiry, the aggregated data will no longer be available (the standard reports remain available or, alternatively, the possibility of migrating to BigQuery with free native connection with GA4).
D. EU Server. Limited data transfer to the USA
In addition, all user data belonging to the EU will be stored on servers resident in the EU.
However, the possibility remains that some personal and/or non-personal data may also be sent to Google USA as part of the GA4 service used by the Data Controller in the terms illustrated above.
In exceptional situations, the American public authority, based on the legislation in force in the USA (Article 702 of FISA and Executive Order EO 12333), i.e. for exclusive national security purposes, e.g. anti-terrorism or crime-fighting, may access any personal data as above transferred by the Data Controller to the USA through the GA4 service. The public authority or Google may not give notice to the Data Controller and/or the interested party of this access. However, based on an analysis carried out by the Data Controller, the possibility that in concrete terms there is an effective interest of the aforementioned authorities in accessing the user’s data and further processing appears entirely remote, considering: i) the particular core business of the Data Controller, ii) the limited types of personal data processed by Google through GA4, and iii) the limited categories of interested parties (web users) to whom the data refer.
In any case, the Data Controller enters into standard contractual clauses with Google in compliance with the model approved by the EU Commission (so-called CCS) which provide for a series of measures to protect the rights of data subjects.
The Data Controller also carries out constant monitoring of its suppliers based or with data centers in the USA, verifying that the transfer of data to them is based on adequate legal bases provided for by the GDPR.
Furthermore, starting from the future entry into force of the new US-EU bilateral convention called “Trans Atlantic Data Protection Framework”, the legal basis of the aforementioned transfer of personal data to the USA will consist of the provisions of the same convention, which will introduce new safeguards in favor of the interested parties and will eliminate the potential critical issues related to the possible exceptional access to data by the US public authorities.
F. Data retention period.
As a rule, the Data will be processed for the entire duration of the contractual relationships established with the interested party, and, subsequently, only for the duration necessary for the fulfillment of the legal obligations to which the Data Controller is subject (10 years from the termination and/or regular fulfillment of the contractual relationship with the interested party or the organization to which he belongs).
To the extent that the Data is processed for IT security purposes (e.g. log recordings relating to online transactions or choices made on our website), storage will take place for sufficient time to allow security checks and document the results (usually 1 year from collection). In the event of a dispute with the interested party and/or with third parties, the data will be processed for all the time strictly necessary to exercise the protection of the rights of the Data Controller.
Processing for direct marketing purposes to customers, consisting in sending e-mails or making commercial telephone calls based on telephone numbers available in public lists or registers (unless the interested party is registered in the public Opposition Register), will last until any express opposition by the interested party.
In the case of marketing to potential customers (so-called “leads”), data processing has a duration of 10 years from the date of collection, unless express renewal of consent is necessary.
With regard to the processing of personal data, you can exercise the rights listed below, by contacting our Company at the above email address:
- ask our Company to confirm whether or not personal data concerning him is being processed and, in this case, to obtain access to personal data and the following information:
- the purposes of the processing;
- the categories of personal data in question;
- the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations;
- when possible, the envisaged retention period of personal data or, if this is not possible, the criteria used to determine this period;
- the existence of the interested party’s right to ask our Company for the rectification or cancellation of personal data or the limitation of the processing of personal data concerning him or to oppose their treatment;
- the right to lodge a complaint with a supervisory authority; if the data are not collected from the interested party, all the information available on their origin;
- the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such treatment for the interested party.
- if personal data are transferred to a third country or to an international organization, the interested party has the right to be informed of the existence of adequate guarantees relating to the transfer (NB: as explained in this statement, currently our Company does not transfer the data of the interested party abroad);
- request, and obtain without unjustified delay, the rectification of inaccurate data; taking into account the purposes of the processing, the integration of incomplete personal data, also by providing a supplementary declaration;
- request the deletion of data if
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the interested party revokes the consent on which the treatment is based and there is no other legal basis for the treatment;
- the interested party opposes the treatment, if there is no overriding legitimate reason to proceed with the treatment;
- the personal data have been processed unlawfully;
- personal data must be canceled to fulfill a legal obligation established by the law of the Union or of the Member State to which our Company is subject;
- request the limitation of the treatment that concerns you, when one of the following hypotheses occurs:
- the interested party disputes the accuracy of the personal data; in this case the limitation of the treatment (i.e. the suspension of the same) can take place for the period necessary for our Company to verify the accuracy of such personal data;
- the processing is unlawful (for example because the interested party has not been provided with the prior legal information) and the interested party opposes the cancellation of personal data (i.e. prefers that they be kept by us in our paper and/or computer archives) and instead requests that its use be limited as above;
- although our Company no longer needs it for processing purposes, personal data are necessary for the interested party to ascertain, exercise or defend a right in court;
- obtain from our Company, upon request, the communication of third party recipients to whom the personal data have been transmitted;
- revoke at any time the consent to the treatment where previously communicated for one or more specific purposes of one’s personal data, it being understood that this will not affect the lawfulness of the treatment based on the consent given before the revocation.
- receive in a structured format, commonly used and readable by an automatic device, the personal data concerning the interested party provided by him to our Company and, if technically feasible, to have such data transmitted directly to another Data Controller without impediments on our part, if the following (cumulative) condition occurs:
- the treatment is based on the consent of the interested party for one or more specific purposes, or on a contract of which the interested party is a part and for whose execution the treatment is necessary; and
- the processing is carried out by automated means (software) (overall right to the so-called “portability”).
The exercise of the so-called portability right is without prejudice to the aforementioned right to cancellation;
- not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person in a similar way. As a clarification, we specify that we do not operate any automated processing of the aforementioned type.
- propose a complaint to the competent Supervisory Authority based on the GDPR (Privacy Guarantor) or to the ordinary Court.
H. Data controller
Co-owners of the processing of personal data are Messrs Antonella Celin, Anna Celin, Pinton Luigia Alma, domiciled for this purpose at Villa Canal, Via Piave, 25 – Grumolo delle Abbadesse (PD), firstname.lastname@example.org.
For updates and/or changes to the identification data of external managers and/or for any further information, it is possible to consult the VILLA CANAL website (https://www.villacanal.it) and send any request to the email address email@example.com.