Privacy Policy
Introduction
This Privacy Policy explains who processes the data of the data subject (also called User) and how, what data is concerned, what the User's rights are and how they can be exercised. If the User does not understand the information in this policy, or does not consider it sufficient, they are invited to write to the following address: ecommerce@castellani.eu
Some important notions about personal data
What is meant by personal data? Personal data are all the information that refers to an identifiable natural person. An email address is personal data. The text of a message, if it reveals information related to a person, is personal data. A nickname is personal data, and so is a list of purchases, because it reveals, or could reveal, the tastes of the Customer, etc.
What does processing data mean? The legal definition of processing includes any operation or set of operations concerning the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, disclosure by transmission, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination or otherwise making available, deletion, alignment or combination, restriction, and destruction of data. Therefore, everything that can be done with the user’s data is processing: collecting or reading the data, or merely consulting them, for example, is processing.
Who processes the data
Data controller:
CASTELLANI S.r.l.
Via Galileo Galilei Tr. III, 24
San Zeno Naviglio
25010 Brescia Italy
ecommerce@castellani.eu
For ancillary functions, Castellani may use internal persons authorized to process data (also called Appointed persons) or external parties, mostly acting as Data processors, or as independent controllers or Joint controllers, depending on the case.
To whom the data is communicated (or to whom access is allowed)
The data are communicated to internal subjects of the Controller (employees) who collaborate in the executive and administrative management of the service.
They can be further communicated in compliance with communication obligations in case of request by a public authority (for example, request by the Court, tax assessments, checks on record-keeping, etc…).
Additionally, the data are communicated:
- to the newsletter service provider;
- to the hosting service;
- to third parties managing cookies installed through the site (see the related information);
- to social networks in case of installation of widgets or “like/share etc.” functions included in the website;
- to payment service providers (in this case, the data is not communicated, but the user is conveyed directly to the payment processing platforms, that are third-party services);
- to couriers for the delivery or collection of goods;
- to marketing automation application providers.
It is important to know that Castellani can manage and control only the data stored and processed within its own system: data transferred or communicated to third parties will be independently processed, to the extent and in the manner applicable, by the third parties to whom they are communicated, according to their own privacy policies. In any case, if Castellani ceases the processing of a user’s personal data, it will also notify the parties to whom such data have been communicated, but cannot guarantee that they will cease processing.
Where it processes them
Castellani processes the personal data of Users at its headquarters (central administration) and in the cloud located in the EU zone. Only the newsletter is sent via Mailchimp, based in the USA.
What data is processed
Based on the nature of the data, we can identify:
- Contact data: email and phone number;
- Identifying data: name, surname, date of birth, address, tax code, Identity Document number;
- Content data: the content of the communication sent by the User through the appropriate form;
- Navigation data;
- Purchase and subsequent data;
- Website use data (for marketing automation).
For what purposes they are processed, and indication of the legal basis and duration of conservation
Castellani processes users’ data for the following purposes:
- Response to requests sent by the user (information, exercise of rights, etc.): consists of responding to contacts made by the customer/user (via email or other forms of contact).
Legal basis: execution of the performance requested by the user in the communication (such as the exercise of a right).
Duration: ten years (obligation to keep commercial correspondence).
Data processed: contact, identifying, and other data depending on the content of the request (for example, the information contained in the text of the request may refer to people and, as such, is personal data).
- Connection to the social page: the service hosts functions (widgets, buttons, or similar) that allow the user to connect to Castellani’s social page. It is up to the user to connect to the Page, but mere sharing (or, if the user is subscribed to social networks, mere browsing) involves the transmission of data to the social network, in particular browsing and subscription to Castellani, as well as in some cases the device and the IP address from which the subscription or social sharing is made (for more information on Meta: https://www.facebook.com/help/2207256696182627?ref=off_facebook_activity). Such data are then managed by the social networks according to their own logic and policies.
Data processed: shared event (including browsing), social account, IP address or connection device with which the subscription or social sharing is made.
Legal basis: legitimate interest of the Controller in promoting the social page. The legitimate interest is deemed to prevail over the interests and rights of users for the following reasons:
- The event is shared on social platforms to which the user is already subscribed.
- The user can deny the collection of data both by modifying the social network settings and by denying consent to profiling and analysis cookies.
Duration: instantaneous as far as Castellani is concerned. The duration of the processing carried out by the social network depends on its policies on the processing of personal data.
- Sending newsletters for own or third-party marketing purposes: the user’s email address is used to send periodic emails with operational and promotional content about goods or services provided by Castellani (promotional content about goods or services provided by third parties will be included in emails that primarily contain information related to Castellani: products, events, creative content, other).
Data used: email contact, possibly personal preferences or qualities if emails are intended for a selected audience, name and surname.
Legal basis: given consent during the subscription phase with the insertion of the email in the appropriate form.
Duration: until withdrawal of consent or until cancellation from the newsletter service through the specific function. In the case of soft spam, until opposition and request for cancellation. The data will be stored after such revocation only to demonstrate the withdrawal itself.
Frequency of sending emails: weekly.
Service used for the newsletter: Mailchimp
Please note: consent can always be withdrawn. Withdrawal of consent entails the cessation, from that moment, of the processing of data for the purpose for which consent was given.
- Activation and management of the User’s account.
Legal basis: execution of the request for activation and management of the User’s account (performance of the contract);
Data used: name, surname, address, date of birth.
Duration: until account deletion, except for storage for the time of three months from the account deletion to allow its reactivation without data loss if requested by the user (as well as – in the event of commission of crimes – to allow the exercise of the complaint).
Mandatory: failure to provide the data prevents the activation of the account.
- Distance selling of Products (see Distance Selling Conditions): the website allows the purchase of goods at a distance. The data is processed by Castellani to complete the sale of the Good at a distance (thus processing the request, payment, shipment, and after-sales service);
Legal basis: performance of the contract;
Data used: identifying data (name, surname, date of birth, address), contact data (email and phone), purchase history, complaints. Billing data if an invoice is requested.
Duration: ten years from the conclusion of the purchase (unless the account has a longer duration);
Mandatory provision: failure to provide the data does not allow the purchase of goods;
- Execution of distance selling for non-registered Users (guests): the site also allows the distance selling of Goods to non-registered users. In this case, the data necessary to receive the order, process the payment, ship the Good, and manage the after-sales service will still be processed.
Legal basis: performance of the contract.
Data used: name, surname, address, phone, email.
Duration: ten years from the conclusion of the purchase (unless the account has a longer duration);
Mandatory provision: failure to provide the data does not allow the purchase of goods;
- Aggregate statistics: processing of statistical information based on user categories to optimize the business of the Controller (to evaluate the most interested categories, etc.).
Legal basis: legitimate interest of the Controller in evaluating market sectors of interest, effectiveness of the sales system.
Duration: statistics are performed in real time, but only the aggregated, and therefore anonymized, data is stored.
- Analysis of individual use of the site: Castellani uses programs to monitor the use of the site (navigation, access, purchases, etc.) by the individual user.
Legal basis: legitimate interest of the Seller in optimizing the usability of the site, sales, and personalization of offers.
Data used: identifiers, account, service usage, contact;
Duration: until account deletion.
- Creating a subscriber database: Castellani creates a database of contacts (internal/external) received through the forms on the site. The database is used for the following purposes:
as a backup copy of the addresses from which communications have been received;
Legal basis: legitimate interest of the owner in the preservation of contact data (deemed to prevail over contrary interests as it ensures the availability of the data to Castellani and on the other hand – being data of low danger and significance – does not harm the user);
Duration: until request for deletion (see clause relating to the exercise of rights) by sending an email to ecommerce@castellani.eu;
Data used: email, identifiers, content, account data.
Please note: consent can always be revoked. Withdrawal of consent entails the termination, from that moment, of the processing of data for the purpose for which consent was given.
How data is provided
The data are provided directly by the User by filling in the appropriate forms on the site. In some cases, they are communicated to the Controller (for example, comments).
How the service "will contact" the User
Castellani “will contact” the User in the following ways:
- The User may receive emails, phone calls, messages, or other communications from Castellani: these will be operational communications or in any case in response to the communication sent by the User. These communications are essential for the ordinary management of the relationship with the User.
- Newsletter: frequency: weekly; content: operational, promotional related to products or services of Castellani or third-party companies; service provider: Mailchimp.
What are the rights of users
Users have a series of rights.
Rights to information about:
- Categories of data being processed (see points n. 2 and 5);
- Origin of the data, i.e., knowing where the service has drawn its data from (see point n. 7);
- Purposes of data processing, i.e., for what purposes the data is processed (see point n. 6);
- Details of the controller and any data processors (see point n. 3);
- Subjects to whom the data is communicated (see point n. 3/a);
- Time of conservation and processing of data (see point n. 6);
- Right to lodge a complaint with the Garante della Privacy (Italian supervisory authority) by accessing the following link: http://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-nostri-dati-personali
- Existence or not of profiling process;
- Legal basis of the processing (see point n. 6);
Then there are operational rights, not merely rights to information. They are of various kinds. In summary:
- The data subject has the right to have a copy of the data they have provided. If the data has been processed with automated methods and based on their consent or a contract, the user can request – if technically possible – that the data be transmitted to the same data subject or even to a possible new controller (portability), provided that this operation does not harm the rights (and data) of other people. In this case, they can also request the deletion of the data (unless the law imposes the conservation on the Controller as in the case of commercial communications).
- If the personal data is inaccurate or incomplete, the data subject can request to rectify or complete them, providing the necessary details. If the Controller must verify the accuracy of the data contested by the data subject, the data subject can meanwhile obtain the restriction of the contested data (restriction means that the data is only stored, and no other processing is done except with the specific consent of the data subject or if the data is needed to exercise or defend a right in court).
- If the personal data is no longer necessary for the purposes for which it was collected or otherwise processed the data subject can request its deletion. However, if the data is needed by the data subject to exercise their own right in court, they can request its limitation (i.e., only storage).
- If the processing is unlawful because the data is processed in the absence of consent, legitimate interest of the Controller, contract for the performance of which the processing itself is necessary, legal obligation of processing by the Controller, the data subject can request its deletion or restriction.
How they can exercise them
Procedure for exercising rights: The User’s rights can be exercised by sending an email to ecommerce@castellani.eu
The Controller must respond within thirty days (which can be extended by another two months, but the Controller in this case must give a motivated notice of the delay to the user).
The Controller can refuse, if it has reason, to act on the user’s request (a refusal that must be communicated to the user within a month) only in the case of manifestly unfounded or repetitive requests. It must give a reasoned answer in this case. In any case, the user can lodge a complaint with the “Garante della Privacy” (Italian supervisory authority: see the link below) or with the Judge.
The Controller must respond using the same communication tool (email, phone, etc.) used by the user for the request, unless the user themselves requests a response in a different way. In the case of a request coming from an email address different from the one indicated in the account, the requester must prove to be the data subject.
The Controller, if it has doubts about the identity of the person making the request or exercising one of the rights listed above, can request further information to confirm the identity of the requester.
Requests and responses are free of charge, unless they are repetitive. In that case, the Controller can charge the actual costs it incurs for the response (personnel costs, material costs, etc.).
In any case, the data subject can lodge a complaint to the Garante della Privacy, (the Italian supervisory authority: https://www.garanteprivacy.it/i-miei-diritti) or to the Competent Jurisdictional Authority for the exercise of their rights.
What are the duties and burdens of the User
Users are required to communicate truthful data.
It is the User’s responsibility to communicate to the Controller any changes that have occurred in the personal data previously communicated. It is finally the user’s responsibility, where the functionalities allow it, not to enter excessive data. For example, if the form requires entering non-mandatory data (usually marked with an asterisk), it is recommended to enter them only if deemed necessary. Similarly, if you write a message through the service, it is recommended to avoid explicit references to identifiable people, if not necessary.
Hypothesis of a data breach
In case one or more of the following events should occur concerning the Users’ data: unauthorized access, theft, loss, destruction, disclosure, modification (so-called Data breach), Castellani, in addition to the urgent technical measures to be put in place to block (as far as possible) the event and to reduce its harmful effects, commits to:
- restore the service as quickly and effectively as possible, recovering the available data from the last useful backup made;
- inform Users, directly if circumstances allow or generically (through a notice on the home page of the website or through a communication sent to all users, including those whose data was not affected), of the type of event, the time at which it occurred, the measures taken (without going into detail, so as not to facilitate possible new attacks) to reduce the damage and to avoid similar events, as well as the measures and precautions that the user should, on their part, put in place to reduce the likelihood of new events and limit the consequences of those that have already occurred.