Declaration of authorisation of processing of personal, identifying, sensitive and legal data pursuant to Italian legislative decree 196/2003 and Regulation (EU) 2016/679

1. Definitions
2. Identifying the data controller and contact of the processor
3. Type of data. Processing methods
4. Log Data and Analytics
5. Cookies
6. Social Plug-ins
7. Rights of data subject
8. Risk analysis and methods for protecting processed data

1. Definitions
1.1 The User/Data subject is the subject who accesses the website www.cbomnia.it (known hereinafter for the sake of brevity also only as WEBSITE) by entering his or her own personal data for use for the purposes permitted by the website, in the meaning specified under letter “i” of article 4 of Italian legislative decree 196/03, i.e. “natural person, legal person, body or association to which the personal data refer”. In accordance with Regulation (EU) 2016/679, the term “data subject” refers to any identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2 Pursuant to article 23 (“Consent”) of Italian legislative decree 196/03, the processing of personal data by private bodies is permitted only with the freely given express consent of the data subject that refers specifically to the defined processing and is documented in writing and preceded by the notice specified in article 13 of Italian legislative decree 196/03; similarly, Regulation (EU) 2016/679 states that “Consent” should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.
1.3 Pursuant to Regulation (EU) 2016/679, Personal Data are any type of information relating to the data subject; Genetic Data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample; Biometric Data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; Data concerning Health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
1.4 Pursuant to Regulation (EU) 2016/679, Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; Cross-border Processing means either processing of personal data which takes place in the context of the activities of establishments (understood to be the chosen registered office of the controller and the place of actual performance of the main processing activities by the processor) in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
1.5 Pursuant to Regulation (EU) 2016/679, Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
1.6 Pursuant to Regulation (EU) 2016/679, Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
1.7 Pursuant to Regulation (EU) 2016/679, Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not; Third party means a subject other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
1.8 Pursuant to Regulation (EU) 2016/679, “Supervisory Authority” means any authority responsible for monitoring the application of Regulation (EU) 2016/679 in the Italian Republic; in Italy, the supervisory authority is the Authority for the Protection of Personal Data located in Rome at Piazza di Monte Citorio 121 – PEC: protocollo@pec.gpdp.it.

2. Identifying the data controller
The following data identify the controller:
Carlo Bianchi S.r.l. - email: info@carlobianchi.com.
The processor can be contacted at the following e-mail address: info@carlobianchi.com.
Any change to the name of the processor will be communicated at the same time as the renewal of this consent, by amending the name of the processor referred to herein.
The controller and owner of the WEBSITE could be involved in mergers, takeovers, acquisitions, and demergers and in this case could transfer company assets, including the personal data of the data subject, who acknowledges and accepts this; in this case, the data subject will be informed before his or her personal data are transferred or are subject to different personal data processing policy and/or authorisation procedures.

3. Type of data. Processing methods
The personal data are processed legally, fairly and transparently for the sole purpose of running the functions permitted by the WEBSITE.
The personal data will be gathered exclusively for commercial purposes in conformity to the purpose for which the user/data subject is registered with the WEBSITE and for aims connected to and/or instrumental to the WEBSITE management activities, thus excluding any other use and/or use conflicting with the interests of the user/data subject, but without prejudice to the legal requirements by which the controller or processor must abide.
The personal data processed will be limited exclusively and be relevant to the operation of the functions of the WEBSITE with which the user/data subject has registered.
The personal data will be correct and if necessary updated according to the instructions of the user/data subject during registration.
The personal data will be kept for the period necessary for the activities that are the object of the permitted processing and for a maximum further period of 2 (two) months from the end of the permitted processing. In all cases, the processing can never exceed ten years, without express renewal of the consent thereto given by the data subject.
Personal data will be processed using suitable methods to ensure their security and prevent their loss or destruction (even partial).
The personal data will be acquired and processed also for the purposes prescribed by anti-money laundering legislation as introduced by Council Directive 2001/97/EC on prevention of the use of the financial system for the purpose of money laundering by Italian Legislative Decree 56/2004 and subsequent amendments and transposing additions and by implementing Italian ministerial decrees, and it is known that such data may be divulged to the UIC (Italian Foreign Exchange Office) to ascertain correct compliance with the aforesaid obligations.
Providing the personal data is merely optional and not an obligation, unless required by law, but is necessary for registering with the WEBSITE and the corresponding consent to processing is a condition for registration. The personal data are provided whenever the data subject accesses the WEBSITE for registration and accesses it to manage/use the services offered by it and connects his or her account to a site of third parties on his or her account of the WEBSITE, where permitted by the latter.
If the data are not provided that are necessary for registration and browsing, the membership of the WEBSITE cannot be accepted and/or continued and the account cannot be enabled or will be erased if authorisation to renew personal data processing is denied.
If the data subject is authorised to use mobile applications connected to the WEBSITE, also the data relating to the position of the data subject are provided, stored and processed, including general information (e.g. IP address, post code), and more specific information (e.g. functions based on GPS found in mobile devices that are used to access the platform or specific functions of the platform). If the data subject accesses the WEBSITE from a mobile device and does not want the device to provide information on his or her position, he or she can disable the GPS or the other tracking functions of the position in the device provided that this is permitted by the device.
The WEBSITE could enable third parties previously authorised by the user/data subject to gather information on the online activities of the users, also for profiling purchases made by the user and for commercial purposes.
The data subject allows personal data to be transmitted to third parties (e.g. website suppliers for managing and maintaining the website and the management programmes used in the controller’s organisation).
The data subject undertakes to keep the personal data up to date and for this purpose will inform the controller of any need for modifications or updating.

4. Log Data and Analytics
The user/data subject is aware of the processing of the log data, which are automatically recorded by our servers or server spaces, which are also located with third parties, each time that the user/data subject accesses the WEBSITE or uses it, whether he or she is a registered user or not or has accessed his or her account; such data are, for example, IP address, date and time of access, the hardware and software used for access, the websites and URLs which he or she comes from and moves to after ours, number of clicks, pages viewed and the order of such pages, as well as the amount of time spent on specific pages. Such data also require separate consent that the data subject already gives to the controller, who performs search engine tasks on the website, browsers (e.g. Google) and can be used for analytics services (e.g. Google Analytics – anonymised by the IP’s anonymisation function) and to track the activities of the user/data subject following the interaction with the WEBSITE.

5. Cookies
No personal data of the users are acquired by the WEBSITE via so-called cookies. Cookies are not used to transmit information of a personal nature and no persistent cookies of any type are used, i.e. systems for tracking users. The use of session cookies (which are not stored persistently in the user’s computer and disappear when the browser is shut down) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) that are necessary for enabling the website to be explored securely and efficiently. The session cookies used in this website make it unnecessary to resort to other IT techniques that are potential threats to the confidentiality of the users’ browsing and do not allow personal data identifying the user to be acquired. The cookies for integrating software products and functions of third parties (Google Maps, YouTube videos, social network integrations, online payments, etc.) supplement functions developed by third parties within the pages of the website in order to share website content or for using the software services of third parties (such as the software for generating the maps and further software that provides additional services). These cookies are sent from third-party domains and from partner websites that offer their functions on the pages of the website. You can view the management of the cookies of your browser on the website of the relative producer (e.g.: Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera, etc).
The data subject can disable cookies through the settings of his or her browser, but the methods and processing of the data will change following a "Do Not Track" signal in the HTTP header from his or her browser or mobile application. The activities of the data subject are tracked if he or she clicks on an advertisement for WEBSITE services on websites or platforms of third parties such as search engines and social networks.

6. Social Plug-ins
The WEBSITE may use social plug-ins supplied and managed by third parties, such as for example Facebook’s Like button; by using similar plug-ins, the data subject could send third parties information that the data subject is viewing a given part of the WEBSITE. If the data subject has not logged into his or her account with third parties, the third party should not be aware of the data subject’s identity without consent to processing of personal data being given by the data subject directly to the third party. If the data subject has logged into his or her account with the third party, the third party could be able to link information on the data subject’s visit to the WEBSITE to the data subject’s account with the third party. Similarly, the data subject’s interactions with the social plug-in could be recorded by the third party. These methods of access to the data of the data subject by the third party are unrelated to the functions of the WEBSITE and the data are not processed by the controller or the processor of the WEBSITE, but by the third party whom the data subject should have authorised to process the data. The data subject declares that he or she is familiar with the privacy policy of such third parties and their methods of processing personal data and declares that he or she has validly authorised such data processing, exonerating the WEBSITE controller and processor from liability.

7. Rights of data subject
The data subject will be guaranteed all the rights as specified in article 7 of Italian legislative decree 196/03.
The user/data subject is guaranteed all the rights specified by Regulation (EU) 2016/679 and which are exercised upon request to the processor:
  • right of access (article 15 of Regulation (EU) 2016/679) to the data to check whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, recipients of disclosures of the processed data, the envisaged period for which the personal data will be stored, the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of Regulation (EU) 2016/679;
  • the right to rectification, including the right to have incomplete personal data completed (article 16 of Regulation (EU) 2016/679);
  • the right to erasure (article 17 of Regulation (EU) 2016/679) of personal data without undue delay at the request of the data subject and obligatorily where one of the following grounds applies:
    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on which the processing is based;
    • the data subject objects to the processing pursuant to Article 21(1) of Regulation (EU) 2016/679;
    • the personal data have been unlawfully processed;
    • the obligation to erase is imposed by Italian and EU regulations. The obligation to erase shall not apply to the extent that processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing; for reasons of public interest or public order which requires processing; for reasons of justice that justify the processing.
  • right to restriction of processing (article 18 of Regulation (EU) 2016/679) when the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
  • controller’s notification obligation (article 19 of Regulation (EU) 2016/679) to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom personal data have been disclosed.
  • right to data portability (article 20 of Regulation (EU) 2016/679), meaning the data subject’s right to receive the personal data concerning him or her in a structured, durable, commonly used and machine-readable format, also provided in multiple examples, by e-mail at the address specifically indicated by the user/data subject, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if the processing is carried out by automated means;
  • right to object to processing of personal data concerning him or her (article 21 of Regulation (EU) 2016/679), unless the controller demonstrates compelling legitimate grounds for the processing;
  • right not to be subject to a decision based solely on automated processing, including profiling, unless such automated decision-making is necessary for entering into or performance of a contract between the data subject and a data controller, is authorised by Union or Member State law, or is based on the data subject's explicit consent (article 22 of Regulation (EU) 2016/679).

8. Risk analysis and methods for protecting processed data
The controller declares that there are no specific risks connected with the processing of the data subject’s personal data, that he has assessed all storage and processing charges and risks and has carefully selected the best types of precaution to ensure the confidentiality and inviolability of the personal data of the data subject.
The controller reserves the right to use the best methods to ensure the security of the data, including the pseudonymisation and encryption of the personal data processed.
The controller also declares that he uses suitable anti-intrusion and anti-violation systems also with the servers or server spaces, available to him or used by him with third parties.
Personal data will be processed using suitable methods to ensure their security and prevent their loss or destruction (even partial) (e.g. system backups, antivirus systems, changing passwords to access data for persons authorised by the controller at appropriate intervals, uninterruptible power supply).

The User/data subject spontaneously declares that he or she authorises, in conformity to what has been indicated above and more in general to what has been specified by Italian legislative decree 196/03 and by Regulation (EU) 2016/679, the processing of his or her personal data.
The User/data subject spontaneously declares that he or she authorises, in conformity to what has been indicated above and more in general to what has been specified by Italian legislative decree 196/03 and by Regulation (EU) 2016/679, the processing of his or her personal data for commercial purposes, including profiling, marketing and the sending of commercial and promotional messages.