INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 GDPR

This information notice is provided pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data (the “General Data Protection Regulation” or “GDPR”) and Legislative Decree No. 196/2003, as amended and supplemented by Legislative Decree No. 101/2018 (“Personal Data Protection Code” or “Privacy Code”) by:

DATA CONTROLLER

► LegaLigure delle cooperative e mutue, headquartered in 16121 – Genoa, via Brigate Liguria, 105r, C.F./P.I. 80039110103, represented by Mattia Rossi in the capacity of Data Controller (hereinafter “Data Controller”).

The Data Controller, aware of the importance of ensuring the security of private information, in compliance with the applicable European and Italian legislation, and in accordance with the transparency principle set forth in Article 12 of the GDPR, provides the following information to inform the user of the characteristics and methods of personal data processing.

DATA PROTECTION OFFICER (DPO)

► Due to the processing activities carried out, the Data Controller has deemed it necessary to appoint a Data Protection Officer (DPO), as per Article 37 of the GDPR, who can be contacted for any information and/or request by writing to: marco.fossi.dpo@gmail.com.

Purpose of Processing

The Data Controller processes personal data of the user that is provided during the use of the website and/or after registration on the website. Specifically, the Data Controller processes: i. personal identifying data (e.g., name, surname, tax code, VAT number, email, phone number – hereinafter “personal data” or “data”) directly provided by the user during website registration; ii. data not directly provided by the user – and in any case collected within the limits set by Article 14, paragraph 5, GDPR – whose transmission is connected to the use of Internet communication protocols (e.g., page access, amount of data transferred, status messages upon access, session ID numbers, IP addresses, URL addresses, etc.).

Legal Basis and Purpose of Processing

Your personal data are processed:

• Without your explicit consent (cf. Article 6, letter b, GDPR), for the following purposes:
  • Enable the use of website features upon user access;
  • Carry out customer relationship activities based on pre-contractual and/or contractual agreements.

In these cases, the execution of a service contract to which the user is a party, or the performance of pre-contractual activities at the user’s request, forms the legal basis for processing.

Additionally, we inform you that your personal data may be processed without your explicit consent (cf. Article 6, letters b, c, d, e, f), for the purpose of:

• Complying with administrative, accounting, and tax obligations arising from the contractual relationship;
• Complying with legal, regulatory, EU, or Authority requirements;
• Safeguarding vital interests of the data subject or another natural person;
• Performing tasks of public interest or related to the exercise of public powers vested in the Data Controller;
• Pursuing a legitimate interest of the Data Controller or third parties, within the limits and conditions of Article 6, letter f), GDPR;
• Exercising the rights of the Data Controller (e.g., the right of defense in court).
• Only with your explicit and unambiguous consent (cf. Articles 6, letter a, 7, GDPR), for the following purposes:
  • Sending newsletters, commercial communications, and/or advertising material regarding products and/or services offered by the Data Controller via email.

In this case, consent constitutes the legal basis for processing.

Nature of Providing Personal Data

The provision of data for the purposes outlined in Article 2, letter a), is necessary, as refusal to provide the requested personal data could prevent the Data Controller from fulfilling legal obligations and/or obligations arising from the management of the contractual relationship, thus preventing its formalization and/or execution, as well as compromising the usability and functionality of the website. The provision of data for the purposes in Article 2, letter b), is optional, and failure to provide data may prevent you from receiving email newsletters, commercial communications, and/or advertising material regarding products and/or services offered by the Data Controller.

Processing Methods

Your personal data are processed through operations indicated in Article 4, paragraph 1, n. 2), GDPR, including any operation or set of operations performed with or without the aid of automated processes, applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication via transmission, dissemination, or any other form of making available, comparison, or interconnection, restriction, deletion, or destruction. Processing will be conducted in accordance with the principles of fairness, lawfulness, and transparency, and may also be performed through automated means suitable for storing, managing, and transmitting the data, with adequate security and confidentiality measures to prevent loss, unauthorized access, unlawful use, and dissemination. Personal data may be stored on both electronic and paper media, or any other type of support deemed most suitable for processing.

Data Retention Period

The Data Controller will process personal data for the time strictly necessary to fulfill the purposes above, in compliance with the principles of data minimization and retention limitation set out in Article 5, paragraph 1, letters c) and e), GDPR.

Access to Data

The personal data processed by the Data Controller will not be disseminated or made accessible to indefinite subjects in any possible form, including making them available or simply consulting them. However, they may be made accessible to employees and/or collaborators working under the Data Controller, and/or to some external parties who provide sufficient guarantees of having adopted appropriate legal, organizational, and technical measures to ensure that the processing meets GDPR requirements and safeguards the data subject’s rights. In particular, your data may be made accessible to: i. employees and collaborators of the Data Controller, in their capacity as internal managers, delegates, or authorized persons for personal data processing and/or system administrators; ii. third-party companies or other subjects (e.g., credit institutions, professional firms, consultants, insurance companies, etc.) performing outsourcing activities on behalf of the Data Controller, as external data processors.

Data Communication

Your data may also be communicated, as strictly necessary, to subjects who, for the purposes of fulfilling orders or addressing other requests related to the contractual relationship with the Data Controller, must provide goods and/or perform services. The Data Controller may also communicate your data to subjects legally entitled to access them under legal provisions, regulations, EU legislation, judicial authorities, and other subjects to whom communication is mandatory by law.

Data Transfer

The management and storage of personal data will occur on servers of the Data Controller and/or third-party companies appointed as data processors, located within the European Union, in accordance with Articles 45 et seq. of the GDPR. Currently, the servers are located in Italy. Data will not be transferred outside the European Union. However, if necessary, the transfer of servers outside Italy, the European Union, and/or non-EU countries will be carried out in compliance with the provisions of Articles 45 et seq. of the GDPR. In this case, the Data Controllers ensure that any data transfer outside the EU will be done in compliance with applicable legal provisions, including the adoption of standard contractual clauses required by the European Commission.

Navigation Data

The IT systems and software procedures used for the functioning of the site may acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. These data include IP addresses or domain names of computers and terminals used by users, URI/URL addresses of requested resources, request times, methods used to submit requests to the server, file sizes returned, response status codes from the server, and other parameters related to the operating system and user’s IT environment. These data, necessary for providing web services, are also processed for the purpose of: i. obtaining statistical information about the use of services (e.g., most visited pages, visitor numbers by time or day, geographical areas of origin, etc.); ii. ensuring proper functioning of services offered. These data are deleted immediately after processing (except in case of judicial investigations by authorities).

Cookies

The site uses only technical cookies. When you use the Data Controller’s website, cookies are stored on your computer. Cookies are small text files saved on your computer to provide certain information. They are widely used to make websites work, or to work more efficiently, to improve the user experience, and to provide certain information to website owners. The website uses cookies that remain on your computer for varying periods. Some expire at the end of each session, while others remain longer, so that when you return to the website, you can benefit from a better user experience. Browsers allow you to control cookies through browser settings. Most browsers allow you to block cookies or block cookies from specific sites. Browsers can also help you delete cookies when you close the browser. However, it’s important to keep in mind that this might mean that any opt-out or preferences you set on a site may be lost. Please consult the technical information related to your browser for instructions. If you choose to disable cookie settings or refuse to accept a cookie, some parts of the service may not work properly or may be significantly slower.

Data Subject Rights

Under Articles 15-21 of the GDPR, you have the right to: i. obtain confirmation of whether personal data related to you exists, even if not yet registered, and to receive such data in an intelligible form; ii. obtain information on: a) the origin of personal data; b) the purposes and methods of processing; c) the logic applied in case of processing with the aid of electronic tools; d) the identification details of the Data Controller and processors; e) the subjects or categories of subjects to whom personal data may be communicated or who may come to know it as designated representatives in the State, delegated, or authorized persons for data processing; iii. obtain: a) updating, rectification, or, when relevant, completion of data; b) deletion, transformation into anonymous form, or blocking of data processed unlawfully, including data not necessary for the purposes for which they were collected or subsequently processed; c) notification that the operations mentioned in letters a) and b) have been brought to the attention, even regarding their content, of those to whom the data has been communicated or disclosed, except when this proves impossible or involves a disproportionate effort in relation to the protected right. You can also exercise the following specific rights: i. right of access; ii. right of rectification; iii. right to erasure (right to be forgotten), except when processing is necessary for the Data Controller for the exercise of freedom of expression and information rights, compliance with a legal obligation, or the performance of a task carried out in the public interest, statistical or historical research, or for legal claims; iv. right to restriction of processing; v. right to object; vi. right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before the withdrawal; vii. right to lodge a complaint with the Data Protection Authority.

Minors

Pursuant to Article 8 of the GDPR and Article 2 quinquies of the Privacy Code, where consent is required and the person granting consent is under 14 (fourteen) years of age, processing is only lawful if and to the extent that consent is granted or authorized by the holder of parental responsibility.

Exercise of Rights

You have the right to request the Data Controller: i. access to data concerning you, rectification or deletion; ii. integration of incomplete data; iii. restriction of processing; iv. to receive the data in a structured, commonly used, and machine-readable format; v. to revoke any consent given regarding the processing of your personal data at any time and to object, in whole or in part, to the use of data. You can exercise your rights at any time by contacting the Data Controller:

► by registered mail: LegaLigure delle cooperative e mutue, 16121 – Genoa, via Brigate Liguria, 105r;

► by email: legacoop.privacy@legaliguria.coop

► by email to the DPO Marco Fossi: marco.fossi.dpo@gmail.com

Right to Lodge a Complaint

If interested parties believe that the processing of their personal data through this website violates the provisions of the Regulation, they have the right to lodge a complaint with the Data Protection Authority, as provided by Article 77 of the Regulation, or to seek appropriate judicial remedies (Article 79 of the Regulation).

This Information Notice was last updated on 25/02/2022.