Privacy
Last modified: 01/04/2018
LAWFULNESS FOUNDATIONS OF PROCESSING
The European regulation confirms that every processing must be well-founded on an adequate legal basis. The lawfulness foundations of processing are specified in article 6 of the Regulation and these coincide, broadly, with those currently foreseen by the Code (consent, fulfilment of contractual obligations, vital interests of the person concerned or of a third party, legal obligations to which the owner is subject, public interest or the exercise of public authority, legitimate and prevailing interest of the owner or of a third party to whom the data are communicated).
In particular:
As regards sensitive data (article 9 of the Regulation), consent must be explicit; the same applies to consent to decisions based on automated processing (profiling included, article 22).
Consent need not be "documented in writing", nor is the "written form" required, even if this is the correct way to establish that consent is unequivocal and "explicit" (as regards sensitive data); moreover, the owner (article 7.1) must demonstrate that the person concerned has given consent to a specific processing.
Vital interest of a third party:
You can invoke this legal basis only if every other lawfulness condition has been applied.
Legitimate and prevailing interest of the owner or a third party:
The balancing between the legitimate interest of the owner or a third party and the rights and freedoms of the person concerned is not a task for the authority but for the owner. This is one of the main expressions of the accountability principle introduced by the new data protection package. The legitimate interest of the owner or of a third party has to prevail over the fundamental rights and freedoms of the person concerned in order to constitute a valid lawfulness foundation.
The regulation explicitly clarifies that the legitimate interest of the owner doesn't constitute a suitable legal basis for processing carried out by public authorities in the performance of their respective tasks.
REPORT
Report's subjects:
The report's subjects are exhaustively listed in article 13, paragraph 1, and article 14, paragraph 1, of the regulation, and they are partly wider than those in the privacy code.
For the website www.extraflexmaterassi.it of the company Manifatture dell'Adriatico Srl, located in Nereto (TE) at Via Roma 103, the owner of the processing is DE BERARDINIS DANIELE.
In particular, the owner must always specify what his legitimate interest is, if this constitutes the legal basis of processing, and whether he transfers personal data to third countries and, if so, through which countries. The regulation also foresees other information since this is "necessary to guarantee a correct and transparent treatment": in particular, the owner has to specify the data collection period or the parameter followed to establish that period. If the processing involves automated decision-making processes (profiling included), the report must specify that, and it must also indicate the logic of those decision-making processes and the consequences foreseen for the data subject.
Time of the report:
In the case of personal data which aren't collected directly from the interested person (article 14 of the regulation), the report must be provided within a reasonable term which can't exceed one month from the data collection, or at the time of data communication (to a third party or to the interested person).
The way of the report:
The regulation specifies, in much more detail than the Privacy Code, the characteristics of the report, which must be concise, transparent, intelligible for the data subject and easily accessible; clear and simple language must be used, and the report must be given, in principle, in writing and preferably in electronic form.
The report (regulated by articles 13 and 14 of the regulation) must be given to the data subject before carrying out the data collection. In any case, the owner must specify his identity and that of any representative in the Italian territory, the purpose of the processing, the rights of the data subjects (the right to data portability included), whether a manager of the processing exists and, if so, his identity, and who the recipients of the data are.
RIGHTS OF DATA SUBJECTS
The time limit for the answer to the data subject is, for all the rights (right of access included), one month, extendable up to 3 months in cases of particular complexity; in any case, the owner must give feedback to the data subject within 1 month from the request, even in the case of denial.
The owner, who is the proprietor and legal representative of the company Manifatture dell'Adriatico Srl, must evaluate the complexity of the feedback to be given to the data subject. The feedback must normally be in writing, including through electronic means which facilitate accessibility; it can be given orally only if the data subject himself requires it (article 12, paragraph 1; see also article 15, paragraph 3).
The answer given to the data subject must be intelligible, concise, transparent and easily accessible, and must use clear and simple language.
- Right of access (article 15):
The right of access foresees in any case the right to receive a copy of the personal data in question. Among the information to be provided, the owner mustn't give the way of processing. On the contrary, he must indicate the period for which retention is required and, where that isn't possible, the criterion used to define this period, as well as the guarantees applied in case of transfer of data to third countries.
- Right to erasure (right to be forgotten, article 17):
The so-called right to be forgotten is a stronger form of the right to erasure of personal data. The owners, in fact, must inform other owners (if they have made the personal data of the interested party public, for example by publishing them on a website) about the request for cancellation of personal data, "link, copies or reproduction included" (see also article 17, paragraph 2). The field of application is wider than the one referred to in article 7, subparagraph 3, letter b), of the Code, because the interested party has the right to ask for the cancellation of the data, for example, even after the withdrawal of consent to processing (see also article 17, paragraph 1).
- Right to restriction of processing (article 18):
It concerns a different and wider right than the blocking of processing referred to in article 7, subparagraph 3, letter a), of the Code: in particular, it is exercisable not only in case of violation of the conditions of lawfulness of processing (as an alternative to the cancellation of the data), but also if the interested party asks for the correction of the data (while waiting for the correction by the owner) or objects to their processing under article 21 of the regulation (while waiting for the evaluation by the owner). Every other processing of data, storage excluded, is forbidden unless certain circumstances apply (interested party's consent, establishment of rights in court, protection of the rights of a natural or legal person, relevant public interest).
OWNER, MANAGERS AND THE REPRESENTATIVE OF THE PROCESSING
The regulation regulates the co-ownership of processing (article 26) and requires the owners to define their respective areas of responsibility and tasks, with particular regard to the exercise of the interested parties' rights, who can address any one of the owners working together; it fixes in more detail (than article 29 of the Code) the characteristics of the act by which the owner designates a manager of processing and gives him specific tasks: it must, in fact, be a contract, and it has to regulate the subjects in paragraph 3 of article 28 with the aim of demonstrating that the manager gives "sufficient guarantee", such as, in particular, the nature, duration and purpose of the processing or of the assigned processing, the categories of data processed, the technical and organisational measures which allow compliance with the instructions given by the owner and, in general, with the provisions contained in the regulation.
THE APPROACH BASED ON RISK AND OWNERS AND MANAGERS' MEASURES OF ACCOUNTABILITY
The regulation vigorously emphasises owners' and managers' accountability, that is to say, the adoption of proactive behaviours which demonstrate the adoption of measures which assure the application of the regulation.
Among those activities, several fundamental ones are connected to the second criterion found in the regulation for the management of owners' obligations, that is to say the risk related to the processing. This is the risk of negative impacts on the freedoms and rights of the interested parties. Those impacts must be analysed through an evaluation process (see also articles 35 and 36), taking into account the known and defined risks and the technical and organisational measures that the owner has to adopt to mitigate the risks. On the outcome of this evaluation, the owner will be able to decide independently whether to start the processing (by adopting suitable measures to sufficiently mitigate the risk) or to consult the competent supervisory authority in order to obtain indications about how to handle the residual risk; the authority won't have the task of authorising the processing, but of indicating the additional measures to implement, and it will be able to adopt, where necessary, all the remedial measures pursuant to article 58: from a warning to the owner to the limitation or prohibition of the processing.
Therefore, the intervention of the supervisory authority will be mainly "ex post", that is to say it will follow the determinations taken by the owner; this explains the abolition, from 25 May 2018, of some institutes foreseen by the 1995 directive and by the Italian code, such as the prior notification of processing to the supervisory authority and the so-called prior check (see also article 17 of the Code), which are replaced by the obligation for the owner to keep a processing register and to carry out impact assessments in complete independence. Moreover, the supervisory authorities, and in particular the "European data protection committee", will have a fundamental role in guaranteeing consistency of approach and providing analytical and interpretative aids.
- Security Measures:
Security measures must "ensure a level of security that is appropriate to the risk" of processing (article 32, paragraph 1); in this regard, the list in paragraph 1 of article 32 is open and not exhaustive. Attention is drawn to the possibility of using adherence to specific codes of conduct or to certification schemes in order to certify the adequacy of the security measures.
- Notification of personal data violation:
From 25 May 2018 all owners, not only providers of electronic communication services available to the general public, will be able to notify the supervisory authority of personal data violations, within 72 hours and "without unjustified delay", but only if they believe that the violation entails risks for the rights and freedoms of the interested subjects. Therefore, the notification of the violation to the authority isn't obligatory, being subordinate to the evaluation of the risk for the interested subjects. If the risk is high, the interested subject must be informed of the violation "without unjustified delay"; the exceptions are the circumstances indicated in paragraph 3 of article 34, which coincide only partially with those currently mentioned in article 32-bis of the Code.
- Recommendations
All owners of processing must in any case document the personal data violations suffered, even if these aren't notified to the supervisory authority and aren't communicated to the interested subjects, as well as their circumstances and consequences and the measures taken (see also article 33, paragraph 5); this obligation isn't different from the one currently foreseen by article 32-bis, subparagraph 7, of the Code. Therefore, the owners of processing must adopt the necessary measures to document any potential violation, because they have to provide this documentation, upon request, to the Guarantor in case of investigations.
- Data Protection Officer:
The designation of a "data protection officer" reflects the approach that is characteristic of the regulation (see also article 39), being intended to facilitate the implementation of the regulation by the owner/manager. Among the tasks of a DPO there are "staff training and awareness" and the supervision of the development of the impact assessment according to article 35. Its designation is obligatory in a few cases (see also article 37), and the regulation defines the subjective and objective characteristics of that figure (independence, authority, management skills: see also articles 38 and 39), which the Article 29 Working Party considered it appropriate to clarify through recent guidelines, available also on the Guarantor's website.
- Legal basis for the processing
This website processes users' data on the basis of consent. Visitors, through the use and consultation of this website, expressly approve this privacy policy and give consent to the processing of personal data with regard to the ways and purposes described below. The interested subject has the right to object, in whole or in part, for legitimate reasons, to the processing of his data although they are relevant for the collection, that is to say for commercial communication, for the delivery of advertising material or for direct sale.
- Data collection and purpose
This website, like all websites, uses log files where information is gathered automatically during users' visits. The information gathered may be the following:
- internet protocol address (IP);
- type of browser and the parameters of the device used to log on the website;
- internet service provider's name;
- date and time of visiting;
- web page of the visitor;
- possibly the number of clicks.
This information is processed automatically and gathered in aggregated form in order to verify the correct functioning of the website, and for security reasons. For security reasons (antispam filters, firewall, virus protection) the data collected automatically may also include personal data such as the IP address, which may be used, in accordance with the law in force, in order to block attempts to damage the website. These data are never used for identification or user profiling, but only to protect the website and its users (this information will be processed on the basis of the legitimate interests of the owner).
Whenever the website allows the inclusion of comments, or in case of specific services requested by the user, the website detects and records some identifying data of the user, email address included. These data are considered voluntarily given by the user when he requested the service. By including a comment or other information, the user expressly accepts the privacy policy and, in particular, he agrees that the content included may be freely disseminated to third parties too.
Data received will be used only for the provision of the service requested and only for the time needed to provide the service.
The website's users provide the information knowingly and voluntarily, exempting this website from any responsibility for any possible violation of the laws. The users must verify that they have permission to enter third parties' personal data or content protected by national and international laws.
Data collected by the website during its functioning are used only for the purposes mentioned above and are stored for the time strictly necessary to carry out the activities specified. In any case, data collected by the site will never be given to third parties, for any reason, unless it is for self-defence before the judicial authority or as otherwise required by law.
- Place of processing
Data collected by the website are processed at the seat of the processing owner and at the web hosting datacenter, which is the manager of data processing and processes data on behalf of the owner; it is located in the European Economic Area and acts in accordance with European laws.
- Cookies
As is usual on websites, this site uses cookies too. These are short text files that make it possible to store information on visitors' preferences, to improve website functionality, to simplify web surfing by automating procedures (e.g. login) and to analyse the use of the site.
Session cookies are essential to distinguish among logged-in users and are useful to prevent a requested function from being provided to the wrong user, as well as for security purposes to prevent cyber attacks on the site. Session cookies don't contain personal data and last only for the session in progress, that is until the browser is closed. For those, consent isn't required. Functionality cookies used by the site are strictly necessary for the use of the site; in particular, they are linked to a request for functionality from the user (such as login), for which consent isn't required.
Technical session cookie
The use of session cookies is strictly limited to the transmission of session identifiers (random numbers generated by the server) which are necessary to allow the safe and efficient exploration of the site.
Session cookies, used in this site, avoid the use of other computer techniques which are potentially harmful to the privacy of the user's web surfing, and they don't allow the acquisition of personal data which identify the user. Those cookies are processed by technological means.
Other technical cookies
The website www.extraflexmaterassi.it uses some technical cookies that are inserted to record consent to the use of analytics cookies and profiling ones. The user is free to erase these cookies from his computer.
There are other cookies which are essential for the proper functioning of the website. These cookies provide services requested by users and make it possible to surf the website with its best performance. These cookies cannot be disabled because they are necessary for the proper functioning of the site.
Cookie analytics
This website uses Google Analytics, a web analysis service provided by Google. Google Analytics uses some cookies, which are text files stored on your computer, to allow the website to analyse how users use it. Information generated by cookies regarding your use of the site (your IP included) will be transmitted to and stored on Google servers in the USA. Google (autonomous owner of processing) will use this information in order to examine your use of the website, to compile reports on the activities of the website and to provide other services related to website activity and to the use of cookies. Google can also transfer this information to third parties where this is required by law or where third parties process the information on behalf of Google. Google won't associate your IP address with any other data possessed by Google. You can refuse to use cookies by selecting the appropriate setting on your browser, but this may prevent you from using the functions of this website. This website's cookies are processed by technological means.
This website uses the following types of cookies:
- Technical cookies (Necessary)
- Analytics cookies (Statistics)
- Marketing cookies (Marketing)
CHANGE YOUR CONSENT
You can change your cookie consent or revoke it.
Technical cookies (Necessary)
Technical cookies help make a website usable by enabling basic functions such as page navigation and access to protected areas of the site. The website cannot function properly without these cookies.
Analytics cookies (Statistics)
Analytics cookies help website owners understand how visitors interact with sites by collecting and transmitting information in anonymous form.
This website uses the Google Analytics service of the company Google, Inc. (hereinafter "Google") to generate statistics on the use of the web portal. The place of data processing is in the USA.
Google Analytics uses the user's information in anonymous form (anonymous IP). Even though they are listed in this category, Google Analytics cookies are considered technical cookies owing to the anonymity of users.
To consult the privacy notice of the company Google relating to the Google Analytics service, please access the following link
Marketing cookies (Marketing)
Marketing cookies are used to track visitors across websites. The intent is to display ads that are relevant and engaging for the individual user and therefore of greater value to publishers and third-party advertisers.
This website uses the Youtube service of the company Google, Inc. (hereinafter "Google") to display videos. The place of data processing is in the USA.
To consult the privacy notice of the company Google relating to the Youtube service, please access the following link
This website uses the Google Maps service of the company Google, Inc. (hereinafter "Google") to display interactive maps. The place of data processing is in the USA.
To learn about Google's privacy rules, please access the following link
For further information on Google cookies and related updates, please access the following link
How to disable cookies
The majority of browsers permit users to refuse or accept cookies. The user can manage his preferences about cookies through the functions contained in common browsers, which make it possible to erase/remove cookies (all or some of them) or to change the settings of the browser in order to block the sending of cookies or to limit it to specific websites. Therefore you can deny the use of cookies by following the disabling procedure provided by your browser.
Some practical information on disabling cookies in the main browsers: Microsoft Windows Explorer, Mozilla Firefox, Google Chrome, Apple Safari.
Information which are not contained in this policy
Further information about personal data processing can be requested at any time from the owner of processing using the contact information.
Changes to this privacy policy
The owner of processing reserves the right to make changes to this privacy policy at any time, giving notice to the users on this page. Please consult this page often, taking as reference the last change date indicated below. In case of non-acceptance of the changes to this privacy policy, the user must end the use of this application and can ask the owner of processing to remove his personal data.
Unless otherwise specified.
Information on this privacy policy
The owner of the processing is responsible for this privacy policy.
Minors' privacy
Our website is addressed to a general audience and it doesn't offer services addressed to children. If we find out that a minor gave us personal data without parental or guardian authorization, we'll erase this information immediately.
External links
If some pages of this website or some sections of our applications contain links to other websites, those websites are not bound by this privacy policy. We recommend that you read carefully the privacy policies available on these external websites and examine the procedures they use for the collection, use and disclosure of personal information.
Defence in court
The user's personal data can be used for the owner's defence in court, or in the stages leading to the possible start of proceedings, against abuses by the user in the use of the same or of the connected services.
After a subpoena, a court order or another legal proceeding; in order to establish or exercise the rights granted by law; in order to defend us from a possible legal action against us or for another purpose.
The user declares to be aware that the owner may be asked to reveal data upon request of public authorities.
This privacy policy concerns only this website.