(version no.  of 14 January 2022)
The Data Controller wishes to inform herewith all data subjects about the processing of their personal data carried out through the Website and the Cookies used by the Website, underlining the maximum efforts and commitment by the Data Controller to protecting the data subjects’ rights.
Further and more accurate details on the purposes of the processing as well as other useful information are available in the specific privacy policies of the various services.
In any case, the Data Controller guarantees that personal data shall be processed according to the principles of lawfulness, fairness, transparency and protection of the data subject’s privacy and rights.
Data Controller and contact details
Name: Onit S.p.A.
Tax code: 04057301006
Number of registration in the Companies’ Register of Forlì: 292006
Registered office: Via Dell’Arrigoni 308, Cesena, Italy
Certified email: firstname.lastname@example.org
Tel.: +39 0547 313110
Fax: +39 0547 318021
For any requests about the processing of personal data and the exercise of the data subject’s rights, please use the contact details below
Certified email: email@example.com
Tel.: +39 0547 313110
Fax: +39 0547 318021
Data Protection Officer (DPO) and contact details
The Data Controller has appointed a Data Protection Officer (DPO) that may be contacted for any matter concerning the protection of personal data by using the following contact details: Email: firstname.lastname@example.org; Certified email: email@example.com
Types of data being processed, methods and purposes of processing, storage period and/or criteria for determining storage periods, and legal bases
The following categories of personal data shall be processed: (i) navigation data; (ii) data provided by the data subject; (iii) data obtained through the cookies.
Data shall be processed automatically by the computer systems owned by and/or available to the Data Controller.
(i) Navigation data
The computer systems, the applications and the software procedures used to operate the Website collect, in the course of their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
Such personal data include: (a) IP address or domain name of the PC and terminal used by the data subject; (b) URI/URL addresses of the requested resources; (c) the time of the request; (d) the method used to submit the request to the server; (e) the size of the file obtained in reply; (f) the numerical code indicating the status of the reply given by the server; (g) the search engine, if any, used to find the link to the Website and then access the Website; (h) other parameters concerning the operating system and computer environment used by the data subject to access and navigate the Website.
(i).1. Purposes of processing
Navigation data under point (i) shall be processed for the following purposes:
(a) allowing users to use the Website;
(b) checking the correct operation of the Website and carrying out the technological maintenance of the Website;
(c) establishing responsibility for any offences committed against the Data Controller through the Website or against the Website itself;
(d) obtaining anonymous aggregate statistical information about the use of the Website.
(i).2. Storage period
Navigation data under point (i) shall be stored for no longer than seven days and shall be cancelled immediately after having been aggregated and anonymised, unless otherwise required by a judicial authority for the detection of any offences.
(i).3. Legal basis
The legal basis for processing the navigation data under point (i) shall consist of the following concurrent and/or alternative criteria: (1) the legitimate interest of the Data Controller, pursuant to as well as within the limits of art. 6, par. 1, point f) of the Regulation, in order to ensure the correct use of the Website and prevent any possible cyber crimes; (2) the consent of the data subject pursuant to art. 6, par. 1, point a) and, if applicable, art. 9, par. 2, point a) of the Regulation; (3) the implementation of pre-contractual measures taken at the data subject’s request or the performance of a contract to which the data subject is party, which functionally require the processing of such data [art. 6, par. 2, point b), of the Regulation] in order to allow users to navigate the Website and access its contents free of charge, unless otherwise specified.
(ii) Data provided by the data subject
The voluntary sending of messages by the data subject to the Data Controller’s contact addresses, also by sending any emails or filling in and submitting any forms to the Data Controller, implies the collection by the Data Controller of the data subject’s contact details as well as other data, if any, provided by the data subject upon sending of the message (e.g. any data provided in the message content). The data subject shall be expressly forbidden to provide through any forms any personal data of a special nature and/or any personal data of third parties.
Pursuant to art. 13 and 14 of the Regulation, it is understood that, if the Data Controller intends to collect personal data for other specific purposes, the Data Controller shall provide the data subject with information on such additional purposes.
(ii).1. Purposes of processing
The processing of the data provided by the data subject (1) is aimed at allowing communication between the data subject and the Data Controller according to the data subject’s needs, including (2) the submission of any requests for additional information with respect to the information available on the Website or (3) the start of negotiations in order to enter into contracts for the supply of the services offered by the Data Controller. Obviously, should the Data Controller carry out any additional and more specific processing through the Website, the Data Controller shall each time provide the data subject with the relevant additional and more specific information on the protection of personal data (e.g. in relation to any requested services or if the Website includes specific processing such as the subscription to a newsletter or the request to send a CV for specific job roles). Should there be a material and actual risk of a dispute or of any offences committed through the above-mentioned means of communication, the data might be processed (4) to defend or to establish a right in court or (5) to allow any necessary investigations to be carried out, including by any competent public authorities.
(ii).2. Storage period
The data provided by the data subject under point (ii) shall be stored for the time strictly necessary to satisfy any communication needs as well as any data subject’s requests, except in the event of any requirements relating to the establishment or defence of legal claims or any dispute (in these cases the storage period shall be the one required for the above defence, taking also into account, if necessary, any evidence requirements, any terms of lapse and statutory limitation, which may also provide for a ten-year period, as well as any necessary investigations to be carried out about any offences, including by any competent authorities). It is also understood that the Data Controller may establish different storage periods within the specific privacy policies provided in relation to any additional specific services provided through the Website or any other purposes, for which the Data Controller shall provide specific and separate information on the protection of personal data, including information on storage periods.
(ii).3. Legal basis
(iii) Data obtained through the Cookies, methods and purposes of processing, storage period, and legal bases
Cookies may be defined (see Cookie Regulation) as «small strings of text which the websites visited by the user send to the user’s terminal (usually to the browser), where they are stored to be retransmitted to the same websites at the next user’s visit. While navigating a website, the user may also receive on his/her terminal cookies sent by other websites or web servers (so-called “third-party cookies”), which may contain some elements (such as images, maps, sounds, specific links to pages of other domains) available on the website that the user is visiting. The user’s browsers usually contain a great quantity of cookies, which sometimes are also very persistent. Cookies are used for several purposes: computer authentication, session monitoring, storage of information on specific settings about the users accessing the server, etc.».
There are different categories of Cookies according to objective (non-persistent technical session or navigation cookies; persistent technical cookies or functional cookies; analytical cookies with or without anonymised IP address; profiling cookies) or subjective classifications (cookies attributable to the website owner or manager, the so-called “editor” or “first-party” cookies; cookies attributable to other subjects, the so-called “third-party” cookies).
In particular, the Website uses the following Cookies for the specified purposes and storage period.
The Website does not use any Cookies that have not been expressly specified in the above list.
(iii).1. How to disable and/or not accept cookies
Generally, the data subject may at any time set his/her browser in such a way to accept all Cookies or only some of them or to reject cookies, disabling their use by the Website.
Moreover, the data subject may usually set the preferences of his/her browser in order to be notified every time a Cookie is stored in the memory of his/her device.
Finally, at the end of each navigation session, the data subject may in any case cancel from his/her hardware both the browsing cache-memory and the collected Cookies. If the data subject disables the Cookies on his/her device, this shall not affect or prejudice in any way the interaction with the Website.
Below are the links to the instructions on how to disable Cookies on the most common browsers (for other browsers, search this option in the Help guide of the relevant software).
– Internet Explorer: https://windows.microsoft.com/it-IT/internet-explorer/delete-manage-cookies#ie=ie-10
– Google Chrome: https://support.google.com/chrome/answer/95647?hl=it
– Apple Safari: https://www.apple.com/it/privacy/use-of-cookies/
The functions of the single Cookies may also be disabled through the relevant page provided by EDAA (European Interactive Digital Advertising Alliance) and available at the URL address https://www.youronlinechoices.com/it/le-tue-scelte
Even if the authorization to the use of third-party Cookies is revoked, Cookies may still have been stored on the data subject’s device before that. For technical reasons such Cookies cannot be cancelled, but they can be deleted through the privacy settings of the data subject’s browser by selecting the browser option “Clear browsing data”, which enables to delete Cookies, website data and plugins.
(iii).2. Additional information on third-party Cookies
For information on third-party cookies, see the above table.
(iii).3. Purposes of processing (summary of the data in the above table)
For the purposes and/or aim of each type of cookies, see the above table.
(iii).4. Storage period (see the above table)
For the storage period of each type of cookies, see the above table.
(iv).5. Legal basis
For technical cookies the legal basis for data processing is the legitimate interest of the Data Controller, while for the other types of cookies it is the user’s express consent.
Voluntary nature of the provision of personal data
Unless otherwise specified, the provision of personal data by the data subject is optional. However, the failure to provide such data may make it impossible or difficult: as to the data under point (i) and (iii), to benefit from the full and correct browsing of the Website or from better interaction with the Website; as to the data under point (ii), to ensure correct communication between the data subject and the Data Controller and thus to satisfy the requests freely submitted by the data subject through the communication channels available on the Website.
It is to note that disabling (or inhibiting the operation of) third-party Cookies does not prejudice the use of the Website by the data subject, but, as specified above, it may limit the overall performance of the Website or make browsing less effective.
Recipients and categories of recipients of personal data and extent of data being disclosed to them
In order to achieve the purposes described above, the data subject’s personal data shall be disclosed to the Data Controller’s collaborators, employees and similar personnel, who shall act as subjects authorised to process data and/or as data processors.
The collected data shall be also disclosed to the following subjects appointed by the Data Controller as data processors pursuant to art. 28 of the Regulation:
Linxs S.r.l. as provider responsible for the development, operation, management and maintenance of the Website’s technological platforms.
In view of his role and for the execution of his tasks, the data subject’s personal data may be disclosed to the Data Protection Officer (DPO) appointed by the Data Controller. Finally, it is to note that the User’s personal data may be disclosed to competent authorities if required by law, especially in case of any offences committed by users of which the Data Controller becomes aware, but without any general monitoring obligation by the Data Controller in relation thereto.
Rights of the data subject
According to the conditions set forth therein, the data subject shall be entitled to exercise the rights under art. 15-21 of the Regulation, and in particular:
– the right of access, pursuant to art. 15 of the Regulation, according to which the data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, to obtain access to such personal data, obtain a copy thereof and be provided, without limitation, with the following information: a) purposes of the processing; b) categories of personal data being processed; c) recipients to whom the personal data have been or will be disclosed; d) data storage period or criteria used to determine such period; e) data subject’s rights (right to rectification, erasure of personal data, restriction of processing and right to object to processing); f) right to lodge a complaint; g) right to receive information as to the source of personal data, if they are not collected from the data subject; h) the existence of automated decision-making, including profiling, if any is carried out;
– the right to rectification, pursuant to art. 16 of the Regulation, according to which the data subject shall have the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her and/or to have incomplete personal data completed;
– the right to erasure (the so-called “right to be forgotten”), pursuant to art. 17 of the Regulation, according to which the data subject shall have the right to obtain the erasure of personal data concerning him or her without undue delay, when: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject has withdrawn consent and there is no other legal ground for the processing; c) the data subject has successfully objected to the processing of personal data; d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation; f) the personal data have been collected in relation to the offer of information society services referred to in art. 8, par. 1, of the Regulation. The right to erasure shall not apply to the extent that processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims;
– the right to restriction of processing, pursuant to art. 18 of the Regulation, according to which the data subject shall have the right to obtain restriction of processing when: a) the accuracy of the personal data is contested by the data subject; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the personal data are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject;
– the right to data portability, pursuant to art. 20 of the Regulation, according to which the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format as well as the right to transmit those data to another controller without any hindrance if processing is based on consent and is carried out by automated means. The data subject shall also have the right to have the personal data transmitted directly from Onit Group S.r.l. to another data controller, where technically feasible;
– the right to object, pursuant to art. 21 of the Regulation, according to which the data subject shall have the right to object at any time to the processing of personal data concerning him or her based on his or her legitimate interest, including profiling, if any is carried out, unless the Data Controller has legitimate grounds to carry on processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
– the right not to be subject to automated decision-making, pursuant to art. 22 of the Regulation, according to which the data subject shall have the right to not to be subject to a decision based solely on automated processing, including profiling, if any is carried out, which produces legal effects concerning him or her or similarly significantly affects him or her, unless it is necessary for entering into, or performance of, a contract or the data subject has given his or her consent. In any case, the data subject’s personal data shall not be subject to automated decision-making and the User shall be entitled at any time to obtain human intervention on the part of the data controller, to express his or her point of view and to contest the decision;
– the right to withdraw his or her consent at any time and as easily as it was given. This shall not affect the lawfulness of processing based on consent before its withdrawal.
The data subject shall also have the right to lodge a complaint with the Data Protection Supervisor (represented in Italy by the Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Rome) or to take the appropriate legal measures.
The above rights may be exercised towards the Data Controller by contacting the relevant subjects specified herewith.
Pursuant to art. 12 of the Regulation, the exercise of his or her rights by the data subject shall be free of charge. However, if the data subject’s requests are manifestly unfounded or excessive, also due to their repetitive character, the Data Controller may charge a reasonable fee taking into account the administrative costs incurred to manage the request or refuse to act on the request.
In any case, the Data Controller, either directly or through the relevant appointed subjects, shall acknowledge the request and provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. Such term may be extended by two further months where necessary, taking into account the complexity and number of the requests.
Finally, if the Data Controller has doubts concerning the identity of the natural person making the request, the Data Controller may request the provision of additional information necessary to confirm the identity of the data subject.