WHAT THIS ADVISORY IS FOR
This page describes how the STEFRA S.r.l. site is managed with regard to the personal data of the users that visit it.
It is a statement made in conformance with art. 13 of Legislative decree no. 196/2003 (Personal Data Protection Code) for the benefit of those who interact with the Web services of STEFRA S.r.l. starting from the address:
The statement concerns this site only and not any other Web sites visited by the user through links on the site.
The statement is also based on Recommendation no. 2/2001 that the European personal data protection authorities belonging to a Working Party, set up in accordance with art. 29 of directive no. 95/46/EC, adopted on 17 May 2001 to establish some minimum requirements for the collection of personal data on line and, in particular, the methods, times and nature of the information that the data controllers must give to users when they visit web pages, irrespective of the purpose of their visit.
Data processing site
The processes associated with the web services of this site are carried out at the Stefra site mentioned previously, exclusively by technical staff at the office responsible for processing the data, or others responsible for occasional maintenance operations. No data is communicated or disclosed by the web service, except in the cases indicated below.
The personal data provided by users requesting informative material (newsletters, answers to questions, etc.) is used exclusively to provide the service requested and is only communicated to third parties if this is necessary for the aforesaid purpose.
Types of data processed
During normal operation, the information systems and software procedures used for the functioning of this web site acquire some personal data that has to be sent in order to use the internet communication protocols. This information is not collected in order to associate it with identified persons but, due to its nature, it could be used to identify users through processing and association with data held by third parties.
This category of data comprises IP addresses or names in the computer domain used by the persons connecting to the site, addresses of the resources requested in URI (Uniform Resource Identifier) notation, the time at which the request was made, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (successful completion, error, etc.) and other parameters concerning the user’s operating system and IT environment.
This data is used exclusively to obtain anonymous statistics on the use of the site and to check that it is functioning properly, and it is deleted immediately after processing. The data could be used to establish liability in case of IT crimes against the site: except in this case, the data on web contacts in this status does not remain for more than seven days.
Data provided voluntarily by the user
The optional, express and voluntary transmission of e-mails to the addresses indicated on this site entails subsequent acquisition of the sender’s address, which is necessary to answer his requests, and any other personal data included in the e-mail.
Specific summary statements will gradually be indicated or shown on the pages of the site set up for particular services provided on request.
None of the users’ personal data is acquired by the site.
No use is made of cookies to send personal data or any types of persistent cookies, which are systems for profiling and/or tracking users. The use of session cookies (which are not saved on the user’s computer and disappear when the browser is closed) is strictly limited to the transmission of session IDs (consisting of random numbers generated by the server), which are necessary to permit safe and efficient exploration of the site.
The session cookies used on this site eliminate the need to use other IT methods that could jeopardize the confidentiality of users’ navigation and do not allow the personal data identifying the user to be acquired.
Optional nature of data provision
In addition to the indications given for the navigation data, the user can provide the personal data indicated on the Stefra request forms or in any other form in contacts with its offices to request the transmission of informative material or other communications.
Data provision is obligatory for the standard commercial and administrative practices and refusal to provide the data could entail failure to fulfil the contract, relationship and/or contact and thus make it impossible to have your request fulfilled.
Data processing methods
The purpose of processing your requested or acquired personal data, both before the contact and/or commercial relationship of collaboration and work is established and for contacts made simply to promote the activities of the organization, is to fulfil the legal and contractual obligations, to check the fulfilment of these obligations by STEFRA S.r.l. and to facilitate the performance of the activities most closely linked to its corporate purpose.
The data will be processed using methods and tools that ensure its confidentiality and may be processed using electronic or automated means (computers on a network not accessible to the public) and non-automated means (hard copy archives), both equipped with adequate security measures such as personalized passwords with exclusive access, a personal identification code and archive access control as laid down and regulated by articles 31 to 36 inclusive of the Code and always in conformance with article 11 of the Code.
Once you have given your formal consent, your personal data may be communicated:
- a) only in the cases laid down in the law, to fulfil the administrative, accounting and/or tax obligations indicated in paragraph 1);
- b) to external collaborators of the Stefra S.r.l. company in their capacity as tax, accounting and/or legal consultants to fulfil the obligations set forth under letter a);
- c) to founding, licensed, sublicensed, contracting and/or subcontracting organizations/institutions/companies where involved in conducting the contractual or commercial relationship established;
- d) only following your specific consent, which can be revoked at any time, your (non-sensitive) personal data can be added to the Stefra S.r.l. lists for the transmission of newsletters, informative, advertising and promotional material on the corporate activities carried out by Stefra S.r.l.;
- e) only following your specific consent, which can be revoked at any time, your (non-sensitive) personal data can be disclosed through insertion on the “stefra.net” web site and through articles published in specialized magazines and journals;
- f) only following your specific consent, which can be revoked at any time, to companies operating in the same sector as Stefra S.r.l.
The Data Controller
The data controller is STEFRA S.r.l., based at Via Per Panzano n. 171, 41013 Castelfranco Emilia, in the person of the current Sole Director and legal representative, Mr. Stefano Giuliani.
Data Subjects’ Rights
The data subject, that is, the person to whom the personal data refers, has the right, at any time, to obtain confirmation of the existence of such data and to find out their content and source, check their accuracy or have them completed, brought up to date or corrected, as appropriate (articles 7, 8, 9 and 10 of Legislative decree no. 196/2003 set forth below for your convenience).
In accordance with these articles, the data subjects can have any unlawfully processed data deleted, converted into anonymous form or blocked, and object to their processing in any case for legitimate reasons.
Such requests should be made to the data controller by writing to the following e-mail address: (firstname.lastname@example.org).
This privacy statement can be consulted automatically using the latest browsers that implement the P3P (“Platform for Privacy Preferences Project”) standard proposed by the World Wide Web Consortium (www.w3c.org).
Every effort will be made to make the functions of this site interoperable with the automatic privacy control mechanisms available in some products adopted by users.
Art. 7 Right to Access Personal Data and Other Rights
- The data subject shall have the right to obtain confirmation as to whether or not personal data concerning him/her exist, regardless of its being already recorded, and communication of such data in an intelligible form.
- The data subject shall have the right to be informed:
- a) of the source of the personal data;
- b) of the purposes and methods of its processing;
- c) of the logic applied to the processing, if the latter is carried out with the aid of electronic means;
- d) of the identification details concerning the data controller, data processors and the representative designated as per article 5, subsection 2;
- e) of the entities or categories of entity to whom or which the personal data may be communicated and who become aware of said data in their capacity as designated representative in the State’s territory, data processors or persons in charge of processing.
- The data subject shall have the right to obtain:
- a) updating, rectification or, where interested therein, completion of the data;
- b) erasure, anonymization or blocking of data that has been processed unlawfully, including data whose retention is unnecessary for the purposes for which it was collected or subsequently processed;
- c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data was communicated or divulged, unless this requirement proves impossible or involves a manifestly disproportionate effect compared with the right that is to be protected.
- The data subject shall have the right to object, in whole or in part:
- a) on legitimate grounds, to the processing of personal data concerning him/her, even if it is relevant to the purpose of collection;
- b) to the processing of personal data concerning him/her where this is performed for the purpose of sending advertising material, making direct sales or conducting market or commercial communication surveys.
Art. 8 Exercise of Rights
- The rights referred to in article 7 may be exercised by making a request to the data controller or processor without formalities, also by the agency of a person in charge of the processing. A suitable response shall be provided to said request without delay.
- The rights referred to in Article 7 may not be exercised by making a request to the data controller or processor, or else by lodging a complaint in pursuance of Article 145, if the personal data is processed:
- a) pursuant to the provisions of decree-law no. 143 of 3 May 1991, as converted, with amendments, into Act no. 197 of 5 July 1991, and subsequently amended, concerning money laundering;
- b) pursuant to the provisions of decree-law no. 419 of 31 December 1991, as converted, with amendments, into Act no. 172 of 18 February 1992, and subsequently amended, concerning support for victims of extortion;
- c) by Parliamentary Inquiry Committees set up as per Article 82 of the Constitution;
- d) by a public body other than a profit-seeking public body, where this is expressly required by a law for purposes exclusively related to currency and financial policy, the system of payments, control of brokers and credit and financial markets and protection of their stability;
- e) in pursuance of Article 24, subsection 1, letter f), as regards the period during which performance of the investigations by defence counsel or establishment of the legal claim might be actually and concretely prejudiced;
- f) by providers of publicly available electronic communications services in respect of incoming phone calls, unless this may be actually and concretely prejudicial to performance of the investigations by defence counsel as per Act no. 397 of 7 December 2000;
- g) for reasons of justice by judicial authorities at all levels and of all instances as well as by the Higher Council of the Judiciary or other self-regulatory bodies, or else by the Ministry of Justice;
- h) in pursuance of Article 53, without prejudice to Act no. 121 of 1 April 1981.
- In the cases referred to in subsection 2, letters a), b), d), e) and f), the Data Protection Authority (called the Garante), also following a report submitted by the data subject, shall act as per Articles 157, 158 and 159; in the cases referred to in letters c), g) and h) of said subsection, the Data Protection Authority shall act as per Article 160.
- Exercise of the rights referred to in Article 7 may be permitted with regard to data of a non-objective nature on the condition that it does not concern rectification of or additions to personal evaluation data in connection with judgments, opinions and other types of subjective assessment, or else the specification of policies to be implemented or decision-making activities by the data controller.
Art. 9 Mechanisms to Exercise Rights
- The request addressed to the data controller or processor may also be conveyed by means of a registered letter, facsimile or e-mail. The Data Protection Authority may specify other suitable arrangements with regard to new technological solutions. If the request is related to exercise of the rights referred to in Article 7, subsections 1 and 2, it may also be made verbally in which case, it will be written down in summary form by either a person in charge of the processing or the data processor.
- The data subject may grant, in writing, power of attorney or representation to natural persons, bodies, associations or organizations in connection with exercise of the rights as per Article 7. The data subject may also be assisted by a person of his/her choice.
- The rights as per Article 7, where related to the personal data concerning a deceased person, may be exercised by an entity that is interested therein or else acts to protect a data subject or for family-related reasons deserving protection.
- The data subject’s identity shall be verified on the basis of suitable information, also by means of available records or documents or by producing or attaching a copy of an identity document. The person acting on instructions from the data subject must produce or attach a copy of either the proxy or the letter of attorney, which shall have been undersigned by the data subject in the presence of a person in charge of the processing or else shall bear the data subject’s signature and be produced jointly with a copy of an ID document from the data subject, which shall not have to be certified true pursuant to law. If the data subject is a legal person, body or association, the relevant request shall be made by the natural person that is legally authorized thereto based on the relevant regulations or articles of association.
- The request referred to in Article 7, subsections 1 and 2, may be worded freely without any constraints and may be renewed at intervals of not less than ninety days, unless there are well-grounded reasons.
Art. 10 Response to Data Subjects
- With a view to effectively exercising the rights referred to in Article 7, data controllers shall take suitable measures in order to, in particular:
- a) facilitate access to personal data by the data subjects, even by means of ad hoc software allowing accurate retrieval of the data concerning individual identified or identifiable data subjects;
- b) simplify the arrangements and reduce the delay for the responses, also with regard to public relations departments or offices.
- The data processor or the persons in charge of the processing shall be responsible for retrieval of the data, which may be communicated to the requesting party also verbally, or else displayed by electronic means – on condition that the data is easily intelligible in such cases also in the light of the nature and amount of the information. The data shall be reproduced on paper or magnetic media, or else transmitted via electronic networks whenever this is requested.
- The response provided to the data subject shall include all the personal data concerning him/her that are processed by the data controller, unless the request concerns either a specific processing operation or specific personal data or categories of personal data. If the request is made to a health care professional or health care body, the provision laid down in article 84, subsection 1, is implemented.
- If data retrieval is especially difficult, the response to the data subject’s request may also consist in producing or delivering a copy of records and documents containing the personal data concerned.
- The right to obtain communication of the data in intelligible form does not apply to personal data concerning third parties, unless breaking down the processed data or eliminating certain items from the latter prevents the data subject’s personal data from being understandable.
- Data is communicated in intelligible form also by using legible handwriting. If codes or abbreviations are communicated, the criteria for understanding the relevant meanings shall be made available also by the agency of the persons in charge of the processing.
- Where it is not confirmed that personal data concerning the data subject exist, further to a request as per Article 7, subsections 1 and 2, letters a), b) and c), the data subject may be charged a fee, which shall not be in excess of the costs actually incurred for the inquiries made in the specific case.
- The fee referred to in subsection 7 may not be in excess of the amount specified by the Data Protection Authority in a generally applicable provision, which may also refer to a lump sum to be paid if the data is processed by electronic means and the response is provided verbally. Through said instrument the Data Protection Authority may also lay down that the fee may be charged if the personal data is contained on special media whose reproduction is specifically requested, or else if a considerable effort is required by one or more data controllers on account of the complexity and/or amount of the requests and existence of data concerning the data subject can be confirmed.
- The fee referred to in subsections 7 and 8 may also be paid by bank or postal draft, or else by debit or credit card, if possible upon receiving the relevant response and anyhow within fifteen days of said response.