This page offers a description of the procedures used to manage the website owned by ISPLORA S.r.l. (hereinafter, “the Controller”) and the operations performed to process the personal data of the users who access and navigate on the website.
This notice refers only to the aforementioned page and not to other websites that the user might consult through specific links.
1 – Personal data processing Controller
Pursuant to Article 4, bullet number 7, of Regulation (EU) 2016/679 – GDPR, the Controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
The Controller of this website is: ISPLORA S.r.l., with registered office at Via Andegari 4 – 20121 Milano, T: +39 02 829 57 48, e-mail: firstname.lastname@example.org.
2 – Personal data processing Processor
Pursuant to Article 4, bullet number 8, of Regulation (EU) 2016/679 – GDPR, the Processor is the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Pursuant to Article 28 of Regulation (EU) 2016/679 – GDPR, the Processor designated by the Controller for processing the data of the website is: ISPLORA S.r.l., with registered office and operational headquarters in Milan, 20121, via Andegari 4, T: +39 02 829 57 48, e-mail: email@example.com.
3 – Data Protection Officer
The Data Protection Officer (DPO) is an individual envisaged in Article 37 of Regulation (EU) 2016/679. This individual is designated by the Controller or the Processor to perform support and control, advisory, training, and informational functions concerning application of the Regulation itself. He or she cooperates with the Authority (and for this very reason, his/her name must be notified to the “Garante” [Privacy Ombudsman]) and is the contact person, inter alia for the data subjects, concerning questions connected with the processing of personal data (Articles 38 and 39 of the Regulation). The Controller and the Processor must designate the Data Protection Officer when the cases envisaged in Article 37, paragraph 1, sub-paragraphs b) and c), of Regulation (EU) 2016/679 apply. These are entities whose principal activities (above all, their “core business” activities) consist of processing requiring regular and systematic monitoring of the data subjects on a large scale, or of large scale processing of specific categories of personal data or data concerning criminal convictions and criminal offenses (to the extent covered by the notions of “regular and systematic” and “large scale” monitoring). This officer is not mandatory for the Controller of this website.
4 – Personal data processing
Data “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 of Regulation (EU) 2016/679 - GDPR).
DATA TYPES AND PURPOSES OF THE PROCESSING
A. Browsing data
Some personal data, the transmission of which is implicit in the use of Internet communication protocols, are captured by the software and IT systems that enable the operation of this website during their regular exercise and only for the period of connection. Such information is not collected in order to be associated with identified interested parties, but could by its nature be used to identify the users, by means of processing operations and in combination with other data in the possession of third parties. This data category includes IP addresses or domain names of the computers used by the users to access the website, the addresses in URI (Uniform Resource Identifier) notation for resources requested, their time stamps, the method used to deliver the request to the server (success, error, etc.), the country of origin, the time span of the visit (e.g. the time spent on each page) and other parameters connected to the IT system and computing environment of the user.
Such data could be used for:
i) statistics: collection of data and information in aggregate and anonymous form in order to verify the proper functioning of the website. None of such information is connected to the physical person-User of the website, and does not allow identification in any way.
ii) security: collection of data and information in order to protect the security of the website and Users (spam filters, firewalls, virus detection) and to prevent or unmask fraud or abuse to the detriment of the website.
B. Data voluntarily provided by the user
This category includes:
- data provided by sending e-mails to the e-mail addresses indicated on the Site. The Processor can use the user's e-mail address and the personal data contained in the e-mail;
- data provided by filling in the form in the "Create an account" section. Personal data processed are: name, surname, e-mail address and job (mandatory data), residence; tax code, place and date of birth if the user needs the training credits;
- data provided to purchase paid content.
Such data can be used for:
i) identification and access to the e-commerce platform and allow the user to register on the website and use the training service by means of videos published by the Controller.
iii) user database management constructing User-profiles and tracking User activities through statistical capabilities, in order to structure and improve the efficiency of the website.
iv) defense in court in the event of a dispute
v) marketing: with the User’s consent, sending email messages and newsletters containing information, also of commercial and promotional nature, regarding ISPLORA services.
vi) communication of data to partners for marketing purposes: communication by transmission of the user's personal data to Isplora’s Partners who participated in the creation of the contributions displayed by the user. Partners can send email messages and newsletters, including commercial and promotional ones.
5. LEGAL BASIS
– purposes stated in § 4, letter A), points i) and ii), and letter B), points iii) and iv): legitimate interest of the Data Controller;
– purposes stated in § 4, letter B), points i) and ii): contract and pre-contractual negotiations;
– purposes stated in § 4, letter B), point v) and point vi): consent of the data subject.
6. NATURE OF THE PROCESSING
7. PROCESSING PROCEDURES
The personal data are processed lawfully, fairly, and transparently and, in any event, in compliance with the provisions of Articles 5 and 6 of Regulation (EU) 2016/679 – GDPR. Your personal data are subject to processing by means of manual and information technology tools on the basis of logics that are strictly related to the purposes for which they have been acquired and otherwise capable of guaranteeing the security and confidentiality of the data themselves. For security purposes (antispam filters, firewalls, virus detection), the automatically recorded data might also include personal data such as the IP address, which might be used, in compliance with applicable laws, to block attempts to damage the website itself or to harm other users, or other harmful or criminal activities.
The users’ IP addresses are never used for identification of the users or for automated processes to profile them on the website.
The processing of personal data is limited to the minimum necessary. No data are collected to perform statistical, historic, or scientific research.
The Controller has adopted adequate technical and organizational measures to guarantee protection of the data processed on the website.
8. DISCLOSURE AND DISSEMINATION OF THE DATA
The data of the users of the Controller’s website shall be used exclusively for activities strictly connected with and instrumental to operating the website itself.
Your Personal Data may be disclosed to and processed by in-house contract workers and/or employees of the Controller, in their capacity as persons in charge of the processing, within the scope of their own functions and in accordance with the instructions issued by the Controller.
In certain cases, the data might be accessible to external parties (e.g. technical service outsourcers, hosting providers, information technology companies, companies collaborating with the Controller for provision of the requested service) acting on behalf of the Controller, duly designated if necessary as Processors pursuant to Article 28 of the General Data Protection Regulation (GDPR). They shall guarantee an adequate personal data protection system in compliance with the GDPR. The updated list of the Processors can always be requested from the Controller.
With user's consent, data can be communicated to Isplora Partners who participated in the creation of the contributions displayed by the user.
Your data shall not be disclosed to unidentified third parties.
9. TRANSFER OF DATA
The data present on this website shall be managed and stored on servers located in Amsterdam, in the Microsoft Azure West Europe region.
However, it is agreed that if necessary, the Controller will be able to move the location of the servers within the European Union and/or also to countries outside the European Union or to international organizations. In that case, the Controller hereby assures that the transfer of data outside the European Union will be made in accordance with applicable provisions of law, by stipulating agreements if necessary that assure an adequate level of protection or by adopting the standard contractual clauses prescribed by the European Commission.
10. RETENTION PERIOD
11. USER’S RIGHTS
You may exercise your rights vis-à-vis the Controller or the processor by contacting the Controller at the following addresses: Tel: +39 02 829 57 48, E-mail: firstname.lastname@example.org.
To guarantee proper exercise of his/her rights, the data subject will have to identify himself/herself unequivocally. The Controller promises to respond within 30 days and, if it is impossible to meet that deadline, to justify any extension of the required deadline. The response shall be given free of charge unless the request is unfounded (e.g. there are no data concerning the applying data subject) or excessive (e.g. repetitive over time), in which case a contribution to defray expenses may be charged.
The data subject may also file a complaint with the Regulatory Authority, and he/she has the right to revoke his/her consent at any time when this constitutes the legal basis for processing.
If the company suffers a personal data breach, the Controller shall notify the competent supervisory authority in compliance with Article 33 of the GDPR and do so within 72 hours after it becomes aware of the event. It shall also report the event to the data subject, except in the exceptional cases indicated in Article 34, paragraph 3, of the GDPR.
The data subject is entitled to obtain information about:
• the origin of the personal data and categories of processed data;
• the purposes and procedures of the processing;
• the personal data retention period;
• the logic applied in the event of processing with the aid of electronic tools;
• the identification details of the Controller and the Processor;
• the parties and categories of parties to whom the personal data may be transmitted or who may learn about them in their capacity as processors or persons in charge of the processing, including those located in other countries;
• the existence of the profiling process.
The data subject is entitled to obtain:
• confirmation of whether or not his/her personal data exist and that those data be provided in intelligible form;
• the updating, rectification, modification, and limitation of the data;
• the erasure (right to be forgotten), anonymization or blocking of the data processed in violation of the law (including those which do not have to be kept in connection with the purposes for which they were collected or subsequently processed);
• certification that the activities indicated at the preceding bullet points have also been reported to those to whom the data has been disclosed or disseminated, except when such certification is impossible or entails the use of resources that is manifestly disproportionate to the right protected by the company;
• the portability of the data (direct transmission from one Controller to another);
• a copy of the processed data.
The data subject is entitled to object to the processing of his/her personal data in the cases indicated in Article 21 of the GDPR.
MODIFICATIONS TO THIS DOCUMENT
This document may be modified or updated. Significant modifications and updates shall be announced with specific notices to the users.
This document was updated in 2018 to comply with the regulatory provisions of Regulation (EU) 2016/679 – GDPR and the Privacy Code – Legislative Decree 196/03 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.