This page offers a description of the procedures used to manage the website owned by ISPLORA S.r.l. (hereinafter, “the Controller”) and the operations performed to process the personal data of the users who access and navigate on the website.
This notice refers only to the aforementioned page and not to other websites that the user might consult through specific links.
1 – Personal data processing Controller
Pursuant to Article 4, bullet number 7, of Regulation (EU) 2016/679 – GDPR, the Controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
The Controller of this website is: ISPLORA S.r.l., with registered office at via Andegari 4 – 20121 Milan, T: +39 02 829 57 483, e-mail: firstname.lastname@example.org.
2 – Personal data processing Processor
Pursuant to Article 4, bullet number 8, of Regulation (EU) 2016/679 – GDPR, the Processor is the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Pursuant to Article 28 of Regulation (EU) 2016/679 – GDPR, the Processor designated by the Controller for processing the data of the website is: ISPLORA S.r.l., via Andegari 4 – 20121 Milan.
3 – Data Protection Officer
The Data Protection Officer (DPO) is an individual envisaged in Article 37 of Regulation (EU) 2016/679. This individual is designated by the Controller or the Processor to perform support and control, advisory, training, and informational functions concerning application of the Regulation itself. He or she cooperates with the Authority (and for this very reason, his/her name must be notified to the “Garante” [Privacy Ombudsman] and is the contact person, inter alia for the data subjects, concerning questions connected with the processing of personal data (Articles 38 and 39 of the Regulation). The Controller and the Processor must designate the Data Protection Officer when the cases envisaged in Article 37, paragraph 1, sub-paragraphs b) and c), of Regulation (UE) 2016/679 apply. These are entities whose principal activities (above all, their “core business” activities) consist of processing requiring regular and systematic monitoring of the data subjects on a large scale, or of large scale processing of specific categories of personal data or data concerning criminal convictions and criminal offenses (to the extent covered by the notions of “regular and systematic” and “large scale” monitoring. This officer is not mandatory for the Controller of this website.
4- Personal data processing
Data “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 of Regulation (EU) 2016/679 - GDPR).
PURPOSES OF THE PROCESSING
The purpose of this website notice is to:
- provide information about the procedures, timing, and nature of the information that the Controller must assure for the users when they connect to the website www.isplora.com and, regardless of the purposes of the connection itself, verify that the page functions properly, for security reasons, and to determine any responsibility in the event of unlawful acts damaging the website, the Controller, and/or third parties;
- conduct statistical analyses of the connections to the Controller’s website. This activity is performed only after adoption of measures for technical security and anonymization of the data collected on the website. Therefore, no personal information is used for this purpose;
- allow the user to register on the website and use the training service by means of videos published by the Controller. In this case, the user must fill out the specific form on which the following personal data shall be requested: name, surname, e-mail address, province of residence. Once the training video is completed and only if the user needs training credits for the Professional Association to which he/she belongs, his/her tax identification number, place and date of birth will also be requested;
- send updates, newsletters, and promotional information about ISPLORA training services;
- provide the “invite a friend” service, through which the user may enter the e-mail address of a friend who might be interested in the services offered by the Controller. The Controller shall contact the indicated person and give an adequate notice pursuant to Article 14 GDPR.
If the Controller wishes to process the personal data further for a purpose different from the one for which they were collected, it shall first give the user all necessary information and request his/her consent as required.
The personal data collected through the web page shall be processed for the purposes listed hereinabove in order to provide a service concerning the procedures, timing, and nature of the processing when the user voluntarily connects to the website, and to verify that the page is functioning properly, for security reasons and to ascertain any responsibility in the event of unlawful acts damaging the website, the Controller, and/or third parties. In that event, the information shall be processed on the basis of the Controller’s legitimate interests. The statistical analyses of the connections to the Controller’s website shall be performed only after adoption of measures for technical security and anonymization of the data collected on the website. Therefore, no personal information is used for this purpose. The personal data collected for the marketing activity envisaged in part 4 shall be processed only after the data subject has granted his/her explicit consent. The personal data provided by the data subject after filling out the form for access to the training video shall be used for registration to access and view the video service. The personal data obtained indirectly through the “invite a friend” service shall be processed after a specific notice and request for consent are made.
The personal data are processed lawfully, fairly, and transparently and, in any event, in compliance with the provisions of Articles 5 and 6 of Regulation (EU) 2016/679 – GDPR. Your personal data are subject to processing by means of manual and information technology tools on the basis of logics that are strictly related to the purposes for which they have been acquired and otherwise capable of guaranteeing the security and confidentiality of the data themselves. For security purposes (antispam filters, firewalls, virus detection), the automatically recorded data might also include personal data such as the IP address, which might be used, in compliance with applicable laws, to block attempts to damage the website itself or to harm other users, or other harmful or criminal activities.
The users’ IP addresses are never used for identification of the users or for automated processes to profile them on the website.
The processing of personal data is limited to the minimum necessary. No data are collected to perform statistical, historic, or scientific research.
The Controller has adopted adequate technical and organizational measures to guarantee protection of the data processed on the website.
No personal data are provided to commercial third parties.
The personal data are not sold or leased.
TYPE OF DATA
- Navigation data
During normal operating activity and only for the duration of the connection, the information technology systems and software procedures used to operate this website acquire certain personal data whose transmission is implicit in the user of internet communication protocols.
This involves information that is not collected for the purpose of associating it with identified data subjects. However, by their very nature, they might, through processing and associations with data held by third parties, permit identification of the users. This category of data includes the IP addresses or domain names of the computers used by the users that connect to the website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request on the server (successful, error, etc.), and other parameters concerning the operating system and the user’s computer environment. These data are used only to obtain anonymous statistical information on use of the website and to monitor its proper functioning. They are deleted immediately after being processed. The data might be used to determine responsibility in the event of hypothetical computer crimes harming the website. Except in that eventuality, the data on the web contacts currently do not persist for more than three months.
- Data provided voluntarily by the user
Filling out the training video registration form on this website entails subsequent acquisition of the sender’s address, which is necessary to provide the service. These data will be processed exclusively in order to satisfy the submitted request, and they will be deleted three months after that request is received.
A cookie is a small data file that certain websites might send during visits to the user that is visiting those websites. This is done to track the visitor’s activity within the website and to collect absolutely anonymous information to improve the offering and enjoyment of the website itself. For more information about cookies, please refer to the specific notice published on the Controller’s website.
NATURE OF THE PROCESSING
Aside from what is specified for the navigation data, the user is free to provide his/her personal data by voluntarily sending specific requests to the Controller, using the contact information found on the website. If the user wishes to register to view the training video, he/she will have to fill out the specific form and enter the required information. For recognition of credits by his/her own Professional Association, the data subject will also have to enter his/her own taxpayer identification number, place and date of birth.
DISCLOSURE AND DISSEMINATION OF THE DATA
The data of the users of the Controller’s website shall be used exclusively for activities strictly connected with and instrumental to operating the website itself.
Your Personal Data may be disclosed to and processed by in-house contract workers and/or employees of the Controller, in their capacity as persons in charge of the processing, within the scope of their own functions and in accordance with the instructions issued by the Controller.
In certain cases, the data might be accessible to external parties (e.g. technical service outsourcers, hosting providers, information technology companies, companies collaborating with the Controller for provision of the requested service) acting on behalf of the Controller, duly designated if necessary as Processors pursuant to Article 28 of the General Data Protection Regulation (GDPR). They shall guarantee an adequate personal data protection system in compliance with the GDPR. The updated list of the Processors can always be requested from the Controller.
Your data shall not be disclosed to unidentified third parties.
TRANSFER OF DATA
The data present on this website shall be managed and stored on servers located in Amsterdam, at Microsoft Aure West Europe region.
However, it is agreed that if necessary, the Controller will be able to move the location of the servers within the European Union and/or also to countries outside the European Union or to international organizations. In that case, the Controller hereby assures that the transfer of data outside the European Union will be made in accordance with applicable provisions of law, by stipulating agreements if necessary that assure an adequate level of protection or by adopting the standard contractual clauses prescribed by the European Commission.
You may exercise your rights vis-à-vis the Controller or the processor by contacting the Controller at the following addresses: Tel: +39 02 829 57 483, E-mail: email@example.com.
To guarantee proper exercise of his/her rights, the data subject will have to identify himself/herself unequivocally. The Controller promises to respond within 30 days and, if it is impossible to meet that deadline, to justify any extension of the required deadline. The response shall be given free of charge unless the request is unfounded (e.g. there are no data concerning the applying data subject) or excessive requests (e.g. repetitive over time), for which a contribution to defray expenses may be charged.
The data subject may also file a complaint with the Regulatory Authority, and he/she has the right to revoke his/her consent at any time when this constitutes the legal basis for processing.
If the company suffers a personal data breach, the Controller shall notify the competent supervisory authority in compliance with Article 33 of the GDPR and do so within 72 hours after it becomes aware of the event. It shall also report the event to the data subject, except in the exceptional cases indicated in Article 34, paragraph 3, of the GDPR.
The data subject is entitled to obtain information about:
- the origin of the personal data and categories of processed data;
- the purposes and procedures of the processing;
- the personal data retention period;
- the logic applied in the event of processing with the aid of electronic tools;
- the identification details of the Controller and the Processor;
- the parties and categories of parties to whom the personal data may be transmitted or who may learn about them in their capacity as processors or persons in charge of the processing, including those located in other countries
- the existence of the profiling process.
The data subject is entitled to obtaining:
- confirmation of whether or not his/her personal data exist and that those data be provided in intelligible form;
- the updating, rectification, modification, and limitation of the data;
- the erasure (right to be forgotten), anonymization or blocking of the data processed in violation of the law (including those which do not have to be kept in connection with the purposes for which they were collected or subsequently processed);
- certification that the activities indicated at the preceding bullet points have also been reported to those to whom the data has been disclosed or disseminated, except when such certification is impossible or entails the use of resources that is manifestly disproportionate to the right protected by the company;
- the portability of the data (direct transmission from one Controller to another);
- a copy of the processed data.
MODIFICACTIONS TO THIS DOCUMENT
It may be modified or updated. If these consist of significant modifications and updates, they shall be announced with specific notices to the users.
This document was updated in 2018 to comply with the regulatory provisions of Regulation (EU) 2016/679 – GDPR and the Privacy Code – Legislative Decree 196/03 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
CONSENT TO PROCESSING OF PERSONAL DATA
The Undersigned, acting in his/her capacity as a data subject, having read and understood the Controller’s disclosure issued pursuant to Article 13 of Regulation (EU) 2016/679 – GDPR and the national provisions contained in the Privacy Code – Legislative Decree 196/03 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, in regard to the purposes indicated in part 4:
to send updates, newsletters, and promotional information on the training services of ISPLORA