Extended information note
Who will process my data?
Your data will be processed in its role as Data controller by the company BARTOLUCCI FRANCESCO srl, Registered Office in Via Parrocchiale 12, 61010 Tavullia (PU) – Italy
How can I contact you?
Our contact information: BARTOLUCCI FRANCESCO srl, Administrative Offices in Via Lungofoglia no. 19, 61020 Montecalvo in Foglia (PU) – Italy
Tel: +39 0722 580815
Fax: +39 0722 580771
Which of my personal data do you process?
The data we process may differ based on the purpose for which they are processed, according to the following plan:
- Browsing Bartolucci websites
The categories of data processed by the applications that manage browsing on Bartolucci websites include the following types:
- Common identification data, fiscal data, optional data: Name, Surname, City, telephone number, email, free text messages, billing data (orders, invoices, tax code and/or VAT number, bank details, delivery/shipment details)
- Technical cookies and usage data assimilated by technical cookies:
The computer systems and software procedures used to operate the Bartolucci websites acquire, during their normal operation, some personal data whose transmission is implicit in the internet communication protocols.
This is information that is not collected to be associated with identified subjects, but by its very nature could, by processing and association with data held by third parties, allow users to be identified and, in particular:
- IP addresses or domain names of computers used by users who connect to the websites,
- URI (Uniform Resource Identifier) notation addresses of requested resources,
- request time,
- the method used when placing request to server,
- the size of the file obtained in response,
- the numerical code indicating the server’s response status (completed, error, etc),
- other technical parameters, regarding the user’s operating system and It environment.
These data can be used solely to obtain anonymous statistical information about website use and to check their correct function.
The data could be used to verify responsibility in the event of hypothetical cyber-crimes against the website.
- Interaction with social networks:
If the user is given the possibility of registering on the Bartolucci websites, by clicking on the “Access with Facebook” button, Facebook will automatically send some of the user’s data to Bartolucci, as specified in the “pop-up” window that appears when the request is made, and it will therefore not be necessary for the user to fill out other forms.
Data are provided freely by the user, registered on request or are automatically acquired during browsing.
The user takes responsibility for third party personal data, sent through this application, for which it acts as an autonomous controller, assuming all legal obligations and responsibilities.
In this sense, the user guarantees that they have the right to communicate them or disseminate them, freeing the controller from any responsibility towards third parties, awarding the broadest indemnity on this point,
- Newsletter and House Organ
We only process personal data that you have given us directly, using sending services that managed mailing lists anonymously and in mass numbers.
Personal data that may be processed can be:
Name, Surname, Address, Postcode and City, Province, Nation, Telephone number, e-mail, Date of Birth
We only process the data that you provide us with to complete shipment of purchases you have made at Bartolucci shops that adhere to this service to your home address; the data are as follows:
Recipient of goods: Name, Surname, Delivery Address, Postcode and City, Province, Nation, Telephone number, e-mail
These data are provided to the carrier appointed with delivery.
- Consent for User of Photo/Video Images
We inform you that with your express consent, you are authorising us to take, publish and disseminate photos and/or videos including your image, free of charge and without time limits (unless revoked), for promotional and commercial information sharing purposes concerning the Bartolucci Brand. Photographs and/or videos are taken in Bartolucci shops. They are produced on paper and/or digital supports and may be processed via both traditional information channels and on the internet and social media. Images are stored in the Bartolucci historical archives for the time required to pursue the stated purposes. You have the possibility to withdraw consent given at any time. This does not prejudice the legality of processing based on consent given beforehand. Your images may be matched with your name, surname, place and date of birth – provided by you – in our archives, but without disclosing this data unless expressly consented to and authorised by you.
Where do you take my personal data from?
You will provide us directly with your personal data, when filling out the contact forms to request information, to register and to purchase online, to subscribe to our newsletter and to other commercial promotion initiatives.
Some data, generally anonymous and grouped together in mass mode, may be automatically sent by Google Analytics, a service provided by Google Inc.
Why do you process my data and on which legal basis?
We process your personal data based on our legitimate interest, for purposes that are included in the list below:
- Direct Marketing and/or Commercial Promotion
Sending communications via e-mail (newsletter); in this way, we can provide you with information about our products and our commercial promotion initiatives.
To provide you with the shipment service to the address given by you, when purchasing bartolucci products from the shops adhering to this initiative.
Sending via email of our house-organ “Cronache dal Retrobottega”, as we take pleasure in keeping you informed about our initiatives, activities and company news.
We take photos and videos, mainly set in our shops, to promote our brand and optimise our image. It may be that you also appear in these photos and or videos and, in this case, we will ask for your consent before disseminating these images on our information channels (also on the internet and on social media).
To offer you a secure browsing experiences on Bartolucci websites and to protect the latter from any cyber-attacks.
The legal basis for lawful processing uses the legislative framework of the EU Regulation 2016/679 (GDPR) and of the National Data Protection Authority’s Provisions for Privacy and IT Security, and is set out as follows:
- To fulfil legal, accounting and fiscal obligations (GDPR article 6, section1, letter c)
The information is provided by the user, via the purchasing procedures and is aimed at the operational, accounting, fiscal and administrative management of orders/purchases/shipments that the data controller is obliged to fulfil.
- Execution of a contract or pre-contractual measures adopted on the user’s request (GDPR article 6, section 1 letter b)
The information is provided by the user when filling out the following on the Bartolucci websites: (1) contact and/or information request form; (2) management of shopping cart; (3) account management; this information aims to provide answers to information requests, pre-contractual activities and to carry out the contract and/or requested service.
- Direct marketing and right to information (GDPR article 6 section1 letter f)
The information is provided by the user while browsing the Bartolucci websites and/or during retail sales of products, through requests for subscribing to the newsletter and/or House Organ; this information is used to send commercial communications, aimed at the subsequent direct sale of similar products to the ones sold, and to exercise the information company rights.
- Consent (GDPR article 6 section 1 letter a)
The information is provided by the user via subscription request on the newsletter and/or House Organ sending form, or by filling out the form to authorise use of their own image (photo/video); in this case, it is for commercial and additional information purposes, or connected to the ones above.
- Web traffic analysis (GDPR article 6 section 1 letter f)
Information is sent to the controller by Google Analytics, a service provided by Google Inc.
In this case, the user’s personal data are automatically collected during browsing and concern cookies and website usage behaviour.
- Security (GDPR article 6 section 1 letter f)
Information is processed for website (antispam filters, firewalls, virus detection) and user security purposes, to prevent or reveal fraud or abusive damage to the website.
We would therefore like to inform you:
- that, apart from the cases where the provision and processing of your personal data are mandatory for legal obligations, providing data for direct marketing and information purposes is optional and you can object to said processing at any time. In this case, we will no longer be able to keep you informed about our initiatives, activities, products, promotions and/or offers reserved for you.
- that we will not use your personal data for purposes other than the ones described in this information note, unless we inform you beforehand, and, where necessary, obtain your consent;
- that you have the right to object to the activities of the above processing, both when registering or later, without this in any way prejudicing the possibility of making purchases and using the specific services you have requested, except in the cases where data processing is mandatory by law;
- that you have the possibility of withdrawing your consent at any time, without prejudicing the legality of processing we have carried out based on the consent you previously gave before withdrawal.
What does mandatory and optional nature of providing data mean?
Providing data is mandatory when it is necessary to fulfil a legal obligation that the controller is subject to or to execute contractual/pre-contractual requests that you make.
In this case, not providing data will result in it being impossible to execute the contract or to fulfil your requests.
On the other hand, providing data for direct marketing purposes, for the right to information and to send commercial communications is optional.
In this latter case, not providing the data means that it will be impossible to provide you with commercial communications and information, pertaining to the Bartolucci Group reality.
The technical data required to use the service provided by the Bartolucci websites are mandatory.
These data are the technical cookies and the analysis cookies (in aggregate and anonymous form), assimilated to technical cookies; these cookies are necessary to send electronic communications and to ensure correct viewing and browsing on the website.
If you refuse to accept these cookies, it may be impossible for our website to provide you with a browsing service.
The technical data required for security purposes are mandatory for ascertaining responsibility in the event of hypothetical cyber-crimes against the websites, and to ascertain responsibility in the event of fraud, identity theft and any other illegal activity against the users (you) and the data controller (us).
If you refuse to accept these cookies, it may be impossible for our website to provide you with a browsing service and to protect your data and your rights.
How do you protect my data?
Your personal data will be processed according to the principles of lawfulness, correctness and transparency, for the given, explained and lawful purposes as indicated, in observance of the principle of minimisation and exactness of data, adopting suitable technical and organisational measures in observance of the principles of integrity and confidentiality.
Your personal data will be processed using suitable instruments and procedures for ensuring security and confidentiality, in archives and on hard copies, with the aid of digital supports, IT and remote media.
Who will you share my data with?
We manage your data directly via the authorised staff of the Bartolucci Group companies, within the limits of respective responsibilities and authorisations, in observance of confidentiality obligations and according to the specific purposes stated above, under the data controller’s responsibility.
We do not transfer your personal data to third parties, for profiling and/or commercial use purposes.
We use automatic email sending systems (e.g. Mailchimp) that process mailing lists anonymously and in mass mode.
Should there be a need to entrust some activities (or part of them) to third parties to pursue the purposes stated in the answers we have given above, your data will be communicated to subjects who will be appointed as data processors.
We will provide suitable operating instructions for these processors, with special reference to the adoption of technical and organisational security measures, to ensure data confidentiality and security.
The full list of data processors is available from our company and you can obtain the relevant information by contacting us at the addresses provided above.
We inform you that data will not be subject to transfers to a country outside the European Union.
External subjects that may possibly be recipients of personal data that is processed and/or access user data, always and only within the limits of the individual specific purposes stated above, are included in the following categories (list subject to variations):
- Companies, consultants and providers of administrative, accounting and taxation services;
- Building societies/banks, insurance companies;
- Centralised IT system providers (risk centres, anti-fraud centres, etc);
- IT service providers, companies and consultants, hosting providers;
- Legal practices for credit collection and dispute management;
- Companies that carry out packaging operations;
- Companies that organise sending of post and commercial information;
- Communication agencies;
- Postal couriers and shippers.
These subjects will be authorised each time based on specific activities and/or requests for consultancy and/or provision of services, they will be subject to obligations of confidentiality and will operate under the responsibility of the data controller and, if necessary, data processors will be appointed.
Further information will be made available by contacting the data controller directly.
The data are processed at the data controller’s premises or at the premises of external subjects named data processors.
For services offered by Google Inc. for Google Analytics, the place of processing is Extra EU, towards a country that adheres to the Privacy Shield.
How long will you store the information about my personal data?
The data are available solely for the time necessary to fulfil the purposes of processing; in particular, the data processed for administrative and accounting purposes will be stored in observance of legal obligations, for a maximum period of 10 tax years.
The data provided to carry out contractual and/or pre-contractual requests will be stored for the time required to fulfil the purposes for which they were collected and in observance of the terms stated by law, regulations and EU legislation.
The data collected for direct marketing purposes, for the right to information and based on express consent, are stored from the moment they are received/updated for a period of 24 months, unless a request for erasure, objection or withdrawal of consent is made before said deadline.
Personal data provided voluntarily after your express consent will be stored for the time required to pursue the purpose for which they are collected and until consent is withdrawn or until you exercise the right to erasure.
The entity and adequacy of the data provided will be decided each time, to determine the consequent decisions and to avoid storing said data beyond the necessary period compared to the pursued purposes.
Duration of cookies:
Some cookies (session cookies) stay active only until the browser is closed or the user logs out. Some cookies “survive” when the browser is closed and are also available during subsequent visits by the user.
These cookies are known as persistent and their duration is set by the server at the time they are created.
The IP address data may also be stored even after the browser has been closed or the user has logged out, as they may be used for website security purposes (blocking attempts to damage the website).
What are my rights and how can I exercise them?
At any moment, you will have the right to request:
- access to your personal data, for example, to learn whether or not your personal data is currently being processed, the purposes thereof and the categories of data processing, to whom they have been communicated and if they are transferred to a third-party country, for how long they are stored and anything else stated in article 15 of the GDPR;
- rectification in the event of inaccuracy and addition of incomplete data, in accordance with article 16 of the GDPR;
- erasure of data, in the event of the grounds set out in article 17 of the GDPR, for example if they are no longer necessary for the purposes of processing or if purpose is unlawful, or if in the meantime you have withdrawn consent or if you object to processing;
- limitation of processing in the cases provided for by article 18 of the GDPR.
We will notify each of the recipient to whom your data was sent of your requests unless this proves to be impossible or implies an action of a disproportionate entity.
You will also have the right:
- to portability of data in the cases provided for by article 20 of the GDPR, obtaining your data in a structured, commonly-used and machine-readable format;
- to withdraw your consent at any time; in this case, your withdrawal will not affect the lawfulness of our previous processing, carried out on the basis of your consent that was provided prior to your withdrawal;
- to object to the processing of data to pursue legitimate interest for direct marketing purposes, including profiling where connected with said direct marketing, as provided for by article 21 of the GDPR.
We will acknowledge your request with the maximum undertaking to guarantee the actual exercising of your rights, providing you with the due answer without unjustified delay and within 30 days of receiving your request, notwithstanding the need for a further extension of 30 days and in this case, we will inform you about it.
You can exercise your rights by written request to the following email address: firstname.lastname@example.org
Nevertheless, where possible, we adopt simplified modes to allow you to exercise your right to withdrawal, by inserting a “ERASE ME” function (button), with which you can communicate your withdrawal of your previous consent, without carrying out any further formal obligations.
Lastly, you have the right to lodge a complaint with the national Data Protection Authority.
How long does this information note remain in force?
What do some of the technical terms mean that you use in this information note?
We apologise if, in certain cases, we are forced to use technical or legal terms that are not immediately easy to comprehend.
We are here to provide you with any further explanation and below is a short glossary of the terms most frequently used in this information note.
This is the individual or legal entity, public authority, service or other body that, alone or together with others, determines the purposes and means used for processing personal data.
In this case, it is us, i.e. the company BARTOLUCCI FRANCESCO srl.
This is any information about an identified or identifiable person (“data subject”); an individual who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an ID number, data about location, online identifier or one or more characteristics about their physical, physiological, genetic, mental, economic, cultural or social identity.
Basically, it is the information we hold concerning you.
These are the data automatically acquired via browser and session cookies, web statistical data analyses (analytics), usage cookies used to allow sending a communication over an electronic communication network.
These are electronic files, with short texts, that the websites visited by the user send to the operating terminal via the server.
It is the subject who uses the web service and who, unless otherwise indicated, coincides with the data subject (i.e, you).
It is the identified or identifiable individual (i.e. you)