Pursuant to art. 13 of EU Regulation no. 679/2016 (hereinafter, for brevity, only GDPR), users who consult this website of Spaziale s.p.a. are informed of the methods and purposes for which personal data are processed, within the limits and for the purposes provided for by the aforementioned European Regulation and by the Italian laws on the subject (legislative decrees no. 196/2003 and no. 101/2018). This privacy policy does not apply to other websites, pages or online services that can be reached via hypertext links that may be published on the website but refer to resources outside the domain of the Data Controller.

1. Data Controller. The Data Controller is La Spaziale s.p.a., with registered office in Casalecchio di Reno (Bologna), via Eleonora Duse n. 8, telephone number 0516111011, e-mail address info@laspaziale.com.

2. Purpose of the processing. The processing of common personal data through the website is necessary: a) for the technical operation and for the use of IT measures for the security of the site itself; b) for statistical processing on the use and efficiency of the website’s functions; c) for the management of an order or to respond to a request for information relating to the products in relation to any requests made directly by the data subjects.

3. Legal basis. The processing of personal data is carried out: i) on the basis of a contractual or legal obligation (art. 6, para. 1, lett. b, lett. c, GDPR), with regard to the management of contractual relationships and any tax and accounting obligations; ii) on the basis of the legitimate interest of the Data Controller (Article 6, paragraph 1, letter f, GDPR), with reference to the data essential for the efficient and secure navigation of the website; iii) on the basis of consent (Article 6, paragraph 1, letter a, GDPR), in cases where the data subjects communicate their data voluntarily through communications on the Data Controller’s social networks or on any forms on the aforementioned website.

4. Types of data processed. Consultation of the site may involve the processing of data that directly or indirectly identify a natural person (e.g. name, surname, e-mail address, telephone number, IP address, etc.).

a. Browsing data: these are personal data processed for the proper functioning of the website and for its stable and secure navigation by the user; the acquisition and processing of such data are implicit in the use of internet communication protocols, the transmission of which can take place automatically by the browser; this category includes: IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), the type of browser used and other parameters relating to the operating system and the user’s computer environment.

b. Data communicated by the user: the optional, explicit and voluntary sending of messages to the contact addresses of the Data Controller, private messages sent by users to official profiles/pages on social media (where this possibility is provided), as well as the compilation and forwarding of forms on the site, involve the acquisition of the sender’s personal and contact data, necessary to respond, as well as any personal data included in the communications.

c. Social media platforms: with regard to the processing of personal data carried out by the Data Controller through the use of social media platforms, please refer to the relevant Social media policy; regarding the data processed by the managers of the social media platforms used by the Data Controller, please refer to the respective privacy policies.

d. Cookies: with regard to the use of cookies and any data processing, please refer to the relevant Cookie policy.

5. Methods of processing. – Browsing data are stored in digital format, the data communicated by the user are stored in digital and paper format by the Data Controller; all data are processed in the ways and within the limits necessary to pursue the purposes set out above, in compliance with the law, according to the principles of lawfulness and fairness in order to protect the privacy of the interested party. This website uses the web analysis software AWStats; the data collected is analyzed in order to improve the contents of the site, optimize user navigation, implement site security, identify the geographical origin of users, offer a service of greater interest to customers. The processed data (IP address) are at the exclusive disposal of the Data Controller and are not communicated to third parties, are processed according to the principle of pseudonymization, i.e. cannot be traced back to specific persons, are deleted once the statistical evaluation has been carried out and are not subject to automated decision-making processes, including profiling.

6. Subjects authorised to process the data. The data may be processed by employees or collaborators of the Data Controller, who have received the appropriate operating instructions and have been previously authorised to process the data.

7. Recipients The data collected may be transmitted to third parties exclusively for the purposes indicated and to comply with contractual or legal obligations on the part of the Data Controller. The data may therefore be communicated to the following categories: suppliers (companies/consultants for online services and site maintenance and development services, IT technicians, professionals and external consultants, etc.) and companies of the group to which the Data Controller belongs. No data will be passed on to third parties for marketing or advertising purposes.

8. Transfer abroad. Data processing is carried out mainly in Italy or within the European Union, in compliance with the quality and security standards provided for by European legislation (Articles 45 and 46 GDPR) and Italian data protection laws. Some data may be processed outside the European Union, according to appropriate security and protection measures and according to security standards appropriate to the levels of protection required by European Union regulations. By exercising the right of access, the list of Data Processors and any related transfers may be requested at any time.

9. Data retention. Data processed on the basis of legal obligations – including tax and accounting obligations – or contractual obligations are stored according to the terms imposed by law (10 years); browsing data are stored for the duration of the single session and in any case do not persist for more than thirty days. After the expiry of the terms thus established, the data are deleted or transformed into anonymous form, unless their further storage is necessary to fulfil legal obligations or to comply with orders issued by Public Authorities and/or Supervisory Bodies. All other data are stored for the time strictly necessary for the performance of the service and until the withdrawal of consent or any opposition to the processing of data by the interested party.

10. Rights of the data subject. 1) The data subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her is being processed and, where that is the case, to obtain access to his or her personal data and information relating to them (Article 15 GDPR).

The data subject, compatibly with the retention times provided for the specific processing, also has the right to: a) obtain the rectification of inaccurate data or the integration of incomplete data, to obtain the cancellation and limitation of processing in the cases expressly identified by law (art. 16, 17 and 18 GDPR); b) receive communication from the Data Controller of the correction or deletion of data (art. 19 GDPR); c) receive the personal data concerning him or her provided by a Data Controller in a structured, commonly used and machine-readable format and have the right to transmit such data to another Data Controller without hindrance (Art. 20 GDPR); d) object at any time, for reasons related to your particular situation, to the processing of data concerning you (Art. 21 GDPR); e) lodge a complaint with a supervisory authority (Art. 77 GDPR).

The interested party must send their requests, without any formality, to the e-mail address of the Data Controller: privacy@laspaziale.com.

In the cases provided for above, the Data Controller undertakes to facilitate the data subject in exercising his or her rights, unless there are legitimate and compelling reasons that justify the processing and which prevail over the interests, rights and freedoms of the data subject.