In compliance with the provisions of Article 13 of the EU Regulation 2016/679 (hereinafter, the 'EU Regulation') on the protection of individuals concerning the processing of personal data and on the free movement of such data, this information notice is provided to users of the Website https://pannalu.com/ (hereinafter, the 'Website'). In addition, the Controller makes further detailed information available for specific situations.
DATA CONTROLLER AND DATA PROTECTION OFFICER
According to Article 4, no. 7, of the EU Regulation, MERLIN S.r.l., with the registered office in via La Bionda, 16 - 43036, Fidenza, Italy, is the Data Controller (hereinafter also referred to as the "Controller").
For the pursuit of the purposes set out below, the Controller will, as appropriate and where necessary, process personal data belonging to the following categories:
* Personal data, such as personal and contact details, relating to the services offered by this Website.
The optional, explicit, and voluntary sending of electronic mail to the addresses indicated on this Website entails the subsequent acquisition of the sender's address, which is necessary to reply to requests and any other personal data included in the message.
PURPOSE OF PROCESSING AND DATA RETENTION
1. Processing is necessary for the purposes of the legitimate interests pursued by the Controller (Art. 6 par. 1, lett. f GDPR)
a. Ensuring the proper functioning of the Website;
b. Preventing or detecting fraudulent activity or abuse harmful to the Website.
c. Exercising the Controller's rights, e.g., the right of defence in court.
If it is necessary to ascertain, exercise, or defend the data controller's rights in court, data retention could extend until the judgment becomes final.
d. "Soft spam": commercial communications relating to the Controller's products and services similar to those the data subject has already used.
2. Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract (Art. 6 par. 1, lett. b GDPR)
e. Sign up to the reserved area of the website
f. Request information via the 'Contact Us' section.
g. Return of goods via email.
h. Online purchases made via the 'Cart' section
Data processed for the above purpose will be stored for 10 years for administrative-accounting purposes.
3. Purposes based on the data subject's consent (Art. 6 par. 1 lett. a GDPR)
i. Subscription to the newsletter service to receive commercial communications and/or advertising material on products or services offered by the Controller;
Data processed for the above purposes will be stored for a maximum period of 24 months; however, the data subject is allowed to withdraw consent at any time (Art. 7 para. 3 GDPR)
The processing of the above-mentioned personal data is based on the following legal basis:
* The legitimate interest of the data controller (Art. 6 par. 1, lett. f GDPR);
* Performance of a contract to which the data subject is party or to take steps at the request of the data subject before entering into a contract (Art. 6 par. 1, lett. b GDPR);
* Consent of the data subject (Art. 6 par. 1, lett. a GDPR).
The data acquired by the Data Controller, within the scope of the above-mentioned purposes, may be communicated to one or more of the categories of subjects set out below, such as:
* Third parties (e.g., credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, etc.) carrying out outsourcing activities on behalf of the Controller as external data processor;
* Companies performing management activities on the data controller's computer system;
* Marketing and advertising agencies;
* Hosting provider;
* Authorities and subjects to whom communication is mandatory by law. These subjects will process the data as autonomous data controllers.
The complete and up-to-date list of Autonomous Data Controllers, Appointed Data Processors, and Data Recipients in any capacity (according to Article 4(9) of the EU Regulation) may be obtained from the offices of the Data Controller or at the email address: firstname.lastname@example.org.
DATA PROCESSING METHODS
Personal data will be processed in paper, electronic, and/or automated form. It is possible to carry out operations of collection, recording, organisation, storage, consultation, processing, modification, extraction, comparison, use, interconnection, communication, erasure and destruction, and any other appropriate operation, even automated, in compliance with the provisions of the law necessary to guarantee, among other things, the confidentiality and security of the data as well as their accuracy, updating, and relevance to the stated purposes.
DATA SUBJECT'S RIGHTS
The data subject, concerning the personal data provided, has the right to exercise at any time and following the provisions of the EU Regulation the rights set out in the latter and set out below:
* Right to withdraw consent (Art. 7(3) of the EU Regulation): right to withdraw the consent given. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal;
* Data subject's right of access (Art. 15 of the EU Regulation): the right to obtain confirmation as to whether or not personal data relating to him/her exist and a copy of such data in intelligible form;
* Right of rectification (Art. 16 of the EU Regulation): right to rectification of inaccurate personal data concerning him/her;
* Right to erasure, the "right to be forgotten" (Art. 17 of the EU Regulation): the right to the erasure of one's own data;
* Right to restriction of processing (Art. 18 of the EU Regulation): right to obtain the restriction of processing, e.g., if the accuracy of the data is contested or in case of unlawful processing;
* Right to data portability (Art. 20 of the EU Regulation): the right to receive in a structured, commonly used, and machine-readable format the personal data concerning him/her that he/she has provided to the Data Controller and the right to transmit such data to another Data Controller without hindrance where the processing is carried out based on consent or a contract and is carried out by automated means;
* Right to object (Art. 21 of the EU Regulation): the right to object to the processing of one's own personal data;
* Right not to be subject to automated decision-making (Art. 22 of the EU Regulation): right not to be subject to a decision based solely on automated processing.
Requests should be addressed to: email@example.com.
We inform you that the Company undertakes to answer your request within one month, except for particularly complex requests, which may take up to three months. In any case, the Company shall explain the reason for the wait within one month of your request.
The outcome of the request will be provided in writing (at the request of the person concerned) or electronically (and, in this case, free of charge). The Data Controller specifies that a contribution may be requested from the person concerned if his or her claims are manifestly unfounded, excessive, or repetitive: MERLIN s.r.l. will keep track of requests. Furthermore, MERLIN s.r.l., in compliance with Article 19 of the EU Regulation, undertakes to inform the recipients to whom the subject's personal data have been disclosed of any rectification, erasure, or restriction of processing requested by the data subject, where possible. Please note that withdrawal of consent does not affect the lawfulness of the processing based on consent before revocation.
RIGHT TO LODGE A COMPLAINT (ART. 77 GDPR)
If the data subject considers that his or her rights have been compromised or infringed or that the processing of his or her data is contrary to the legislation in force, he or she has the right to lodge a complaint with the Italian Data Protection Authority per the procedures indicated by it at the following link: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/4535524.
NATURE OF DATA PROVISION
Providing data for purposes a), b), c) is necessary; failure to do so will make it impossible to navigate the Website and ensure its security.
The provision of data for the purposes d), e), f), g), and h) is also necessary; providing such data will allow the establishment and/or continuation of the contract concluded between the parties.
For the purpose i) the provision of data by the data subject is optional: failure to provide data by the subject will make it impossible for the subject to receive commercial communications and/or advertising material on products or services offered by the Data Controller.
Regarding the use of technical cookies, please note that if the functionality of these cookies is restricted via the browser settings, browsing may be difficult or impossible.
CHANGES AND UPDATES
MERLIN S.r.l. may also make changes and/or additions to this information notice due to regulatory changes and/or additions. In such cases, the new version of this information notice will be communicated as soon as possible in such a way as to reach those concerned as quickly as possible.
The computer systems and software procedures used to operate this Website collect specific personal data, the transmission of which is implicit in Internet communication protocols. This information is not collected to be associated with identified interested parties, but it may allow users to be identified through processing and association with data held by third parties. Among the information that may be collected are IP addresses, the type of browser or operating system used, addresses in URI (uniform resource identifier) notation, the domain name and addresses of the Websites from which the access or exit (referring/exit pages) was made, the time the request was made to the server, the method used and information on the response obtained, further information on the user's navigation on the Websites and other parameters relating to the user's operating system and computer environment.
Cookies are small pieces of data that allow us to compare new and past visitors and understand how users navigate our Websites. We use the data collected through cookies to provide an experience that reflects your interests and preferences and facilitates access to our services. Cookies do not record personal information about a user, and any identifiable data will not be stored. If you wish to disable cookies, you must customise the settings on your computer by setting the deletion of all cookies or by activating a warning message when cookies are stored. To proceed without changing the application of cookies, simply continue browsing. Visit AboutCookies.org for more information on cookies and how they determine your browsing experience.
TYPES OF COOKIES
There are two basic macro-categories with different characteristics: technical cookies and profiling cookies.
* Technical cookies are generally necessary for the functioning of the Website and to allow navigation; with them, the person concerned may be able to view pages correctly or use certain services. For example, a technical cookie is essential to keep you logged in throughout your visit to a Website or store language settings, display settings, etc.
* Profiling cookies are used to link specific actions or behavioural patterns recurring in the use of the offered functionalities to specific identified or identifiable subjects to send advertising messages in line with the preferences expressed by the person concerned during his/her browsing or to personalise the browsing experience.
Cookies can also be distinguished according to the entity managing the cookies installed:
* First-party cookies, i.e., cookies generated and operated directly by the operator of the Website on which the user is browsing.
* Third-party cookies, i.e., cookies generated and managed by parties other than the operator of the Website on which the user is browsing (by virtue, as a rule, of a contract between the owner of the Website and the third party).
Below are the most popular browsers, where you can find information on how to disable the storage or delete cookies already stored: Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox, Apple Safari.