Cesi S.p.A. (hereinafter referred to as "Cesi"), deems the protection of the personal data of its potential customers and/or users to be of fundamental importance, ensuring that the processing of personal data, carried out by any means, is done in full compliance with the safeguards and rights recognised by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "Regulation") and other applicable legislation on the protection of personal data.
2 Data Controller and Website
Cesi with headquarter in Milano (Italy), Via Rubattino n. 54 (zip code 20134), VAT number IT00793580150, holds the role of data controller according to the relative definition contained in Article 4, point 7) of the Regulation, "means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" for the processing of personal data instrumental to navigation within the Internet Website in order to determine the methods of processing the personal data of the data subjects.
In addition, personal data may be processed by persons appointed data processors, as well as persons appointed as authorized to process, responsible for managing the requested service.
The provision of your personal data is mandatory only if data processing is required by law.
However, the provision of your data is necessary and, failing that, it shall not be possible to follow up to your legally-motivated requests, or to give you the opportunity to enjoy the rights provided by law.
3 Purposes of processing relating to navigation on Internet Website and type of data processed
We principally process your data for the following purposes:
- to display on the device content and information in the most useful way for users;
- to provide, in case of request, all the information about the available services;
- to manage account in relation with the website use or with the provided services.
While browsing the Website, information about you can be acquired in the following ways:
The computer systems and software procedures used acquire, during their normal operation, some personal data whose transmission is inherent in the communication protocols of the Internet.
This category of data includes: IP addresses, type of browser used, operating system, information on the pages visited by users within the website, access time, stay on the individual page, analysis of the internal path and other parameters regarding the operating system and computer environment.
This technical/computer data is collected and used solely in an aggregate and non-identifying manner and could be used to ascertain liability in the event of hypothetical computer crimes against the website.
Data voluntarily provided by users
This is all personal data that you freely give us on the Website, for example, to register and/or access a restricted area, to request or give information about a particular service using a form or writing to an e-mail address.
For the processing of common data acquire a specific consent from data subjects, it is not necessary if:
i) The processing is necessary for the performance of the contract or for the steps prior to entering into a contract (art. 6.1 lett. b);
ii) the processing is necessary for compliance with a legal obligation to which the controller is subject (art. 6.1 lett. c);
iii) the processing is necessary for the purposes of the legitimate interests pursued by the controller (art. 6.1 lett. f).
Otherwise, when the controller cannot take advantage of the abovementioned conditions, Cesi shall require a specific consent from data subjects.
4 How data is processed
The processing of personal data is carried out mainly using procedures and electronic media for the time strictly necessary, in accordance with Article 5 of the Regulation.
Personal data will be processed by the data controller to the extent strictly needed for the pursuit of the main purpose. In particular, personal data will be processed for a period of time equal to 12 months.
Personal data are not disclosed to third parties but, to achieve the purposes indicated, may be disclosed to specific categories of recipients, including: employees and collaborators Ė in any case appointed as persons authorised to process personal data under the direct authority of the Data Controller; third-party companies that, as Data Processor, process data on behalf of the Data Controller; other subjects, public or private, to which the personal data shall be disclosed.
Your data may be transferred outside the European Union where, for organizational and management needs, they will be processed by Group companies and/or by other suppliers that perform the function of the "Data Processor" and ensure levels of data protection compliant with the Italian and European law. In any case, the transfer takes place on the basis of the provisions provided for by the current legislation (e.g. verification, by the Commission, of the adequacy of the level of protection of the personal data adopted by the Country importing the data; consent of the data subject).
5 Connection to and from third-party sites
You can connect to other third-party websites from the Internet Websites.
In this regard, Cesi cannot be deemed liable for the possible management of personal data by third-party websites and for the management of login credentials provided by third parties.?
6 Rights of data subjects
As provided for in Article 15 of the Regulation, the data subject may access his/her personal data, request that it be corrected and updated, if incomplete or incorrect, request its cancellation if it was collected in violation of a law or regulation, as well as oppose processing for legitimate and specific reasons.
In particular, below is a list of all the rights that can be exercised at any time:
Right of access: the right, pursuant to article 15(1) of the Regulation, to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Right to rectification: right to obtain, pursuant to Article 16 of the Regulation, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, it is possible to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure: right to obtain, pursuant to Article 17(1) of the Regulation, the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing; c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. In some cases, as provided for in Article 17(3) of the Regulation, the controller is entitled not to delete your personal data if their processing is necessary, for example, to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest, for purposes of filing in the public interest, scientific or historical research or for statistical purposes, for ascertaining, exercising or defending a right in court.
Right to restriction of processing: the data subject has the right to obtain the restriction of processing, pursuant to Article 18 of the Regulation, where one of the following applies: a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; c) the data subject has objected to processing pursuant to Article 21(1) of the Regulation pending the verification whether the legitimate grounds of the controller override those of the data subject. In case of restriction of processing, personal data will be processed, except for storage, only with the consent of or for the establishment, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest.
Right to data portability: Pursuant to Article 20 (1) of the Regulation the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. In this case, it will be the responsibility of the data subject to provide us with all the exact details of the new data controller to whom he or she intends to transfer his or her personal data by providing written authorization.
Right to object: Pursuant to Article 21(2) of the Regulation and as also reiterated in Recital 70, the data subject may object at any time to the processing of his or her personal data if they are processed for purposes of direct marketing, including profiling to the extent that it is related to such direct marketing.
Right to lodge a complaint with a supervisory authority: without prejudice to the right to appeal to any other administrative or judicial body, if the processing of personal data carried out by the data controller and/or joint controllers is deemed to be in violation of the Regulation and/or applicable law, a complaint may be lodged with the relevant Data Protection Authority.
To exercise all rights as identified above, simply contact the data in the following way:
1 Cookies Information
Cookies are small files of text (little information portions) that are stored on a user's computer, tablet, smartphone, notebook, to use during the same visit (session cookies) or sent back to the same sites during a further visit.
In accordance with the EU Regulation 2016/679, CESI informs its web site users that it uses only technical cookies or cookies assimilated to them, which do not require prior consent. These are essential cookies for the correct functioning of the web site, they allow to perform web navigation and to provide the customer with the service required; in particular, they are divided into:
navigation cookies or session cookies, that ensure the normal navigation and fruition of the web site;
cookie analytics used directly by the manager of the web site to collect aggregated information on the number of users that visit the same web site; the information collected through these cookies doesnít concern userís identity or personal information.
function reference cookies that allow userís navigation according to a series of selected criteria (for example language, products selected for purchase) in order to improve the service provided.
How to manage cookies on your PC
The user can block or delete (fully or partially) the cookie also through the specific functions of the navigation program (browser). However, in the hypothesis in which all or some of the mentioned technical cookies are disabled it is possible that the web site is no more accessible or that some services or specific functions are not available or do not work correctly and/or the user may be obliged to modify or to enter some information or preferences manually at each visit.
For instructions, visit the support website of your browser.
Under EU Regulation 2016/679, CESI declares the use of the following cookies:
- Session/navigation - Cookie that that ensure the normal navigation and fruition of the web site (Technical cookie)
- Google Analytics - Tool of web analytics (Technical cookie)