Privacy Policy

This Privacy Policy document, updated in accordance with EU Regulation 2016/679 (GDPR) on the processing of personal data, and with Legislative Decree 101/2018, which amends Legislative Decree 196/2003, governs how a website processes the data it collects while users browse it.

Its specific purpose is to inform users how their personal data is processed, in compliance with the law and with EU Regulation 2016/679, which has significantly changed the previous framework.

A website must have a Data Controller. The Data Controller is the person or entity that determines the purposes and means of the processing, i.e. who holds decision-making and organizational power over how data is handled. The controller is accountable to the Data Protection Authority. Two or more entities may act as joint controllers. In that case, users must be informed of each controller's responsibilities, for example via a link to the arrangement between them.

The Data Controller is supported by the Data Processor. This is the person or entity that processes data on behalf of the controller. The processor acts only on the controller's documented instructions and must be a qualified party able to implement the security measures required by the controller.

Alongside these roles there is also the Data Protection Officer (DPO). Although appointed by the controller, the DPO is an independent figure. Previously optional, the DPO is now mandatory in the cases listed in Article 37 of EU Regulation 2016/679, which sets out which entities must appoint a DPO and which are exempt. In every case the DPO (referred to in Italian as the RPD, Responsabile della Protezione dei Dati) operates independently and communicates directly with the Data Protection Authority. The DPO reflects the GDPR's shift toward accountability in data processing and is intended to facilitate compliance by both controllers and processors. The DPO's role is to protect personal data, not the controller's interests.

So, while the Data Processor works under the controller's instructions, the DPO is a far more independent figure who must not receive instructions from the controller on how to carry out data protection tasks.

The privacy policy must also state where the data will be processed, typically corresponding to the Data Controller’s headquarters.

Clearly outlining the purposes of data processing is essential. Under the Regulation, data may be kept only for as long as necessary to achieve the stated purposes and must then be deleted. The purposes, and the corresponding retention period, must therefore be listed clearly and concisely in the policy.

The document must also specify the types of cookies used by the website. Cookies are small pieces of information that a website can store on a user's device through the browser. The browser sends them back to the server on every subsequent visit to the same site, allowing the server to read and update them each time the user returns.

Types of Cookies:

  • Technical Cookies: These are used solely to transmit a communication over an electronic communication network, or as strictly necessary for the service provider to deliver a service explicitly requested by the user. They are not used for any other purposes and are usually installed directly by the website owner.

  • Third-party Cookies: These are placed by entities other than the website owner. Users must be informed that cookies from third parties, such as social networks, may be used.

  • Profiling Cookies: These create user profiles and are used to send targeted advertising based on users’ browsing preferences. According to the Data Protection Authority, these may include:

    • Advertising profiling cookies that collect and process user data for marketing purposes (e.g., shared with ad networks);

    • Retargeting cookies that deliver ads based on past web activity (e.g., Google Ads);

    • Social media cookies;

    • Third-party analytics cookies (e.g., Google Analytics).

The policy must also state whether the website uses social media plug-ins and if there is any data transfer to companies in non-EU countries.

It is also important to set out the data subject's rights under the Regulation, such as the rights to have data deleted or corrected, to object to processing, and to receive the data in a portable format.

How to Use This Document

With this document, you can:

  • Indicate the website to which it applies;

  • Identify the Data Controller and the data processing location;

  • Indicate if there are multiple controllers;

  • Name the Data Protection Officer (DPO), if applicable;

  • State the purposes of data processing and the retention period;

  • Specify which types of cookies are used: technical, third-party, and/or profiling cookies;

  • Indicate whether social media plug-ins are used;

  • Indicate if users will receive notifications for website updates.

Once complete, this document must be published on the website and made available to users.

Legal References

  • REGULATION (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

  • Legislative Decree 101/2018, "Provisions for the adaptation of national legislation to the provisions of EU Regulation 2016/679," amending Legislative Decree 196/2003, "Personal Data Protection Code."

  • Decision No. 229/2014 of the Data Protection Authority, “Identification of simplified methods for providing information and obtaining consent for the use of cookies.”