Website Policy

PREAMBLE
What is this document? This document is the policy on the processing of personal data related to the website, app, web application and social pages.
Why this document? National and international regulations on the protection of personal data require that you – the data subject – be informed about the personal data being processed and who will process it, in order to ensure that the processing is fair and transparent.
Who processes the personal data, which personal data is processed, the purposes for which it is processed, how long it is processed, what your rights are and how to exercise them are all clearly set out below.

Which laws does this document refer to? This policy is provided by taking into account the:
● Legislative Decree 196/2003 (hereinafter “Privacy Code”)
● Regulation (EU) 2016/679 on the Protection of Personal Data (hereinafter “Regulation”)

POLICY
1. DATA CONTROLLER
APT Servizi S.r.l., Viale Aldo Moro 62 – 40127 Bologna (BO), e-mail: privacy@aptservizi.com (hereinafter “Controller”)
2. DATA PROTECTION OFFICER – DPO
Domiciled at APT Servizi S.r.l., Piazzale Fellini 3 – 47921 Rimini (RN), e-mail: dpo@aptservizi.com, PEC: dpo@pec.aptservizi.com (hereinafter “DPO”)

3. PURPOSES, LEGAL BASES, STORAGE PERIOD AND NATURE OF THE PROCESSING
Personal data, according to the actions carried out by the data subject, shall be processed for the following purposes:
a. Responding to requests received by means of social platforms (direct messages or on the wall):
● the legal basis of this processing is the necessity to implement pre-contractual or contractual measures adopted upon request of the data subject (for instance: replying and handling an enquiry on a product present on the company social platforms by means of private messages) and, in that event, your name or user name and any other data you provide will be used to reply to your request;
● the storage period of the personal data processed for this purpose is equal to the time necessary to process the request;
● the personal data requested is necessary to process the request and any refusal will prevent the Controller from replying to the data subject.

b. Administrative and management purposes and for compliance with obligations laid down by law, regulation or order of the Authority:
● the legal basis derives from the necessity to comply with a legal obligation to which the Controller is subjected;
● the storage period of the personal data processed for this purpose is connected to each legal obligation regulated by specific legislation;
● the provision of personal data is mandatory, since the Controller has to comply with a legal obligation to which it is subject or with requests of the competent Authorities.

c. Prevention, detection and prosecution of unlawful conduct:
● the legal basis of this processing is the legitimate interest pursued by the Controller in preventing, detecting and prosecuting unlawful actions or violations of industrial and/or intellectual property rights (even of third parties), cybercrimes or crimes committed via telecommunication networks, and defamation or similar crimes committed on the website or during interaction with the respective communities of the social media managed by the Controller (for instance: publishing a comment, clicking on “like” or sharing a post, etc.);
● the storage period of the personal data processed for this purpose is equal to the time reasonably necessary to assert the Controller’s rights from the time the unlawful act or its potential commission was known.

4. PERSONAL DATA PROCESSED
By processing of personal data we mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal data which can be described as “special categories of personal data” pursuant to Article 9 of the Regulation could be sent by the data subject to the Controller. Such data reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or concerns a natural person’s health, sex life or sexual orientation. This category of personal data will be processed by the Controller in order to process the request received. Further processing of special categories of personal data by the Controller will be carried out only upon explicit consent.

Further personal data processed by the Controller:
● Browsing data: Throughout their normal functioning, the computer systems and software responsible for the functioning of this website acquire some personal data whose transfer is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of computers and terminals used by the users, URI/URL addresses (Uniform Resource Identifier/Locator) of requested resources, the time of the request, the method used to submit the request to the server, the file size obtained as an answer, the numeric code indicating the state of the answer given by the server (successful, error, etc.), and other parameters concerning the operating system and the IT environment of the user. Such data, necessary to use the web services, are also processed to obtain statistical information on the use of the services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.) and to check the correct functioning of the services offered. Browsing data do not persist more than 365 days and are deleted immediately after their aggregation (except for any need to detect criminal offences by the judicial Authority);
● Data communicated by the user: The discretionary, explicit and voluntary sending of messages to the contact addresses of the Controller entails the acquisition of the contact data of the sender, which are necessary to reply, as well as the personal data included in the communications;
● Social Media Platforms: The use of the company social pages entails a further processing of your personal data by the respective social platform provider, not strictly related to your interaction with us. The processing of users’ personal data complies with the policies in use on the platforms used; in this regard, we list the privacy policies of the providers of the social platforms we use: Facebook, Instagram, LinkedIn, X. Personal data shared by users via private messages sent directly to the managers of the channels will be processed in compliance with data protection regulations in force and with this policy.
● Cookies and other tracking systems: No use is made of cookies for user profiling. The only processing carried out for statistical purposes (analytics), with pseudonymised data, is the use of Matomo, which is configured in such a way as to exclude the processing of identification data and collects the following information: (i) The IP address, which is masked by resetting the last 2 bytes to zero (xxx.xxx.0.0); (ii) The operating system used; (iii) The type of browser; (iv) The type of device (PC, smartphone, etc.). Use is made of technical session cookies (not persistent), strictly limited to what is necessary for the safe and efficient navigation of the sites. It should be noted that the Controller has activated the embedded Vimeo player so that all third-party and “non-technical” cookies have been removed from the Vimeo player. Any remaining cookies are defined as “technical” for the operation of the streaming video player.
For more information, please refer to the information provided by the service provider at the following link: https://bit.ly/3OEeW63

5. RECIPIENTS OF THE PERSONAL DATA
Personal data, depending on the actions carried out by the data subject, will be processed for the above-mentioned purposes by:
● entities, who act as “Processors”, pursuant to Article 28 of the Regulation, namely persons, companies or professionals, who assist and advise the Controller;
● entities, bodies or Authorities to whom it is mandatory to communicate your personal data by virtue of provisions laid down by law or orders of the Authority;
● entities with whom it is necessary to interact for the provision of services/products, as independent controllers (e.g. third party or instalments payment system, access via social network, etc.);
● personnel explicitly authorized by the Controller, necessary to carry out activities strictly related to the provision of services/products, who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and who have received adequate operational instructions pursuant to Article 29 of the Regulation and Article 2-quaterdecies of the Legislative Decree 196/2003.
The full list of Data Processors is available by sending a written request to the Controller.

6. TRANSFER OF THE PERSONAL DATA
Some of your personal data is shared with recipients who could be located outside the European Economic Area (EEA).
The Controller ensures that the processing of your personal data by these recipients is carried out in compliance with the Law and Regulation. Indeed, transfers shall be based on an adequacy decision or on Standard Contractual Clauses approved by the European Commission. Further information is available from the Data Controller.

7. EXISTENCE OF AUTOMATED DECISION-MAKING, INCLUDING PROFILING
The Controller shall not employ automated decision-making on the processing of personal data, including profiling, as set out in Article 22 of the Regulation. Further information is available from the Controller.

8. PERSONAL DATA RELATED TO MINORS UNDER 18 YEARS OF AGE
Minors under 18 years of age may not give personal data. The Controller shall not be liable in any way for any collection of personal data, nor for any false declarations provided by the minor, and in any case, if the use of such data is detected, the Controller shall facilitate the exercise of the right to access and erasure by the guardian, trustee or whoever exercises parental responsibility.

9. RIGHTS OF THE DATA SUBJECT
The data subject shall have the right to obtain from the Controller, in the cases envisaged, access to the personal data, the rectification or erasure of such data or the restriction of processing concerning him/her, or to object to processing (Article 15 et seq. of the Regulation). The specific request to the Controller shall be presented by contacting the e-mail address designated for responding to data subjects or by filling in the form available in the dedicated privacy section.

10. RIGHT TO LODGE A COMPLAINT
The data subject who believes that the processing of his/her personal data is taking place in breach of the provisions of the Regulation shall have the right to lodge a complaint with the Data Protection Authority (www.garanteprivacy.sm), as provided for in Article 77 of the Regulation, or to bring the issue before the competent courts (Article 79 of the Regulation).

11. HOW TO EXERCISE THE RIGHTS
To exercise the rights above, you can access the Privacy section of the company website and use the specific form provided.
Alternatively, you can contact the parties appointed to respond to data subjects:
● Data Controller: APT Servizi S.r.l., Viale Aldo Moro 62 – 40127 Bologna (BO), e-mail: privacy@aptservizi.com
● Data Protection Officer (DPO): Domiciled at APT Servizi S.r.l., Piazzale Fellini 3 – 47921 Rimini (RN), e-mail: dpo@aptservizi.com, PEC: dpo@pec.aptservizi.com

12. MODIFICATIONS
The Controller reserves the right to modify and/or supplement this policy at any time and undertakes to publish the modification on the company website in the Privacy section. Data subjects are invited to periodically check its content.
This policy is effective from 06/02/2024