Isorropia Homegallery associazione culturale no profit a company incorporated under the law of Italy, having its registered office in Viale Beatrice D’Este n. 22, 20122 Milano (MI) as data controller (the “Data Controller”), pursuant to Article 13 of the EU Reg. no. 2016/679 (“GDPR”), is committed to protecting and respecting the privacy of the Website users.

1. Data processing

This policy (together with other documents referred to herein) describes the personal data (“Personal Data”) that the Data Controller collects from the Website user and how it processes such Personal Data.
A. The Data Controller may collect information on visits to the Website including, but not limited to, traffic data, location data, weblogs, contact forms and other communication data and the resources that the user may access. This information will make the users’ visit to the Website easier in the future since the Data Controller might suggest content or services depending on the location the user accesses the Website from.
B. The Data Controller may collect all the information the user provides by sending an e-mail to the e-mail address in section “Contact Us” (name, surname, e-mail address, Tax Identification/Social Security Number, telephone number, Region, VAT Number, business name etc.)
C. The Data Controller may also store cookies, as set out more in detail in the Cookie Policy [●].

2. Scope of the data processing

The personal data are collected and managed by the Data Controller in order:
a) to customize content or services according to the user’s preferences;
b) to reply to the user’s request and questions and to keep the user informed by e-mail or telephone;
c) to send by e-mail further information or communication the user may be interested into;
d) to help the Data Controller create, publish and improve the content and services in the most appropriate manner for the user;
e) to ensure that the content and services provided through the Website are delivered in the most effective manner according to the user’s devices;
f) to allow the user to interact with the Website, if the user wishes to;
g) to further develop and improve the Website, the Data Controller’s services and systems for a better customer satisfaction.
The use of the information abovementioned is allowed by legal provisions on the protection of personal data, since it is necessary:
a) for the legitimate interests of the Data Controller to pursue the abovementioned scope of the data processing; such interests, in any case, do not result in a conflict with the privacy rights of the users;
b) in some cases, to comply with legal and regulatory liabilities of the Data Controller, for example in relation to communication obligation to the authorities, government and regulatory bodies;
c) in some cases, to fulfil of actions of public interest and, when the Data Controller uses particular categories of personal data, or to engage, carry out and defend itself in legal actions, or when the data processing regards personal information manifestly of public domain;
d) in limited circumstances on the basis of a case by case user’s consent such as, for example, when the user accepts to receive marketing news and communication by e-mail.

The Data Controller does not take decisions only based on automated decision-making, including profiling, which may produce legal effects on the user or similar consequences.
The Data Controller stores the personal data for a period of time necessary for the fulfilment of its legal obligations. The storage period of the personal data depends on the scope according to which the personal data are processed and on the instruments by means of which the data are treated.
However, it is not possible to indicate in this policy the estimate of the storage period of the personal data. The criteria used to determine the applicable period are strictly connected to the time (i) necessary for the accomplishment of the related scope, (ii) necessary for the completion of the business relationship with the user, (iii) accepted by the user and/or (iv) required by the applicable legal provisions.

3. Disclosure of information with third parties

To ease an efficient use of the user’s data, and to provide the user with the best service and/or opportunities, it may sometimes be necessary for the Data Controller to share information with third parties. However, the disclosure will only occur in the following circumstances:
a) to suppliers, contractors and agents: the Data Controller may engage or employ other companies and individuals to perform functions on its behalf. Examples may include hosting and/or maintenance of the Website content or supply of specific functions contained on the Website, supply of marketing services or economic updating required by the user. Such recipients will only have access to data required by them to perform their functions and are not permitted to use such data for any other purposes. These recipients will be subject to contractual confidentiality obligations;
b) to judicial or governmental authorities, if and to the extent that the Data Controller believes that they are legally entitled to request them.

4. IP address and cookies

The Data Controller may collect information about the user’s computer or other electronic devices. This information may include (when available) IP address, operating system and browser type, for system administration. This is statistical data about the Data Controller’s user’s browsing actions and patterns and does not identify the users or any individual.
For the same reason, the Data Controller may obtain information about the user’s general Internet usage by using a cookies file which is stored on the user’s device. Cookies help the Data Protection to improve the Website and to deliver a better and more customized service. For more detail about the use of cookies, please control the Cookie Policy [o].

5. Data transfer abroad

Personal data may be transferred and processed in one or more States within the European Union or outside the European Union. A transfer of personal data to a third country outside the EU may take place where the European Commission has decided that the third country ensures an adequate level of protection or where the Data Controller has provided adequate safeguards to preserve the confidentiality of this information.

6. Data security

Although the Data Controller endeavours to take all steps reasonably necessary to safeguard the personal data, please note that the transmission of information via internet is not totally safe and it is not possible to ensure a complete security of the personal data transmitted to the Website or to third parties; for this reason, any transmission of data occurs at the user’s own risk.
However, the Data Controller applies strict operating procedures and adequate technical and organisational security measures in order to prevent any access, modification, erasure or unauthorised transmission of personal data.

7. Rights of the user

Articles from 15 to 22 of the GDPR grant the user, as data subject, certain specific rights, as indicated hereinbelow:

a) right to access and obtain a copy of the user’s personal data:
the user has the right to claim confirmation of the fact that the Data Controller is processing any his/her personal data. In this case, the user can have access to his/her personal data and to some information regarding the processing. In some cases, the user can require to the Data Controller an electronic copy of his/her personal data;
b) right to rectification:
in case the user is able to demonstrate that his/her personal data concerning are not correct, the user has the right to ask the updating or the rectification of the data;
c) right to be forgotten/ to erasure of the data:
in specific circumstances, the user has the right to obtain the erasure of his/her personal data. The request can be filed at any time and the Data Controller will assess the possibility to accept the request. However, this right is subject to legal duties and obligations that may impose the conservation to the Data Controller. In the event that, pursuant to the legal provisions, the request of erasure of the personal data may be accepted, the Data Controller will proceed to erase the date without undue delay;
d) right to object:
although the user’s data processing by the Data Controller is based on the legitimate interest of the Data Controller (without any other reason for the processing), the user has the right to object to the processing modality of his/her personal data implemented by the Data Controller in relation to the user’s specific situation;
e) right to withdraw the consent:
since the data processing is based on the user’s consent, the user is entitled to withdraw the consent at any time. The consent withdrawal does not affect the lawfulness of processing based on a consent formerly granted.

8. Modality of the exercise of the user’s rights

In order to exercise his/her rights, the user can submit an e-mail to the following e-mail address: [o].
It is also possible to lodge a complaint regarding the data processing to the competent supervisory authority.

9. Changes to this Privacy Policy

The conditions of this Privacy Policy may change from time to time. The Data Controller will post any changes on this Website or will contact the users in alternative ways.

10. Contact

The Data Controller informs that questions, comments and requests regarding this Policy must be submitted to the following e-mail address: [o].

Last update: 11.10.2022