EXTENDED INFORMATION NOTICE PURSUANT TO ARTICLES 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)
The data controller provides below the Information Notice pursuant to articles 12, 13 and, where applicable, 14 of the GDPR regarding the processing of personal data provided by the Client/data subject by filling in and signing the Contract to purchase products/services offered for sale by the data controller, by spontaneously uploading personal data to this website (in particular through the completion of forms), or simply by browsing it.
1. Data Controller and contact details
The Data Controller is OSTERIA L’ORTO DEI MORI S.R.L., with registered office in SESTIERE CANNAREGIO 3386 – 30121 – VENICE (VE), VAT No. 03858470275, tel. +39 0415243677, e-mail osteriaortodeimori@libero.it, web https://www.osteriaortodeimori.com/ (hereinafter the Site).
2. Principles applicable to processing
In accordance with the provisions of the GDPR, the data controller constantly endeavors to ensure that personal data are:
- processed lawfully, fairly, and in a transparent manner;
- collected for specified, explicit, and legitimate purposes, and subsequently processed in a manner that is not incompatible with those purposes;
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept for a period no longer than is necessary for the purposes for which they are processed;
- processed using appropriate technical and organizational measures to ensure their security;
- processed, where the processing is based on consent, on the basis of a decision freely made by the Client/data subject, in response to a request presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
The data controller adopts appropriate technical and organizational measures to ensure data protection by design and to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
The data controller collects and takes into the highest consideration the indications, observations, and opinions of the Client/data subject sent to the contact details provided above, in order to implement a dynamic privacy management system that ensures effective protection of individuals with regard to the processing of their data.
This Information Notice may undergo changes in line with the evolution of the relevant legislation and the technical and organizational measures gradually adopted by the data controller; the Client/data subject is therefore requested to periodically visit this section of the Site to view updates and the text of the Information Notice in force from time to time.
3. Methods of processing personal data
The processing of personal data is carried out manually and with electronic tools, with logic strictly related to the purposes indicated below and, in any case, in such a way as to guarantee the security and confidentiality of the data themselves.
4. Purposes of personal data processing
(4a) Purposes for which data processing is necessary
The personal data provided by the Client/data subject are primarily processed for the execution of the Contract and the management of credit and, more generally, the relationship arising from the Contract itself.
The provision of data in the Contract or subsequently, during the course of the contractual relationship, for the processing purposes in question is mandatory; therefore, the failure to provide such data, or the partial or inaccurate provision thereof, makes it impossible to stipulate and/or execute the Contract and for the Client/data subject to use the products/services offered by the data controller, potentially exposing the Client/data subject to liability for breach of contract.
The personal data provided by the Client/data subject may also be processed if this is necessary to comply with a legal obligation to which the data controller is subject, to safeguard the vital interests of the Client/data subject or another natural person, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, or for the pursuit of the legitimate interests of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the Client/data subject do not prevail; in these cases as well, the provision of data is mandatory and, therefore, the failure to communicate data, or the partial or inaccurate communication thereof, may expose the Client/data subject to any liabilities and sanctions provided for by the legal system.
(4b) Further purposes of processing following specific and express consent of the Client/data subject
In addition to the processing purposes mentioned above, the personal data provided/acquired may be processed, subject to the consent of the Client/data subject, to be expressed by selecting the box <<Give consent>> on the Contract or on the Site (or using other social or web applications of the data controller), also for conducting market research and for making commercial and promotional communications, via telephone (also using the mobile number provided) and automated contact systems (e-mail, SMS, MMS, fax, etc.), regarding products/services of the data controller or companies of the Group to which the data controller may belong.
Consent for the processing purposes referred to in this point (4b) is optional; therefore, in the event of refusal, the data will be processed solely for the purposes indicated in the previous point (4a), except as specified below with reference to the legitimate interests of the data controller or third parties.
5. Categories of personal data processed
The data controller primarily processes identification/contact data (name, surname, addresses, type and number of identification documents, telephone numbers, e-mail addresses, tax/billing information, among others) and, where commercial transactions are planned, financial data of a banking nature (in particular bank account identifiers and credit card numbers, among other data related to the aforementioned commercial transactions).
The processing carried out by the data controller, both for the execution of the Contract and by virtue of the express consent of the Client/data subject, does not generally concern special categories of personal data, known as sensitive (revealing racial or ethnic origin, political opinions, religious beliefs, health status or sexual orientation, etc.), nor genetic and biometric data or so-called judicial data (relating to criminal convictions and offenses).
However, it cannot be excluded that the data controller, in order to perform the obligations arising from the Contract, may need to store and/or process sensitive, genetic, biometric, or judicial data of the Client/data subject or third parties, which the Client/data subject possesses as a data controller; in such a case, the processing by the data controller takes place by virtue of, under the conditions, and within the limits of the appointment of the data controller as a data processor by the Client/data subject.
The data controller processes, as a data controller with reference to the Site, and potentially as a data processor appointed for this purpose (in the terms mentioned above) by the Client/data subject, also so-called browsing data. The computer systems and software procedures used to operate the websites acquire, during their normal operation, some personal data, the transmission of which is implicit in the use of internet communication protocols. This is information that is not collected to be associated with identified subjects, but which, by its very nature, could allow the data subject to be identified. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and addresses of websites from which access or exit was made, information on pages visited by users within the site, access time, duration of stay on a single page, internal path analysis, and other parameters relating to the user’s operating system and computer environment. This is, therefore, information that, by its very nature, allows users to be identified through processing and association also with data held by third parties.
Cookies may also be used on the Site, both session cookies (which are not stored on the data subject’s computer and disappear when the browser is closed) and persistent cookies, for the transmission of personal information, as may other systems for tracking data subjects.
6. Source of personal data
The personal data processed by the data controller are collected directly by the data controller from the Client/data subject at the time of, and during, their navigation on the Site (or using other social or web applications of the data controller), or, also through its sales representatives, on the occasion of, or subsequent to, the signing of the Contract, during the execution phase of the same, or from public sources.
As specified above, the data controller, as a data processor appointed for this purpose, in order to perform the obligations arising from the Contract, may store and/or process data, in particular browsing data, potentially also sensitive, genetic, biometric, or judicial data of third parties, which the Client/data subject possesses as a data controller, acquired, subject to the consent of said third parties, at the time of, and during, the navigation of said third parties on the Site (or using other social or web applications attributable to the data controller).
7. Legitimate interests
The legitimate interests of the data controller or third parties may constitute a valid legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject do not prevail. In general, such legitimate interests may exist when there is a relevant and appropriate relationship between the data controller and the data subject, for example, when the data subject is a client of the controller. In particular, it constitutes a legitimate interest of the data controller to process personal data of the Client/data subject for fraud prevention purposes, for direct marketing purposes, to ensure the free movement of such data within the corporate Group to which the data controller may belong, and to process traffic data in order to ensure network and information security, i.e., the ability of a network or system to resist, at a given level of confidence, unforeseen events or unlawful acts that may compromise the availability, authenticity, integrity, and confidentiality of the data.
8. Circulation of personal data
(8a) Communication of personal data – categories of recipients
In addition to employees and collaborators of the data controller in various capacities (who are authorized by the data controller to process data on the basis of appropriate written operational instructions, in order to guarantee the confidentiality and security of the data), some processing operations may also be carried out by third parties to whom the data controller entrusts certain activities, or parts thereof, that serve the purposes referred to in point (4a), i.e., the performance of both contractual and legal obligations. Among these, the following deserve mention, by way of an inevitably non-exhaustive list: commercial and/or technical partners; companies providing banking and financial services; companies performing document archiving services; debt collection companies; auditing and financial statement certification companies; rating agencies; subjects who perform professional assistance and consultancy activities for the data controller; companies performing customer care activities; factoring companies, credit securitization companies, or other assignees of credits; companies of the Group to which the data controller may belong; subjects providing commercial information; IT service companies. The subjects belonging to the aforementioned categories process the personal data as independent data controllers, or as data processors, with reference to the specific processing operations that fall within the contractual services that said subjects perform for/in the interest of the data controller; the data controller provides the data processors with appropriate written operational instructions, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.
Some processing operations may be carried out by third parties to whom the data controller entrusts certain activities, or parts thereof, also functionally to the purposes referred to in point (4b), among which the following deserve mention, by way of an inevitably non-exhaustive list: commercial and/or technical partners; companies that institutionally provide marketing services; advertising agencies; subjects providing assistance and consultancy with reference to competitions and prize operations. The subjects belonging to the aforementioned categories process personal data as independent data controllers, or as data processors, with reference to specific processing operations that fall within the contractual services that said subjects perform for/in the interest of the data controller; the data controller provides the data processors with appropriate written operational instructions, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.
The list, subject to periodic update, of the data processors with whom the data controller maintains relationships is available upon written request to be sent to the data controller’s office.
Personal data may also be communicated, upon request, to the competent authorities, in compliance with obligations deriving from mandatory provisions of law.
(8b) Transfer of personal data to third countries
The personal data of the Client/data subject may also be transferred abroad, both to countries within the European Union and to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, or within the framework and with the appropriate safeguards provided for by the GDPR (therefore, in particular, in the presence of standard data protection contractual clauses approved by the European Commission), or, outside the cases mentioned above, by resorting to one or more of the derogations provided for by the GDPR (in particular, by virtue of the explicit consent of the Client/data subject, or for the execution of the Contract concluded by the Client/data subject, or for the execution of a contract stipulated between the data controller and another natural or legal person in favor of the Client/data subject, specifically for the execution of activities entrusted to it by the data controller for the execution of the Contract concluded with the Client/data subject). In the event of data transfers to countries outside the European Union, the Client/data subject is allowed, upon written request to be sent to the data controller’s office, to know the appropriate safeguards, or the derogations, that legitimize the cross-border processing. It is understood, in the event of data transfer to countries outside the European Union, that for every request concerning the data, including for the exercise of the rights recognized by the GDPR to the Client/data subject, the latter may always validly contact the data controller.
9. Criteria for determining the personal data retention period
For the purposes referred to in point (4a) above, the retention period of the personal data provided by the Client/data subject, and their consequent potential processing, coincides with the limitation period of the rights/duties (legal, fiscal, etc.) arising from the Contract: generally 10 years, unless events occur that interrupt the limitation period and therefore extend it.
For the purposes referred to in point (4b) above, the retention period of the data provided by the Client/data subject, and their consequent potential processing, ends with the withdrawal of the consent previously given by the Client/data subject or, in the absence thereof, in any case after one year from the termination of any relationship between the data controller and the Client/data subject.
10. Rights of the Client/data subject
The data controller recognizes – and facilitates the exercise by the Client/data subject of – all the rights provided for by the GDPR, in particular the right to request access to their personal data and to extract a copy thereof (art. 15 GDPR), to rectification (art. 16 GDPR) and erasure of the same (art. 17 GDPR), to restriction of processing concerning them (art. 18 GDPR), to data portability (art. 20 GDPR, where the conditions are met) and to object to processing concerning them (arts. 21 and 22 GDPR, for the cases mentioned therein and, in particular, to processing for marketing purposes or which results in an automated decision-making process, including profiling, which produces legal effects concerning them, where the conditions are met).
The data controller also recognizes the Client/data subject’s right, where the processing is based on consent, to withdraw said consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To do this, the Client/data subject can unsubscribe at any time on the Site (or on other social or web applications of the data controller) or by using the appropriate link at the bottom of every commercial communication received, or by contacting the data controller at the contact details provided above.
The data controller also informs the Client/data subject of the right to lodge a complaint with the Data Protection Authority (Garante per la protezione dei dati personali), as the supervisory authority operating in Italy, and to seek a judicial remedy, both against a decision of the Data Protection Authority and against the data controller and/or a data processor.
11. Security of systems and personal data
Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context, and purposes of processing, as well as the risk, in terms of probability and severity, for the rights and freedoms of natural persons, the data controller adopts technical and organizational measures deemed appropriate to ensure a level of security adequate to the risk, in particular by ensuring, on a permanent basis, the confidentiality, integrity, availability, and resilience of processing systems and services (also through the encryption of personal data, where necessary) and the ability to restore the availability of data in a timely manner in the event of a physical or technical incident, and by adopting internal procedures aimed at regularly testing, verifying, and evaluating the effectiveness of the technical and organizational measures employed.
In assessing the appropriate level of security, account is taken of the risks presented by processing that derive, in particular, from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
The data controller endeavors to ensure that anyone acting under its authority and having access to personal data does not process such data unless instructed to do so by the data controller.
That said, the Client/data subject acknowledges and accepts that no security system can guarantee absolute protection; therefore, the data controller is not liable for acts or facts of third parties who, despite the appropriate precautions adopted, access the systems without due authorization.
12. Automated decision-making, including profiling
The data controller may carry out automated processing, including profiling, in relation to the purposes referred to in point (4b) above, to optimize the navigability of the Site (or the usability of other social or web applications of the data controller) and to improve the purchasing experience, without prejudice to the rights of objection and withdrawal of consent of the Client/data subject specified above.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning, for example, that person’s personal preferences, interests, or location, also for the purpose of creating profiles, i.e., homogeneous groups of subjects by characteristics, interests, or behaviors.
The data controller does not carry out any automated processing that produces legal effects concerning the Client/data subject or similarly significantly affects them, unless this is necessary for the conclusion or performance of the Contract, is authorized by law, or is based on the explicit consent of the Client/data subject, in any case always recognizing the latter’s right to obtain human intervention, to express their point of view, and to contest the decision.
