- Legal framework.
1.1. The Policy is based on the following EU and/or national (first and/or second level) regulatory provisions: (i) Directive n. 2002/58/EC of 12.7.2012 (so-called ePrivacy Directive), as amended by Directive n. 2009/136/EC; (ii) art. 122 of the new Legislative Decree n. 196/2003 (Privacy Code), which transposed the ePrivacy Directive into the national legal system; (iii) GDPR: articles 4 n. 11), 7, 12, 13, 25 and 95 (in addition, in particular, to Recitals n. 30, 32 and 173); (iv) Guidelines n. 5/2020 adopted on 4.5.2020 by the EDPB, replacing the Guidelines of 10.4.2018 signed by WP Art. 29; (v) Measure n. 231 of 10.6.2021 [web doc. n. 9677876] signed by the Italian Data Protection Authority (Privacy Guarantor); (vi) Recommendation n. 2/2001 of the WP Art. 29; (vii) Opinion n. 2/2010 of the WP Art. 29; (viii) Opinion n. 4/2012 of the WP Art. 29; (ix) Guidelines n. 8/2020 of the EDPB.
- Cookies and other tracking tools: definition and classification.
2.1. The “cookies”1 are, as a rule, strings of text that a website (“publisher” or “first party”) visited by the user or a different website (“third party”) places and stores, directly (in the case of the first party website) or indirectly (through the latter, in the case of the third party website), in a terminal device available to the user: in this regard, the Privacy Guarantor has specified that the information encoded in cookies may include both personal data under art. 4 n. 1) of the GDPR (e.g. IP address; user name; email address; unique identifier) and non-personal data pursuant to art. 3 n. 1) of EU Regulation n. 1807/2018 (e.g. language; type of device used).
Alongside (or in addition to) them, “other tracking tools” may exist (and therefore be used), which can be divided into “active” (which have almost the same characteristics as cookies) and “passive” (e.g. fingerprinting).
2.2. In addition to the above-mentioned intrinsic features, cookies (and other tracking tools) may have different characteristics in terms of time (and thus be considered “session”2 or “permanent”3, depending on their duration), subjectively (depending on whether the publisher acts autonomously or on behalf of a “third party”) and, finally (but especially), depending on the purpose of the processing pursued, so that they can be divided into two different (macro) categories:
- “technical”, used for the sole purpose of “carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contracting party or user to provide such service” (Article 122(1) of the Privacy Code).
In this regard, the Privacy Guarantor has highlighted, in Measure n. 231 of 10.6.2021 (in line with the previous provision on the subject of 2014), that the “analytics cookies”4 may well be included within the scope of cookies (or other tracking tools) of a “technical” nature (and, therefore, can be used without the prior acquisition of consent from the person concerned), under certain conditions, aimed at precluding the possibility that their use leads to the direct identification of the person concerned (single out)5.
- “profiling”/“marketing” (so-called “non-technical”), used to trace specific actions or behavioural patterns recurring in the use of the functions offered (patterns) to specific identified or identifiable subjects, in order to group the various profiles within homogeneous clusters of different sizes, so that the Data Controller can, among other things, also modulate the provision of the service in an increasingly personalised manner beyond what is strictly necessary for the provision of the service, as well as send targeted advertising messages (i.e., in line with the preferences expressed by the user when surfing the web).
- Cookies installed on the Site.
3.1. Within the Site, the following types of cookies have been installed (or may be installed, subject to obtaining the specific consent of the user):
- Browser settings.
4.1. COOPSELIOS highlights the possibility for the user to delete and block the cookies described in article 3 above at any time by using the specific settings available in the browser used: in this respect, COOPSELIOS adds that if the user decides to disable the technical cookies described in article 2.2. i), the quality and speed of the services and functionalities offered and made available on the Website may deteriorate.
You can find information on how to manage cookies with some of the most popular browsers by visiting the following web pages:
- Data subject’s rights.
5.1. In relation to the user’s personal data, COOPSELIOS informs that the relevant data subject pursuant to art. 4 n. 1) of the GDPR has the right to exercise the following rights which may be subject to the limitations provided for in art. 2 undecies and 2 duodecies of the Privacy Code: right of access pursuant to art. 15 of the GDPR: right to obtain confirmation as to whether or not personal data concerning the data subject are being processed, as well as the information referred to in art. 15 of the GDPR (e.g. purpose of processing, storage period); right to rectification under art. 16 of the GDPR: right to correct, update or supplement personal data; right to erasure under art. 17 of the GDPR: right to obtain erasure or destruction or anonymisation of personal data, where, however, the conditions listed in the same article apply; right to restriction of processing under art. 18 of the GDPR: right to obtain the restriction of the processing of personal data in the cases governed by art. 18 of the GDPR; right to data portability under art. 20 of the GDPR: right to obtain the personal data provided to COOPSELIOS in a structured, commonly used and machine-readable format (and, where required, to transmit them directly to another Data Controller), where the specific conditions set out in that article are met (e.g. legal basis of consent and/or execution of a contract; personal data provided by the data subject); right to object under art. 21 of the GDPR: right to obtain the cessation, on a permanent basis, of a specific processing of personal data; right to lodge a complaint with the Privacy Guarantor under art. 77 of the GDPR: right to lodge a complaint where it is considered that the processing under analysis violates national and EU legislation on the protection of personal data.
5.2. In addition to the rights described in art. 5.1. above, COOPSELIOS specifies that, in relation to the personal data of the data subject, there is, where possible and relevant, the right to exercise, on the one hand, the (sub)right provided for in art. 19 of the GDPR (“The controller shall communicate to each of the recipients to whom the personal data have been transmitted any rectification or erasure or restriction of processing carried out pursuant to article 16, article 17(1) and article 18, unless this proves impossible or involves a disproportionate effort. The data controller shall inform the data subject of such recipients if the data subject so requests”), to be considered connected and related to the exercise of one or more of the rights regulated in articles 16, 17 and 18 of the GDPR; on the other hand, COOPSELIOS specifies that, in relation to the personal data of the data subject, there is, where possible and relevant, the right to exercise the right provided for in art. 22(1) of the GDPR (“The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning him or her or significantly affects him or her in a similar way”), subject to the exceptions provided for in paragraph 2 below.
5.3. Pursuant to article 12 paragraph 1) of the GDPR, COOPSELIOS undertakes to provide the User with the communications referred to in arts. 15 to 22 and 34 of the GDPR in a concise, transparent, intelligible and easily accessible form, using plain language: such information shall be provided in writing or by other electronic means, or, at the User’s request, orally provided that the User’s identity is proven by other means.
5.4. In accordance with article 12 paragraph 3) of the GDPR, COOPSELIOS informs you that it undertakes to provide you with information regarding the action taken in respect of a request pursuant to arts. 15 to 22 of the GDPR without undue delay and, in any event, at the latest within one month of receipt of such request; this period may be extended by 2 months if necessary, taking into account the complexity and number of requests (in this case, the Controller undertakes to inform the user of such extension and the reasons for the delay, within one month of receipt of the request).
5.5. The user may exercise the above-described rights at any time (with the exception of the right under Art. 77 of the GDPR) by using the contact details set out in art. 6.
- Contact details.
6.1. COOPSELIOS can be contacted at: email@example.com
6.2. The Data Protection Officer (DPO) pursuant to art. 37 of the GDPR, appointed by COOPSELIOS, can be contacted at the following address: firstname.lastname@example.org
- Social plug-in.
7.1. In compliance with EDPB Guidelines n. 8/2020, COOPSELIOS also specifies that it is a joint data controller under Articles 4(7) and 26 of the GDPR with certain social media providers (e.g. Linkedin; YouTube), by virtue of the installation, within the Website, of the relevant social plug-ins, which can be easily viewed and used on the Website.
Finally, COOPSELIOS specifies that the cookie banner that can be viewed within the Site respects, as required by the Privacy Guarantor in its Provision n. 231 of 10.6.2021, the “AA” level success criteria, applicable in this case, of the “Web Content Accessibility Guidelines” (WCAG) 2.1., a document referred to by art. 2.2. of the “Guidelines on the accessibility of IT tools” signed by AGID of 13.2.2020.
Reggio Emilia, 4.1.2022 (date of last update)
COOPSELIOS Cooperativa Sociale S.C.
(in the person of its legal representative pro tempore)
2 Cookies designed to collect and store data while a user accesses a website, and disappear once the user closes the relevant browsing session.
3 Cookies that are designed to last for a fixed period of time (e.g. minutes; months; years).
4 Analytical cookies are usually used to assess the effectiveness of an information society service provided by a publisher, for the design of a website or to help measure traffic (i.e. the number of visitors, including possibly broken down by geographic area, time of connection).
5 See Provision no. 231 of 10.6.2021 signed by the Privacy Guarantor, p. 13/14: “The structure of the analytics cookie must then provide for the possibility that the same is referable not only to one, but to several devices, so as to create a reasonable uncertainty about the identity of the person who receives it. As a rule, this effect is achieved by masking appropriate portions of the IP address in the cookie. Taking into account the representation of IP addresses version 4 (IPv4) at 32 bits, which are usually represented and used as a sequence of four decimal numbers between 0 and 255 separated by a point, one of the measures that can be implemented in order to benefit from the exemption consists in masking at least the fourth component of the address, an option that introduces an uncertainty in the attribution of the cookie to a specific person equal to 1/256 (about 0.4%). Similar procedures should be adopted with reference to IP addresses version 6 (IPv6), which have a different structure and a much larger address space (being made up of binary numbers represented with 128 bits). The Guarantor also stresses the need for the use of analytics cookies to be limited solely to the production of aggregate statistics and that they be used in relation to a single site or a single mobile application, so as not to allow tracking of the navigation of the person using different applications or browsing different websites. Therefore, it is understood that third parties providing the web measurement service to the Publisher shall not combine the data, even if minimized in this manner, with other processing (customer files or statistics on visits to other websites, for example) or pass them on to other third parties, otherwise the risk of user identification would be unacceptably high, unless the production of statistics carried out by them with the minimized data involves several domains, websites or apps attributable to the same Publisher or business group. 
However, even in the absence of the adoption of the prescribed minimization measures, it is possible to consider lawful the use of statistical analyses relating to multiple domains, websites or apps attributable to the same owner, provided that the owner performs the statistical processing himself, without such analyses resulting in an activity which, going beyond the boundaries of a mere statistical count, actually takes on the characteristics of a processing aimed at making commercial decisions”.