PERSONAL DATA PROTECTION
1. Legal framework
1.1. The Policy is based on the following EU and/or national (first and/or second level) regulatory provisions: (i) Directive n. 2002/58/EC of 12.7.2012 (ePrivacy Directive), as amended by Directive n. 2009/136/EC; (ii) art. 122 of the amended Legislative Decree n. 196/2003 (Privacy Code), which transposed the ePrivacy Directive into the national legal system; (iii) GDPR: art. 4 (11), 7, 12, 13, 25 and 95 (in addition, in particular, to Recital n. 30, 32 and 173); (iv) Guidelines n. 5/2020 adopted on 4.5.2020 by EDPB, replacing Guidelines of 10.4.2018 signed by WP Art. 29; (v) Measure n. 231 of 10.6.2021 [web doc. no. 9677876] signed by Italian Data Protection Authority; (vi) Recommendation n. 2/2001 of WP Art. 29; (vii) Opinion n. 2/2010 of WP Art. 29; (viii) Opinion n. 4/2012 of WP Art. 29; (ix) Guideline n. 8/2020 of EDPB; (viii) Measure n. 224 of 9.6.2022 [web doc. no. 9782890], n. 243 of 7.7.2022 [web doc. no. 9806053] and n. 254 of 21.7.2022 [web doc. no. 9808698] signed by Italian Data Protection Authority.
2. Cookies and other tracking tools: definition and classification
2.1. The "cookies"1 are, as a rule, strings of text that a website ("publisher" or "first party") visited by the user or a different website ("third party") places and stores, directly (in the case of the first party website) or indirectly (through the latter, in the case of the third party website), in a terminal device available to the user. 4 n. 1) of GDPR (e.g. IP address; user name; e-mail address; unique identifier) as well as non-personal data ex art. 3 n. 1) of EU Regulation no. 1807/2018 (e.g. language; type of device used). Alongside (or in addition to) them, 'other tracking tools' may exist (and therefore be used), which can be subdivided into 'active' (which have almost the same characteristics as cookies) and 'passive' (e.g. finger printing).
2.2. In addition to the described intrinsic characteristics, cookies (and other tracking tools) may have different peculiarities in terms of time (and, therefore, be considered "session"2 or "permanent"3, depending on their duration), from a subjective point of view (depending on whether the publisher acts autonomously or on behalf of a "third party") and, finally (but in particular), depending on the purpose of the processing pursued, so that they can be divided into two different (macro) categories:
- 'technical', used for the sole purpose of 'carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contracting party or user to provide such service' (art. 122(1) of Privacy Code). In this regard, the Privacy Guarantor pointed out, within Provision n. 231 of 10.6.2021 (in continuity with the previous Measure on the subject of 2014), that the "analytics cookies"4 may well be included within the scope of cookies (or other tracking tools) of a "technical" nature (and, therefore, may be used in the absence of the prior acquisition of consent by the data subject), provided that certain conditions are met, aimed at precluding the possibility that, through their use, the direct identification of the data subject (single out) is achieved5.
- “profiling"/"marketing” (so called non-technical), used to link specific actions or recurring behavioural patterns in the use of the offered functionalities (patterns) to specific identified or identifiable subjects, in order to group the various profiles within homogeneous clusters of different sizes, so that the data controller can, among other things, also modulate the provision of the service in an increasingly personalised manner beyond what is strictly necessary for the provision of the service, as well as send targeted advertising messages (i.e., in line with the preferences expressed by the user when surfing the web).
2 Cookies designed to collect and store data while a user accesses a website, and disappear once the user has closed the relevant browsing session.
3 Cookies designed to last for a set period of time (e.g. minutes; months; years).
4 Analytical cookies are usually used to assess the effectiveness of an information society service provided by a publisher, for the design of a website or, finally, to help measure traffic (i.e. the number of visitors, also possibly broken down by geographic area, time of connection).
5 Cf. Provision n. 231 of 10.6.2021 signed by Privacy Guarantor, p. 13/14: 'The structure of the analytics cookie must then provide for the possibility that it is referable not only to one, but to several devices, so as to create reasonable uncertainty as to the computer identity of the person receiving it. As a rule, this effect is achieved by masking appropriate portions of the IP address within the cookie. Taking into account the 32-bit representation of IP version 4 (IPv4) addresses, which are usually represented and used as a sequence of four decimal numbers between 0 and 255 separated by a dot, one of the measures that could be implemented in order to benefit from the exemption consists in masking at least the fourth component of the address, an option that introduces an uncertainty in the attribution of the cookie to a specific data subject equal to 1/256 (about 0.4%). Similar procedures should be adopted with regard to IP version 6 (IPv6) addresses, which have a different structure and a much larger address space (being made up of binary numbers represented with 128 bits). The Garante also emphasises the need for the use of analytics cookies to be limited solely to the production of aggregate statistics, and for them to be used in relation to a single site or a single mobile application, so as not to allow the tracking of a person's browsing using different applications or surfing different websites. It is therefore understood that the third parties that provide the publisher with the web measurement service shall not combine the data, even if minimised in this way, with other processing (customer files or statistics on visits to other websites, for example) or pass them on to other third parties, otherwise the risk of user identification would be unacceptably increased, unless the production of statistics by them using the minimised data involves several domains, websites or apps that can be traced back to the same publisher or business group. It is, however, possible to consider lawful, even in the absence of the adoption of the prescribed minimisation measures, the use of statistical analyses relating to more than one domain, website or app attributable to the same data controller, provided that the latter carries out the statistical processing itself, without such analyses resulting in an activity which, going beyond the boundaries of a mere statistical count, actually takes on the characteristics of a processing aimed at making decisions of a commercial nature".
3. Cookies installed on the Site
3.1. Within the Site, the following types of cookies have been installed (or may be installed, subject to obtaining the specific consent of the user):
|_UTMB||Analytical||It retains the user's visit time.||Part One||10/2022|
|_UTMT||Analytical||Stores the number of requests.||Part One||4/2023|
|_UTMZ||Analytical||It stores how the user reached the website.||Part One||10/2022|
|_UTMC||Analytical||Stores user activity on the website.||Part One||Session|
|_UTMA||Analytical||Used to identify the visitor.||Part One||11/2023|
|PHPSESSID||Analytical||Allows information on session status to be stored.||Part One||Session|
|Analytical||It records a unique ID for statistics related to which YouTube videos have been viewed by the user.||Part Three (YouTube)||Persistent|
|Analytical||Stores user's video player preferences using embedded YouTube video.||Part Three (YouTube)||Persistent
4. Browser settings
4.1. IMA ITALIA points out the possibility for the user to delete and block the operation of the cookies described in art. 3 above at any time by using the appropriate settings features within the browser used: in this regard, IMA ITALIA adds that, where the user decides to disable the technical cookies referred to in art. 2.2. point i), the quality and speed of services and features offered and made available on the Site may deteriorate.
You can find information on how to manage cookies with some of the most popular browsers by visiting the following web pages:
Finally, IMA ITALIA indicates the website link of the third party described in art. 3 above: www.youtube.com
5. Data subject’s rights
5.1. In relation to the user's personal data, IMA ITALIA informs that the relevant data subject pursuant to art. 4 n. 1) of GDPR has the right to exercise the following rights which may be subject to the limitations provided for in art. 2 undecies and 2 duodecies of Privacy Code: right of access pursuant to art. 15 of GDPR: right to obtain confirmation as to whether or not personal data concerning the data subject are being processed, as well as the information referred in art. 15 of GDPR (e.g. purpose of processing, storage period); right to rectification under art. 16 of GDPR: right to correct, update or supplement personal data; right to erasure under art. 17 of GDPR: right to obtain erasure or destruction or anonymisation of personal data, where, however, the conditions listed in the same article apply; right to restriction of processing under art. 18 of GDPR: right to obtain the restriction of the processing of personal data in the cases governed by art. 18 of the GDPR; right to data portability under art. 20 of GDPR: right to obtain the personal data provided to IMA ITALIA in a structured, commonly used and machine-readable format (and, where required, to transmit them directly to another Data Controller), where the specific conditions set out in that article are met (e.g. legal basis of consent and/or execution of a contract; personal data provided by the data subject); right to object under art. 21 of GDPR: right to obtain the cessation, on a permanent basis, of a specific processing of personal data; right to lodge a complaint with the Privacy Guarantor under art. 77 of GDPR: right to lodge a complaint where it is considered that the processing under analysis violates national and EU legislation on the protection of personal data.
5.2. In addition to the rights described in art. 5.1. above, IMA ITALIA specifies that, in relation to the personal data of the data subject, there is, where possible and conferring, the right to exercise, on the one hand, the (sub)right provided for art. 19 of GDPR ("The controller shall communicate to each of the recipients to whom the personal data have been transmitted any rectification or erasure or restriction of processing carried out pursuant to article 16, article 17(1) and article 18, unless this proves impossible or involves a disproportionate effort. The data controller shall inform the data subject of such recipients if the data subject so requests"), to be considered connected and related to the exercise of one or more of the rights regulated in articles 16, 17 and 18 of GDPR; on the other hand, IMA ITALIA specifies that, in relation to the personal data of the data subject, there is, where possible and conferring, the right to exercise the right provided for in art. 22(1) of GDPR ("The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning him or her or significantly affects him or her in a similar way"), subject to the exceptions provided for in paragraph 2 below.
5.3. Pursuant to article 12 paragraph 1) of GDPR, IMA ITALIA undertakes to provide the User with the communications referred in art. from 15 to 22 and 34 of GDPR in a concise, transparent, intelligible, easily accessible and plain language form: such information shall be provided in writing or by other electronic means, or, at the User's request, orally provided that the User's identity is proven by other means.
5.4. In accordance with article 12 paragraph 3) of GDPR, IMA ITALIA informs you that it undertakes to provide you with information regarding the action taken in respect of a request pursuant to art. from 15 to 22 of GDPR without undue delay and, in any event, at the latest within one month of receipt of such request; this period may be extended by n. 2 months if necessary, taking into account the complexity and number of requests (in this case, the Controller undertakes to inform the user of such extension and the reasons for the delay, within one month of receipt of the request).
5.5. The user may exercise the above-described rights at any time (with the exception of the right under Art. 77 of GDPR) by using the contact details set out in art. 6.
6. Contact details
6.1. IMA ITALIA can be contacted at the following address: firstname.lastname@example.org
6.2.The Data Protection Officer (DPO) ex art. 37 of GDPR, appointed by IMA ITALIA, can be contacted at the following address: email@example.com
7. Social plug-ins
7.1. In accordance with EDPB Guidelines n. 8/2020, IMA ITALIA also specifies that it acts as a joint data controller under Articles 4(7) and 26 of the GDPR with certain social media providers (e.g. Linkedin), by virtue of the installation of the relevant social plug-ins within the Site, which can be easily viewed and used on the Site.
Sesto S. Giovanni (MI), 17.10.2022 (date of last update).
IMA ITALIA ASSISTANCE S.p.A. (in the person of its legal representative pro tempore)