PERSONAL DATA PROTECTION

INFORMATION NOTICE PURSUANT TO ARTICLE 13 OF EU REGULATION 2016/679

IMA ITALIA ASSISTANCE S.p.A., (Fiscal code: 09749030152 – VAT n.: 02069150965) (hereinafter “IMA ITALIA”), in the person of its legal representative pro tempore, with registered office in Sesto S. Giovanni (MI), Piazza Indro Montanelli, 20, in its capacity as Data Controller ex art. 4 n. 7) and 24 of the EU Regulation n. 2016/679 (GDPR), informs, pursuant to art. 13 and 14 of the GDPR, that the personal data, described in art. 1, will be processed by IMA ITALIA for the execution of the processing purposes described in art. 2.


1. Category of personal data being processed

1.1. IMA ITALIA collects and processes, for the execution of the processing purposes described in art. 2, the following information concerning, depending on the factual/contractual circumstances, mainly the following categories of data subject pursuant to art. 4 n. 1) of the GDPR: insured party (also member); policyholder; beneficiary; family member/supporting party of the insured party/beneficiary; animal subject to insurance protection:
i. Personal data pursuant to art. 4 n. 1) of the GDPR so-called identification/contact data (e.g. first name; surname; date and place of birth; tax code; address of residence/domicile/dormitory; telephone number; e-mail address; degree of relationship; identity document information (e.g. type and number of the document; date of issue; expiry date; place/entity of issue; nationality); vehicle registration number plate, if necessary; insurance policy number; gender; travel document identification information, if necessary; identification elements of the animal subject to insurance protection: e.g. microchip), including bank/financial data (e.g. bank/post account number) and/or location/location information if necessary, as well as any other information, not described herein by way of example, directly or indirectly linked to the claim and/or to the insurance claim that has occurred/been reported/reported (e.g. telephone recording made with an operator of IMA ITALIA), in order to provide, in the best way possible, the insurance assistance/coverage contractually agreed with IMA ITALIA (hereinafter only “personal data”).
ii. Particular personal data within the meaning of art. 9 paragraph 1) of the GDPR, processed, if necessary, following the correct, complete and timely management of a claim and/or a request for insurance assistance occurred/reported/reported, in order to provide, in the best possible way, the insurance assistance/coverage contractually agreed with IMA ITALIA (e.g. information on the state of health or on the need for medical/health/social assistance/assistance, including at home (e.g. hospitalisation; accident; illness; medical diagnosis/therapy; death; medical expenses) (hereinafter only “particular personal data”).
iii. Judicial personal data within the meaning of art. 10 of the GDPR, including any information about an active/passive and/or direct/indirect involvement in a civil/criminal/administrative judicial/legal dispute (hereinafter “judicial personal data”).
Given the subjective and objective heterogeneity of the categories of personal information described above, IMA ITALIA recalls, in this regard, that it will only process the personal information that is strictly necessary to perform each of the processing purposes described in article 2 below, in accordance with the principles under article 5 of the GDPR, and on the basis of the specific product/contract/insurance policy signed with IMA ITALIA.
Lastly, IMA ITALIA specifies that the subjects, described in greater detail in art. 1.1 above (i.e.: insured party (including policyholder); policyholder; beneficiary; family member/perpetrator of the insured party/beneficiary), have, in a singular manner, the status of data subject pursuant to art. 4 n. 1) of the GDPR, to which must be added, in this regard, any supplier/consultant who provides, directly or indirectly, a service of various kinds which is the subject of insurance protection.


2. Purpose of processing and legal basis.

2.1. Personal data and, if necessary and appropriate, particular personal data and/or judicial personal data are/can be processed by IMA ITALIA for the performance of the following (macro) processing purpose:
a. Execution, also at a distance, of the (pre)contractual/policy relationship insurance/a, including the performance of any contractual/regulatory fulfilment connected, directly or indirectly, to the fulfilment of the relevant insurance relationship/purpose (e.g. collection of premiums; completion of the management/payment of insurance assistance/coverage/practice, including the management/liquidation of the relevant claim/event subject to insurance cover; resolution of a dispute regarding compensation/payment of other benefits; customer due diligence, if necessary; prevention, detection and/or prosecution of insurance fraud; determination/assessment/management of an insurance risk; reinsurance; co-insurance; internal management activities within the business group to which IMA ITALIA belongs).
In compliance with art. 13 paragraph 2) letter e) of the GDPR, IMA ITALIA specifies that any failure to communicate (even partial, if necessary) personal data and, if necessary, particular personal data and/or judicial personal data may, if necessary, result in the impossibility for IMA ITALIA to perform, correctly and completely, the (macro) purpose of processing referred to in art. 2.1. letter a) above.
In compliance with art. 13 paragraph 2) letter c) of the GDPR (or in compliance with art. 14 paragraph 2) letter d) of the GDPR, if applicable), IMA ITALIA informs you of your right to revoke, at any time, any consent you may have given for the processing of particular personal data in order to execute the (macro) purpose of processing referred to art. 2.1. letter a), through the use of contact details described in art. 7, without such an event affecting the lawfulness of the processing based on the consent provided before the revocation: taking this into account, IMA ITALIA specifies, however, that any lack of consent or any revocation of consent previously provided affects, without any doubt, the possibility for IMA ITALIA to implement, fully and completely, the (macro) processing purpose referred to art. 2.1. letter a) (in particular, with regard to the execution of the insurance policy, including the management of the insurance assistance/coverage/practice, and the management/liquidation of the relevant claim/event subject to insurance cover).
In this regard, IMA ITALIA points out that the legal basis of the (macro) processing purpose referred to art. 2.1. letter a) is to be found in the following legal provisions, in addition to Legislative Decree n. 209/2005: art. 6 paragraph 1) letters b) c) of the GDPR, for personal data; art. 9 paragraph 2) letter a) of the GDPR, for any particular personal data; art. 4.7. of Recommendation n. R(2002)9 of the Committee of Ministers to member states on the protection of personal data collected and processed for insurance purposes, to be read in conjunction with art. 10 of the GDPR, and with art. 2 octies paragraph 3) letter d) of the amended Legislative Decree n. 196/2003 (Privacy Code), for any judicial personal data.

2.2. Personal data and, if necessary and appropriate, particular personal data and/or judicial personal data are/can be processed by IMA ITALIA for the performance of the following processing purpose:
b. Recognition/exercise/defence of a right/interest, including in court.
In this regard, IMA ITALIA specifies that the legal basis for the purpose of the processing referred to in art. 2.2. letter b) is to be found in the following legal provisions: art. 6 paragraph 1) letter f) of the GDPR, for personal data; art. 9 paragraph 2) letter f) of the GDPR, for any particular personal data; art. 4.7. of Recommendation R(2002)9 of the Committee of Ministers to Member States on the protection of personal data collected and processed for insurance purposes, to be read in conjunction with art. 10 of the GDPR, and with art. 2 octies paragraph 3) letter e) of the Privacy Code, for any judicial personal data.
In compliance with art. 13 paragraph 1) letter d) of the GDPR (or in compliance with art. 14 paragraph 2) letter b) of the GDPR, if applicable), IMA ITALIA specifies that the legitimate interest pursued, if necessary and appropriate, through this purpose of processing, is to protect its own rights/interests, including in court, in the face of potential (or alleged) conduct considered unlawful/illegal.

2.3. Personal data are/can be processed by IMA ITALIA for the following purposes:
c. Handling/resolving/addressing a complaint ;
d. Statistical activities, also aimed at improving knowledge of the insurance market;
e. Verification of the quality of the services offered (customer satisfaction), by means of a special questionnaire/interview.
In this regard, IMA ITALIA specifies that the legal basis for each processing purpose referred in art. 2.3. is found in the following specific regulatory provisions: for the execution of the processing purpose referred in art. 2.3. letter c): art. 6 paragraph 1) letter c) of the GDPR, to be read, in conjunction with (also by analogy, where necessary), ISVAP Regulation n. 24 of 19.5.2008; for the execution of the processing purpose referred to in art. 2.3. letter d): art. 6 paragraph 1) letters c) f) of the GDPR, to be read, in conjunction with (also by analogy), IVASS Regulation n. 36 of 28.2.2017; for the processing purpose referred to in art. 2.3. letter e): art. 6 paragraph 1) letter f) of the GDPR.
In compliance with art. 13 paragraph 1) letter d) of the GDPR (or in compliance with art. 14 paragraph 2) letter b) of the GDPR, if applicable), IMA ITALIA specifies that the legitimate interest pursued through the processing purpose described in art. 2.3. letter d) consists in improving (and deepening) knowledge of the insurance market; instead, the legitimate interest pursued through the processing purpose described in art. 2.3. letter e) consists in understanding any areas/scope for improvement in the services provided.

2.4. Personal data are/can be processed, by IMA ITALIA, for the performance of the following processing purpose, subject to the collection of a specific, informed and unambiguous consent from the data subject:
f. Advertising/promotional/commercial activities (including market research) of one or more insurance products, to be carried out, in compliance with the principles/prescriptions under Art. 182 of Legislative Decree n. 209/2005, either directly or through intermediaries, by automated/electronic/telematic means (e.g. e-mail; website; mobile app; social page; newsletter) or by non-automated/traditional means (e.g. paper mail; sms; articles).
In compliance with art. 13 paragraph 2) letter c) of the GDPR (or in compliance with art. 14 paragraph 2) letter d) of the GDPR, if applicable), IMA ITALIA informs you of your right to withdraw, at any time, any consent you may have given for the processing of your personal data in order to carry out the purpose of the processing described in art. 2.4. letter f), through the use of the contact data described in art. 7 below, without this event affecting the lawfulness of the processing based on the consent you gave before such withdrawal.
In this regard, IMA ITALIA specifies that the legal basis of the processing purpose referred to in art. 2.4. letter f) is found in the following regulatory provisions: art. 6 paragraph 1) letter a) of the GDPR, to be read, together with art. 82 and 83 of IVASS Regulation n. 40 of 2.8.2018, and art. 4.8. of Recommendation R (2002)9 of the Committee of Ministers to Member States on the protection of personal data collected and processed for insurance purposes.

2.5. Personal data are/can be processed by IMA ITALIA for the following purposes:
g. Recording of the (tele/video) consultation that is the object of the insurance benefit or recording of the telephone conversation with an operator acting in the name and on behalf of IMA ITALIA.
In compliance with art. 13 paragraph 1) letter d) of the GDPR (or in compliance with art. 14 paragraph 2) letter b) of the GDPR, where applicable), IMA ITALIA specifies that the legitimate interest pursued through the processing purpose described in art. 2.5. letter g) consists in verifying, witnessing and certifying the quality of the insurance service performed, also in favour of business partners. In this regard, IMA ITALIA specifies that the legal basis of the processing purpose referred to in Article 2.5 can be found in the following legal provision: Article 6 paragraph 1) letter f) of the GDPR .


3. Retention period.

3.1. In accordance with art. 13 paragraph 2) letter a) of the GDPR (or in accordance with art. 14 paragraph 2) letter a) of the GDPR, if applicable), IMA ITALIA communicates the following retention periods/criteria, after which the personal data and/or any "special" personal data and/or any "judicial" personal data will be subject to deletion, destruction or anonymisation, unless further retention is necessary to comply with a legal/regulatory obligation, even if one has arisen, or to protect the data subject's rights. judicial data will be subject to deletion, destruction or anonymisation, unless further storage is necessary in order to comply with a legal/regulatory obligation or in order to protect/establish a right/interest, including in court: (i) for the performance of the (macro) processing purpose referred in art. 2.1. letter a): in general, 10 years pursuant to art. 2220 paragraph 1) Italian Civil Code, to be read in conjunction (and by analogy, if necessary) with art. 5 paragraph 5) and 8 paragraph 1) of ISVAP Regulation n. 27 of 14.10.2008 (to be read, in turn, in conjunction with art. 101 and 165 of Legislative Decree n. 206/2005); (ii) for the performance of the processing purpose referred in art. 2.2. letter b): in general, n. 10 years, starting from the final termination of any judicial/ extrajudicial litigation (see by analogy: document "National archiving system - guidelines for the selection and discarding of documents", signed by the Revenue Agency); (iii) for the processing purpose referred in art. 2.3. letter c): in general, n. 5 years from the final settlement of the claim, in accordance with the provisions of the relevant organisational procedure drawn up by IMA ITALIA in accordance with ISVAP Regulation n. 24 of 19.5.2008; (iv) for the processing purpose referred in art. 2.3. letter d): in general, 2 years; (v) for the performance of the processing purpose under art. 2.3. letter (e): in general, n. 1 year; (vi) for the performance of the processing purpose under art. 2.4. letter (f): until the revocation of the consent, previously given; (vii) for the performance of the processing purpose under art. 2.5. letter (g): in general, up to no. 3 months after the final termination of the relevant contractual relationship.


4. Target audience.

4.1. In accordance with art. 13 paragraph 1) letter e) of the GDPR (or in accordance with art. 14 paragraph 2) letter b) of the GDPR, if applicable), IMA ITALIA specifies that personal data and/or any particular personal data and/or any judicial personal data may be the subject of communication, if necessary and appropriate, to one or more recipients pursuant to art. 4 n. 9) of the GDPR, identified as follows, by category judicial data may be subject to communication, if necessary and appropriate, to one or more recipients pursuant to art. 4 n. 9) of the GDPR, identified, in general, by category as follows: (i) for the performance of the (macro) processing purpose referred in art. 2.1. letter a): parties authorised to process data pursuant to art. 4 n. 10), 29 and 32 paragraph 4) of the GDPR by IMA ITALIA (hereinafter "subjects authorised to the processing by IMA ITALIA"); subsidiaries/parent companies/facilitators that are part of the business group of IMA ITALIA (e.g. IMA SERVIZI S.c.a.r.l.), in compliance with Recital n. 48) of the GDPR, and art. 30 septies of Legislative Decree n. 206/2005 (to be read, together with IVASS Regulation n. 38 of 3.7.2018); subjects/suppliers who are part, for various reasons, of the so-called insurance chain, as better described in the Italian Privacy Guarantor's Order of 26.4.2007 [web doc. no. 1410057] or whose professional (and non-professional) services are necessary/functional for the complete preparation/management of the insurance file/practice (e.g. intermediary/distributor/agent/broker; adjuster; reinsurer; co-insurer; liquidator; doctor (insurance fiduciary); craftsman/specialist; health/social (social) worker/team); companies/companies/professionals providing services connected, directly or indirectly, to the performance of the (macro) processing purpose in question (e.g. ICT company; legal/tax advisor); IVASS; ANIA; subjects legitimately operating within the SIC (Credit Information System), as provided for by the Code of Conduct for information systems managed by private parties on consumer credit, reliability and punctuality in payments, as per Italian Privacy Guarantor Provision no. 163 of 12.9.2019 [web doc. no. 9141941]; (ii) for the performance of the processing purpose referred in art. 2.2. letter b): subjects authorised to the processing by IMA ITALIA; subsidiaries/parent companies/facilitators that are part of the business group of IMA ITALIA; companies/companies/professionals that provide services connected, directly or indirectly, to the performance of the processing purpose in question (e.g. legal counsel); (iii) for the performance of the processing purpose referred to in art. 2.3. letter c): subjects authorised to the processing by IMA ITALIA; subsidiaries/parent companies/faculty members of the business group of IMA ITALIA; IVASS; companies/companies/professionals who provide services connected, directly or indirectly, to the performance of the processing purpose in question (e.g. legal counsel); (iv) for the performance of the processing purpose referred to in art. 2.3. letter d): subjects authorised to the processing by IMA ITALIA; companies/companies/professionals who provide services connected, directly or indirectly, to the performance of the processing purpose in question (e.g. legal counsel); (iv) for the performance of the processing purpose referred to in art. 2.3. letter d): subjects authorised to the processing by IMA ITALIA; subsidiaries/parent companies/facilitators that are part of the business group of IMA ITALIA; IVASS; (v) for the performance of the processing purpose referred to in art. 2.3. letter e): subjects authorised to the processing by IMA ITALIA; subsidiaries/parent companies/factors that are part of the business group of IMA ITALIA; companies/firms/professionals that provide services connected, directly or indirectly, to the performance of the processing purpose in question (e.g. call centre/customer care companies); (vi) for the performance of the processing purpose referred to in art. 2.4. letter f): subjects authorised to the processing by IMA ITALIA; subsidiaries/parent companies/firms that are part of the business group of IMA ITALIA; companies/firms/professionals that provide services connected, directly or indirectly, to the performance of the processing purpose in question (e.g. distributor; (web) marketing company/agency); (vii) for the performance of the processing purpose referred to in art. 2.5. letter g): subjects authorised to the processing by IMA ITALIA; subsidiaries/parent companies/facilitators that are part of the business group of IMA ITALIA (e.g. IMA SERVIZI S.c.a.r.l.); subjects/suppliers that are part, in various ways, of the so-called insurance chain, better described in the Order of the Italian Privacy Guarantor of 26.4.2007 [web doc. 1410057] or whose professional (and non-professional) services are necessary/functional for the complete preparation/management of the insurance dossier/practice; IVASS; companies/companies/professionals providing services connected, directly or indirectly, to the performance of the processing purpose in question (e.g. ICT companies).


5. Transfer.

5.1. Personal data and/or any particular personal data and/or any judicial personal data are/may be stored in automated/partially automated/non-automated files belonging to, or in any case traceable, even indirectly, to IMA ITALIA, and located within the European Economic Area (EEA).


6. Rights of the data subject.

6.1. In relation to personal data and/or any particular personal data and/or judicial personal data, IMA ITALIA informs you of your right to exercise the following rights, which may be subject to the further limitations provided for in Articles 2 undecies and 2 duodecies of the Privacy Code: right of access pursuant to Article 15 of the GDPR: right to obtain confirmation of whether or not personal data is being processed, as well as the information referred to in Article. 15 of the GDPR (e.g. purpose of processing, storage period); right of rectification under Art. 16 of the GDPR: right to correct, update or supplement personal data; right to erasure under Art. 17 of the GDPR: right to obtain the erasure or destruction or anonymisation of personal data, where the conditions listed in the same article apply; right to restriction of processing under Art. 18 of the GDPR: the right to obtain the limitation of processing where the conditions set out in art. 18 apply; right to data portability under art. 20 of the GDPR: the right to obtain the personal data provided to IMA ITALIA in a structured, commonly used and machine-readable format (and, where required, to transmit it directly to another data controller), where the specific conditions set out in the article exist (e.g. legal basis for consent and/or execution of a contractual agreement and/or execution of a contractual agreement). legal basis of consent and/or performance of a contract; personal data provided by the data subject); right of objection under Art. 21 of the GDPR: right to obtain the cessation, on a permanent basis, of a certain processing of personal data; right to lodge a complaint with the Supervisory Authority (i.e. the Italian Data Protection Authority) under Art. 77 of the GDPR: right to lodge a complaint where it is considered that the processing under analysis violates national and EU data protection legislation.

6.2. In addition to the rights described in art. 6.1. above, IMA ITALIA points out that there is, if possible and conferring, the right to exercise, on the one hand, the (sub)right provided for in art. 19 of the GDPR ("The data controller shall inform each of the recipients to whom the personal data have been transmitted of any rectification or erasure or restriction of processing carried out pursuant to Articles 16, 17(1) and 18, unless this proves impossible or involves a disproportionate effort. The data controller shall inform the data subject of such recipients if the data subject so requests"), to be considered connected and related to the exercise of one or more of the rights governed by Articles 16, 17 and 18 of the GDPR; on the other hand, IMA ITALIA specifies that there is, if possible and conferrable, the option of exercising the right provided for by Art. 22 paragraph 1) of the GDPR ("The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way"), subject to the exceptions provided for in paragraph 2) below.

6.3. In compliance with Article 12 paragraph 1) of the GDPR, IMA ITALIA undertakes to provide the communications referred to in Articles 15 to 22 and 34 of the GDPR in a concise, transparent, intelligible, easily accessible form and in plain and clear language: this information will be provided in writing or by other electronic means, or, at the request of the person concerned, will be provided orally provided that the identity of the latter is proven by other means.

6.4. In compliance with art. 12 paragraph 3) of the GDPR, IMA ITALIA informs that it undertakes to provide information regarding the action taken in respect of a request under articles 15 to 22 of the GDPR without undue delay and, in any case, no later than one month after receipt of the request; this period may be extended by 2 months if necessary, taking into account the complexity and number of requests (in this case, IMA ITALIA undertakes to inform of such extension and the reasons for the delay, no later than one month after receipt of the request).

6.5. The aforementioned rights (with the exception of the right pursuant to Art. 77 of the GDPR) may be exercised by means of the contact details set out in Art. 7 below.


7. Contact details.

7.1. IMA ITALIA can be contacted at the following address: ufficioprotezionedati@imaitalia.it

7.2. The Data Protection Officer (DPO) under Article 37 of the GDPR, appointed by the business group to which IMA ITALIA belongs, can be contacted at the following address: dpoimaitalia@imaitalia.it

Sesto S. Giovanni (MI), there 20.5.2024 (date of last update).


IMA ITALIA ASSISTANCE S.p.A.
(in the person of its legal representative pro tempore)

COOKIE POLICY

IMA ITALIA ASSISTANCE S.p.A., (Fiscal Code: 09749030152 – IMA Italia Assistance Group VAT number 13145490960) (hereinafter "IMA ITALIA"), in the person of its legal representative pro tempore, with registered office in Sesto S. Giovanni (MI), Piazza Indro Montanelli, 20, in its capacity as Data Controller pursuant to art. 4 n. 7) and 24 of EU Regulation n. 2016/679 (GDPR), illustrates below the cookie policy ("Policy") referring only to this website www.imaitalia.it (Site).

1. Legal framework

1.1. The Policy is based on the following EU and/or national (first and/or second level) regulatory provisions: (i) Directive n. 2002/58/EC of 12.7.2012 (ePrivacy Directive), as amended by Directive n. 2009/136/EC; (ii) art. 122 of the amended Legislative Decree n. 196/2003 (Privacy Code), which transposed the ePrivacy Directive into the national legal system; (iii) GDPR: art. 4 (11), 7, 12, 13, 25 and 95 (in addition, in particular, to Recital n. 30, 32 and 173); (iv) Guidelines n. 5/2020 adopted on 4.5.2020 by EDPB, replacing Guidelines of 10.4.2018 signed by WP Art. 29; (v) Measure n. 231 of 10.6.2021 [web doc. no. 9677876] signed by Italian Data Protection Authority; (vi) Recommendation n. 2/2001 of WP Art. 29; (vii) Opinion n. 2/2010 of WP Art. 29; (viii) Opinion n. 4/2012 of WP Art. 29; (ix) Guideline n. 8/2020 of EDPB; (viii) Measure n. 224 of 9.6.2022 [web doc. no. 9782890], n. 243 of 7.7.2022 [web doc. no. 9806053] and n. 254 of 21.7.2022 [web doc. no. 9808698] signed by Italian Data Protection Authority.

2. Cookies and other tracking tools: definition and classification

2.1. The "cookies"1 are, as a rule, strings of text that a website ("publisher" or "first party") visited by the user or a different website ("third party") places and stores, directly (in the case of the first party website) or indirectly (through the latter, in the case of the third party website), in a terminal device available to the user. 4 n. 1) of GDPR (e.g. IP address; user name; e-mail address; unique identifier) as well as non-personal data ex art. 3 n. 1) of EU Regulation no. 1807/2018 (e.g. language; type of device used). Alongside (or in addition to) them, 'other tracking tools' may exist (and therefore be used), which can be subdivided into 'active' (which have almost the same characteristics as cookies) and 'passive' (e.g. finger printing).


2.2. In addition to the described intrinsic characteristics, cookies (and other tracking tools) may have different peculiarities in terms of time (and, therefore, be considered "session"2 or "permanent"3, depending on their duration), from a subjective point of view (depending on whether the publisher acts autonomously or on behalf of a "third party") and, finally (but in particular), depending on the purpose of the processing pursued, so that they can be divided into two different (macro) categories:

  • 'technical', used for the sole purpose of 'carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contracting party or user to provide such service' (art. 122(1) of Privacy Code). In this regard, the Privacy Guarantor pointed out, within Provision n. 231 of 10.6.2021 (in continuity with the previous Measure on the subject of 2014), that the "analytics cookies"4 may well be included within the scope of cookies (or other tracking tools) of a "technical" nature (and, therefore, may be used in the absence of the prior acquisition of consent by the data subject), provided that certain conditions are met, aimed at precluding the possibility that, through their use, the direct identification of the data subject (single out) is achieved5.
  • “profiling"/"marketing” (so called non-technical), used to link specific actions or recurring behavioural patterns in the use of the offered functionalities (patterns) to specific identified or identifiable subjects, in order to group the various profiles within homogeneous clusters of different sizes, so that the data controller can, among other things, also modulate the provision of the service in an increasingly personalised manner beyond what is strictly necessary for the provision of the service, as well as send targeted advertising messages (i.e., in line with the preferences expressed by the user when surfing the web).

1 See Recital 30) of GDPR ('Natural persons may be associated with online identifiers produced by the devices, applications, tools and protocols used, such as IP addresses, temporary markers (cookies) or other identifiers such as radio frequency identification tags. Such identifiers may leave traces which, in particular when combined with unique identifiers and other information received from the servers, can be used to create profiles of natural persons and identify them"), and art. 122(1) and (2) of Privacy Code ("1. The storage of information in the terminal equipment of a contractor or user or access to information already stored is permitted only on condition that the contractor or user has given his consent after being informed in a simplified manner. This shall not prohibit any technical storage of or access to information already stored if this is for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contracting party or user to provide such a service. For the purposes of determining the simplified modalities referred to in the first sentence, the Garante shall also take into account the proposals formulated by the most representative associations at national level of the consumers and economic categories involved, also with a view to ensuring the use of methodologies guaranteeing the effective awareness of the contracting party or user. For the purpose of expressing the consent referred to in paragraph 1, specific configurations of computer programmes or devices that are easy and clear for the contracting party or user to use may be used..."); cf, also, p. 15) of Provision n. 231 of 10.6.2021 signed by Privacy Guarantor: "...there is not yet, to date, a universally accepted system of semantic coding of cookies and other tracking tools that allows to objectively distinguish, for example, the technical ones from the analitycs or from those of profiling, if not based on the indications made by the owner himself in the privacy policy [...] the hope that a general coding will be reached quickly".
2 Cookies designed to collect and store data while a user accesses a website, and disappear once the user has closed the relevant browsing session.
3 Cookies designed to last for a set period of time (e.g. minutes; months; years).
4 Analytical cookies are usually used to assess the effectiveness of an information society service provided by a publisher, for the design of a website or, finally, to help measure traffic (i.e. the number of visitors, also possibly broken down by geographic area, time of connection).
5 Cf. Provision n. 231 of 10.6.2021 signed by Privacy Guarantor, p. 13/14: 'The structure of the analytics cookie must then provide for the possibility that it is referable not only to one, but to several devices, so as to create reasonable uncertainty as to the computer identity of the person receiving it. As a rule, this effect is achieved by masking appropriate portions of the IP address within the cookie. Taking into account the 32-bit representation of IP version 4 (IPv4) addresses, which are usually represented and used as a sequence of four decimal numbers between 0 and 255 separated by a dot, one of the measures that could be implemented in order to benefit from the exemption consists in masking at least the fourth component of the address, an option that introduces an uncertainty in the attribution of the cookie to a specific data subject equal to 1/256 (about 0.4%). Similar procedures should be adopted with regard to IP version 6 (IPv6) addresses, which have a different structure and a much larger address space (being made up of binary numbers represented with 128 bits). The Garante also emphasises the need for the use of analytics cookies to be limited solely to the production of aggregate statistics, and for them to be used in relation to a single site or a single mobile application, so as not to allow the tracking of a person's browsing using different applications or surfing different websites. It is therefore understood that the third parties that provide the publisher with the web measurement service shall not combine the data, even if minimised in this way, with other processing (customer files or statistics on visits to other websites, for example) or pass them on to other third parties, otherwise the risk of user identification would be unacceptably increased, unless the production of statistics by them using the minimised data involves several domains, websites or apps that can be traced back to the same publisher or business group. It is, however, possible to consider lawful, even in the absence of the adoption of the prescribed minimisation measures, the use of statistical analyses relating to more than one domain, website or app attributable to the same data controller, provided that the latter carries out the statistical processing itself, without such analyses resulting in an activity which, going beyond the boundaries of a mere statistical count, actually takes on the characteristics of a processing aimed at making decisions of a commercial nature".

3. Cookies installed on the Site

3.1. Within the Site, the following types of cookies have been installed (or may be installed, subject to obtaining the specific consent of the user):

Name Type Function First/third part Duration
_UTMB Analytical It retains the user's visit time. Part One 10/2022
_UTMT Analytical Stores the number of requests. Part One 4/2023
_UTMZ Analytical It stores how the user reached the website. Part One 10/2022
_UTMC Analytical Stores user activity on the website. Part One Session
_UTMA Analytical Used to identify the visitor. Part One 11/2023
PHPSESSID Analytical Allows information on session status to be stored. Part One Session
YT.INNERTUBE::NEXTLD
YT.INNERTUBE::REQUESTS		 Analytical It records a unique ID for statistics related to which YouTube videos have been viewed by the user. Part Three (YouTube) Persistent
YTIDB::LAST_RESULT_ENTRY_KEY
YT-REMOTE-CAST-AVAILABLE
YT-REMOTE-CAST-INSTALLED
YT-REMOTE-CONNECTED-DEVICES
YT-REMOTE-DEVICE-ID
YT-REMOTE-FAST-CHECK-PERIOD
YT-REMOTE-SESSION-APP
YT-REMOTE-SESSION-NAME		 Analytical Stores user's video player preferences using embedded YouTube video. Part Three (YouTube) Persistent
Session
Session
Persistent
Persistent
Session
Session
Session

4. Browser settings

4.1. IMA ITALIA points out the possibility for the user to delete and block the operation of the cookies described in art. 3 above at any time by using the appropriate settings features within the browser used: in this regard, IMA ITALIA adds that, where the user decides to disable the technical cookies referred to in art. 2.2. point i), the quality and speed of services and features offered and made available on the Site may deteriorate.
You can find information on how to manage cookies with some of the most popular browsers by visiting the following web pages:
https://support.google.com/chrome/answer/95647?hl=it
https://support.mozilla.org/it/kb/Gestione%20dei%20cookie?redirectlocale=enUS&redirectslug=Cookies
https://support.microsoft.com/it-it/help/17442
https://support.microsoft.com/it-it/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy
https://support.apple.com/it-it/guide/safari/sfri11471/mac
https://support.apple.com/it-it/HT201265
https://help.opera.com/en/latest/security-and-privacy/#clearBrowsingData
Finally, IMA ITALIA indicates the website link of the third party described in art. 3 above: www.youtube.com

5. Data subject’s rights

5.1. In relation to the user's personal data, IMA ITALIA informs that the relevant data subject pursuant to art. 4 n. 1) of GDPR has the right to exercise the following rights which may be subject to the limitations provided for in art. 2 undecies and 2 duodecies of Privacy Code: right of access pursuant to art. 15 of GDPR: right to obtain confirmation as to whether or not personal data concerning the data subject are being processed, as well as the information referred in art. 15 of GDPR (e.g. purpose of processing, storage period); right to rectification under art. 16 of GDPR: right to correct, update or supplement personal data; right to erasure under art. 17 of GDPR: right to obtain erasure or destruction or anonymisation of personal data, where, however, the conditions listed in the same article apply; right to restriction of processing under art. 18 of GDPR: right to obtain the restriction of the processing of personal data in the cases governed by art. 18 of the GDPR; right to data portability under art. 20 of GDPR: right to obtain the personal data provided to IMA ITALIA in a structured, commonly used and machine-readable format (and, where required, to transmit them directly to another Data Controller), where the specific conditions set out in that article are met (e.g. legal basis of consent and/or execution of a contract; personal data provided by the data subject); right to object under art. 21 of GDPR: right to obtain the cessation, on a permanent basis, of a specific processing of personal data; right to lodge a complaint with the Privacy Guarantor under art. 77 of GDPR: right to lodge a complaint where it is considered that the processing under analysis violates national and EU legislation on the protection of personal data.

5.2. In addition to the rights described in art. 5.1. above, IMA ITALIA specifies that, in relation to the personal data of the data subject, there is, where possible and conferring, the right to exercise, on the one hand, the (sub)right provided for art. 19 of GDPR ("The controller shall communicate to each of the recipients to whom the personal data have been transmitted any rectification or erasure or restriction of processing carried out pursuant to article 16, article 17(1) and article 18, unless this proves impossible or involves a disproportionate effort. The data controller shall inform the data subject of such recipients if the data subject so requests"), to be considered connected and related to the exercise of one or more of the rights regulated in articles 16, 17 and 18 of GDPR; on the other hand, IMA ITALIA specifies that, in relation to the personal data of the data subject, there is, where possible and conferring, the right to exercise the right provided for in art. 22(1) of GDPR ("The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning him or her or significantly affects him or her in a similar way"), subject to the exceptions provided for in paragraph 2 below.

5.3. Pursuant to article 12 paragraph 1) of GDPR, IMA ITALIA undertakes to provide the User with the communications referred in art. from 15 to 22 and 34 of GDPR in a concise, transparent, intelligible, easily accessible and plain language form: such information shall be provided in writing or by other electronic means, or, at the User's request, orally provided that the User's identity is proven by other means.

5.4. In accordance with article 12 paragraph 3) of GDPR, IMA ITALIA informs you that it undertakes to provide you with information regarding the action taken in respect of a request pursuant to art. from 15 to 22 of GDPR without undue delay and, in any event, at the latest within one month of receipt of such request; this period may be extended by n. 2 months if necessary, taking into account the complexity and number of requests (in this case, the Controller undertakes to inform the user of such extension and the reasons for the delay, within one month of receipt of the request).

5.5. The user may exercise the above-described rights at any time (with the exception of the right under Art. 77 of GDPR) by using the contact details set out in art. 6.

6. Contact details

6.1. IMA ITALIA can be contacted at the following address: ufficioprotezionedati@imaitalia.it

6.2.The Data Protection Officer (DPO) ex art. 37 of GDPR, appointed by IMA ITALIA, can be contacted at the following address: dpoimaitalia@imaitalia.it

7. Social plug-ins

7.1. In accordance with EDPB Guidelines n. 8/2020, IMA ITALIA also specifies that it acts as a joint data controller under Articles 4(7) and 26 of the GDPR with certain social media providers (e.g. Linkedin), by virtue of the installation of the relevant social plug-ins within the Site, which can be easily viewed and used on the Site.

Sesto S. Giovanni (MI), 17.10.2022 (date of last update).

IMA ITALIA ASSISTANCE S.p.A. (in the person of its legal representative pro tempore)