Declaration of Authorization for the Processing of Personal Identification, Sensitive and Judicial Data former D.Lgs. N. 196/2003 and EU Regulation 2016/679

The User, also referred to as “Interested” in the meaning of the letter “i” of art. 4 D.Lgs No. 196/03, that is, “physical person, legal entity, entity or association to which personal data refers”,

Given that

  • The User/Interested is the person who accesses the website (below for brevity even just WEB SITO) performing activities of registering his Personal Data for the use of the features allowed by the website, of age and possessing the ability to understand and want, that is, subjects legally represented by parents of responsibility, guardians or curators or administrators of support or otherwise authorized representatives of the law;
  • Article 23 (“Consensus”) of D.Lgs. N. 196/03 The processing of personal data by individuals is allowed only with the express consent of the Interested provided freely and with specific reference to a treatment identified, as well as documented in writing and preceded by the information referred to in art. 13 D.Lgs. N. 196/03; similarly, the application of the EU Regulation 2016/679 for “Consensus” refers to any manifestation of the free, specific, informed and unequivocal will of the Person with whom he expresses his consent, by unequivocal declaration or positive action, that the personal data concerning him is the subject of treatment; always in accordance with art. 23 (“Consensus”) of the D.Lgs. N. 196/03 if the treatment also concerns, or only, “sensitive” data, consent must be expressed in written form except in the following: 26 paragraph 4 letter “c” whose content claims to know and whose text it acknowledges to be the one referred to at the bottom of this authorization;
  • EU Regulation 2016/679 the term “Interested” is to refer to any identified or identifiable physical person, considering identifiable the individual who can be identified, directly or indirectly, with particular reference to an identifier such as name, identification number, location data, an online identifier or one or more elements characteristic of his physical, physiological, genetic, psychic, economic, cultural or social identity;
  • EU Regulation 2016/679 “Personal Data” is understood as information, of any type, concerning the Interested, for “Genetic data” refers to data on the hereditary or acquired genetic characteristics of an individual who provide unique information about the person’s physiology or health and resulting from the examination of a biological sample, to “Biometric data” refers to personal data obtained from a specific technical treatment related to the physical, physiological or behavioral characteristics of an individual that allow or confirm unique identification, such as facial image or type data, and for “Health data” refers to personal data relating to a physical person’s physical or mental health, including the provision of health care services, which reveal information about their health.
  • EU Regulation 2016/679 for “Treatment” it is any operation or set of operations, also carried out with the help of automated processes, applied to the personal data, including collection, registration, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, comparison or interconnection, limitation, deletion or destruction; For “Cross-border treatment”It is understood to be the processing of personal data that takes place within establishments (understood as a place of directional choice of the Controller and place of effective execution of the main processing activities by the Treatment Manager) in more than one EU member state or in establishments located in a single Member State but which can have a substantial impact on stakeholders of multiple Member States;
  • EU Regulation 2016/679 for “Profiling” it refers to any form of automated processing of personal data consisting of the use of such personal data to assess certain personal aspects relating to an individual, in particular to analyse or predict aspects relating to the professional performance, economic situation, personal preferences, health, interests, reliability, behaviour, location or movements of the Person;
  • EU Regulation 2016/679 for “Pseudonymisation” it is understood to be the processing of personal data in such a way that it can no longer be attributed to a specific person without the use of additional information, provided that that additional information is stored separately and subject to technical and organizational measures to ensure that such personal data is not attributed to an identified or identifiable individual;
  • EU Regulation 2016/679 for the implementation of the EU Regulation 2016/679 “Treatment owner” refers to the physical or legal entity, the public authority, the service or other body which, individually or together with others, determines the purpose and means of processing personal data, in order to “Treatment Manager” refers to the physical or legal entity, the public authority, the service or other body that deals with data on behalf of the Treatment Holder, for “Recipient” refers to the physical or legal entity, the public authority, the service or another body that receives communications of personal data, whether it is third parties or not, to “Third” refers to a person other than the Interested, the Treatment Owner, the Treatment Manager, the persons authorized for treatment by the Owner or the Manager and the Recipient;
  • The application of the EU Regulation 2016/679 for “Control Authority” means each authority responsible for verifying the correct application of the EU Regulation 2016/679 in the Italian Republic, in particular the Rome-based Guarantee for the Protection of Personal Data, Piazza di Monte Citorio n. 121 – pec: [email protected].

In accordance with the regulatory order referred to in Article 13 (“Disclosure”) of D.Lgs No. 196/03, the content of which claims to know and whose full text recognizes to be the one referred to the note 2 at the bottom of this authorization, and under art. 7 (“Conditions for Consent”) art. 12 of the 2016/679 EU Regulation, states that it has been informed of the following before:

The identification details of the Treatment Owner are:

Massimiliano Sermisoni
Via Monte Grappa 7
24121 Bergamo BG

The Treatment Manager can be contacted at the following e-mail address: [email protected]

Any change to the name of the Treatment Manager will also be communicated at the same time as the renewal of this consent, by amending the name of the Treatment Manager.

Personal Data is treated in a lawful, correct, transparent manner and for the sole purpose of exercising the features allowed by the WEB SITE.

WEB SITE collects, records, organizes, preserves, processes, edits, selects, extracts, uses, interconnects, communicates, deletes and blocks personal data being processed for the purposes of SITO WEB, for the provision of online services offered by SITO WEB and for administrative, management, organizational, tax and accounting activities of the Treatment Holder.

Personal Data will also be collected for commercial purposes in accordance with the purpose for which the User/Interested has registered with the WEB SITO and, in any case, for purposes related and/or instrumental to the management activities of the WEB SITE, excluding – therefore – any use different and/or conflicting with the interests of the User/Interested, subject to the legal obligations of the Controller of Treatment or the Manager of Treatment.

The Personal Data processed will be exclusively limited and relevant to the exercise of the functionality of the WEB SITE to which the User/Interested has registered.

The Personal Data will be accurate and, if necessary, updated according to the instructions of the User/Interested in the registration.

Personal Data will be retained for the period necessary for the activities subject to the permitted treatment and for a maximum period of additional ten (years) ten from the termination of the allowed treatment. In any case, the treatment may never exceed that period, unless the Person agrees to renew his consent.

Personal data will be processed in ways that ensure its safety and exclude even partial loss or destruction (e.g. Firewalls, incremental and differential system backups of daily and weekly character, storage of copies on icloud or network spaces, antivirus and similar systems, modification of data access passwords for those in charge of the Appropriate Periodic Treatment Holder at least six months, Continuity Group).

To this end, it is specified that the treatment by SITO WEB does not present a high risk to the rights and freedoms of individuals; in any case, the treatment does not cover racial or ethnic origin, political views, religious beliefs, union membership, genetic or biometric data suitable to uniquely identify an individual, data relating to health, sexual life or sexual orientation or convictions for criminal offences; the profiling and marketing activities will therefore not be conducted on the basis of these data, but solely on the basis of preferences related to the product purchased or viewed through the SITO WEB platform.

The acquisition and processing of Personal Data will also be used for the purposes of anti-money laundering legislation as introduced by Community Directive No. 2001/97 Ce, from The Legislative Decree No. 56/2004 and succ. Mod. and int. ministerial implementation decrees, and is aware of the possibility of the same data being communicated to the Italian UIC Change Office to verify that the obligations are properly fulfilled.

The awarding of Personal Data is mere faculty and not obligation, except expressed legal forecasts, but it is necessary for registration to the WEB SITE and the relevant consent to treatment is a condition for registration. The awarding of Personal Data occurs whenever the person enters the WEB SITE for registration and accesses it for the management/use of the services offered by it or links his account on a third-party site to his account of the WEB SITO where allowed by the latter.

If the Person is authorized to use mobile applications linked to the WEB SITO, data relating to the person’s location is also conferred, stored and processed, including general information (e.g. IP address, postal code) and more specific information (e.g. GPS-based features on mobile devices used to access the platform or specific features of the web). If the Person accesses the WEB SITE from a mobile device and does not want the device to provide location information, he can disable GPS or other location tracking features on the device, provided this is allowed by the device.

User/Interested is aware of the Processing of “Log Data”, which are automatically recorded by our servers or server spaces, even sites at Terzi, whenever the User/Interested accesses the WEB SITE or uses it, regardless of whether or not he is a registered user or has logged in to his account; this data is, but is not limited to, the IP address, the date and time of access, text fonts, the hardware and software used for access, the sites and URLs from which it comes and exit, the number of clicks, the pages displayed and the order of those pages, as well as the amount of time spent on particular pages. This data is also the subject of a separate consent that the Interested person already issues to the Treatment Holder who carries out search engine activities in the web so browser (e.g. Google) and can be used for analytics services and to track user/interested activities resulting from interaction with the WEB SITE.

No personal user data is acquired by the WEB SITE through so-called cookies. Cookies are not used to transmit personal information, nor are persistent cookies of any kind used, i.e. systems for tracking users. The use of session cookies (which are not persistently stored on the user’s computer and vanish with the browser closure) is strictly limited to the transmission of session identifiers (consisting of random server-generated numbers) necessary to enable safe and efficient site browsing. The session cookies used on this site avoid the use of other computer techniques potentially detrimental to the confidentiality of users’ browsing and do not allow the acquisition of personal data identifying the user. Cookies to integrate third-party software products and features (Google Maps, YouTube videos, integrations with social networks, online payments, etc.) integrate features developed by third parties within the pages of the site in order to share the contents of the site or for the use of third-party software services (such as software to generate maps and additional software that offer additional services). These cookies are sent from third-party domains and partner sites that offer their functionality across the pages of the website. You can view the management of your browser’s cookies on its manufacturer’s website (e.g. Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera, etc.).

The Interested person can disable the use of cookies through his browser settings, but the practices and processing of the data will be changed as a result of a “Do Not Track” signal in the http header coming from his browser or mobile application. The activities of the Interested are tracked if he clicks on an advertisement for the services of the WEB SITO on third-party sites or platforms such as search engines and social networks.

The WEB SITE may allow Third Parties to collect information about Users’ online activities.

The Interested agrees to the transmission of Personal Data to Third Parties, also sensitive and judicial (e.g. Accountant for accounting and tax needs related to the operation of the owner’s business).

The WEB SITE may use social plugins provided and managed by Third Parties (such as the Facebook Like button, or similar Apps of Instagram, Linkedin, Google Plus or Pinterest); With the use of such plugins, the Interested person may send to Third Party the information he is viewing on a certain part of the WEB SITE. If you have not logged into your account with Third Party, the Third Party should not be aware of your identity unless you have any prior consent to the Personal Data Processing provided by the Interested directly to the Third Party. If you have logged into your account at the Third Party, then the Third Party may be able to link information relating to the Interested Person’s visit to the WEB SITE to his account at the Third Party. Similarly, its interactions with the social plugin could be recorded by the Third Party. Such ways of accessing the interested person’s data by the Third Party are unrelated to the functionality of the WEB SITE and the treatment is not carried out by the Controller or the Head of Treatment of the WEB SITE, but by the Third Party to which the Person should have allowed the data to be processed. You claim to know the privacy policy of these Third Parties and their practices in the processing of personal data and declares that you have validly authorised their treatment, exempting the Owner and the Treatment Manager for the WEB SITE from liability.

In the absence of the data necessary for registration and navigation, membership of the WEB SITE will not be accepted and/or continued and the account will not be enabled or will be deleted if consents to the renewal of the authorization for the Processing of Personal Data are denied.

The WEB SITE may allow the collection by Third Parties, prior to your permission/ Interested, of information about the online activities of the Users also for the profiling of purchases made by the User and for commercial purposes.

WEB SITE also collects and treats data for its own and Third Party commercial purposes, including, for example, user profiling (e.g. Google Analytic, Google Font), the analysis of preferences in purchase, the appearance of prices and offers, the comparison of products, marketing activities and commercial promotion, as well as the need to customize the offer of SITO WEB to the tastes and needs of the User/Interested.

If the processing of personal data, of any nature including sensitive or judicial, genetic, biometric or health-related data, is authorized, it may be available within the limits and for the purposes related to the authorised treatment, it may be available to Italian Public Persons and the relevant Italian Judicial Authorities for the institutional purposes of their own and, therefore, of those in those same locations responsible for their implementation and/or treatment.

The Controller owner does not transfer data from the Interested Person abroad or to third countries.

The Interested agrees to the processing of health, judicial, sensitive, genetic, biometric, photographic and audiovisual data.

All rights will be guaranteed as well as best specified in art. 7(“Right to access personal data and other rights”) D.Lgs. N. 196/03 whose content claims to know and whose full text recognizes to be the one reported in Note 5 at the bottom of this authorization.

You/Interested are guaranteed, under the EU Regulation 2016/679, to be exercised with a request to the Treatment Manager:

– the right of access (Article 15 of that EU Regulation) to data to verify the existence of ongoing data processing and to verify the purpose of processing, category of data processed, recipients of any communications of the given treaty, the period of retention of the given treaty, the possible existence of an automated decision-making process, including the profiling referred to in art. 22, paragraph 1 and 4 of the 2016/679 EU Regulation;

– the right to adjustment, including the integration of incomplete data (Article 16 of the EU Regulation);

– the right to the deletion (Article 17 of the EU Regulation) of data without delay at the request of the Person and obligatory if:

  • are no longer needed for treatment purposes;
  • consent for treatment is revoked;
  • The Person is opposed to the treatment under art. 21 of the EU Regulation;
  • The data was processed illegally;
  • the cancellation requirement is imposed by Italian or EU regulations.

The obligation to cancel does not apply in the case of the exercise of the right to freedom of expression and information, for the fulfillment of a legal obligation that imposes treatment, for reasons of public interest or public order that impose treatment, for the purpose of justice justifying the treatment.

– the right to the limitation of treatment (Article 18 of that EU Regulation) when the Person disputes the accuracy of the personal data processed for the period necessary for the subsequent checks, the treatment is unlawful and the Person opposes the cancellation, the Controller does not need to continue the treatment but the Person requires the continuation for the purpose of justice and for the exercise of the rights of defence in court and when the Expert has opposed the treatment. legitimate reasons for the Treatment Owner.

– the obligation for the Owner of the Treatment to communicate (Article 19 of that EU Regulation) to any Recipients of personal data processed any cancellations, adjustments, restrictions on treatment.

– the right to the portability of personal data (art. 20 of the EU Regulation) as the right to hand over to the Person on a structured format of common and durable use, readable by automatic devices, even in multiple examples, by e-mail to the address specifically indicated by the User/Interested free of charge, and as the right to transfer personal data to another Controller of treatment, without impediments, if the treatment is carried out by automated means;

– the right to object to the processing of your Personal Data (Article 21 of that EU Regulation), except for the right of the Treatment Holder to prove that there are legitimate reasons for treatment;

– the right not to be subject to automated decisions, including profiling, unless such a decision-making mode is necessary for the conclusion of the contract or the execution of the same between The Concerned and the Owner of the Treatment, is permitted by the source of national or COMMUNITY law, it may already be considered allowed by the explicit consent of the Person (Art. 22 of that EU Regulation).

The Controller Holder declares that there are no specific risks related to the treatment of the Personal Data of the Interested, to have assessed every burden and risk of preservation and treatment, and to have carefully selected the best types of precautions to ensure the confidentiality and intangibility of the personal data of the Person.

The Treatment Holder reserves the right to use any best mode of data security including encryption, pseudonymization, encryption of the personal data treated.

However, the Controller owner declares that he uses suitable anti-intrusion systems (e.g. video surveillance and alarm system) and anti-breach systems even at servers, or server spaces, in its availability or otherwise used by third parties.

The processing of sensitive and judicial personal data will be carried out within the legal limits as set out in art. 25 D.Lgs. N. 196/03 whose content claims to know and whose text recognises to be the one reported in Note 6 In the case of this authorisation, and the EU Regulation 2016/679, as well as for the purposes on display, they may also be subject to communication and/or dissemination in technical significance as best illustrated in the letters “a”, “l” and “m” of section 1 of art. 4 D.Lgs. N. This is the first time in the debate that the European Parliament has been able to reach a new level of the rules of the European Parliament.

The Treatment Holder and owner of the WEB SITE may be involved in mergers, mergers, acquisitions, demergers and in that case may divest assets of his company, including the personal data of the Interested, who acknowledges and accepts it; In this case, the Person will be informed before his personal data is transferred or otherwise subject to different policies and/or authorizations to the processing of personal data.

You are committed to keeping your personal data up-to-date and will notify the Treatment Owner of any need for change or update.

All of the above, the User/Interested spontaneously declares to authorize, in accordance with the above and more generally as provided by D.Lgs. N. 196/03 and the 2016/679 EU Regulation, the processing of your personal data.


All of the above, the User/Interested spontaneously declares to authorize, in accordance with the above and more generally as provided by D.Lgs. N. 196/03 and the 2016/679 EU Regulation, the processing of your personal data for commercial purposes, including profiling, marketing and sending commercial and promotional communications.


Legislative Decree Notice No.196 of June 30, 2003

1. ART.26 paragraph 4 letter “c” – GARANZIE FOR THE SENSITIVE DATA: “(…) 4. Sensitive data may be processed even without consent, subject to the Guarantor’s permission: c) When treatment is necessary for the conduct of the defensive investigations referred to in law 7 December 2000 n. 397 or – in any case – to assert or defend a right in court, provided that the data are processed solely for those purposes and for the period strictly necessary for their prosecution. If the data is suitable to reveal the state of health and sex life the right must be of equal rank to that of the person concerned or consisting of a right of personality or another fundamental and inviolable right or freedom (…)”.

2. ART.13 – INFORMATION: 1. The person or person with whom the data is collected are informed orally or in writing about: (a) the purpose and manner of the data’s processing; (b) the obligatory or optional nature of data delivery; (c) the consequences of possible rejection; (d) the subjects or categories of persons to whom personal data may be disclosed or who may become aware of it as managers or appointees, and the scope of dissemination of the data; (c) the rights referred to in Article 7; (f) the identifying details of the holder and, if designated, the representative in the territory of the State under art. 5 and the manager. When the holder has designated at least one of them, at least one of them is indicated, indicating to the website of the communication network the ways in which the updated list of managers is easily known. When a person has been appointed to respond to the person concerned in the case of the exercise of the rights referred to in art. 7 is indicated as a responsible person. 2. The information in paragraph 1 also contains the elements provided for by specific provisions of this code and may not include the elements already known to the person providing the data or whose knowledge may hinder a concrete performance by a public entity of inspection or control functions carried out for the purposes of defense or security of the state or prevention , investigating or cracking down on crimes. 3. The Guarantor can identify by its own measure simplified ways for the information provided in particular by telephone assistance and information services to the public. 4. If the personal data is not collected from the person concerned, the information in paragraph 1, including the categories of data processed, is given to the person concerned when the data is recorded or, when it is provided for, no later than the first communication. 5. The provision in paragraph 4 does not apply when: (a) the data are processed on the basis of an obligation under the law, regulation or Community law; (b) the data are processed for the purposes of the defensive investigations referred to in law 7 December 2000 n. 397 or, in any case, to assert or defend a right in court, provided that the data are processed solely for those purposes and for the period strictly necessary for their prosecution; (c) the information to the person concerned involves the use of means which the Guarantor – prescribing any appropriate measures – declares manifestly disproportionate to the protected right, or proves – in the judgment of the Guarantor – impossible”.

3. ART.4 – DEFINITIONS: (…) b) < personal >data, any information relating to an individual, legal entity, entity or association, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number; c) < identification >data , personal data that allows the direct identification of the person concerned; d) < sensitive >data , personal data to reveal racial and ethnic origin, religious, philosophical or other beliefs, political views, membership of religious, philosophical, political or trade union parties, trade unions, associations or organisations, as well as personal data to reveal health status and sex life; (e) < judicial data >, the personal data suitable to disclose provisions in art. 3 paragraph 1, letters from a) to (a) and from r) to u) of D.P.R. 14.11.2002 n. 313, in relation to the criminal record, the record of administrative penalties dependent on crime and the related pending charges, or the quality of a defendant or suspect under Articles 60 and 61 of the Criminal Procedure Code.”

4. ART.4 – DEFINITIONS: (…) (f) < owner >, the individual, the legal entity, the public administration and any other body, association or body to which they compete – also together with the other holder, decisions on the purpose, the manner in which personal data is processed and the tools used, including the security profile; (g) < responsible >, the individual, the legal entity, the public administration and any other body, association or body responsible for the holder to process personal data; h) < > persons authorized to carry out treatment by the owner or manager.”

5. ART. 7 – RIGHT OF PERSONAL DATA AND OTHER RIGHTS: 1. The person has the right to obtain confirmation of the existence of personal data that concerns him even if they have not yet been registered and their communication in an intelligible form. 2. You have the right to obtain an indication: (a) the source of personal data, (b) of the purpose and manner of treatment; (c) of the logic applied when treated with electronic instruments; (d) of the identification details of the holder, those responsible and the designated representative under art. 5 paragraph 2; (e) of the subjects or categories of persons to whom personal data may be disclosed or who may become aware of it as a designated representative in the territory of the State, of managers or appointees.3. You have the right to obtain: (a) updating, rectifying or – when it is of interest – data integration; b) the deletion, anonymous transformation or blocking of data processed in violation of the law, including those which do not need to be retained in relation to the purposes for which the data was collected or subsequently processed; (c) the claim that the transactions referred to in the letters ‘a’ to ‘b’ have also been made aware of their content as to those to whom the data has been disclosed or disseminated, except where such compliance proves impossible or involves the use of means manifestly disproportionate to the protected law. 4. You have the right to object in all or in Part: (a) for legitimate reasons for the processing of personal data concerning it, although relevant to the purpose of the collection; (b) to the processing of personal data relating to it for the purpose of sending advertising or direct sales material or for the completion of market research or commercial communication.”

6. ART.25 – COMUNICATION and DIFFUSION BANS: “1. Communication and dissemination are prohibited, as well as in the case of a prohibition ordered by the Guarantor or the Judicial Authority: (a) in reference to the personal data for which the deletion was ordered, i.e. when the period of time specified in art. 11 paragraph 1, letter “e”; (b) for purposes other than those indicated in the notification of the treatment, where prescribed. 2. The communication or dissemination of data requested, in accordance with the law, by police forces, the judicial authority, training and security bodies, other public entities under art. 58, paragraph 2, for the purpose of defence or security of the state or the prevention, investigation or repression of crimes”.”

7. ART.4 – DEFINITIONS: (…) > treatment < any operation or complex of operations, carried out even without the aid of electronic tools, concerning the collection, registration, organization, preservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, deletion and destruction of data even if not recorded in a database (…); l) < communication > to give knowledge of personal data to one or more determined persons, other than the person concerned, the representative of the holder in the territory of the state, the manager and those in charge in any form, including through their provision or consultation; m) < diffusion > to give knowledge of personal data to indeterminate persons, in any form even through their provision or consultation.”