COOKIE POLICY
CROMACAP S.r.l. (Tax Code and VAT No. 11380420965) in the person of its legal representative, with registered office in Via Paolo Veronese 2 – 20145 – Milano (MI), in its capacity as Data Controller pursuant to Articles 4 no. 7) and 24 of the EU Regulation no. 2016/679 (GDPR), hereby illustrates the cookie policy (“Policy”) referring to this website https://cromacap.it/en/ (“Website”).
1. Legal Framework.
1.1. The Policy is based on the following EU and/or national (first and/or second level) regulatory provisions: (i) Directive no. 2002/58/EC of 12.7.2012 (the “ePrivacy Directive”), as amended by Directive no. 2009/136/EC; (ii) Art. 122 of the amended Legislative Decree no. 196/2003 (Privacy Code), which transposed the ePrivacy Directive into the national legal system; (iii) GDPR: Articles 4 no. 11), 7, 12, 13, 25 and 95 (as well as, in particular, Recitals no. 30, 32 and 173); (iv) Guidelines no. 5/2020 adopted on 4.5.2020 by the EDPB, replacing the Guidelines of 10.4.2018 signed by WP Art. 29; (v) Measure No. 231 of 10.6.2021 [web doc. no. 9677876] signed by the Italian Data Protection Authority (Garante Privacy); (vi) Recommendation No. 2/2001 of WP Art. 29; (vii) Opinion No. 2/2010 of WP Art. 29; (viii) Opinion No. 4/2012 of the WP Art. 29; (ix) Guideline No. 8/2020 of the EDPB; (x) Guideline No. 8/2020 of the EDPB; (viii) Measures No. 224 of 9.6.2022 [web doc. no. 9782890], No. 243 of 7.7.2022 [web doc. no. 9806053] and No. 254 of 21.7.2022 [web doc. no. 9808698] signed by the Privacy Guarantor.
2. Cookies and other tracking tools: definition and classification.
2.1. “Cookies” are, as a rule, strings of text that a website (“publisher” or “first party”) visited by the user or a different website (“third party”) places and stores, directly (in the case of the first party website) or indirectly (through the latter, in the case of the third party website), in a terminal device available to the user: in this regard, the Privacy Guarantor has specified the fact that the information, encoded in cookies, may include both personal data under Article 4 No. 1) of the GDPR (e.g. IP address; user name; email address; unique identifier) as well as non-personal data ex art. 3 no. 1) of EU Regulation no. 1807/2018 (e.g. language; type of device used).
Alongside (or in addition to) them, ‘other tracking tools‘ may exist (and therefore be used), which can be subdivided into ‘active’ (which have almost the same characteristics as cookies) and ‘passive’ (e.g. finger printing).
2.2. In addition to the described intrinsic characteristics, cookies (and other tracking tools) may have different peculiarities in terms of time (and, therefore, be considered “session” or “permanent” , depending on their duration), from a subjective point of view (depending on whether the publisher acts autonomously or on behalf of a “third party”) and, finally (but in particular), depending on the purpose of the processing pursued, so that they can be divided into two different (macro) categories:
- “technical”, used for the sole purpose of ‘carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contracting party or user to provide such service’ (Art. 122(1) of the Privacy Code).
In this regard, the Privacy Guarantor highlighted, within Provision no. 231 of 10.6.2021 (in continuity with the previous Measure on the subject of 2014), that the “analytics cookies” may well be included within the scope of cookies (or other tracking tools) of a “technical” nature (and, therefore, may be used in the absence of the prior acquisition of consent by the data subject), provided that certain conditions are met, aimed at precluding the possibility that, through their use, the direct identification of the data subject (single out) is achieved.
- “profiling”/”marketing” (so-called non-technical), used to link specific actions or recurring behavioural patterns in the use of the offered functionalities (patterns) to specific identified or identifiable subjects, in order to group the different profiles within homogeneous clusters of different sizes, so that the Data Controller can, among other things, also modulate the provision of the service in an increasingly personalised manner beyond what is strictly necessary for the provision of the service, as well as send targeted advertising messages (i.e., in line with the preferences expressed by the user when surfing the web).
3. Cookies installed on the Website.
3.1. Within the Website, the following types of cookies can/will be installed:
|
Name |
Type |
Function/Collected data |
First/third party |
Duration |
|
CookieLawInfoConsent cookielawinfo-checkbox-advertisement cookielawinfo-checkbox-analytics cookielawinfo-checkbox-functional cookielawinfo-checkbox-necessary cookielawinfo-checkbox-others cookielawinfo-checkbox-performance
|
Technical |
To store whether or not the user has consented to the use of cookies. |
First Party |
1 year |
|
_ga |
Analytical |
It records a unique ID used to generate statistical data on how the visitor uses the Website. |
First Party |
2 years |
|
viewed_cookie_policy |
Technical |
To store whether a message has been shown. |
First Party |
Persistent |
4. Browser settings.
4.1. DATA CONTROLLER highlights the possibility for the user to delete and block the operation of the cookies described in Article 3 above at any time by using the appropriate setting features within the browser used: in this regard, DATA CONTROLLER adds that, where the user decides to disable the technical cookies referred to in Article 2.2. point i), the quality and speed of the services and features offered and made available on the Website may deteriorate.
You can find information on how to manage cookies with some of the most popular browsers by visiting the following web pages:
https://support.google.com/chrome/answer/95647?hl=it
https://support.mozilla.org/it/kb/Gestione%20dei%20cookie?redirectlocale=enUS&redirectslug=Cookies
https://support.microsoft.com/it-it/help/17442
https://support.microsoft.com/it-it/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy
https://support.apple.com/it-it/guide/safari/sfri11471/mac
https://support.apple.com/it-it/HT201265
https://help.opera.com/en/latest/security-and-privacy/#clearBrowsingData
DATA CONTROLLER illustrates, below, the web pages of the third parties described in Article 3 above:
https://www.cookiebot.com
https://www.google.com
5. Rights of the data subject.
5.1. In relation to the user’s personal data, DATA CONTROLLER informs that the relevant data subject pursuant to Art. 4 no. 1) of the GDPR has the right to exercise the following rights, which may be subject to the limitations provided for in Articles 2 undecies and 2 duodecies of the Privacy Code: right of access pursuant to Art. 15 of the GDPR: right to obtain confirmation as to whether or not personal data concerning the data subject is being processed, as well as the information referred to in Art. 15 of the GDPR (e.g. purpose of processing, storage period); right to rectification ex art. 16 of the GDPR: right to correct, update or supplement personal data; right to erasure ex art. 17 of the GDPR: right to obtain the erasure or destruction or anonymisation of personal data, where the conditions listed in the same article apply; right to restriction of processing ex art. 18 of the GDPR: right to obtain the limitation of the processing where the cases governed by Art. 18 exist; right to data portability under Art. 20 of the GDPR: right to obtain personal data, provided to the DATA CONTROLLER, in a structured, commonly used and machine-readable format (and, where required, to transmit them directly to another data controller), where the specific conditions set out in that article exist (e.g. legal basis for consent and/or execution of a contractual agreement and/or execution of a contractual agreement). legal basis of consent and/or performance of a contract; personal data provided by the data subject); right of objection under Art. 21 of the GDPR: right to obtain the cessation, on a permanent basis, of a given processing of personal data; right to lodge a complaint with the Supervisory Authority (i.e. the Italian Data Protection Authority) under Art. 77 of the GDPR: right to lodge a complaint where it is considered that the processing under analysis violates national and EU data protection legislation.
5.2. In addition to the rights described in Art. 5.1. above, the DATA CONTROLLER points out that, in relation to the personal data of the data subject, there is, where possible and conferrable, the right to exercise, on the one hand, the (sub)right provided for in Art. 19 of the GDPR (‘The controller shall communicate to each of the recipients to whom the personal data have been transmitted any rectification or erasure or restriction of processing carried out pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or involves a disproportionate effort. The data controller shall inform the data subject of such recipients if the data subject so requests”), to be considered connected and related to the exercise of one or more of the rights regulated in Articles 16, 17 and 18 of the GDPR; on the other hand, DATA CONTROLLER specifies that, in relation to the personal data of the data subject, there is, where possible and conferring, the right to exercise the right provided for in Art. 22 paragraph 1) of the GDPR (“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way”), subject to the exceptions provided for in paragraph 2) below.
5.3. In compliance with Article 12 paragraph 1) of the GDPR, DATA CONTROLLER undertakes to provide the user with the communications referred to in Articles 15 to 22 and 34 of the GDPR in a concise, transparent, intelligible, easily accessible form and in simple and clear language: such information will be provided in writing or by other electronic means, if any, or, at the user’s request, will be provided orally provided that the user’s identity is proven by other means.
5.4. In compliance with Article 12 paragraph 3) of the GDPR, DATA CONTROLLER informs that it undertakes to provide the user with information regarding the action taken in respect of a request pursuant to Articles 15 to 22 of the GDPR without undue delay and, at the latest, within one month of receipt of the request; this period may be extended by no. 2 months if necessary, taking into account the complexity and number of requests (in which case, the Controller undertakes to inform the user of such extension and the reasons for the delay, within one month of receipt of the request).
5.5. The user may exercise the above-described rights (with the exception of the right under Art. 77 of the GDPR) at any time by using the contact details set out in Art. 6.
6. Contact details.
6.1. DATA CONTROLLER can be contacted at the following address: privacy@cromacap.com
7. Social plug-ins.
7.1. In compliance with the EDPB Guidelines No. 7/2020, DATA CONTROLLER also specifies that it holds the status of co-processor pursuant to Articles 4 no.7) and 26 of the GDPR with one or more social media providers (e.g. Facebook), by reason of the installation, within the Website, of the relevant social plug-in, easily viewable and usable on the Website.
Milan (MI) there 26 August 2024 (date of last update).
CROMACAP S.r.l.
(in the person of its legal representative pro tempore)