Privacy Policy

PRIVACY POLICY – E-COMMERCE

Information document pursuant to and for the purposes of art. 13 of Regulation (EU) 2016/679 (GDPR)

WHY THIS INFORMATION?

In accordance with Regulation (EU) 2016/679 (hereinafter "GDPR"), this page describes the methods of processing personal data. This information is provided pursuant to art. 13 GDPR. The information is not to be considered valid for other third-party websites, which may be consulted via links on this website, for which no responsibility is assumed.

Processable personal data

Personal data : any information relating to an identified or identifiable natural person (' data subject '); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (C26, C27, C30 GDPR).
Contractor/user data
Browsing data : the computer systems and software procedures used to operate this site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of computers and terminals used by users, URI/URL (Uniform Resource Identifier/Locator) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user's computer environment.
Data communicated voluntarily : the optional, explicit and voluntary sending of messages to the contact addresses indicated on this site and/or the completion of data collection forms entails the subsequent acquisition of the sender's address, necessary to respond to requests, as well as any other personal data entered.

Information about the processing of personal data carried out through Social Media platforms

Regarding the processing of personal data carried out by the managers of the Social Media platforms used by the Data Controller (such as YouTube, LinkedIn, Facebook), please refer to the information provided by them through their respective privacy policies. The Data Controller processes the personal data provided by users through the pages of the dedicated Social Media platforms, to manage interactions with users (comments, public posts, etc.) and in compliance with current legislation.

Specific information

Specific information may be present on the pages of the Site in relation to particular services or processing of the data provided.

COOKIES AND OTHER TRACKING SYSTEMS. WHAT ARE THEY? WHAT ARE THEY USED FOR?

For Cookies and other tracking systems, see the cookies policy reported in the footer of the site and at the following link .

1. WHO IS THE DATA CONTROLLER? HOW TO CONTACT HIM?

The Data Controller is ICAM SPA , with registered office in Lecco – Via Pescatori 53, 23900 Lecco (LC), in the person of its Legal Representative pro-tempore, who you can contact for any information via e-mail: privacy@icamcioccolato.it .

2. PURPOSE OF THE PROCESSING, LEGAL BASIS, DATA RETENTION PERIOD, NATURE OF THE PROVISION

PURPOSE OF THE PROCESSING

LEGAL BASIS

DATA RETENTION PERIOD

NATURE OF THE PROVISION

Browsing this website.

The data necessary for the use of web services are also processed for the purpose of:

• obtain statistical information on the use of services (most visited pages, number of visitors per time slot or day, geographical areas of origin, etc.);

• check the correct functioning of the services offered.

The data will be used to ascertain responsibility in the event of hypothetical computer crimes against the site.

The processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail, taking into account the reasonable expectations of the data subject and the activities strictly necessary for the functioning of the site and navigation itself.

(Art. 6, par. 1 letter f and C47 of the GDPR)

Interested parties are guaranteed the possibility of obtaining, upon request, information on the balancing test performed.

Browsing data will be stored for the duration of the browsing session. In any case, they will not persist for more than seven days (except for any need to ascertain crimes by the Judicial Authority).

Providing data is necessary for browsing the website.

Use of cookies and similar technologies.

See the cookies policy in the footer of the site.

For cookies and similar non-technical technologies, the processing is based on consent to the processing of personal data (art. 6 par. 1 lett. ae C42, C43 of the GDPR).

Consent is given through the banner and the site's cookie policy.

See the cookies policy in the footer of the site.

In addition to navigation, personal data will be processed for:

PURPOSE OF THE PROCESSING	LEGAL BASIS	DATA RETENTION PERIOD	NATURE OF THE PROVISION
A) ONLINE PURCHASES AND RELATED ADMINISTRATIVE-ACCOUNTING ACTIVITIES (e.g. order management, invoicing, payments, shipping processing and management of any returns, management of related pre-contractual/contractual obligations).	The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Art. 6 par. 1 lett. b) GDPR	10 years from purchase for administrative accounting purposes.	The transfer is necessary. Failure to provide the necessary data will make it impossible to conclude the contract and execute it.
B) CONTACTS AND CUSTOMER SERVICE: through the contact details indicated or by filling out the appropriate form on our website, we will collect and respond to the interested party's requests, we will provide assistance for any need related to the use of this e-commerce, the purchase of our products, the use of our services and for after-sales assistance.	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (C44). Art. 6 par. 1 lett. b) GDPR.	Maximum 12 months.	The transfer is necessary. Failure to provide the necessary data will make it impossible to be contacted, receive information and assistance.
C) SOFTSPAM - automated direct marketing via email: we will use, for the purposes of direct sales of our products or services, the email addresses provided by the interested party in the context of the sale of a product or service, without requesting consent, for promotional and commercial communications and newsletters on products and services similar to those being sold. The interested party may refuse such use, initially or on the occasion of subsequent communications. At the time of collection and on the occasion of sending each communication carried out for the purposes referred to in this paragraph, the interested party is informed of the possibility of objecting to the processing at any time, easily and free of charge. The Owner, to compare and possibly improve the results of communications, uses systems for sending newsletters and promotional communications with reports. Thanks to the reports, the Owner will be able to know, for example: the number of readers, openings, unique "clickers" and clicks; the devices and operating systems used to read the communication; the details of the activity of individual users; the details of the emails sent, emails delivered and not, of those forwarded. All this data is used for the purpose of comparing, and possibly improving, the results of communications.	Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (C47-C50). Art. 6 par. 1 lett. f) GDPR	Until opposition (opt-out).	The provision is optional. Failure to provide the necessary data will make it impossible to receive direct marketing communications via email (soft-spam).
D) DIRECT MARKETING: for sending advertising or direct sales material or for carrying out market research, commercial and promotional communications, newsletters, via automated means (email, SMS messages, fax, instant messaging, chat, chatbot, video messages, direct messaging from social networks or other types of messages). ) and traditional means (telephone call with operator and paper mail ). The communications may contain promotional activities and/or logos of third-party partners. There will be no transfer of personal data. For the complete list of group companies and partners, interested parties can write to privacy@icamcioccolato.it . The Owner, to compare and possibly improve the results of automated communications, uses reporting systems. Thanks to the reports, the Owner will be able to know, for example: the number of readers, openings, unique "clickers" and "clicks"; the devices and operating systems used to read the communication; the details of the activity of individual users; the details of the emails sent, emails delivered and not, of those forwarded. All this data is used for the purpose of comparing, and possibly improving, the results of communications.	The processing is based on consent to the processing of personal data (C42, C43). A rt. 6 par. 1 lett. a) GDPR.	Until consent is revoked (or opt-out).	The provision is optional. Failure to provide the necessary data will make it impossible to receive direct marketing communications.
E) NON-AUTOMATED PROFILING : personal data will be processed in order to carry out analyses, evaluations and to divide the interested parties into homogeneous groups for specific characteristics of company activity for better management of services and for sending targeted promotional communications.	The processing is based on consent to the processing of personal data (C42, C43). Art. 6 par. 1 lett. a) GDPR	Until consent is revoked and in any case for a maximum of 12 months.	The provision is optional. Failure to provide the necessary data will make it impossible to perform analyses and send targeted communications.
F) CUSTOMER SATISFACTION: sending surveys to verify the interested party's level of satisfaction in order to improve the offer of products and services (no marketing)	Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (C47-C50). Art. 6 par. 1 lett. f) GDPR	Until opposition (opt-out).	The provision is optional. Failure to provide the necessary data will make it impossible for the owner to process the data for the purpose of customer satisfaction.
G) RESERVED AREA : for the use of services reserved for registered users (including the creation and cancellation of the e-commerce account and technical support assistance)	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (C44). Art. 6 par. 1 lett. b) GDPR	Until the account is deactivated and for the technical time needed to disable the credentials.	The transfer is necessary. Failure to provide the necessary data will result in the impossibility of accessing the reserved area.
H) MANAGEMENT OF YOUR REQUESTS and requests from other interested parties, pursuant to articles 15 et seq. of the GDPR (rights of the interested party).	Processing is necessary for compliance with a legal obligation to which the controller is subject (C45). Art. 6 par. 1 lett. c) GDPR	5 years from the closure of the request, barring disputes	The provision of personal data is mandatory, as it is essential to be able to fulfill legal obligations.
I) Prevention and conduct of disputes and other legal matters and for defense in the event of litigation.	Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (C47-C50). Art. 6 par. 1 lett. f) GDPR	10 years, unless objected to and except for the time necessary for the defense in court.	Providing data is necessary. Failure to provide such data will prevent the achievement of the legitimate interest of the Data Controller indicated in the purposes of this point. The refusal must be balanced with the legitimate interest of the Data Controller indicated in the purposes of this point.

PURPOSE OF THE PROCESSING

LEGAL BASIS

DATA RETENTION PERIOD

NATURE OF THE PROVISION

A) ONLINE PURCHASES AND RELATED ADMINISTRATIVE-ACCOUNTING ACTIVITIES (e.g. order management, invoicing, payments, shipping processing and management of any returns, management of related pre-contractual/contractual obligations).

The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Art. 6 par. 1 lett. b) GDPR

10 years from purchase for administrative accounting purposes.

The transfer is necessary.

Failure to provide the necessary data will make it impossible to conclude the contract and execute it.

B) CONTACTS AND CUSTOMER SERVICE: through the contact details indicated or by filling out the appropriate form on our website, we will collect and respond to the interested party's requests, we will provide assistance for any need related to the use of this e-commerce, the purchase of our products, the use of our services and for after-sales assistance.

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (C44).

Art. 6 par. 1 lett. b) GDPR.

Maximum 12 months.

The transfer is necessary.

Failure to provide the necessary data will make it impossible to be contacted, receive information and assistance.

C) SOFTSPAM - automated direct marketing via email: we will use, for the purposes of direct sales of our products or services, the email addresses provided by the interested party in the context of the sale of a product or service, without requesting consent, for promotional and commercial communications and newsletters on products and services similar to those being sold. The interested party may refuse such use, initially or on the occasion of subsequent communications. At the time of collection and on the occasion of sending each communication carried out for the purposes referred to in this paragraph, the interested party is informed of the possibility of objecting to the processing at any time, easily and free of charge.

The Owner, to compare and possibly improve the results of communications, uses systems for sending newsletters and promotional communications with reports. Thanks to the reports, the Owner will be able to know, for example: the number of readers, openings, unique "clickers" and clicks; the devices and operating systems used to read the communication; the details of the activity of individual users; the details of the emails sent, emails delivered and not, of those forwarded. All this data is used for the purpose of comparing, and possibly improving, the results of communications.

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (C47-C50). Art. 6 par. 1 lett. f) GDPR

Until opposition

(opt-out).

The provision is optional.

Failure to provide the necessary data will make it impossible to receive direct marketing communications via email (soft-spam).

D) DIRECT MARKETING: for sending advertising or direct sales material or for carrying out market research, commercial and promotional communications, newsletters, via automated means (email, SMS messages, fax, instant messaging, chat, chatbot, video messages, direct messaging from social networks or other types of messages). ) and traditional means (telephone call with operator and paper mail ).

The communications may contain promotional activities and/or logos of third-party partners. There will be no transfer of personal data.

For the complete list of group companies and partners, interested parties can write to privacy@icamcioccolato.it .

The Owner, to compare and possibly improve the results of automated communications, uses reporting systems. Thanks to the reports, the Owner will be able to know, for example: the number of readers, openings, unique "clickers" and "clicks"; the devices and operating systems used to read the communication; the details of the activity of individual users; the details of the emails sent, emails delivered and not, of those forwarded. All this data is used for the purpose of comparing, and possibly improving, the results of communications.

The processing is based on consent to the processing of personal data (C42, C43). A rt. 6 par. 1 lett. a) GDPR.

Until consent is revoked (or opt-out).

The provision is optional.

Failure to provide the necessary data will make it impossible to receive direct marketing communications.

E) NON-AUTOMATED PROFILING : personal data will be processed in order to carry out analyses, evaluations and to divide the interested parties into homogeneous groups for specific characteristics of company activity for better management of services and for sending targeted promotional communications.

The processing is based on consent to the processing of personal data (C42, C43). Art. 6 par. 1 lett. a) GDPR

Until consent is revoked and in any case for a maximum of 12 months.

The provision is optional.

Failure to provide the necessary data will make it impossible to perform analyses and send targeted communications.

F) CUSTOMER SATISFACTION: sending surveys to verify the interested party's level of satisfaction in order to improve the offer of products and services (no marketing)

Until opposition

(opt-out).

The provision is optional.

Failure to provide the necessary data will make it impossible for the owner to process the data for the purpose of customer satisfaction.

G) RESERVED AREA : for the use of services reserved for registered users (including the creation and cancellation of the e-commerce account and technical support assistance)

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (C44).

Art. 6 par. 1 lett. b) GDPR

Until the account is deactivated and for the technical time needed to disable the credentials.

The transfer is necessary.

Failure to provide the necessary data will result in the impossibility of accessing the reserved area.

H) MANAGEMENT OF YOUR REQUESTS and requests from other interested parties, pursuant to articles 15 et seq. of the GDPR (rights of the interested party).

Processing is necessary for compliance with a legal obligation to which the controller is subject (C45). Art. 6 par. 1 lett. c) GDPR

5 years from the closure of the request, barring disputes

The provision of personal data is mandatory, as it is essential to be able to fulfill legal obligations.

I) Prevention and conduct of disputes and other legal matters and for defense in the event of litigation.

10 years, unless objected to and except for the time necessary for the defense in court.

Providing data is necessary.

Failure to provide such data will prevent the achievement of the legitimate interest of the Data Controller indicated in the purposes of this point.

The refusal must be balanced with the legitimate interest of the Data Controller indicated in the purposes of this point.

3. TO WHOM WILL THE PERSONAL DATA BE COMMUNICATED? DATA RECIPIENTS

Personal data will be communicated to subjects who will process the data as independent Data Controllers or Data Processors (art. 28 GDPR) and processed by natural persons (art. 29 GDPR) who act under the authority of the Data Controller and the Processors on the basis of specific instructions provided in order to the purposes and methods of processing. The data will be communicated to recipients belonging to the following categories:

Entities that provide services for the website and communication networks, including electronic mail, website hosting and management, newsletter system;
Entities that support the Data Controller in the management of direct marketing activities, subject to the consent of the interested party;
Freelance professionals, firms or companies in the context of assistance and consultancy relationships in relation to the purposes indicated in the information and e-commerce activities;
Entities that provide services for the management of the activities indicated above in the purposes (such as communication entities, press agencies, websites, e-commerce platforms, payment platform providers, etc.);
Commercial partners of the Data Controller, entities belonging to the distribution network, third parties for support of online purchases and related administrative-accounting activities and service and logistics companies, shippers and couriers (for more information click here);
Competent authorities for compliance with legal obligations and/or provisions of public bodies, upon request;

The list of Data Processors pursuant to art. 28 is available by writing to privacy@icamcioccolato.it .

4. WILL THE DATA BE TRANSFERRED TO NON-EEA COUNTRIES?

Personal data will be transferred to non-EEA countries in compliance with the limits and conditions set out in Articles 44 and following of the GDPR. In particular, the Data Controller relies on suppliers who provide adequate guarantees, specifically: Shopify (for the e-commerce platform and to process order payments) for which the transfer is based on standard contractual clauses (SCC) of the European Commission (Article 46, paragraph 2, letter c and letter d GDPR) and also to countries for which the European Commission has intervened with an adequacy assessment – Canada (Article 45 GDPR). For more information click here; Paypal (to process order payments) for which the transfer is based on the BCR – Binding Corporate Rules (Article 46 GDPR) and on standard contractual clauses (SCC) of the European Commission (Article 46, paragraph 2, letter c and letter d GDPR). For more information click here

For information on the guarantees relating to the transfer of data outside the EEA, interested parties can write to privacy@icamcioccolato.it .

5. IS THERE AN AUTOMATED PROCESS?

Personal data will be subjected to traditional manual, electronic and automated processing. It is specified that no fully automated decision-making processes are carried out. With reference to the profiling activity, possibly carried out with the express consent of the interested party as indicated in the purposes, it will be carried out through the intervention of the operator who will develop the profile of the interested party and analyze his/her habits and consumption choices, in order to improve the commercial offer and the owner's services (non-automated profiling).

6. WHAT ARE YOUR RIGHTS? HOW CAN YOU EXERCISE THEM?

Interested parties may assert their rights as expressed in articles 15 et seq. of the GDPR by contacting the Data Controller at the email address privacy@icamcioccolato.it . The Data Controller guarantees interested parties the possibility of requesting, at any time, access to their personal data (art.15), rectification (art.16), erasure (art.17), and limitation of processing (art.18). The Data Controller communicates (art. 19) any rectifications, erasures or limitations of processing carried out to each of the recipients to whom the personal data have been transmitted. The Data Controller communicates to interested parties who request it, such recipients. The Data Controller guarantees the right to portability (art.20) and, in the event of requests pursuant to art.20, will provide interested parties with the data in a structured, commonly used and machine-readable format. The interested parties have the right to object (art. 21), at any time, to the processing of data based on legitimate interest or on the performance of a task of public interest or connected to the exercise of public powers vested in the data controller, by writing to the contacts listed above with the subject “opposition”. In the event of exercising the right to object to the processing based on legitimate interest, the controller recognizes the interested parties the possibility of obtaining, upon request, information on the balancing test carried out. The interested parties have the right to withdraw the consent given, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal. In order to no longer receive automated direct marketing communications (email, SMS messages, telefax, instant messaging, chat, chatbot, video messages, direct messaging from social networks or other types) the interested parties are invited to write an e-mail to privacy@icamcioccolato.it with the subject “cancellation from automated” or to use our automatic cancellation systems provided for e-mails only (opt-out). To stop receiving traditional direct marketing communications (telephone calls with operator and postal mail) interested parties are invited to write an email to privacy@icamcioccolato.it with the subject “unsubscribe from traditional”. To stop receiving any marketing communications interested parties are invited to write an email to privacy@icamcioccolato.it with the subject “unsubscribe from marketing”. At any time interested parties are free to revoke consent to profiling (not automated) by writing an email to privacy@icamcioccolato.it with the subject “no profiling”.

In the event that the interested parties believe that the processing of personal data carried out by the Data Controller is in violation of the provisions of Regulation (EU) 2016/679, they are free to submit a complaint to the national supervisory authority , in particular in the Member State in which they habitually reside or work, or in the place where the alleged violation of the Regulation occurred (Data Protection Authority). https://www.garanteprivacy.it/ ), or to take legal action.

7. CHANGES TO THE INFORMATION NOTICE

The Owner may change, modify, add or remove any part of this Privacy Policy. In order to facilitate the verification of any changes, the information will contain the date of update of the information itself.

Updated: October 01, 2024

-->