Privacy Policy

Pursuant to Art. 13 EU Regulation 2016/679 and Art.3 (4) Data Protection Act 2018

Dear Data Subject,

Cosaporto considers the protection of the personal data of its actual and/or potential users to be of fundamental importance.

With this document (the “Privacy Policy“), we intend to renew our commitment to you to ensure that the processing of personal data collected through browsing on our platform is carried out in full compliance with the protections and rights recognized by the Regulation (EU) 2016/679 (“GDPR” or “Regulation“) and the Data Protection Act 2018 (the “Data Protection Act”), by the additional applicable rules on the protection of personal data (the “Privacy Law“).

The term personal data refers to the definition contained in Article 4 paragraph 1 of the Regulations and art.5 of the Protection Data Protection Act, “any information concerning an identified or identifiable natural person; an identifiable person is any natural person who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more features of his or her physical, physiological, genetic, mental, economic, cultural, or social identity” (“Personal Data”). This Disclosure Statement – drafted on the basis of the principle of transparency and including all the elements required by Article 13 of the Regulations and article 3 of the Data Protection Act – is intended to describe how the site is managed www.cosaporto.it (“Web Site”), in reference to the processing of Personal Data of users/visitors.

We will also provide you, in a simple and intuitive way, with all the useful and necessary information so that you can give your Personal Data in a conscious and informed way and, at any time, exercise your rights under the GDPR.

THE DATA CONTROLLER

The company that will process your Personal Data for the purposes set out in this Notice and, therefore, will play the role of data controller, ossia “la persona fisica o giuridica, l’autorità pubblica, il servizio o altro organismo che, singolarmente o insieme ad altri, determina le finalità e i mezzi del trattamento dei dati personali” is Cosaporto UK Limited, with registered office in 38 Craven Street, London – United Kingdom, Vat N. 12845570 (“Cosaporto UK”).

Cosaporto UK is held by Cosaporto S.r.l., with headquarter in Via Sardegna n. 40, 00187 – Rome, VAT n. 14202471000 (“Cosaporto”).

JOINT CONTROLLERS

With regard to the processing of Personal Data carried out for the purposes of Direct Marketing, Non-Direct Marketing, Cosaporto and Cosaporto UK hold the role of a Co-Processor within the meaning and effect of Article 26 of the Regulations.

To this end, the Joint Data Controllers have entered into a co-processing agreement by which they have undertaken to:

  1. jointly determine certain purposes and methods of processing the Personal Data of the data subjects;

  2. to jointly determine, in a clear and transparent manner, the procedures for providing you with timely feedback should you wish to exercise your rights, as provided for in Articles 15, 16, 17, 18 and 21 of the Regulation as well as in the cases of portability of Personal Data provided for in Article 20 of the Regulation, as better described within the appropriate Section of this Policy;

  3. jointly define this Policy in the parts of common interest, indicating all the information required by the Regulation.

The essential content of the agreement is available from each Data Controller and can be provided upon special request by the Data Subjects, to be forwarded to the contacts in the appropriate Section of this Policy.

DATA PROTECTION OFFICER

Cosaporto, in order to facilitate relations with stakeholders, has appointed its own Data Protection Officer (“DPO”), identified in SAPG Legal Tech S.r.l. with headquarter in Corso Europa n. 7, 20122 – Milano (MI).

As provided in Article 38 of the GDPR and articles 69,70 and 71 of the Data Protection Act, you may freely contact the DPO for all matters related to the processing of your Personal Data and/or in case you wish to exercise your rights as provided in this Notice, by sending a written communication to the e-mail address: dpo.privacy@sapglegal.com.

PURPOSE AND LEGAL BASIS FOR PROCESSING

While browsing the Site, Personal Data may be processed according to the purposes and related legal bases set forth below.

  1. Improving the browsing experience and monitoring the proper functioning of the Site

    The computer systems and software procedures used to operate the Site acquire, in the course of their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes, but is not limited to: IP addresses, the type of browser used, operating system, domain name and addresses of websites from which access or exit was made, information about the pages visited by users within the Site, access time, length of stay on the individual page, internal path analysis, and other parameters related to the user’s operating system and computer environment.

    Such technical/informational data are collected and used only in an aggregate, non-identifying manner and could be used to ascertain liability in the event of hypothetical computer crimes against the Site.

    The processing will be legally based on the legitimate interest of the Data Controller in the best operation of its systems, optimization and improvement of the browsing experience, avoidance of fraudulent activities and improvement of the security of the Site (art. 6, paragraph 1, letter f) of GDPR).

  2. Allow you to enjoy the service requested as a result of filling out an online form, i.e., by way of example but not limited to purchasing the products and services offered on the Site, or subscribing to the platform, which allows you to manage your profile and preferences

    In order for the Controller to carry out the processing activities for this purpose, it will be necessary to provide the Personal Data requested in the appropriate forms. If you fail to fill in even one of the fields marked as mandatory, it may not be possible to process your Personal Data and, consequently, provide you with the requested information and services.

    This purpose of processing is legitimized by the execution of pre-contractual measures or the contract to which you are a party (ex art. 6 paragraph 1 (b) GDPR).

  3. Establish, exercise or defend a right of the Data Controller in judicial and/or extrajudicial proceedings

    The legal basis for the Holder’s exercise or defense of a right will be that of legitimate interest, as defined in Article 6(1)(f) of the GDPR.

  4. Joint Controllers Direct Marketing

    This term means the performance of promotional activities (by both automated and traditional methods) of the services of your interest provided by the Controller. With regard to this direct marketing purpose, it should be clarified that, by virtue of Article 6 paragraph 1 letter f) of the Regulations and Article 130 paragraph 4 of the Privacy Code (so-called soft spam exception), the Controller may carry out this activity based on its legitimate interest, regardless of your explicit consent, as better explained in Recital 47 of the Regulations in which it is “considered a legitimate interest of the Controller to process personal data for direct marketing purposes.” This will be possible as a result of the evaluations made by the Controller regarding the possible and possible prevalence of your interests, fundamental rights and freedoms requiring the protection of Personal Data over its own legitimate interest in sending direct marketing communications. Moreover, you may lawfully and at any time (even partially) object to receiving promotional communications, without in any way affecting the processing for the other purposes.

    Such processing, therefore, will be legally based on the legitimate interest of the Controller in accordance with Article 6(1)(f) of the Regulations.

  5. Communication of your data to third parties for their Direct Marketing purposes. In particular, for sending – by automated contact methods (such as sms, mms e-mail) and traditional methods (such as telephone calls with operator) – promotional and commercial communications, advertising material related to offers of services/products, reporting of company events, as well as carrying out market studies and statistical analysis by third parties specified above, with respect to the Data Controller, to whom the data are communicated.

    This purpose of processing is legitimized by your optional, free and revocable consent at any time (pursuant to Art. 6(1)(a) of the GDPR).

  6. Direct Marketing Activities by the Data Controller in favor of third parties: sending – by automated methods of contact (such as sms, mms, e-mail) and traditional (such as telephone calls with operator) – promotional and commercial communications, advertising material related to offers of services/products, reporting of company events, as well as carrying out market studies and statistical analysis by the Data Controller on behalf of third parties.

    This purpose of processing is legitimized by your optional, free and revocable consent at any time (pursuant to Art. 6(1)(a) of the GDPR).

  7. Profiling Purposes, i.e. analysis of habits, preferences, behaviors, interests inferred, by way of example, from online actions on profiles and/or sections of the Site in order to send you commercial communications.

    The processing of your personal data for profiling purposes will take place, in case of your consent, with data processing tools that, following cross-referencing, will create a commercial and behavioral profile of you on the web. Such data processing tool will relate the data collected during your browsing on the Site through the use of first-party profiling cookies accepted by you with the data collected through the completion of the online form. In addition, such data and/or information, will be associated with any and/or additional data and/or information already in our possession as a result of your membership in our services.

    If you have given consent (in whole or in part) to the processing of your Personal Data for the above purposes, you may at any time revoke it in whole and/or in part without affecting the lawfulness of the processing based on the consent given prior to revocation. Any revocation of consent will require the Data Controller to cease the processing activities of your Personal Data for these purposes. The procedures for revoking consent are very simple and intuitive: all you need to do is contact the Controller using the contact channels reported to you within this Notice.

    This purpose of processing is legitimized by your optional, free and revocable consent at any time (pursuant to Art. 6(1)(a) of the GDPR).

  8. Contact us

    If requested by you through the completion of the appropriate form, Personal Data will be processed to respond to your requests for information on the services provided by Cosaporto S.r.l. The Data Controller, in order to proceed with generic marketing activities and those with respect to which you have given consent, will create a master profile referring to you internally in its centralized management system (CRM). Your possible request to opt-out with respect to generic marketing activities and/or the revocation of any consents you may have given will not result in the deletion of the aforementioned master profile from the CRM as well, unless you exercise your right to deletion in the manner provided for in this policy in the section entitled “Rights of the Data Subject.” Once the above retention periods have elapsed, the Personal Data will be destroyed, deleted or anonymized, consistent with the technical procedures for deletion and backup and with the accountability requirements in the hands of the Data Controller.

    Please note that consent is free, optional and revocable. Therefore, where only one consent is requested under any form, where it is given, it will be understood to be specific to that purpose and no other purpose that provides the legal basis for consent.Si ricorda che il consenso è libero, facoltativo e revocabile. Pertanto, laddove sotto un qualsiasi form venga richiesto un solo consenso, laddove venga rilasciato, si intenderà specifico per quella finalità e nessun’altra finalità che preveda la base giuridica del consenso.

    This purpose of processing is legitimized by the execution of pre-contractual measures or the contract to which you are a party (ex art. 6 paragraph 1 (b) GDPR).

SUBJECTS TO WHOM PERSONAL DATA MAY BE COMMUNICATED

Your Personal Data may be managed, on behalf of the Data Controller, exclusively by personnel expressly authorized to process it (pursuant to art. 29 of the Regulations and art. 2 – quarter decies of the Privacy Code and by third parties expressly appointed as data processors (pursuant to art. 28 of the Regulations and art.83 of the Data Protection Act), in order to properly carry out all processing activities necessary to pursue the purposes set out in this Notice.

For the purpose of explanation only, the following are some categories of parties to whom your Personal Data may be disclosed:

  1. business partners of the Controller who provide services, as data controllers or autonomous data controllers, for the purposes referred to in Article 6 paragraph 1 letter b) of the Regulation

  2. third party providers of support and advisory services as data controllers or autonomous data controllers, for the purposes referred to in Article 6 paragraph 1 letter b) of the Regulations;

  3. subjects and authorities whose right of access to Personal Data is expressly recognized by law, regulations or measures of competent authorities;

  4. transferees of company or business unit, companies resulting from possible mergers, demergers or other transformations of the Holder’s company.

Should you wish to become aware of which parties have come into possession of your Personal Data as a result of your dealings with the Controller, you may contact the Controller by sending a communication to the e-mail address below.

RETENTION TIME OF PERSONAL DATA

In accordance with the principle of storage period limitation (Art. 5.1 letter e) of the Regulations and Art.39(1) of Data Protection Act, your Personal Data will be processed by the Data Controller only to the extent necessary to fulfill the purposes set out in this Notice.

Specifically, your Personal Data will be stored:

  1. For the purposes of Paragraph 2(a), for the time necessary for the provision of services on the Site; in the case of the purchase of products or services, the data will be kept for an additional 10 years after the conclusion of the contract, in accordance with the relevant legal requirements;

  2. For the purposes of Paragraph 2(b), until you opt out, if any, while data detailing the promotional and commercial activities carried out will be kept for 10 years after the collection of each data item;

  3. For the purposes referred to in Paragraph 2, letter c), for the duration of the complaint and/or the out-of-court and/or judicial proceedings until the time limits for the availability of judicial protection and/or appeals have been exhausted;

  4. For the purposes of Paragraph 2(d), regarding master and contact data until you opt-out, while data regarding the details of promotional and commercial activities carried out will be kept for 10 years after the collection of each data;

  5. For the purposes set forth in Paragraph 2(e) until your revocation of the consent given. Revocation of consent does not affect the lawfulness of processing based on consent before revocation;

  6. For the purposes set forth in Paragraph 2(f), until your revocation of the consent given. Revocation of consent does not affect the lawfulness of the processing based on the consent before revocation;

  7. For the purposes set forth in Paragraph 2(g), until your revocation of the consent given. Revocation of consent does not affect the lawfulness of processing based on consent prior to revocation;

  8. For the purposes of Paragraph 2(h), after the request has been processed, for the ordinary limitation period of 10 years.

Once the aforementioned retention periods have elapsed, the Personal Data will be destroyed, deleted or anonymized, compatible with the technical cancellation and backup procedures and with the Data Controller’s accountability requirements. In particular, following your opposition and/or your possible revocation of consent, the Data Controller will continue to process your Personal Data in order to have evidence that you will no longer need to be sent informative and promotional marketing material (directly and/or on behalf of third parties) and/or that your data should no longer be disclosed to third parties.

RIGHTS OF DATA SUBJECTS AND HOW TO EXERCISE THEM

You may at any time exercise your rights under Article 45 of Data Protection Act and Articles 15 and following of the Regulations against the Controller. In particular, you have the right to obtain:

  1. Confirmation that your Personal Data is or is not being processed and to obtain access to the data and the following information: purpose of the processing, categories of Personal Data, recipients and/or categories of recipients to whom the data has been and/or will be disclosed as well as the relevant retention period;

  2. The rectification of your inaccurate Personal Data and/or the integration of incomplete Personal Data, including by providing a supplementary statement

  3. The deletion of your Personal Data and the restriction of processing in the cases provided for by the GDPR and current privacy legislation ove applicabile,

  4. the portability of your Personal Data and, in particular, the possibility to request the direct transmission of your Personal Data to another data controller;

  5. the opposition to the processing at any time, for reasons related to your particular situation, to the processing of your Personal Data in full compliance with current privacy regulations.

To exercise your rights, you can contact the Data Controller at the following e-mail address, attaching a copy of your ID: info@cosaporto.it.

In any case, if you believe that the processing of Personal Data is contrary to the Privacy Policy, you will always have the right to lodge a complaint with the competent supervisory authority (Guarantor for the Protection of Personal Data) pursuant to art. 77 GDPR and art.99 of the Data Protection Act.

PLACES OF PROCESSING

Your Personal Data will be processed by the Data Controller within the territory of the United Kingdom and the European Union.