Privacy policy

 

 

PRIVACY POLICY UNDER ART. 13 EU REGULATION 2016/679 (General Data Protection Regulation or “GDPR”)

 

DATA CONTROLLER

Azienda agricola Ota Ilija

 

PURPOSES

a.       Purchasing of goods and provision of services, replying to customers’ queries.

b.      Direct marketing, sending commercial e-mails and newsletters.

c.       Statistical purposes.

d.      Legal obligations.

LEGAL BASIS

 a.       Performance of a contract to which the data subject is party, including the provision of services, or in order to take steps at the request of the data subject prior to entering into a contract.

b.      Consent.

c.       Legitimate interest.

d.      Compliance with a legal obligation.

 

DATA RECIPIENTS

a.       Hosting and e-commerce services providers.

b.      Web marketing service providers.

c.       Delivery companies.

d.      Payment service providers.

e.       Consulting companies or firms that provide assistance in accounting, administrative, fiscal, law, tax and financial matters.

 

CATEGORIES OF PERSONAL DATA

a.       Information sent through online forms or by e-mail.

b.      Information automatically collected through the website.

 

TRANSFER OF PERSONAL DATA

 United States

 DATA STORAGE CRITERIA

 Criteria to evaluate data storage time of personal data

 

DATA SUBJECT RIGHTS

 Access, rectify, restrict processing, object to processing, data portability, data erasure, as further explained under this privacy policy.

 DATA CONTROLLER IDENTITY AND CONTACT

 Name: Azienda agricola Ota Ilija

Office location: Bagnoli della Rosandra 357, 34018 Trieste

Telephone: +39 3393727162

E-mail address: info@otaoliveoil.com

 PURPOSES OF DATA PROCESSING

A.     Allow users to purchase the Products sold through the website, provision of services and answer queries sent by the data subject.

Data Controller will process users’ personal data to offer its services, including the use of the website and the purchase of products online. Data Controller will also process personal data to answer queries from customers. If users do not accept and agree to such processing, Data Controller will not be able to provide the requested services, products and information.

 

B.     Direct marketing purpose

Data Controller may process personal data for marketing purposes, which may include sending data subjects e-mail or traditional mail related to its products.

 

C.     Statistical purposes

Data Controller reserves the right to monitor the use of the website by using Google Analytics, to understand how users browse the website and to improve its usability.

 

D.    Legal reasons or complying with legal obligations

Data Controller may be required to process certain personal data for legal reasons or to comply with legal obligations.

LEGAL BASIS

 a.      Taking steps at the request of the data subject prior to entering into a contract and for the performance of a contract, including provision of services.

 Data Controller will process users’ personal data collected through the website forms, by e-mail or telephone or automatically collected when the website is visited. Such processing is required for the conclusion and performance of the sale contract, in order to take steps at the request of the data subject prior to entering into a contract, including to allow proper functioning of the website.

 b.      Consent

 With users’ consent, Data Controller may also process personal data for direct marketing purposes, namely sending e-mails and newsletters. Users will always have the opportunity to opt-out and withdraw their consent, by contacting Data Controller directly by e-mail at info@otaoliveoil.com or by clicking the cancellation link (“unsubscribe”) found at the bottom of each e-mail received.

Users are free to give their consent or refuse it without any consequences on the services provided.

 c.      Legitimate interest

According to article 6, paragraph 1, letter f) of GDPR, Data Controller reserves the right to monitor the use of the website to improve the quality of the site and services, according to the cookie policy.

In compliance with article 13 paragraph 2 of Directive 2009/136/EC, as well as with reference to Recital (27) of Regulation 2016/679, Data Controller may use the e-mail address obtained through the online forms and in the context of the sale of its products to send users electronic communications concerning the direct marketing of its products or services, as long as these are similar to those users have purchased. Users may object immediately to receiving promotional e-mails by sending a request to the Data Controller and will have the right, at any time and free of charge, to oppose this processing for direct marketing purposes by clicking the cancellation link (“unsubscribe”) found at the bottom of each e-mail received.

d.      Legal reasons or complying with legal obligations

According to article 6, paragraph, letter f) of the GDPR, in some circumstances, Data Controller may be required to process certain personal data for legal reasons or to comply with legal obligations, regulations, laws or government authorities' orders, including for tax and accounting purposes.

 

DATA RECIPIENTS

 I.                   Hosting and e-commerce service providers

 Name: Squarespace Ireland Ltd.

Data Processor

II.                Marketing and data analytics service providers

 The following service providers process personal data according to a data processor contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

a.       The Rocket Science Group, LLC 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA (“Mailchimp”). The Rocket Science Group is the owner of a marketing automation platform known as “MAILCHIMP”. Newsletters will be sent using the Mailchimp platform. The provision of the services by Mailchimp involves it in processing the personal data on behalf of the Data Controller. Under EU Regulation 2016/679 General Data Protection Regulation (“the GDPR”) (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organization which processes personal data on its behalf governing the processing of that data. Therefore, the Data Controller has entered into a data processing agreement with Mailchimp (“Data Processor”) to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller. You can find more information on how Mailchimp is processing your personal data at the following link: https://mailchimp.com/legal/privacy/?_ga=2.212925458.74393180.1526551979-315691423.1526306073.

b.      Google LLC, having its registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, is providing analytics services. Under EU Regulation 2016/679 General Data Protection Regulation (“the GDPR”) (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organization which processes personal data on its behalf governing the processing of that data. Therefore, the Data Controller has entered into a data processing agreement https://privacy.google.com/businesses/processorterms/ to ensure compliance with the said provisions of the GDPR in relation to all processing of the personal data by the data processor on behalf of the Data Controller. Data subjects can find more information on how Google is processing personal data at the following link: https://policies.google.com/privacy?hl=it

III.             Delivery companies

Data Controller will need to communicate personal data to third party providers that deliver the Products to the Data Subjects.

 

IV.              Payment Processors

Payment data collected on the website will not be stored on Data Controller’s servers but directly on the payment processor’s servers. Data Controller uses both PayPal and Stripe as payment options on the website. Data subjects can find more information on how PayPal is processing personal data at the following link: https://www.paypal.com/it/webapps/mpp/ua/privacy-full

Payments will also be processed through Stripe Payments Europe Limited, which may transfer personal data to Stripe, Inc., its holding company located in the United States. To ensure adequate protection of personal data, Stripe, Inc. has obtained certification from the EU-U.S. and Swiss-U.S. Privacy Shield Framework. To check how Stripe processes data subjects' personal data, refer to the following link: https://stripe.com/privacy-shield-policy

V.                 Consulting companies or firms that provide assistance and consulting in accounting, administrative, fiscal, law, tax and financial matters.

Data Controller may need to disclose personal data to accounting, tax and law firms that provide assistance and consultancy services, in order to comply with legal obligations as required by the law. Data Controller will take steps to ensure that personal data is handled safely, securely, and in accordance with data subject rights.

 

CATEGORIES OF PERSONAL DATA PROCESSED

Information users send us through online forms and e-mail

Personal data collected when purchasing goods online: full name, e-mail address, contact data, address, fiscal code, VAT number, payment data. These data are freely given by users through the online forms or by e-mail and are necessary for the contract performance.

 

Information We collect automatically

The information systems and software procedures relied upon to operate this website acquire personal data as part of their standard functioning; the transmission of such data is an inherent feature of Internet communication protocols. This data category includes the IP addresses, visited pages, visitors by time/date, geographical areas of origin. These data are necessary to use web-based services and are also processed in order to extract statistical information on service usage (most etc.) and check functioning of the services.

 

DATA TRANSFER TO THIRD COUNTRIES

Data Controller will only store or transfer personal data within the European Economic Area. Data Controller will transfer personal data to a third party based in the US, as long as the data recipient is part of the EU-US Privacy Shield. This requires that third party to provide data protection to standards similar to those in Europe.

 

DATA STORAGE CRITERIA

Data storage may vary depending on the purpose of processing. All data collected for contractual purposes will be kept only for the time strictly necessary to perform our services and thereafter deleted.

Personal data may be stored, to the extent strictly necessary, for a longer period following specific regulatory obligations, including for the fulfillment of tax and accounting obligations.

When processing is subject to your consent, the Data Controller will keep the data until the user objects to such processing and withdraws consent.

 

DATA SUBJECT RIGHTS

The exercise of the data subject's rights is free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request. Under the GDPR, data subjects have the following rights:

 

a)            The right to obtain from Data Controller confirmation as to whether or not personal data concerning him/her are being processed.

b)            The right to access personal data.

c)            The right to have personal data rectified if any of his/her personal data held by data controller is inaccurate or the right to have incomplete personal data completed, including by means of providing a supplementary statement.

d)            The right to be forgotten, including the right to have personal data deleted where they are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or because the data subject withdraws the consent on which the processing is based.

e)            The right to restrict the processing of personal data according to article 18 of GDPR.

f)             The right to object to Data Controller using personal data for a particular purpose or purposes.

g)            The right to data portability. This means that, if data subjects have provided personal data to Data Controller directly, the latter is using it with his/her consent or for the performance of a contract, and that data is processed using automated means, data subject can ask Data Controller for a copy of that personal data to re-use with another service or business in many cases.

h)            Rights relating to automated decision-making and profiling.

i)             Right to file a complaint with a supervisory authority.

 

 HOW DO YOU ENFORCE YOUR RIGHTS?

Data subjects can enforce their rights at any time by sending an e-mail to the following address: info@otaoliveoil.com

Data Controller has a duty to respond to requests at the latest within one month of receiving them. This deadline may be extended by two additional months if necessary, considering the complexity and the number of requests received. In case of extension, data subjects will be informed of the delay and the reasons. If Data Controller does not take action on a data subject's request, Data Controller will inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of filing a complaint with a supervisory authority and seeking a judicial remedy.