Privacy Policy – ​​Data Collected via Websites and Social Media

(Pursuant to EU Regulation 2016/679 (GDPR) and Legislative Decree 101/2018)

Pursuant to ARTICLES 13-14 OF THE GDPR, the personal data of users visiting the website will be processed in accordance with the principles of fairness, lawfulness, transparency, and protection of your privacy and rights.

Pursuant to Article 13 of EU Regulation 2016/679 and in relation to the information acquired, for the purposes of protecting individuals and other subjects regarding the processing of personal data, we hereby inform you of the following:

INFORMATION COLLECTED BY THE WEBSITE (www.ciemmealimentari.it)

The company manages and operates its own showcase website, which serves as a company presentation and presentation of the various product types, as well as contact information for users to request information. However, the website is not intended to be used for online purchases and transactions for the supply of specific products and/or services. The website serves as an information portal for the products manufactured and marketed. A “customer support” or “contact” function is also provided, allowing the collection of information such as name, email address, subject, and message body.

The company website is organized into different navigation pages that users can browse according to the content and information they require. Specifically, the sections include the following:

• “Home”: This serves as a public presentation of the site and its main news and navigation topics;
• “About Us”: This section presents the company, including details regarding its core business and mission. It also displays data of public interest that helps provide users with an overview of the company’s size. Details include production facilities, global presence, the number of employees, as well as references that define the company and its business relationships.
• “Our Gnocchi”: This section presents the company’s products, divided into three main categories: “fresh products,” “ambient products,” and “frozen products,” depending on their type of preservation (temperature-controlled or otherwise), or whether they are deep-frozen.
• “Production”: This section focuses on production methods, the product manufacturing chain, and the production lines that enable the production and marketing of different product types.
• “Quality and Certifications”: The company implements certification protocols that demonstrate its high level of attention to management and production processes. This commitment is reflected in the company’s ongoing achievement of the appropriate certifications, which are constantly maintained and updated in accordance with current regulations.
• “Blog”: The blog section allows the company and customers to share recipes, video recipes, photo galleries, and culinary updates. There is also a sub-section called “Magazine,” which allows users to consult news, events, and in-depth articles.
• “Investor Relator”: The company maintains and provides users with documentary evidence pertaining to its operations, some of which are public, such as the publication of annual financial statements, while other documents are private. Access to these documents requires authentication, with users receiving access credentials after registration.
• “Contacts”: This section allows users to contact the company using the contact information provided, such as telephone and fax numbers as direct contact details, or by sending a message using the email address “info@ciemmealimentari.it” or by completing the contact form. This form requires the user to flag their acceptance of the company’s privacy policy. Furthermore, the customer service section offers the option to consult the subsections “Customer Service,” “Contacts,” “Careers,” “Privacy Policy,” and “Cookie Policy.”

The following are the main ways in which the site collects information from users:

• By requesting information about the company’s services and products;
• By correspondence, using the contact details provided;
• By subscribing to the newsletter.

It is therefore necessary that the user be able and required to have read the privacy policies before starting the data acquisition and management process. Therefore, this operating method is also proposed during the newsletter subscription phase, through which the user can register their email address.

PURPOSE OF PROCESSING COLLECTED DATA

The personal data collected may be used for a variety of purposes:

• Purposes related to the supply of products;
• Purposes related to the development of statistics and interaction with social networks/external platforms;
• Purposes aimed at ensuring the legitimate processing of data and necessary to provide the user with a service that meets their needs and expectations.

LEGAL BASIS FOR PROCESSING

The processing of personal data carried out via the website platform is based on measures aimed at fulfilling a legal obligation with the consent given by the data subject, which may be freely withdrawn at any time. The following are the main uses of the user’s personal data and the legal bases on which they are based, for activities related to the “contacts” and “newsletter” website platforms.

DATA PROTECTION

The protection of collected data is achieved through appropriate security measures, taking into account the nature, scope, context, and purposes of the processing, as well as the likelihood and/or severity of infringement of the rights and freedoms of natural persons.

All personal data is processed in full compliance with the law: it is updated and retained for the time strictly necessary to provide the services requested by the data subject, in accordance with the maximum timeframes established by law.

The processing is carried out in complete security, preventing access by third parties. At the same time, the rights of the data subject are guaranteed and never neglected, including:

• the right to access their personal data;
• the right to verify the accuracy of their data;
• the right to rectification and/or integration of their data;
• the right to erasure, restriction of processing, or objection to processing;
• the right to withdraw consent, even for individual types of processing, as well as guarantee the portability of the personal data collected.

Although the website does not offer the option of online purchases or transactions, it still uses blocking and security systems (“https”), i.e., security protocols that allow user identification (for example, Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL)). This processing is similar to the acquisition of data relating primarily to customers, identifiable as legal entities (companies and the like) and (depending on the requests received) as natural persons. The above process aims to identify the acquired data as information necessary to achieve the purposes described for commercial purposes. Commercial relationships between the company and its customers are conducted primarily within Italy, but potentially also abroad, with potential parties not operating in member states and therefore similar to third-party countries. Therefore, the acquisition and management of data for commercial purposes, and where necessary, personal data, is carried out within Italy in accordance with and in application of the provisions of EU Regulation 2016/679 and Legislative Decree 101/2018. Therefore, no data is transferred to third countries; rather, it is true that data is acquired from economic entities and operators (similar to customers) from third countries. It is specified that, in accordance with the provisions of the relevant legislation, the transfer of personal data from EU countries to “third” countries (non-EU or non-EEA countries) is prohibited (Article 25, paragraph 1, of Directive 95/46/EC), unless the country in question guarantees an “adequate” level of protection. In this regard, the European Commission has established this adequacy through specific decisions (see Article 25, paragraph 6, of Directive 95/46/EC). By way of derogation from this prohibition, transfers to third countries are also permitted in the cases mentioned in Article 26, paragraph 1, of Directive 95/46 (consent of the data subject, necessity of the transfer for contractual/pre-contractual measures, overriding public interest, etc.), as well as on the basis of contractual instruments that offer adequate guarantees (Article 26, paragraph 2, of Directive 95/46). The European Commission may determine that the level of protection offered in a given country is adequate (Article 25, paragraph 6, of Directive 95/46/EC), and therefore it is possible to transfer personal data there. The decisions adopted by the European Commission define specific agreements with the countries listed below, through the Commission decisions published on the adequacy of third countries. Below are the third-party countries concerned and the related decisions and actions taken by the European Commission, specifying that if the transfer of data to third countries becomes necessary, the operational instructions set out in the following European Commission decisions will be implemented:

• Andorra (2010/625/EU: Commission Decision of 19 October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra);
• Argentina (Commission Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection of personal data provided in Argentina – 30 June 2003);
• Australia (Europe – Australia Agreement, PNR);
• Canada (2002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act);
• Faroe Islands (2010/146/: Commission Decision of 5 March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by Faroese law on the processing of personal data);
• Guernsey (2003/821/EC: Commission Decision of 21 November 2003 on the adequate protection of personal data in Guernsey);
• Isle of Man (Commission decision of 28 April 2004 on the adequate protection of personal data in the Isle of Man);
• Israel (2011/61/EU: Commission Decision of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data);
• Jersey (2008/393/EC: Commission Decision of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey);
• New Zealand (COMMISSION DECISION 2013-65-EU-New Zealand);
• Switzerland (Commission Decision on the adequacy of the protection of personal data in Switzerland pursuant to Directive 95/46/EC – 26 July 2000);
• Uruguay (2012/484/EU: Commission Implementing Decision of 21 August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data);
• USA: Commission Implementing Decision (EU) 2016/1250 of July 12, 2016, pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield. (Privacy Shield);
• USA (USA – PNR: Commission – Decision of May 14, 2004, Customs and Border Protection);
• Commission Implementing Decision (EU) 2016/2295 of 16 December 2016 amending Decisions 2000/518/EC, 2002/2/EC, 2003/490/EC, 2003/821/EC, 2004/411/EC, 2008/393/EC, 2010/146/EU, 2010/625/EU, 2011/61/EU, and Implementing Decisions 2012/484/EU and 2013/65/EU as regards the adequacy of the protection of personal data by certain countries, pursuant to Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council;

The data processing process is carried out in complete security, preventing access by third parties.

WHAT PERSONAL DATA IS COLLECTED

Personal data that may be collected through the website includes:

• First name, last name;
• Email;
• Message;
• Email address for subscribing to the dedicated newsletter.

The aforementioned information will be used for the following purposes:

• Purposes related to the supply of products;
• Purposes related to the development of statistics and interaction with social networks/external platforms;
• Purposes aimed at ensuring the legitimate processing of data and necessary to provide the user with a service that meets their needs and expectations.

TERMS OF RETENTION OF THE USER’S PERSONAL DATA

Personal data is retained, in compliance with legal obligations, to respond to requests for clarification/resolution of any disputes and to protect legitimate interests.

PARTIES WITH WHOM PERSONAL DATA MAY BE SHARED

Your personal data may be shared with the following parties:

• Third parties who need it to provide the requested products: for example, those involved in the organization of the website (administrative, sales, marketing, legal, and system administrators) or external parties (such as third-party technical service providers, hosting providers, IT companies, and communications agencies);
• Where we are required to disclose or share your personal data to comply with a legal obligation, enforce it, or investigate actual or suspected violations with the relevant law enforcement agencies.

RIGHTS OF THE DATA SUBJECT

The data subject has the right to request at any time:

• Access to personal data (and/or a copy of such personal data), as well as further information on the processing being carried out on such data;
• The rectification or updating of personal data processed, if it is incomplete or out of date;
• The deletion of personal data from databases, if you believe the processing is unnecessary or unlawful;
• The restriction of the processing of personal data, if you believe it is incorrect, unnecessary, or unlawfully processed, or if you have objected to its processing;
• To exercise your right to data portability, i.e., to obtain a copy of the personal data concerning you provided in a structured, commonly used, and machine-readable format, or to request its transmission to another Data Controller;
• To object to the processing of personal data;
• To withdraw your consent for purposes other than statistical analysis and direct marketing.

To allow for a more expedited response to requests made in exercising the aforementioned rights, requests may be made by sending a copy of an identity document to the postal address of the registered office or to the email address: info@ciemmealimentari.it.

PROTECTION OF MINORS

To ensure the protection of minors, contact via the website is reserved for individuals legally capable, under applicable law, of entering into any contractual obligations. Pursuant to Article 8, paragraph 1, of Regulation (EU) 2016/679, minors who have reached the age of sixteen may consent to the processing of their personal data. With regard to these services, the processing of personal data of minors under the age of sixteen, based on Article 6, paragraph 1, letter a), of Regulation (EU) 2016/679, is lawful provided that it is performed by the person exercising parental responsibility. (Article 2-quinquies – Consent of minors in relation to information society services).

In compliance with the provisions regarding the protection of minors, it should be noted that Legislative Decree 101/2018, implementing the provisions of EU Regulation 2016/679, has effectively lowered the age limit to fourteen years for requesting the consent of the person exercising parental responsibility for minors under this age.