Data Privacy Security

The company IMAC S.p.A., based in Montefiore dell’Aso, Via Menocchia 27, with VAT No. 00985500446, the Data Controller, pursuant to European Regulation 679/2016 and, as applicable, Legislative Decree 196/2003, (hereinafter, for the sake of brevity, referred to as the Data Controller)

HEREBY INFORMS
both registered and unregistered users who connect to the website www.imac-italia.it that the personal data collected by the company, acquired by third parties or spontaneously granted by the data subjects via the various options shown on the website (work with us, newsletters, competitions and events, etc.), shall be processed in a lawful and correct manner, in accordance with the principles set out by EC and Italian law.

The Data Controller has appointed a Data Protection Officer. The updated list of personal data processors is available and can be consulted at the administrative office. Applications and requests addressed to the Personal Data Protection Officer can be sent to the address: dpo@imac-italia.it

Data subject to processing
Browsing data:
IP address, operating system and browser used for browsing, data and time of connection and disconnection, time spent on the website, pages visited, activity carried out, location (if the relevant service is active) and any other data provided by your computer, based on its security settings.

Personal data:
name, surname, email address, telephone or radiotelephone, fax, physical address, where available, CV data, if submitted via the section “work with us”.

Purposes and legal basis of the processing
The collection and any other processing activity on the data subjects’ data acquired via the website shall be carried out by the Data Controller at the company’s offices, in accordance with the security measures and requirements set out by European Regulation 679/2016 and, as applicable, by Legislative Decree 196/2003, or by parties delegated by the Data Controller (duly selected or equipped with the necessary professionalism), using manual and computerised procedures, to enable the user to have a simple and rewarding browsing experience, to collect useful elements to improve the product range and services via the web, to execute specific requests made by the data subjects, for pre-contractual and contractual obligations, for ordinary administrative, financial and accounting activities, to ensure the proper management of customers during the marketing and sale of products, for after-sales support and to comply with legal obligations.
The processing is also intended for preparing statistics in an anonymised or pseudonymised form.
The processing, at the request of the data subject or after acquiring specific consent, may also be carried out via CRM and customer care, to find out the degree of satisfaction, tastes, preferences and habits of data subjects, for sending commercial information or marketing material, for direct marketing campaigns, for participation in games, competitions or prize draws, for involvement in events and exhibitions, for the provision of services, for market research and other procedures that are directly or indirectly attributable to the marketing activity.
The Data Controller is lawfully responsible for the legal bases of processing, for managing users’ browsing data to improve the supply of products and services via the website, for the express consent of data subjects and the obligations relating to the pre-contractual and contractual phases of the relationship. In any case, it is always possible to ask the Data Controller to clarify the specific legal basis for each processing and, in particular, to specify whether the processing is based on the law, required by an agreement or necessary to execute an agreement.

Sources and type of data
Data collection can be carried out via the company's website, by means of browsing analysis or spontaneous entry by the data subject, using the specifically created forms.
As regards registered users, the Data Controller shall process their personal details, telephone numbers and email addresses and any bank details provided for payments, in addition to other essential data for fulfilling the requests of data subjects or complying with the commitments made. Submission is therefore mandatory; in the event of failure to issue consent or withdrawal of said consent, processing cannot be carried out.
It must be emphasised that any incorrect or insufficient disclosure of the required data may result in the total or partial impossibility to execute the requests of the data subjects or obligations related to the commitments made, resulting in a possible non-correspondence between the processing results and the agreements made or with the obligations imposed by rules and regulations.
Other data, however, are collected for the sole purpose of adapting promotional campaigns, offers and, in general, the business activity, to the interests of customers and other parties that may be involved. Therefore, the submission of said data is not mandatory and any objection to processing or withdrawal of consent shall not jeopardise the establishment or continuation of the main relationship.

Data concerning children
Children under 16 years of age cannot provide data with the consent of their parent or guardian. The Data Controller shall not be responsible in any way for any false statements that may be provided by children and, should it ascertain the falsity of said statements, it shall immediately delete all personal data and any information acquired. In any case, consent to data processing by children under the age of sixteen is authorised for children aged between fourteen and eighteen solely for access to information society services. However, children under 18 years of age cannot approve or sign terms and conditions of service.

Browsing data
During their normal functioning, the IT system and software used for the corporate website acquire certain personal data, the submission of which is implicit in the use of Internet communication products.
This information cannot be stored to identify the data subjects but, by their nature, can, through processing and association with other data managed by third parties, enable the user to be identified.
This category of data concerns the IP addresses and domain names of the computer used by the user to connect to the website, the URL (Uniform Resource Locator) addresses of the requested resource, the time of the request, the method used to send the request to the server, the size of the file received, the numerical code used to specify the status of the response provided by the server (executed or error, etc.) and other parameters related to the user's operating system and computer.
These data are used only to create anonymous statistics on the use of the website and to check its correct functioning. They are normally deleted immediately after processing. They can be used and provided to law enforcement agencies and to the judiciary to ascertain responsibility in the event of damage to the website or offences perpetrated via the network.

Data transferred by the user
The compilation of any forms on the pages of the website involves the acquisition of data in the system's memory. The information is protected by an authentication system and can only be used by those in possession of the access credentials. They are also adequately updated and protected, based on the best practices available.
Requests for information via email involve storing the user’s email address, which is necessary to respond to the sender's requests. The data stored in the message are included.
The Data Controller suggests to its customers, during their requests for services and information, not to submit personal data or information concerning third parties, unless absolutely necessary.

Cookies
As with most websites, information regarding browsing on the website is stored for statistical reasons. Information can be collected thanks to the use of cookies. Cookies are small files that are transferred to your computer's hard drive when you connect to a website.
These data are not personal data, given that they do not enable the user to be identified. The data collected concern the geographical location of the service provider, the type of browser used, the IP address, the pages visited, etc. The information collected in the manner show the frequency of visits to a website and the activity carried out during browsing.
In this way, over time, it is possible to improve the contents of the website and facilitate its use.
Even companies that submit contents to the website, or whose websites can be access via link, may use cookies when the user selects the relevant link.
In these cases, the use of cookies is not under the direct control of the Data Controller. Most browsers automatically accept cookies, but it is possible to reject them or select only a few of them, according to the preferences set by the user. However, if the user prevents the uploading of cookies, some components of the website may stop working and some pages may be incomplete.

Essential technical cookies
These cookies are necessary to ensure the website’s correct and smooth operation: they enable pages to be browsed, the sharing of content, the storing of access credentials to speed up entry to the website and to keep preferences and credentials active during browsing and to improve the browsing or purchasing experience. Without these cookies is to possible to fully or partially provide the services for which the users access the website.

Statistical cookies
These cookies enable an understanding of how users use the website to be able to then assess and improve its operation and to create more content that is more appropriate to users’ preferences. For example, these cookies provide an understanding of which are the most commonly and less frequently visited, how many visitors are visiting the website, how much time is spent on the website by the average user and how visitors arrive at the website. In this way, it is possible to identify the optimal operations and most welcomed content and how the content and operation of the pages can be improved. All information collected by these cookies is anonymous and is not linked to the user’s personal data.

Third-party profiling cookies
These are cookie used by third parties that are not directly controlled by the Data Controller. The company cannot provide guarantees regarding the use that will be made of the data, the processing of which is directly operated by an external party.
Cookies from these third-party operators offer advanced features, as well as more information and personal functions. This includes the possibility of sharing content through social networks and having a personalised experience of the website, based on preferences expressed through the pages visited.
If you have an account or use the services of said other data controllers, they may be able to know that user has visited the company’s website. The use of data collected by these external operators through cookies is subject to their privacy policies. Third-party profiling cookies are identified with the names of the respective operators and can be deactivated.

Managing cookies
By selecting the OK button shown on the superimposing banner, the installation of cookies on the device used by the data subject is authorised. It is possible to change the settings of downloaded cookies through the browser's features. In this way, it is also possible to prevent the installation of third-party cookies and remove previously installed cookies, including those containing preferences regarding cookies. To adjust or change the browser settings, the software or application manufacturer's guide must be referred to. Deactivating cookies may result in the malfunctioning of the website or a part thereof.

Third-party websites
The website, even only periodically, may contain links to third-party websites and applications (Widget by Google AdWords, Analytics, YouTube, Vimeo, etc.), to provide the user with additional services and information. When the user uses these links, he or she leaves the company website and accesses other resources that are not under the direct control of the Data Controller, which, therefore, shall not be responsible for browsing-related procedures, the security and processing of personal data operated by the other websites, even in the presence of co-branding or even if the company logo is displayed. A careful examination of security and confidentiality procedures of the visited website is recommended, given that the website may transmit additional cookies, read those already present on the user's hard drive and request/acquire further personal information.

Newsletter management services
The newsletter is managed by a software that uses a database of email addresses to send notifications to registered users (via the specific section of the website), which also provides for an automatic deletion procedure which the data subject can use independently, referred to by each notification submitted by this application.

Interaction with social networks and external platforms
The website, via widgets and buttons, can interact with external platforms and social networks. In this case, the information acquired depends on the settings of the profiles used by the user on each social network and not by this website's administrator.
Facebook's “Like” button, Twitter’s “tweet” button, LinkedIn’s “Post” button, etc., enable pages or topics of the website to be shared with the respective social platforms and acquire the data subject's data. Additional information can be acquired through the websites of the companies providing the service. In this case, data are not managed by the website of the Data Controller, which links these buttons only to provide the data subject with an additional service but has no control over them.

Communication and dissemination
The data processed via the website are exclusively of a common nature and are not intended for dissemination. The Data Controller does not require and has no interest in collecting and processing data classified by the Regulation as “specific” (medical, genetic, biometric, etc.) or “criminal” , notwithstanding its legal obligations.
Data must be transferred to third parties in the fulfilment of obligations resulting from laws or regulations (Institutions, Law Enforcement Agencies, Judicial Authorities, etc.) or for activities directly or indirectly associated with the relationship established. This includes, by way of example, but is not limited to, the following:

• Parties that need to access the data subject’s data for purposes associated with the relationship with the Data Controller (Credit Institutions, Financial Intermediaries, Electronic Money and Payment Management Institutions, Debt Collection Companies, Customer Verification Companies, Carriers, etc.);
• Consultants, collaborators, service companies, within the limits necessary to carry out the task assigned by the Data Controller;
• Subsidiaries and/or associated companies that may access the data, within the limits strictly necessary to carry out tasks assigned by the Data Controller.

Data retention times
The data processed by the Data Controller, notwithstanding its legal obligations, shall be kept until its express request for deletion by the data subject and, in any case, periodically verified, including with the use of automatic procedures, in order to ensure the updating of said data and effective compliance with the processing purposes. If the purpose for which they were acquired is no longer applicable, the data shall be deleted, unless they are to be processed to protect rights in court, due to regulatory obligations or due to the express request of the data subject. On completion of the processing and following deletion, the data subject's rights can no longer be exercised.

Rights of the data subject
ata subjects are entitled to the rights referred to in Articles 15 to 22 of the GDPR 679/2016 and, insofar as is applicable, those referred to in Article 7 of Legislative Decree 196/2003. The data subject is specifically entitled to withdraw his or consent to data processing at any time, to request its rectification, updating, transformation into anonymous form, including partially limiting its use, requesting its portability and possible deletion. The rights can be exercised within the limits in which the processing is mandatory for legal or regulatory provisions. Requests relating to exercising the rights of the data subject can be addressed to the Data Controller at the following address: privacy@imac-italia.it. If the data subject is not satisfied with the Data Controller’s or Data Protection Officer's reply to his or her requests, may make a complaint to the Personal Data Protection Authority, based in Rome, Piazza di Monte Citorio no. 121, www.garanteprivacy.it