Privacy notice on the processing of personal data pursuant to Regulation (EU) 679/2016 carried out through the Internet website * .gianlucavacchi .com (hereinafter the “Website”) also using COOKIES

(version no. [1] of [3 December 2019])

The version applicable from time to time is available at https://gianlucavacchi.com/en/privacy

The following privacy notice (hereinafter “Website Privacy Notice”) is provided by GVLIFESTYLE S.R.L., in its capacity as Data Controller (hereinafter “Controller”), to the Data Subject, in compliance with the provisions of Regulation (EU) 679/2016 (hereinafter “Regulation”).

The Website Privacy Notice is provided by the Controller to the Data Subject also in accordance with the provision on cookies issued by the Italian Data Protection Authority (hereinafter “Provision on Cookies”), available at the following URL: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3118884 .

With this document the Controller wishes to provide all Data Subjects with information on the processing of any personal data concerning them carried out through the Website and the Cookies used by the Website, while stressing its commitment and attention to the protection of the rights of the Data Subject.

Furthermore, the Website Privacy Notice provides information on how to manage cookies.

The Website Privacy Notice is provided solely for the Website and therefore does not concern other websites, pages, or online services accessible via hyperlinks published on the Website but referring to resources external to the domain.

The Controller reserves the right to amend the Website Privacy Notice at any time and at its own discretion. Any change shall take effect as of the date of publication of the amended version of the Website Privacy Notice on the Website.

Additional and more detailed clarifications on the purposes of processing and on other useful information are outlined in the policies of each service.

In any case, the Controller guarantees that the processing of personal data will be based on the principles of correctness, lawfulness, transparency, protection of confidentiality and protection of the rights of the Data Subject.

By accessing the Website and using its services, the User confirms that he or she has read and understood the Website Privacy Notice.

Table of contents

Data Controller and contact details........ 2

Data Protection Officer (DPO) and contact details........ 2

Types of data processed, methods of processing, purposes of processing, retention periods and/or criteria to determine retention periods, legal basis.......... 2

(i) Browsing data........... 2

(i).1. Purposes of processing..... 2

(i).2. Retention periods........ 2

(i).3. Legal basis.......... 3

(ii) Data provided by the Data Subject........ 3

(ii).1. Purposes of processing..... 3

(ii).2. Retention periods........ 3

(ii).3. Legal basis.......... 3

(iii) Data acquired through cookies, methods of processing, purposes of processing, retention periods, and legal basis 4

(iii).1. How to disable and/or reject cookies........ 5

(iii).2. Additional information on third-party cookies........ 5

(iii).3. Purposes of processing (summary of the data outlined in the table above).........

(iii).4. Retention periods (see table above)......... 6

(iv).5. Legal basis.......... 6

Voluntary provision of personal data........... 6

Recipients and categories of recipients of personal data, and type of data known to them..

Rights of the Data Subject........ 7

Amendments..... 8

Data Controller and contact details

Name: GVLYFESTYLE S.R.L.

Italian tax code: 03320921202

Registration with the Business Register of Bologna: no. 509866

Registered Office: Castenaso, Via Tosarelli, 184 (BO), Italy

e-mail: info@gianlucavacchi.com

Certified e-mail address: gvlyfestyle@legalmail.it

Tel.: +39 340 4624 950

For any requests concerning the processing of personal data, use the following contact details:

e-mail: info@gianlucavacchi.com

Certified e-mail address: gvlyfestyle@legalmail.it

Tel.: +39 340 4624 950

Data Protection Officer (DPO) and contact details

The Controller has not appointed a Data Protection Officer (DPO) because the Controller believes that the processing carried out or the types of data processed do not fall within the scope of the cases provided for by Article 37 et seq. of Regulation 679/2016.

Types of data processed, methods of processing, purposes of processing, retention periods and/or criteria to determine retention periods, legal basis

The categories of personal data subject to processing are as follows: (i) browsing data; (ii) data provided by the Data Subject; (iii) data acquired through cookies.

The data is processed using automated means and IT systems owned by and/or available to the Controller.

(i) Browsing data

During normal operation, the IT systems, applications and software procedures responsible for the functioning of the Website, collect personal data the transmission of which is implicit in the use of Internet communication protocols.

This category of personal data includes: (a) IP address or domain name of the computer and terminal used by the Data Subject; (b) the URI/URL addresses of the resources requested; (c) the time of the request; (d) the method used to submit the request to the server; (e) the size of the file obtained in response to the request; (f) the numerical code indicating the status of the response given by the server; (g) the search engine used to find the link to the Website, subsequently used to access the site; (h) other parameters related to the OS and the IT environment used by the Data Subject to access and browse the Website.

(i).1. Purposes of processing

The browsing data referred to in item (i) is processed in order to:

(a) allow for the use of the Website

(b) check the correct operation of the Website and maintain the Website

(c) establish responsibility in the case of offences against the Controller committed through the Website or against the Website

(d) obtain statistical information on the use of the Website in aggregate and anonymous form

(i).2. Retention periods

The browsing data referred to in item (i) is retained for a period not longer than thirty days and is erased immediately after its aggregation and anonymisation, except in the case when the judicial authority needs this data to ascertain the occurrence of offences.

(i).3. Legal basis

The legal basis for the processing of the browsing data referred to in item (i) consists of the following alternative and/or concurrent criteria: (1) legitimate interest of the Controller, in accordance with Article 6(1)(f) of the Regulation, in ensuring proper use of the Website and in preventing possible computer crimes; (2) consent by the Data Subject pursuant to Article 6, paragraph 1, letter a) and, if applicable, Article 9, paragraph 2, letter a) of the Regulation, also expressed through relevant behaviour, including the continued browsing of the Website [As for the expression of consent through this type of behaviour, see the provision of the Data Protection Authority of 8.5.2014, paragraph 1, letter e)].

(ii) Data provided by the Data Subject

When the Data Subject voluntarily sends messages to the Controller’s addresses, also via e-mail, or fills out forms that he or she later submits to the Controller, the latter acquires the contact details of the Data Subject as well as any other data provided by the Data Subject (for example, data contained within the message sent). The disclosure by the Data Subject of personal data of a particular nature and/or personal data concerning third parties is prohibited.

It is understood that the Controller, should it wish to acquire personal data for other specific purposes, shall provide the privacy notices required pursuant to Articles 13 and 14 of the Regulation, in relation to said further purposes.

(ii).1. Purposes of processing

The data provided by the Data Subject is processed (1) to fulfil the communication requirements between Controller and Data Subject, in accordance with the needs of the latter, and possibly also to (2) send requests for information in addition to that which is already on the Website. In the event of further and more specific processing operations carried out through the Website by the Controller, the latter shall from time to time provide to the Data Subject an additional and more detailed policy on the protection of personal data (for example, in relation to the services requested or if the Website contains specific processing such as the subscription to newsletters or the submission of CVs in response to job postings). Only in the case where there is a material and effective risk of dispute or offences committed through the abovementioned means of communication, can the data be processed (3) to defend or establish legal claims or (4) to allow the competent public authorities to make the necessary inquiries.

(ii).2. Retention periods

The data provided by the Data Subject as referred to in item (ii) is retained for the time strictly necessary to fulfil the communication requirements, as well as the requests, of the Data Subject in relation to the content specified therein, unless there is a need to establish or defend legal claims, or a dispute (in these cases the retention periods are linked with the abovementioned defensive needs and the deadlines may take into account evidentiary needs, limitation and prescription periods, even ten-year periods, as well as any need to establish the occurrence of offences, also on the part of the competent authorities). Furthermore, it is understood that the Controller shall have the right to provide for different retention periods within specific policies issued with reference to additional services provided through the Website or for other purposes, for which it shall provide a specific and separate policy on the protection of personal data including the retention periods thereof.

(ii).3. Legal basis

The processing referred to in item (ii) is founded on the following legal grounds, concurrent and/or alternative depending on the individual case: (A) legitimate interest of the Controller, in compliance with the provisions set forth in Article 6(1)(f) of the Regulation, in allowing for the performance of communication activities related to its business activity or for the purposes of requests of additional information or to react to any offences committed through its IT systems; (B) consent by the Data Subject pursuant to Article 6, paragraph 1, letter a) and, if applicable, Article 9, paragraph 2, letter a) of the Regulation, given by clicking on the consent button next to the policy on the protection of personal data within the message submission form, or in any case expressed through relevant behaviour, including the conscious and voluntary submission of the message to the Controller, through the tools made available on the Website that also contain this privacy notice; (C) establishment or defence of legal claims or in any case in the event of dispute, whenever the need arises in relation to the messages submitted by the Data Subject [Article 9, paragraph 2, letter f), of the Regulation].

(iii) Data acquired through cookies, methods of processing, purposes of processing, retention periods, and legal basis

Cookies can be defined as «small strings of text that websites visited by a user send to his or her terminal (generally the browser), where they are stored and then retransmitted to the same websites the next time the user visits them. When browsing a website, the user may receive on his or her terminal also cookies sent by other websites or web servers (so called “third parties”), which may contain some elements (such as images, maps, sounds, links to pages of other domains) hosted on the website that he or she is visiting. Cookies, usually present in users’ browsers in very large numbers and sometimes even for a considerable amount of time, are used for different purposes: computer authentication, session monitoring, storage of information on specific configurations concerning users accessing the server, etc.» (see Provision on Cookies)

It is necessary to take into account that there are different categories of cookies, classified according to objective (non-persistent cookies, also known as session or browsing cookies; persistent or functionality cookies; analytical cookies with anonymised IP and analytical cookies without anonymised IP; profiling cookies) and subjective (cookies installed by the Controller or the Website manager, so called “editor” or “first party”; cookies installed by others, so called third parties) criteria.

More specifically, this Website uses the following cookies, for the purposes and retention periods outlined below.

Nome del Cookie

Breve descrizione

Tecnico non persistente

Tecnico persistente

Prima parte

Terza parte

Profilazione

IP Address anonimizzato

Finalità

Tempo di conservazione

_ga

Used by Google to distinguish users.

X

X

X

Used by Google to distinguish users.

2 years

_gid

Used by Google to distinguish users.

X

X

X

Used by Google to distinguish users.

24 hours

_gat

Used by Google to throttle request rate.

X

X

Used by Google to throttle request rate.

1 minute

_fbp

This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising.

X

X

Used by Facebook to deliver a series of advertisement products on Facebook.

3 months

fr

This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising.

X

X

Used by Facebook to deliver a series of advertisement products on Facebook.

3 months

/tr

This pixel will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising.

X

X

Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.

player

Vimeo’s embeddable video player uses cookies essential to the video player experience.

X

X

We use Vimeo to embed videos onto our website. These cookies are used by Vimeo to collect analytics tracking information.

1 year

vimeo

Vimeo’s embeddable video player uses cookies essential to the video player experience.

X

X

We use Vimeo to embed videos onto our website. These cookies are used by Vimeo to collect analytics tracking information.

1 month

vimeo_gdpr_optin

Vimeo’s embeddable video player uses cookies essential to the video player experience.

X

X

We use Vimeo to embed videos onto our website. These cookies are used by Vimeo to collect analytics tracking information.

10 years

vuid

Vimeo’s embeddable video player uses cookies essential to the video player experience.

X

X

We use Vimeo to embed videos onto our website. These cookies are used by Vimeo to collect analytics tracking information.

2 years

continuous_play_v3

Vimeo’s embeddable video player uses cookies essential to the video player experience.

X

X

We use Vimeo to embed videos onto our website. These cookies are used by Vimeo to collect analytics tracking information.

1 year

.AspNetCore.Antiforgery.{xyz}

Used to secure users’ sign-in .

X

X

X

Per session

.AspNetCore.Cookies

Used to remember users’ credentials for next login.

X

X

X

14 days

This Website does not use cookies that are not expressly listed in the table above.

(iii).1. How to disable and/or reject cookies

Generally, the Data Subject has the possibility, at any time, to set his or her browser in such a way as to accept all cookies, or only some of them, as well as to reject them, by disabling their use by the Website.

Furthermore, the Data Subject can normally set the preferences on his or her browser so as to be warned any time a cookie is stored in the memory of his or her device.

Also, at the end of each browsing session, the Data Subject can delete from his or her hard disk both the browser cache and the cookies stored. The deactivation of cookies by the Data Subject on his or her device does not compromise nor affect in any way his or her interaction with the Website.

Below are the links that explain how to disable cookies on the most popular browsers (for other browsers we recommend users look for this option in the software help section).

- Internet Explorer: https://windows.microsoft.com/it-IT/internet-explorer/delete-manage-cookies#ie=ie-10

- Edge: https://support.microsoft.com/it-it/help/4027947/windows-delete-cookies
- Google Chrome: https://support.google.com/chrome/answer/95647?hl=it

- Mozilla Firefox: http://support.mozilla.org/it/kb/Gestione%20dei%20cookie?redirectlocale=en-US&redirectslug=Cookies

- Opera: http://help.opera.com/Windows/10.00/it/cookies.html

- Apple Safari: http://www.apple.com/it/privacy/use-of-cookies/

The functions of individual cookies can also be deactivated through a specific page provided by the EDAA (European Interactive Digital Advertising Alliance) available for consultation at the following URL http://www.youronlinechoices.com/

Even if the user withdraws his or her consent to the use of third-party cookies, the cookies may have already been stored on the user’s device before withdrawal of consent. Due to technical reasons, it is not possible to delete these cookies, however the user’s browser allows the Data Subject to delete them through the privacy settings. These include the option “Clear browsing history” that can be used to delete cookies and other site and plug-in data.

(iii).2. Additional information on third-party cookies

As for third-party cookies installed through the Website, the obligation to issue the privacy notice and request the user’s consent lies with the third parties, but the Controller (the Website), as technical intermediary between third parties and data subjects (the Website’s users), is required to include in its extended privacy notice the updated links to the privacy notices and consent forms of the said third parties.

- Google: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

- Vimeo: https://vimeo.com/cookie_policy

- Facebook: https://en-us.facebook.com/policies/cookies/

- LeadPages: https://www.leadpages.net/privacy

(iii).3. Purposes of processing (summary of the data outlined in the table above)

(a) allow for the use of the Website

(b) monitor the correct operation of the Website and maintain the Website

(c) obtain statistical information in aggregate and anonymous form on the use of the Website

(d) prevent and/or counter computer crimes committed using the Controller’s Website

(e) optimise the business offer also through target and selected analyses

(f) send ads and/or business proposals based on the user’s data profiling to provide information and business proposals in line with the Data Subject’s interests

(iii).4. Retention periods (see table above)

As for the retention periods of the data processed using cookies, see the information outlined in the table above (Note: session cookies are only retained for the duration of a browsing session, while other cookies are retained for a longer period of time, as outlined in the table).

(iv).5. Legal basis

The legal basis for the processing of data for the purposes referred to in items (iii).3.a. and (iii).3.b. is as follows: (1) legitimate interest of the Controller, in compliance with the provisions of Article 6(1)(f) of the Regulation, in ensuring proper use of the Website, improving the browsing experience and the interaction with the user, and preventing and/or countering any computer crimes committed using the Website; (2) consent to the processing of personal data – pursuant to Article 6, paragraph 1, letter a) and Article 9, paragraph 2, letter a), of the Regulation – given by clicking the corresponding button or by adopting a behaviour that manifests said consent, in accordance with the provision on cookies issued on 8.5.2014 by the Data Protection Authority, such as continuing to browse by accessing another area of the Website or by clicking an element contained within the Website (e.g. an image or link or the abovementioned button) or any other element (without prejudice to the right of the user to deny or limit the use of cookies by properly setting his or her browser or following the directions provided in this extended privacy notice).

The use of cookies for the purposes referred to in item (iii).3.c. does not constitute processing of personal data and therefore no legal basis is required for cookies that only process anonymous – hence non personal – data. Where cookies process personal data anonymising it through one or more automated technical operations in order to obtain aggregate and anonymous statistics on the use of the Website, the legal basis is the consent to the processing of personal data.

The legal basis for the processing of data for the purposes referred to in items (iii).3.e. and (iii).3.f. is the free, explicit and informed consent given by the Data Subject. Said consent can be withdrawn at any time.

Voluntary provision of personal data

Unless specified otherwise, the provision of personal data by the Data Subject is optional. However, failure to provide personal data may hinder or prevent: as for the data referred to in items (i) and (iii), the full and correct browsing of the Website or the delivery of a better service when interacting with the Website; as for the data referred to in item (ii), the correct communication between Data Subject and Controller, hence the fulfilment of the requests voluntarily submitted by the Data Subject through the Website’s communication channels.

Although the deactivation (or restriction of the operation) of third-party cookies does not compromise the use of the Website by the Data Subject, it may, as explained above, hinder its overall function or the browsing experience.

Recipients and categories of recipients of personal data, and type of data known to them

In order to fulfil the purposes described above, the personal data of the Data Subject shall be disclosed to the Controller’s employees, persons treated as such and collaborators, who shall act as data processors and/or persons in charge of the processing.

The following entities, appointed by the Controller as data processors, pursuant to Article 28 of the Regulation, are also recipients of the data collected:

Linxs srl, as service provider for the development, delivery, operational management and maintenance of the Website’s technological platforms.

The complete and updated list of data processors can be requested at the registered office of the Controller or by contacting the Controller using the contact details listed on this Website Privacy Notice.

The personal data of the Data Subject may also be disclosed, as part of their tasks and duties, to the Data Protection Officer (DPO) appointed by the Controller. Finally, the user’s personal data may also be disclosed to the competent authorities whenever specific legal requirements exist, namely in the case of offences committed by the users, if the Controller is aware of them, without this implying a general duty of surveillance by the Controller.

If there are third-party cookies, any data processed through them may be processed by the said third parties, if so envisaged by the privacy notice (namely, for the provision of the service), without prejudice to the right of the Data Subject to block the use of these cookies through the settings of his or her browser or in the ways explained in this extended privacy notice [see paragraph (iii).2 above].

Rights of the Data Subject

Furthermore, in accordance with the provisions of the Regulation, the Data Subject may exercise the rights set forth in articles 15 to 21 of the Regulation, namely:

- right of access pursuant to Article 15 of the Regulation, which gives users the right to obtain confirmation that their personal data is being processed and, if so, to obtain access to the said data – and a copy thereof – as well as the following information: a) purposes of processing; b) categories of personal data processed; c) recipients to which the data has been or will be disclosed; d) retention period of the data or criteria used; e) rights of the Data Subject (rectification and erasure of personal data, restriction of processing, and right to object); f) right to lodge a complaint; g) right to receive information on the origin of his or her personal data, if it is not acquired from the Data Subject; h) the existence of an automated decision-making process, including profiling (where applicable);

- right to rectification pursuant to Article 16 of the Regulation, meaning the right of the Data Subject to obtain, without undue delay, the rectification of inaccurate personal data and/or the integration of incomplete personal data;

- right to erasure (so called “right to be forgotten”) pursuant to Article 17 of the Regulation, that is, the right of the Data Subject to obtain, without undue delay, the erasure of his or her personal data if: a) the data is no longer necessary in relation to the purposes for which it is has been collected or otherwise processed; b) the Data Subject withdraws his or her consent and there is no other legal ground for processing; c) the Data Subject successfully objects to the processing of personal data; d) the data is unlawfully processed; e) the data has to be erased to fulfil a legal requirement; f) the personal data has been collected in relation to the offer of information society services referred to in Article 8, paragraph 1, of the Regulation. The right to erasure does not apply if the processing is necessary to comply with a legal obligation or to carry out a task in the public interest or to establish, exercise or defend legal claims;

- right to restriction of processing pursuant to Article 18 of the Regulation, which is the right of the Data Subject to obtain restriction of processing when: a) the Data Subject contests the accuracy of personal data; b) the processing is unlawful and the Data Subject objects to the erasure of personal data and request restriction of its use instead; c) the personal data is necessary to the Data Subject for the establishment, exercise and defence of legal claims; d) the Data Subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Data Subject;

- right to data portability pursuant to Article 20 of the Regulation, namely the right of the Data Subject to obtain, in a structured, commonly used and machine-readable format, his or her personal data provided to the Controller and the right to transmit said data to another Controller without hindrance, where the processing is based on consent and is carried out using automated means. The Data Subject shall also have the right to have his or personal data transmitted directly by GVLIFESTYLE S.R.L. to another Controller, where technically feasible;

- right to object pursuant to Article 21 of Regulation, which gives the Data Subject the right to object, at any time, to the processing of his or her personal data which is based on a condition of legitimacy of the legitimate interest, including profiling, unless the Controller has legitimate grounds for processing which override the interest, rights and freedom of the Data Subject, or for the establishment, exercise or defence of legal claims;

- right not to be subject to an automated decision-making process pursuant to Article 22 of the Regulation, which means that the Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless said decision is necessary to enter into or perform a contract or the Data Subject has given his or her consent. In any case, an automated decision-making process shall not concern the personal data of the Data Subject and the User may, at any time, obtain human intervention of the Controller, express his or her point of view, and contest the decision;

- right to withdraw consent at any time. The withdrawal must be as easy as giving consent and shall not affect the lawfulness of processing based on consent before its withdrawal.

The Data Subject shall also have the right to lodge a complaint with the Italian Data Protection Authority, Piazza Venezia no. 11 - 00187 Rome (Italy), or to refer the case to the judicial authorities.

The Data Subject may exercise the abovementioned rights towards the Controller by using the contact details provided herein.

Pursuant to Article 12 of the Regulation, the exercise on the part of the Data Subject of the abovementioned rights is free of charge. However, in the event of manifestly unfounded, excessive or repetitive requests, the Controller may charge a reasonable fee taking into account the administrative costs of managing or denying the request.

The Controller, also through designated structures, shall act on the request and provide without undue delay – and in any case within one month of receipt of the request – information on action taken on the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

Finally, if the Controller has doubts on the identity of the natural person making the request, the Controller may request any additional information necessary to confirm the identity of the Data Subject.

Amendments

The Controller may make changes to this privacy notice. Users are therefore invited, either when accessing the Website and/or at any time, to read the privacy notice on the processing of personal data in its updated version, made available to the data subjects for consultation.