Privacy and Cookie Policy – Selk’nam Cycles

Marco Giovannenze (hereinafter the “Manager”) of Selk’nam Cycles (hereinafter the “Site”) informs that he is the Data Controller, pursuant to Articles 4, n. 7) and 24 of EU Regulation 2016/679 of April 27, 2016, relating to the protection of individuals with regard to the processing of personal data (hereinafter the “Regulation”), of personal data collected on this website. Hereinafter, the terms “Data Subject” or “User,” whether in singular or plural, shall collectively refer to individuals over the age of majority; individuals aged sixteen acting on their own; and minors under sixteen authorized by those exercising parental authority.

Personal data processing refers to any operation or set of operations performed with or without the aid of automated processes and applied to personal data or sets of personal data, even if not recorded in a database, such as collection, registration, organization, structuring, storage, processing, selection, blocking, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination, or any other form of making available, comparison or interconnection, restriction, deletion, or destruction.

The data will be processed for the following purposes, manually and/or with the support of IT or telematic means.

Identification details and contact information of the Data Controller

As required by the Transparency Guidelines WP 260/2017, the identification details of the Data Controller and all information to contact him quickly are provided below:

Marco Giovannenze, Via Aurora Fornaciari, 11 – Formigine (Italy), P.IVA 04040210363, Pec: marco.giovannenze@timpec.it

Purposes of processing

The processing we intend to carry out has the purposes listed below. In the following list, a suitable and comprehensive notice regarding the purposes of processing is provided, which will be carried out only if the user intends to take advantage of the services offered. Therefore, if the user does not make use of specific services or their navigation within the Site does not necessitate the processing of their personal data, the related processing operations will not be carried out, even though all possible purposes are specified below for informational purposes.

Below are the purposes of processing:

  • Privacy Service: to receive requests for the purchase of the services specified in the relevant section; to identify the requester and their request following the completion of a specific electronic form; to proceed with the management of the Service in accordance with the supply conditions;
  • E-Commerce Service: to receive requests for the purchase of the services specified in the relevant section; to identify the requester and their request following the completion of a specific electronic form; to proceed with the management of the Service according to the specified supply conditions;
  • Other Services: to manage all other requests received by the Controller through the various contact forms and email addresses available to users on the various pages of the Site in view of providing specific services and/or the requested information.

To allow the Manager to fulfill its obligations under any requested services, the related personal data of the interested users will be processed. Furthermore, the processing of the personal data of the interested party may also pursue pre-contractual purposes, such as responding to specific requests from the interested party (for example, through the “Contacts” section of the Site).

The categories of personal data subject to processing are represented by common personal data.

Data Retention Period

The data will be retained for the timeframes defined by the applicable regulations, specifically for ten years from the termination of the contractual relationship.

Exercise of Rights by the Data Subject

Pursuant to Articles 13, paragraph 2, letters (b) and (d), and Articles 15 to 22 of the Regulation, the data subject is informed that:

  • they have the right to request access to their personal data, rectification, or deletion of the same, or to limit the processing concerning them or to object to their processing, in the cases provided;
  • they have the right to lodge a complaint with the Italian Data Protection Authority, if competent, following the procedures and instructions published on the official website of the Authority at www.garanteprivacy.it;
  • alternatively, they have the right to lodge a complaint with another competent European data protection authority located in the place of habitual residence or domicile in Europe of the individual contesting a violation of their rights, following the relevant procedures and instructions;
  • any rectifications or deletions or limitations of processing carried out at the request of the data subject—unless this proves impossible or involves a disproportionate effort—will be communicated by the Manager to each of the recipients to whom the personal data were disclosed. The Manager may inform the data subject of such recipients if the data subject requests it.

The exercise of rights is not subject to any formal constraints and is free of charge. Only in the case of requests for additional copies of the data requested by the data subject may the Manager charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, and unless otherwise indicated by the data subject, the information will be provided in a commonly used electronic format. The specific address of the Manager to send requests to exercise the rights recognized by the Regulation is as follows: info@selknamcycles.com. No other formalities are required. The response will be provided within the timeframes set forth in Article 12, paragraph 3 of the Regulation (“The data controller shall provide the data subject with information regarding the action taken in response to a request under Articles 15 to 22 without undue delay and, in any case, no later than one month after receipt of the request. This period may be extended by two months if necessary, taking into account the complexity and number of requests. The data controller shall inform the data subject of such extension and the reasons for the delay within one month of receipt of the request. If the data subject submits the request electronically, the information shall be provided, where possible, by electronic means, unless otherwise indicated by the data subject.”)

In accordance with the Transparency Guidelines WP 260/2017 issued by the European Data Protection Authorities Group, when indicating the rights of the data subject, the data controller must specify a summary/overview of each right in question and provide separate indications regarding the right to data portability.

Specific Information on the Right to Data Portability

The Manager informs the data subject about the specific right to data portability. Article 20 of the General Data Protection Regulation introduces the new right to data portability. This right allows the data subject to receive personal data provided to the Manager in a structured, commonly used, and machine-readable format, and—under certain conditions—to transmit them to another data controller without hindrance.

Only personal data that (a) concerns the data subject, (b) has been provided by the data subject to the Manager, and (c) is processed electronically in the context of entering into a contract are portable.

Data portability includes the right of the data subject to receive a subset of the personal data concerning them processed by the Manager and to retain it for further personal use. Such retention may occur on a personal device or on a private cloud, without necessarily involving the transmission of data to another controller. Portability is a kind of enhancement and strengthening of the different right of access to personal data, also provided for in Article 15 of the Regulation.

In the event that the data subject requests portability along with the direct transmission of their data to another data controller, it is important to note that this right is subject to the condition of technical feasibility: Article 20, paragraph 2 of the Regulation states that data can be transmitted directly from one controller to another at the request of the data subject, provided that this is technically possible. The technical feasibility of transmission from one controller to another must be evaluated on a case-by-case basis. Recital 68 of the Regulation clarifies the limits of what is “technically feasible,” specifying that “there should be no obligation for controllers to adopt or maintain technically compatible processing systems.” Therefore, the direct transmission of data from the Controller to another controller may occur if it is possible to establish communication between the systems of the two controllers (transmitting and receiving) in a secure manner, and if the receiving system is technically capable of receiving incoming data. If technical barriers prevent direct transmission, the Controller will provide complete information and a detailed explanation to the data subject. Regarding the interoperability of formats aimed at ensuring portability, the Controller will comply with what is stipulated in paragraph 1021, letter (b) of Law 205/2017 (“presence of adequate infrastructures for the interoperability of formats with which data is made available to data subjects”) if applicable after May 25, 2018, and in any case within the limits clarified by the Guidelines on data portability WP242 issued by the European Data Protection Board (“The expectation is that the controller transmits personal data in an interoperable format, but this does not impose any obligation on other controllers to support that format”).

The data subject is also informed that, according to the Guidelines on data portability WP242, controllers who comply with a portability request have no specific obligation to verify the quality of the data before transmitting it. Furthermore, portability does not impose any obligation on the Controller to retain data for a period longer than necessary or beyond what is specified. Above all, it does not impose any additional obligation to retain personal data solely for the purpose of fulfilling a potential portability request.

The exercise of the right to data portability (or any other right under the Regulation) does not prejudice any of the other rights. The data subject can continue to enjoy and benefit from the service offered by the Controller even after a portability operation is completed. Portability does not result in the automatic deletion of data stored in the Controller’s systems and does not affect the originally intended retention period for the transmitted data. The data subject can exercise their rights as long as the processing carried out by the Controller continues.

The Controller commits to responding to portability requests within 30 days of receiving the request, reserving the right, under Article 12, paragraph 3 of the Regulation, to extend the response period to three months in cases of greater complexity. The portability request should be addressed to the following specific email address: info@selknamcycles.com

Summary Information on the Other Rights of the Data Subject

The Regulation grants the data subject a series of rights that, according to the Transparency Guidelines WP 260, must be summarized in their main content within the information provided. These rights are summarized below:

  • Right of access (to one’s own personal data): the right to obtain confirmation from the data controller as to whether or not personal data concerning the data subject is being processed and, if so, to obtain access to the personal data and to be informed about the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly if recipients are in third countries or international organizations; where possible, the retention period for the personal data or, if not possible, the criteria used to determine that period; if the data has not been collected from the data subject, the right to receive all available information on its origin; the right to be informed about the existence of automated decision-making, including profiling, and significant information about the logic involved, as well as the significance and expected consequences of such processing for the data subject.
  • Right to rectification and integration: The data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning them without undue delay. Considering the purposes of the processing, the data subject has the right to obtain the completion of incomplete personal data, including by providing a supplementary statement. The data controller communicates to each of the recipients to whom the personal data have been disclosed any rectifications, unless this proves impossible or involves a disproportionate effort. The data controller informs the data subject about such recipients if requested.
  • Right to erasure: the data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay (and where there are no specific grounds for retention as outlined in Article 17, paragraph 3 of the Regulation that exempt the controller from the obligation to erase) if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; or if the data subject withdraws consent and there is no other legal basis for processing; or if the data subject objects to the processing for marketing purposes or profiling, even revoking consent; if the personal data have been unlawfully processed or relate to information collected from minors in violation of Article 8 of the Regulation. The data controller communicates to each of the recipients to whom the personal data have been disclosed any erasures unless this proves impossible or involves a disproportionate effort. The data controller informs the data subject about such recipients if requested.
  • Right to restriction of processing: the data subject has the right to obtain from the data controller the restriction of processing (i.e., according to the definition of “restriction of processing” provided in Article 4 of the Regulation: “the marking of stored personal data with the aim of limiting their processing in the future”) when one of the following occurs: the data subject contests the accuracy of the personal data, for the period necessary for the data controller to verify the accuracy of such personal data; the processing is unlawful and the data subject opposes the erasure of personal data and instead requests that its use be restricted; although the data controller no longer needs the personal data for processing, they are necessary for the data subject for the establishment, exercise or defense of a right in court; the data subject has objected to processing for marketing purposes, pending verification as to whether the legitimate grounds of the data controller override those of the data subject. If the processing is restricted, such personal data are processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for important public interest reasons. The data subject who has obtained the restriction of processing is informed by the data controller before that restriction is lifted. The data controller communicates to each of the recipients to whom the personal data have been disclosed any restrictions, unless this proves impossible or involves a disproportionate effort. The data controller informs the data subject about such recipients if requested.
  • Right to object: the data subject has the right to object at any time, for reasons related to their particular situation, to the processing of personal data concerning them carried out by the controller or for the performance of a task in the public interest or related to the exercise of public powers vested in the data controller or carried out for the pursuit of the legitimate interests of the data controller or third parties (including profiling). Furthermore, the data subject, if personal data are processed for direct marketing purposes or commercial profiling, has the right to object at any time to the processing of personal data concerning them carried out for such purposes.
  • Right not to be subjected to automated decision-making, including profiling: the data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except in cases where the automated decision is necessary for the conclusion or performance of a contract between the data subject and a data controller; is provided for by law, with respect to safeguards; or is based on the explicit consent of the data subject.

Cookie Policy – Definition of “cookie”

Cookies are short text fragments (letters and/or numbers) that allow the web server to store information on the client (the browser, e.g., Internet Explorer, Chrome, Firefox, Opera…) for reuse during the same visit to the site (session cookies) or later, even after several days (persistent cookies). Cookies are stored, according to user preferences, by each browser on the specific device used (computer, tablet, smartphone).

Similar technologies, such as web beacons, transparent GIFs, and all forms of local storage introduced with HTML5, can be used to collect information about user behavior and service usage.

A cookie cannot retrieve any other data from the user’s hard drive, nor transmit computer viruses or acquire email addresses. Each cookie is unique to the user’s web browser. Some functions of cookies may be delegated to other technologies. The term ‘cookies’ refers to cookies and all similar technologies.

Based on their characteristics and usage, various types of cookies can be distinguished:

  • Strictly necessary technical cookies. These are essential cookies for the proper functioning of a website, used to manage various services related to the sites (such as login or access to restricted functions on the sites). The duration of these cookies is strictly limited to the work session, or they may have a longer retention time to remember visitor choices. Disabling strictly necessary cookies may compromise the usability and navigation experience of the website.
  • Analytics and performance cookies. These are cookies used to collect and analyze traffic and usage of a website anonymously. These cookies, while not identifying the user, allow, for example, the detection of whether the same user connects again at different times. They also enable monitoring of the system and improving its performance and usability. Disabling these cookies can be done without any loss of functionality and will be addressed in detail later.
  • Profiling cookies. These are permanent cookies used to identify (anonymously or not) user preferences and improve their browsing experience. For more information about these cookies, which are not used by the Website, we invite you to visit the dedicated section on the website www.garanteprivacy.it/cookie.

Purpose of processing and aims of session technical cookies

The cookies used on the Website serve solely to perform computer authentications, monitor sessions, and store specific technical information regarding users accessing the data controller’s servers managing the Website. In this context, certain operations on the Website may not be performed without the use of cookies, which in such cases are therefore technically necessary. For example, accessing any restricted areas of the Website and the activities that can be carried out there would be much more complex and less secure without cookies that allow identifying the user and maintaining their identification within the session.

“Technical” cookies may also be used in the absence of the data subject’s consent. Moreover, the same European body that brings together all the Data Protection Authorities of the various Member States (the so-called “Article 29” Working Party) clarified in Opinion 4/2012 (WP194) entitled “Exemption from Consent for the Use of Cookies” that the following cookies do not require the prior and informed consent of the user:

  • cookies with user-filled data (session identifier), for the duration of a session or persistent cookies limited to a few hours in certain cases;
  • authentication cookies, used for authenticated services, for the duration of a session;
  • security cookies focused on users, used to detect authentication abuse, for a limited persistent duration;
  • session cookies for multimedia players, such as cookies for “flash” players, for the duration of a session;
  • session cookies for load balancing, for the duration of a session;
  • persistent cookies for user interface customization, for the duration of a session (or slightly longer);
  • cookies for content sharing via third-party social plug-ins, for members of a social network who have logged in.

The data controller informs that only technical cookies (like those listed above) necessary for navigating the Website are operational, as they enable essential functions such as authentication, validation, management of a browsing session, and fraud prevention. They allow, for example: to identify if the user has accessed the areas of the site requiring prior authentication or validation, to manage sessions related to various services and applications, to securely store data for access, or to perform fraud control and prevention functions.

For maximum transparency, we provide below a list of technical cookies and specific operational cases on the Site:

  • The cookies implanted in the user’s/contractor’s terminal directly (which will not be used for further purposes) include session cookies used to “fill the cart” during online bookings on the Site, authentication cookies, cookies for multimedia content such as flash player that do not exceed the duration of the session, and personalization cookies (for example, for choosing the browsing language, recalling IDs and passwords with the typing of the first characters, etc.);
  • The cookies used to statistically analyze accesses/visits to the site (the so-called “analytics” cookies) pursue exclusively statistical purposes (and not profiling or marketing) and collect information in an aggregated form without the possibility of identifying individual users. In these cases, since current regulations require that clear and appropriate indications of simple methods to opt out of their installation (including any anonymization mechanisms for the cookies themselves) be provided to the interested party, we specify that it is possible to deactivate analytics cookies as follows: open your browser, select the settings menu, click on internet options, open the privacy tab, and choose the desired level of cookie blocking. If you wish to delete cookies already saved in memory, simply open the security tab and delete the history by checking the “delete cookies” box.

Third-Party Cookies

While visiting a website, you may receive cookies from sites managed by other organizations (“third parties”) that may reside in Italy or abroad.

An example present on most websites includes the presence of YouTube videos, Google APIs, the use of Google Maps, and the use of “social plugins” for Facebook/Instagram, Twitter, and LinkedIn. These are parts of the visited page generated directly by the aforementioned sites and integrated into the hosting site’s page. The most common use of social plugins is aimed at sharing content on social networks to enhance the visitor’s user experience.

The presence of these plugins involves the transmission of cookies to and from all sites managed by third parties. The management of information collected by “third parties” is governed by their respective privacy policies, which we encourage you to refer to. For greater transparency and convenience, we provide below the web addresses of various privacy policies and how to manage cookies, specifying that the Data Controller has no responsibility for the operation of third-party cookies on this Site.

Analytics Cookies

The Site uses the Google Analytics service but provides for the anonymization of IPs using the tools offered by Google. Please see the Google cookie policy for Google Analytics at the following link http://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage and learn more about how Google – a third party – uses user data at https://support.google.com/analytics/answer/6004245.

As clarified by the General Provision of the Privacy Authority on cookies dated May 8, 2014, analytics cookies are assimilated to technical cookies when used directly by the site manager to collect information, in aggregated form, about the number of users and how they visit the site: these are exactly the functionalities and purposes of processing on this Site.

You can still opt out by visiting the website http://tools.google.com/dlpage/gaoptout?hl=en. Additionally, you can refuse consent and block third-party cookies using browser plugins. By searching Google for “block and delete third-party cookies,” you will find many guides that vary depending on the operating system and browser used.

Responsibility for the Operation of Third-Party Cookies

We refer to what is stated in the General Provision of the Privacy Authority on cookies dated May 8, 2014: “There are multiple reasons why it is not possible to impose on the publisher the obligation to provide the information and obtain consent for the installation of cookies within their site, including those installed by “third parties.” Firstly, the publisher should always have the tools and the economic-legal capacity to take responsibility for the obligations of third parties and should also be able to verify from time to time the correspondence between what is declared by third parties and the actual purposes they pursue with the use of cookies. This is made very difficult by the fact that the publisher often does not directly know all the third parties that install cookies through their site and, therefore, does not know the logic underlying their treatments. Moreover, often there are subjects acting as intermediaries between the publisher and third parties, making it very complex for the publisher to control the activity of all the parties involved. Third-party cookies could also be modified over time by third-party providers, and it would be unproductive to require publishers to track even these subsequent changes.”

As stated by the Privacy Authority, this Site cannot control third-party cookies if it uses third-party services (YouTube, Google Maps, “social buttons”) for which only third parties have responsibility. Furthermore, we remind users that they can delete and block the operation of cookies at any time using browser plugins and changing settings as indicated in the various manuals contained in the browsers.

Mandatory or Optional Consent for the Operation of Cookies That Do Not Pursue Marketing Purposes

It is not mandatory to obtain consent for the operation of technical cookies or third-party or analytical cookies assimilated to technical cookies. Their deactivation and/or refusal of their operation will result in the inability to navigate the Site correctly and/or to access the services, pages, functionalities, or content available there.