Privacy Policy
The Data Controller
The Data Controller is CARLO SESTINI S.R.L., with registered office in Milan, VIA AURELIO SAFFI 21, 20123; C.F. and P.IVA 12744310967 (hereinafter, the “Data Controller”). The Owner can be contacted at the following email addresses: info@sestini.com and / or pec: carlosestinisrl@legalmail.it
Types of Data Processed
- Navigation data
- The computer systems and software procedures responsible for the operation of this Site acquire, in the course of their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.
- This is information that is not collected to be associated with identified data subjects, but which by its very nature could, through processing and associations with data held by third parties, allow Users to be identified. This category of data includes the IP addresses or domain names of the computers used by Users who connect to the Site, the URI (Uniform Resource Identifier) notation addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters related to the operating system and the computer environment of the Users.
- These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its correct functioning.
- Cookies and other tracking tools
- Please see the extended cookie policy.
- Data provided voluntarily by the user or collected by the Data Controller
- The optional, explicit and voluntary sending of messages to the contact addresses of the Data Controller published on the Site, as well as the compilation and forwarding of forms on the Site, involve the acquisition of the sender’s contact data, necessary to respond to requests, and of any personal data voluntarily included in the text of the communication.
- The Data Controller also processes the personal data of the interested parties who access the Site in order to purchase a product present therein, such as: name, surname, tax code, home and / or residence address, scale and extension, e-mail, telephone number, possible billing address, certified e-mail address, as well as payment data, i.e. only information relating to the amount of the transaction and the status of the payment of a relative Order.
- Third-party data provided by the data subject
- Personal data of third parties provided by Users who make a purchase in order to give away a product on the Site, such as: name, surname, address of domicile and / or residence, scale and extension, telephone number.
- The user who communicates the aforementioned data of the third party is directly and exclusively responsible for their collection, communication and / or dissemination, thus relieving the Owner from any liability towards third parties and from any dispute and claim that may come to the Owner himself from third parties.
Methods and purpose of the processing
Personal data will be processed by the Data Controller in paper format and/or with automated tools for the time strictly necessary to achieve the purposes for which they were collected.
Apart from what is specified for cookies (which are regulated in the extended cookie policy), the personal data provided by Users are processed for the following purposes:
1) navigation and verification of the correct technical functioning of the Site;
2) responding to any requests from Users;
3) concluding purchase contracts relating to products on the website and managing all phases of sale, shipping, payment, invoicing, delivery, as well as, in general, all activities related to the execution of a contractual relationship with the Owner;
4) subject to the consent of the interested party, sending promotional and informative material to that party, by email, on products marketed by the Owner, even if not similar to those already purchased by the user (marketing).
The legal basis of the processing for the purposes referred to in no. 1) is the legitimate interest of the Data Controller to offer the possibility of accessing the Site and evaluating its correct functioning pursuant to art. 6, paragraph 1, lett. f), GDPR.
The provision of data for the purpose in point 1) is necessary; any refusal by the interested party to provide personal data makes it impossible to access and navigate the Site.
The legal basis for the processing referred to in no. 2) is the legitimate interest of the Data Controller to find and follow up on the requests of the interested parties pursuant to art. 6, paragraph 1, letter f), GDPR.
The provision of data for the purpose referred to in point 2) is optional, but the refusal of the interested party to provide personal data will make it impossible for the Data Controller to process the requests received and follow up on the requested service.
The legal basis for the processing referred to in no. 3) is the performance of a contract to which the data subject is a party and of any pre-contractual measures taken at the request of the data subject pursuant to Article 6(1)(b) GDPR.
Similarly, the provision of data for the purpose referred to in point 3) is optional, however the possible refusal of the interested party to provide the data makes it impossible for the Data Controller to formulate contractual proposals, manage business relations and conclude any contracts.
The legal basis for the processing referred to in paragraph 4) is the consent of the data subject pursuant to Article 6(1)(a) GDPR. The provision of data for marketing purposes is optional, but failure to grant consent will prevent the Owner from sending information and advertising material, without prejudice to the purposes of purchase or navigation.
Retention period of personal data
The navigation data are deleted immediately after their processing and, in any case, are not kept for more than 7 days from the time of collection, except for any need for the detection of crimes by the Judicial Authority.
The personal data provided through the form on the Site are processed for the time necessary to carry out the activities of management and processing of requests received and deleted after 7 days from the time of collection.
The personal data provided by the interested parties for the performance of pre-contractual activities and for the conclusion of the purchase contract are kept for the time strictly necessary to conduct the pre-contractual negotiations and, if a contract is concluded, for a maximum period of 10 years from the termination of the contract in place between the interested party and the Data Controller, understood as the date of issue of the last invoice issued in relation to it. If no contract is concluded, the personal data collected will be deleted immediately.
The retention period for data provided by the data subjects for marketing purposes is 24 months from the date on which the interested party grants consent, unless the consent given is revoked or the processing is objected to. The consent given for the marketing purposes referred to in point 4) above may be revoked freely and at any time by writing to the following email address: info@sestini.com, or through the cancellation link available in each communication made by e-mail.
Categories of recipients and areas of dissemination of personal data
The personal data of the interested parties will not be disseminated for a purpose other than that for which they were collected, but may be communicated:
- to any collaborators of the Data Controller, designated as authorized to process data by written deed;
- to third parties, independent controllers or appointed Processors or sub-processors, with which specific confidentiality agreements are concluded, such as by way of example but not limited to Authorities and supervisory and control bodies and, in general, subjects, including private individuals, entitled to request the data, Public Authorities that expressly request it to the Data Controller for administrative or institutional purposes, in accordance with the provisions of current, national and European legislation, to consultants, third-party companies of supply and IT assistance, to companies that offer maintenance services of websites and information systems, to companies that perform management services and maintenance of the Data Controller’s database, committed to the correct and regular pursuit of the purposes described and to any other person whose intervention is required.
The complete and updated list of data processors, as well as other subjects to whom personal data may be communicated, is available at the headquarters of the Data Controller and can be freely consulted upon request.
Place of processing and transfer of data
Processing takes place at the aforementioned headquarters of the Data Controller.
Personal data is stored on servers located within the European Union. In any case, it is understood that the Data Controller, where necessary, will have the right to transfer personal data also to non-EU countries. In such a case, the Data Controller hereby assures that the transfer of data outside the EU will take place in accordance with the applicable legal provisions. In the absence of an adequacy decision by the European Commission, any processing of personal data in non-EU countries will only be possible in the presence of adequate guarantees of a contractual or agreement-based nature, including binding corporate rules and standard contractual data protection clauses, by the Data Controllers and Managers involved.
In the absence of an adequacy decision or other appropriate measures as described above, the transfer and processing of personal data outside the European Union will only be carried out with the prior consent of the data subject.
Rights of the interested party
The interested party may assert their rights as expressed by EU Regulation 2016/679 (GDPR), by contacting the Data Controller at the contact details indicated above.
In particular, the Data Controller shall inform the data subject of the existence of the following rights:
- obtain confirmation of the existence or not of personal data concerning you, even if not yet registered, and their communication in an intelligible form;
- obtain the updating, the rectification of inaccurate personal data or, when interested, the integration of incomplete data, as well as the limitation of processing in the cases provided for by art. 18 GDPR;
- obtain the erasure of personal data and the anonymization or blocking of data processed in violation of the law, including those whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
- object, at any time, for reasons relating to your particular situation, to the processing of personal data concerning you, pursuant to Article 6(1)(e) or (f) GDPR, to the processing of data for direct marketing purposes, including profiling;
- receive in a structured, commonly used and machine-readable format the data provided to the Data Controller, as well as, if technically feasible, transmit them to another Data Controller without hindrance;
- withdraw the consent given at any time without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal;
- lodge a complaint with the competent supervisory authority;
- obtain a statement that the operations of erasure, rectification and limitation have been brought to the attention, including as regards their content, of those to whom the data have been transmitted, unless such fulfilment proves impossible or involves the use of means manifestly disproportionate to the right protected;
- not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which similarly significantly affects his person.