INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA OF WEBSITE USERS
The owner of this website, Boadicea Srl, in compliance with the obligations deriving from national and Community legislation (hereinafter GDPR or Regulation) and subsequent amendments, respects and protects the confidentiality of users/visitors, putting in place appropriate and proportionate security measures so as not to infringe their rights.
This information applies exclusively to the online activities of this site, in particular to the filling in of forms, requests for information or any other form of interaction with the site that involves the communication of personal data by the user. With this, the Owner pursues the objective of providing maximum transparency regarding the information that the site collects and how it uses it.
The processing will be based on the principles of lawfulness, correctness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability.
Pursuant to Articles 13 and 14 of the GDPR and current legislation, the following information is provided regarding the processing that the entity/company will carry out with the personal data:
- Data subjects
The Data Controller is Boadicea Srl, with administrative headquarters in Student and Visitor Entrance – Via XXV Luglio, Fagnano Olona (VA), C.F./P.IVA 07606900962, contactable using the e-mail address email@example.com.
- Processing methods and type of data collected
The Data Controller adopts all the technical and organisational measures necessary to secure the personal data processed. In particular, these measures are aimed at preventing unauthorised access, disclosure, modification or destruction of data, which will be collected, processed and stored in the archives, both paper and electronic, of the Data Controller and/or authorised internal subjects and external managers expressly authorised for this purpose. The processing will be carried out with the aid of both hard copy and computerised or electronic means with the logic of organising and processing personal data in such a way as to guarantee security and confidentiality.
The Owner may process some personal data of the users who interact with the web services of the site, in particular:
- browsing data: the IP address, the addresses in URI notation, the type of browser and the parameters of the device used to connect to the site, the name of the Internet Service Provider (ISP), the visitor’s origin and exit web pages, as well as details relating to the date and time of the visit and the requests sent to the site server that make it possible to browse the site, may be acquired automatically by computer systems during use of the site. Browsing data may also be used to compile anonymous statistics that allow us to understand how the site is used and to improve its structure. Browsing data may also be used to ascertain illegal activities, such as computer crimes, to the detriment of the site;
- personal contact data (name and surname, e-mail address, company name and telephone number), possibly of an economic and fiscal nature (if, for example, an invoice is requested), necessary for the performance of existing or future contractual relations with users.
No “special categories” of personal data, i.e. data that can be qualified as sensitive, are collected and processed in any way.
- Purpose of data processing
The data provided by the user or communicated by third parties will be processed for the following purposes:
- registration to the website, to the services developed or made available by the Owner, use of the related information services, management of contact or information requests;
- Establishment of contractual relationships and consequent administrative, legal and fiscal fulfilments, as well as to allow an effective management of financial and commercial relationships;
- fulfilment of obligations provided for by EU and national regulations;
- verification of the proper functioning of the site and for security reasons, in order to block attempts to damage the site itself or to cause damage to other users and in any case to ascertain and repress harmful or criminal activities.
By accessing the “Contacts” section, the site allows the visitor/user to enter messages and other information. The voluntary and explicit forwarding of such information does not require any request for consent, and the filling in of forms specifically prepared for this purpose entails the subsequent acquisition of the address and data of the visitor/user, which are necessary to respond to the requests made and/or to provide the service requested.
The information that users of the site decide to make public by means of the services and tools made available to them is provided by the user knowingly and voluntarily, thus exempting the Data Controller from any liability regarding possible violations that may be committed as a result. In fact, it is up to the user to obtain any permission to enter personal data of third parties or content protected by national and international regulations.
- Legal basis of personal data processing
The provision of personal data for the purposes referred to in points 3-1) and 3-2) is compulsory, as the processing is related to a pre-contractual and/or contractual phase or functional to a request of the interested party or required by a specific regulation. Failure by the Data Subject to provide certain personal data in relation to the aforementioned purposes may prevent the Data Controller from providing its services.
The data collected and processed for the purposes of site security and prevention of abuse and illegal activities referred to in paragraph 3-4), as well as data for the analysis of site traffic (statistics) in aggregate form, are processed on the basis of the legitimate interest of the Owner to protect the proper functioning of the site, as well as to protect the users themselves. In such cases, the user may exercise the right to object at any time (see paragraph 9. “Rights of the Data Subject”).
- Recipients of personal data
The Controller will not disseminate the data, that is, disclose them to unspecified parties in any way, including by making them available or open to consultation.
The data will be stored at the Data Controller’s headquarters and may instead be communicated to specific subjects as follows:
- authorised parties involved in the organisation of the site;
- external parties delegated for this purpose to specific processing activities and duly appointed as Data Processors pursuant to art. 28 of the Regulations, in compliance with the applicable legislation and limited to the purposes of the professional services requested and necessary;
- subjects whose right to access the data is recognised by law or by orders of the authorities;
- any third countries or international organisations, if for technical and/or operational reasons it is necessary to transfer part of the data collected to technical systems and services managed in the cloud and located outside the European Union. In this case, the processing will be regulated according to the provisions of Chapter V of the GDPR and authorised on the basis of specific decisions of the European Union and the Italian Data Protection Authority.
A complete list of all the Data Processors and those authorised to process personal data can be requested by writing to the email address firstname.lastname@example.org, or by regular mail to Ingresso Studenti e Visitatori – Via XXV Luglio, Fagnano Olona (VA).
- Place of processing
The data collected from the site are processed at the headquarters of the Data Controller and at the Web Hosting datacenter. The Web Hosting (Aruba S.p.A.), in its capacity as Data Processor, processes the personal data on behalf of the Data Controller in accordance with European legislation.
- Period of storage of personal data
The data collected will be processed exclusively for the purposes indicated above and stored for the time strictly necessary to provide the requested service. In any case, this period of time may not exceed 10 years, at the end of which the Controller will automatically delete the personal data collected.
- Rights of the interested party
The Regulations reserve specific rights to users/concerned parties. In particular, the interested party may at any time exercise the right to:
- access their personal data, obtain confirmation as to whether or not personal data concerning them are being processed and, if so, be informed of the purposes pursued by the Data Controller, the categories of data involved, the recipients to whom the data may be communicated, the applicable retention period, the existence of automated decision-making processes;
- obtain the rectification of inaccurate personal data concerning him/her without undue delay;
- obtain, in the cases provided for, the deletion of personal data concerning him/her without undue delay;
- obtain, in the cases provided for, the limitation of processing;
- to request the portability of the data he/she has provided to the Controller, i.e. to receive them in a structured, commonly used and machine-readable format, also for the purpose of transmitting such data to another Controller without hindrance from the Controller to whom he/she has provided them, within the limits established by Article 20 of the Regulation;
- to object at any time, for reasons related to his or her particular situation, to the processing of personal data concerning him or her, in the cases provided for in the Regulation;
- withdraw his/her consent at any time, as easily as it was given;
- lodge a complaint with the Data Protection Supervisor;
- obtain all available information on the source of the personal data, if such data have not been collected by the data subject himself/herself;
- to be informed without undue delay in case of a ‘data breach’, i.e. if the breach of their personal data presents a high risk for their rights and freedoms;
- to be informed of the existence of adequate safeguards if personal data are transferred to a third country or to international organisations.
All the above rights may be exercised at the request of the interested party by writing directly to email@example.com.
This information notice may be subject to periodic updates.
Personal data controller
 Legislative Decree No. 196/2003, Personal Data Protection Code, as amended by Legislative Decree 101/2018;
 European Data Protection Regulation No. 2016/679;
 Uniform Resource Identifier;
 pursuant to Article 4 of the Code and Article 9 of the GDPR;
 e.g. employees of the Data Controller and possibly of the Data Processor, including administrative staff, sales staff, system administrators;
 e.g. third party technical service providers, lawyers, hosting providers, IT companies, communication agencies;
 in particular with Google, Facebook, Twitter, Microsoft, LinkedIn, through social plug-ins and the Google Analytics service.