Lume Restaurant | Privacy Policy

PRIVACY POLICY

1. INTRODUCTION

This statement provides information as required by Regulation (EU) 2016/679 about the purposes and methods of processing personal data to those who consult the pages of www.lumemilano.com, a website of Aurea S.r.l., which is the data controller.
This statement only applies to this website (www.lumemilano.com) and not to any other websites that may be consulted via links posted on this site; this data controller may in no way be deemed responsible for such 3rd party websites.
Users are informed that the hosting of this website is provided by Flywheel (Fancy Chap Inc.), whose registered office is in 1111 N. 13th St #208 Omaha, NE 68102 (U.S.A.) and whose servers hosting the website are located in Germany.

 

2. TYPES OF DATA PROCESSED

 

Navigation data
Regarding aspects of a technical/protocol nature only, please note that:
• The information systems and software procedures used to manage this site may acquire certain personal data during normal operations, transmission of which is implicit in using Internet communication protocols.
• Such information is not collected in order to be associated with identified data subjects but could by its very nature enable Users to be identified by processing of and association with data kept by third parties.
• This category of data includes the IP addresses or domain names of Users’ computers connecting to the site, URI (Uniform Resource Identifier) addresses of requested resources, time of request, method used to submit requests to the server, size of the file obtained in response, numerical code indicating the response state of the server (done, error, etc.) and other parameters relating to the User’s operating system and IT environment.
• Such data may be used to ascertain liability in the case of alleged computer crimes affecting this site.

 

Cookies
Cookies are small text files that are sent by the website visited to the User’s device (usually the browser), where they are stored in order to be able to recognize that device on the next visit. On each visit, in fact, cookies are re-sent to the site by the User’s device.
Each cookie usually contains: the name of the server from which the cookie was sent, the expiry date and a value, usually a unique random number generated by a computer. The server of the website that transfers the cookie uses this number to recognize the User when he or she visits the site again or navigates from one page to another.
Cookies may be installed not only by the manager of the site being visited by the user (1st party cookies) but also by a different site that installs cookies via the 1st site (3rd party cookies) and is able to recognize them. This happens because the site being visited may contain elements (images, maps, sounds, links to web pages in other domains, etc.) residing on servers other than the one being visited.
In general, cookies are classified on the basis of:
A. Duration:
• session cookies (temporary) automatically erased when the browser is closed;
• persistent cookies active till their expiry date or being erased by the user.
B. Origin:
• 1st party cookies sent directly to the browser by the site that’s being visited;
• 3rd party cookies sent to the browser by sites other than the one being visited.
C. Purpose:
• Technical cookies
 navigation / strictly necessary / performance / process or security cookies help the site to work by making it possible, for example, to navigate across pages or access protected areas; if these cookies are blocked, the site may not work properly;
 function / preferences / localization / session status cookies make it possible to store information that modifies the site’s behaviour or appearance (preferred language, size of text and characters, current geographical area); if these cookies are blocked, the experience is less functional but not compromised;
 statistical/analytic cookies are a) 1st party or b) 3rd party with IP masking and without data cross-checking (similar to technical cookies in purpose) and serve to collect information and generate website usage statistics for understanding how visitors interact;
• Non-technical cookies
 3rd party statistical/analytic cookies without IP masking and with data cross-checking serve to collect information and generate usage statistics, with possible identification and tracking of the user of the website, for understanding how visitors interact;
 profiling/advertising/tracking cookies or those used for conversion for selection of advertising by user relevance (personalized ads); profiling cookies serve to create user profiles for sending advertising messages in line with preferences manifested by the user when navigating the web.

Aurea S.r.l. has fulfilled the obligations provided for in the Data Protection Authority Order entitled “Identification of simplified procedures for privacy statements and acquisition of consent to use of cookies – 8 May 2014 (published in the Gazzetta Ufficiale, no. 126, 3 June 2014)” and in subsequent rulings on cookies issued by the Authority.
Full information on the cookies installed via this site and how Users can manage their preferences regarding such cookies is provided below.

Aurea S.r.l. wishes to inform Users that its website www.lumemilano.com may use the following types of cookies:

 

• 1st party technical cookies, which do not require User consent;
• 3rd party analytic cookies, treated as technical cookies because instruments have been adopted that reduce the identifying power of the cookies (by masking significant portions of the IP address) and the 3rd party does not cross-check the information collected with other data it already has.

 

Further, it’s important to note that our website www.lumemilano.com uses:

 

• 1st party technical cookies, which do not require User consent;
These cookies are necessary for our website to work properly, as they serve for navigation and providing the service requested by the User; they are not used for ulterior motives and are installed directly by the data controller. Without these cookies, certain operations might not be carried out or could be more complex and/or less secure. The table below provides short descriptions of these cookies used on our website:

• 3rd party analytic cookies, similar to technical cookies
Our website uses 3rd party cookies to manage statistics, and Google Analytics in particular, a web analysis service provided by Google Inc. (“Google”) that uses the cookies left on the User’s computer to carry out statistical analysis in an aggregate form regarding use of the website visited. We have adopted instruments to restrict cookies’ identification capacity (by masking significant portions of the IP address), and the 3rd party doesn’t cross-check the information with other data it already has. We provide the names of the 3rd parties that manage these cookies and a link to the page where the User can receive information on processing and grant consent.

 

A brief description of these cookies used on our website is given below.

 

Cookie Domain Expiration 3rd party Cookie Permanent Cookie Section Cookie
__utmz .lumemilano.com May 16th, 2019 at 00:48 182 days Permanent Cookie
__utmc .lumemilano.com May 16th, 2019 at 00:48 182 days Permanent Cookie
__utmb .lumemilano.com November 14th, 2018 at 12:18
__utma .lumemilano.com November 13th, 2020 at 11:48 729 days Permanent Cookie
__utmt .lumemilano.com November 14th, 2018 at 11:58

 

Last update November 14th, 2018

 

Info about cookies

__utmz
The __utmz cookie is part of the Google Analytics analysis and tracking service. This is a persistent cookie that expires, generally, 6 months after the creation or update (this value may vary depending on the configurations of the webmaster, refer to the table to know the real deadline). The __utmz cookie contains an alphanumeric value that identifies your Google account, a numerical value (timestamp) of its creation, some parameters related to the number of site visits and a series of information on the source, the campaign and keywords typed. It stores the source of traffic or the campaign that explains how the user has reached the site. The cookie is created by running the javascript library and is updated every time data is sent to Google Analytics.
developers.google.com › cookie-usage

__utmc
The __utmc cookie is part of the Google Analytics analysis and monitoring service. This is a session cookie that is deleted when the browser is closed. This cookie operates synchronously with __utmb, which travels at the same time but expires after 30 minutes from its creation. Through these two cookies Analytics is able to calculate, for example, the average time spent on the pages.
developers.google.com › cookie-usage

__utmb
The __utmb cookie is part of the Google Analytics analysis and monitoring service. This is a session cookie that is deleted 30 minutes after its creation and contains the numeric value (timestamp) of the moment you entered the site. This cookie operates synchronously with __utmc, which travels alongside it but expires when you physically close the browser. Through these two cookies Analytics is able to calculate, for example, the average time spent on the pages. If you reopen the browser within 30 minutes (so utmc does not exist but only utmb), a new session is started all the same.
developers.google.com › cookie-usage

__utma
The __utmb cookie is part of the Google Analytics analysis and monitoring service. This is a session cookie that is deleted after 30 minutes from its creation and contains the numeric value (timestamp) of the moment you entered the site. This cookie operates synchronously with __utmc, which travels at the same time but expires when you physically close the browser. Through these two cookies Analytics is able to calculate, for example, the average time spent on the pages. If you reopen the browser within 30 minutes – so there is no utmc but only utmb, a new session is also started.
developers.google.com › cookie-usage

__utmt
The __utmt cookie is part of the Google Analytics analysis and monitoring service. Indicates the type of request that is made on the site (eg event, transaction, item or custom variable). Very often this cookie comes with the addition of a suffix that identifies its meaning, so you can find it in the form __utmtxxx where xxx is a series of alphanumeric characters or words that identify certain actions.
developers.google.com › cookie-usage

 

• Social network buttons
The Social Buttons on the website are social network icons (Facebook, Twitter, etc.) and enable Users to interact with social platforms with a single click. The Social Buttons used by our website https://www.lumemilano.com are links to the accounts of the data controller on the social networks represented. Using these buttons does not, therefore, enable 3rd party cookies to be installed via our site. We in any case provide details of the Social Network buttons used by the site https://www.lumemilano.com and links enabling the User to view the privacy & cookie policies of the relative social media.

Facebook button (Facebook Inc.)
This button is a service provided by Facebook Inc. for interaction with the Facebook social network.
Processing location: USA
Privacy Policy: https://www.facebook.com/privacy/explanation

Instagram button (Instagram Inc.)
This button is a service provided by Facebook Inc. for interaction with the Instagram social network.
Processing location: USA
Privacy Policy: https://help.instagram.com/519522125107875

Twitter button (Twitter Inc.)
This button is a service provided by Facebook Inc. for interaction with the Twitter social network.
Processing location: USA
Privacy Policy: https://twitter.com/it/privacy

 

In general and irrespective of the types of cookies used by this website, we would like Users to know that in addition to the forms of protection provided by the law there are certain options for navigating without cookies, such as the following, by way of example.
• Blocking 3rd party cookies, which are not usually strictly necessary for navigating and can be rejected by default using the relevant functions on your browser.
• Activating Do Not Track, an option on most new generation browsers; websites designed to include this option should automatically stop collecting certain navigation data when this option is activated. As stated however, not all websites are configured to provide this option (discretional).
• Activating “anonymous navigation”, a function making it possible to navigate without leaving a navigation data track on the browser. Websites will not remember the User, pages that are visited will not be stored in the history and new cookies will be erased. The anonymous navigation function does not however guarantee Internet anonymity because it only serves to not maintain navigation data on the browser, whereas the User’s navigation data will continue to be available to website managers and connectivity providers.
• Eliminating cookies directly: there are special functions on all browsers for doing this. It should be remembered though that new cookies are downloaded every time an Internet connection is made, so erasure would have to be carried out periodically. Some browsers offer an automatic function for periodically erasing cookies.

For further information about cookies, we recommend consulting this site: http://www.garanteprivacy.it/cookie
And to find out how to restrict, block and/or remove cookies set on your device, we recommend visiting the following site: http://www.aboutcookies.org
As already mentioned, Users may also manage their cookie preferences using their own browsers. To find out what type and version of browser you’re using, click on “Help” at the top of the browser window to access all the necessary information. If you already know the type and version of your browser, just click on the link corresponding to the one you’re using to access the cookie management page.

• Microsoft Internet Explorer
http://windows.microsoft.com/en-us/windows-vista/block-or-allow-cookies
• Google Chrome
https://support.google.com/accounts/answer/61416?hl=it
• Mozilla Firefox
http://support.mozilla.org/en-US/kb/Enabling%20and%20disabling%20cookies
• Safari
http://www.apple.com/legal/privacy/

Information on managing cookies can also be found on the following web pages:
http://www.youronlinechoices.eu, http://www.allaboutcookies.org, https://tools.google.com/dlpage/gaoptout, http://aboutads.info/choices, http://www.networkadvertising.org/choices.

 

Data provided voluntarily by users
Following consultation of this website data relative to identified or identifiable persons may be processed. Such processing may be in relation to personal data voluntarily provided by Users who send the data controller their information using the contacts on this website (www.lumemilano.com), such as, for example, corporate e-mail addresses, and/or by compiling the forms on the website that collect information. The explicit and voluntary sending of e-mails to addresses indicated on this website entails the acquisition of the sender’s address, which is necessary for replying to requests, and of any other personal data included in the e-mail. Pages that contain forms to collect visitors’ data display detailed privacy statements regarding the processing of such data pursuant to art. 13-14, Regulation (EU) 2016/679. Such statements define the limits, purposes and methods of processing involved in each data collection form, and visitors may freely express their consent and authorize collection and subsequent use of their data.
There are no sections or functions on this website whose access requires the provision of “special categories of personal data” and/or “personal data relating to criminal convictions and offences” as defined by art. 9 and 10, Regulation (EU) 2016/679. Should the User voluntarily send the data controller information of said type, the data controller will provide that such data be processed in compliance with current personal data protection legislation (Regulation (EU) 2016/679) and within the limits strictly necessary in relation to the User’s requests.
Regarding data voluntarily provided by the User in general, we wish to inform Users that Regulation (EU) 2016/679 (and legislative decree 196/2003 and subseq. amendments and integrations where compatible) provide for the protection of natural persons with respect to processing of their personal data. Under said legislation, such processing will be disciplined by the principles of fairness, lawfulness and transparency and your confidentiality and your rights will be protected.

Pursuant to the aforementioned articles 13-14, Regulation (EU) 2016/679 and legislative decree 196/2003, we are therefore providing you with the following information:

a) the processing that the Data Controller may carry out will be by automated processes and/or collection of paper documentation;
b) the User is free to provide personal information by sending it to the data controller via the contacts posted on the website (www.lumemilano.com) and/or by compiling the information collection forms on the site; in the latter case, failure to provide certain data may, depending on each case, make it impossible to initiate the activities requested by the User (see the “obligatory fields”, for example, marked by an * [asterisk] in such forms);
c) Users’ personal data will be processed by subjects appointed by the controller as processors and/or anyone else acting under its authority and having access to personal data; such subjects will process your data only when necessary for the purposes for which they were provided and only in the context of performing the tasks assigned to them by the data controller, and will only process the data necessary for carrying out such tasks and perform only the operations necessary for carrying out same.
Further, personal data may only be communicated to 3rd party subjects when this is strictly necessary for the provision of the services or information requested by the User.
Lastly, the data controller may avail itself of internal or external IT specialists for occasional maintenance or updating operations or assistance in the event of malfunctioning of the website. No data deriving from the web service will in any case be communicated or disseminated outside the company.
The data communications described above are strictly linked to normal business operations serving management of the relationship and strictly necessary for the purposes for which the data were provided;
c1) the Data Controller may transfer personal data to a third country or an international organization, in which cases it undertakes to carry out processing only if appropriate guarantees are in place;
c2) in compliance with “Measures and expedients for electronic data controllers regarding the assignment of system administration functions – 27 November 2008” (Gazzetta Ufficiale no. 300, 24 December 2008) and relative integrations and amendments, the data controller has appointed “System Administrators” who in the performance of their functions may directly or indirectly access services or systems that process or enable the processing of information of a personal nature;
c3) data will not be communicated to other 3rd party subjects unless you have been asked for and have granted your express consent.

Your personal data will not be disseminated.
d) Data will be stored for the time necessary to achieve the purposes for which they were provided; data will be stored in a form enabling the data subject to be identified for no longer than is necessary for the purposes for which they were collected or subsequently processed, after which they will be erased unless expressly reconfirmed by the data subject or transformed into an anonymous form.
e) Personal data will not be processed for the purpose of creating an automated decision-making process (profiling).
f) Should personal data need to be processed for purposes other than or further to those indicated above, the Data Controller will inform you about such other purposes and any other relevant matters.

The Data Controller has taken into account the state of the art and implementation costs and the nature, within the scope of the application, of the context and purposes of the processing both at the time of determining the means of processing and at the time of the processing itself (risk analysis – accountability) and has put in place adequate technical and organizational measures to effectively follow the principles of data protection and build into the processing the guarantees needed to satisfy the requisites of Regulation (EU) 2016/679 and protect the data subject’s rights.

Data processing will be carried out using methods and instruments capable of guaranteeing security (art. 24, 25 and 32, Reg. EU 2016/679) and involving an automatic process and non-automatic means (paper archives) which will be subject to all the technical and organizational measures guaranteeing an adequate level of security against risk, thus ensuring on a permanent basis their confidentiality and integrity and the availability and resilience of the processing systems and services (by way of non-exhaustive example: checks on both the assignments conferred on processors and on the classification of the actual data; procedures, if sustainable, for pseudonymization and encryption, disaster recovery mechanisms, etc.).

The processing of data complies with the provisions of art. 6, clause 1a) Reg. EU 2016/679 and the User is free to provide his or her personal information by sending it to the data controller via the contacts posted on the website (www.lumemilano.com) and/or by compiling the information collection forms on the site; in the latter case, failure to provide certain data may, depending on each case, make it impossible to initiate the activities requested by the User (see the “obligatory fields”, for example, marked by an * [asterisk] in such forms).

 

The data controller is: Aurea S.r.l., whose registered office is in Via Giacomo Watt n. 37, Milan (MI), tax code/VAT no. 092092409690, Tel: 02.8088.8737, Mail privacy@aureafood.com, Legal mail aurea_srl1@legalmail.it.

 

Pursuant to art. 28, REG. EU 2016/679, the Data Controller may avail itself of 3rd parties which process data on its behalf and which are formally engaged by the Data Controller as processors. A full and updated list of designated processors may be consulted by the data subject on request.
Pursuant to art. 29, REG. EU 2016/679, the Data Controller may avail itself of anyone acting under its authority and/or that of the processor; such subjects will be duly instructed.
The Data Controller has not designated a D.P.O. (art. 37, REG. EU 2016/679 and WP Guidelines, article 29, 13.12.2016) in that such a figure is not necessary in its structure, given that the characteristics of the processing do not fall within the categories indicated in the aforementioned article 37.
Further, the Data Controller specifies that:

g) the data subject is entitled to ask the Data Controller for access to his or her personal data and for rectification or erasure of same or restriction of processing concerning him or her and to object to their processing, and also has the right of data portability (art. 15, art. 16, art. 17, art. 18, art. 20, REG. EU 2016/679); by exercising the right of access the data subject is entitled to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, whereas the right of portability entitles the data subject to obtain his or her personal data from the data controller in a structured, commonly used and machine-readable format and transmit those data to another controller (see WP 242, 13.12.2016);
h) the data subject is entitled in cases where the processing is based on article 6, paragraph 1a) or article 9, paragraph 2a) to withdraw consent at any time without prejudicing the lawfulness of the processing based on consent granted before such withdrawal;
i) the data subject is entitled to lodge complaints with a supervisory authority;
j) the data subject is entitled to be informed by the Data Controller without undue delay of any personal data breach likely to result in a high risk to the rights and freedoms of natural persons (art. 34, REG. EU 2016/679).

The full text of the articles of REG. EU 2016/679 regarding your rights (articles 15 to 22 and 34) is given at the end of this privacy statement or can alternatively be supplied to you by the Data Controller in response to a simple request you may send to the contacts indicated above.

 

DATA SUBJECT’S RIGHTS UNDER REGULATION (EU) 2016/679

Right of access by the data subject (Article 15 – considering 63-64)
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

 

Right to rectification (Article 16 – considering 65)
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

 

Right to erasure (‘right to be forgotten’) (Article 17 – considering 65-66)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.

 

Right to restriction of processing (Article 18 – considering 67)
1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

 

Notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19 – Recital 31)
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

 

Right to data portability (Article 20 – Recital 68)
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

 

Automated individual decision-making, including profiling (Article 22 – Recitals 71-72)
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(c) is based on the data subject’s explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

 

Communication of a personal data breach to the data subject (Article 34 – Recitals 86-88)
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

 

Right to object (Article 21 – Recitals 69-70)
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6(1) point (e) [editor’s note: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller] or (f) [editor’s note: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The latter point shall not apply to processing carried out by public authorities in the performance of their tasks], including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

 

Regarding, specifically, the right to object, the law provides that this may be exercised in whole or part and for legitimate reasons:
a) to processing of personal data that concern you, even if relevant to the purpose of collection;
b) to processing of personal data that concern you for the purposes of sending advertising or direct sale material or for conducting market research or commercial communication by means of automated calling systems without the intervention of an operator, e-mail and/or traditional marketing methods (phone and/or normal mail) provided you have consented to such processing. Please note that your right to object to processing for direct marketing purposes by means of automated systems, as indicated in the preceding point, extends to traditional methods and that you may in any case also exercise your right to object only partially. You may therefore decide to receive communications only by traditional methods or only automated communications or neither of the two types of communication.
The data you provide will not in any case be used for marketing purposes unless you express free, specific, informed and unequivocal consent.

 

Please remember that if you wish to exercise the rights indicated in the articles above or ask questions or make comments or requests about anything in this privacy statement or want more information about the data controller and/or processor/s, you may send a request to the data controller at the following e-mail address: privacy@aureafood.com

 

In any case, we invite Users to tell us about any difficulties they have in viewing this Privacy & Cookies Policy so that we may provide alternative forms of information if need be.

 

The data controller is Aurea S.r.l., whose registered office is in (20143) Milan (MI), Via G. Watt n. 37, VAT no. 09209240960 (a wholly owned subsidiary of Carol Invest S.r.l., based in (41124) Modena (MO), via Gaetano Moreali n. 11); e-mail: privacy@aureafood.com

 

Aurea S.r.l.

 

 

Latest update: November 2018