Privacy Policy

Information pursuant to Article 13 of Regulation (EU) No. 2016/679 ("GDPR")

INFOSET SRL protects the confidentiality of personal data and provides them with the necessary protection from any event that could put them at risk of violation.

As required by the European Union Regulation No. 2016/679 ("GDPR"), and in particular Article 13, below we provide the user ("Data Subject") with the information required by the legislation regarding the processing of their personal data.

SECTION I

Who we are and what data we process (Art. 13(1)(a), Art. 15(b) GDPR)

INFOSET SRL, in the person of its legal representative p.t., headquartered in Milan Via Andrea Palladio12, operates as the Data Controller and can be contacted at contatti@infoset.it and collects and/or receives information concerning the Data Subject, such as:

Data category	Exemplification of data types
Biographical data	first name, last name, physical address, nationality, province and municipality of residence, landline and/or mobile phone, fax, social security number, e-mail address(es)
Bank data	IBAN and bank/postal information (except credit card number)
Telematics traffic data	Log, source IP address.

INFOSET SRL does not require the Interested Party to provide so-called "special" data, i.e., according to the provisions of the GDPR (art. 9), personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data relating to the health or sex life or sexual orientation of the person. In the event that the service requested from INFOSET requires the processing of such data, the Interested Party will receive appropriate information in advance and will be asked to give appropriate consent.

For any information or requests, the Interested Party may contact the address

email: contatti@infoset.it
phone: +39 02 89368915

SECTION II

For what purposes we need the data of the Data Subject (art. 13, 1st paragraph GDPR)

The data are used by the Data Controller to follow up on the request for master registration and the contract for the supply of the chosen Service and/or the purchased Product, manage and execute the contact requests forwarded by the Interested Party, provide assistance, and fulfill the legal and regulatory obligations to which the Data Controller is bound by virtue of the activity performed. Under no circumstances does INFOSET resell the Data Subject's personal data to third parties or use them for unstated purposes.

Specifically, the Data Subject's data will be processed for:

(a) master registration and requests for contact and/or informational materials

The processing of the Data Subject's personal data is carried out in order to give effect to the activities preliminary and consequent to the request for master registration, the management of requests for information and contact and/or sending of information material, as well as for the fulfillment of any other obligations arising from it.

Legal basis for such processing is the fulfillment of services inherent in the request for registration, information and contact and/or sending of information material and compliance with legal obligations.

(b) the management of the contractual relationship

The processing of the Data Subject's personal data is carried out to give effect to the activities preliminary and consequent to the purchase of a Service and/or a Product, the management of the related order, the provision of the Service itself and/or the production and/or shipment of the purchased Product, the related invoicing and management of payment, the processing of complaints and/or reports to the support service and the provision of the support itself, the prevention of fraud as well as the fulfillment of any other obligation arising from the contract.

Legal basis for such processing is the performance of services inherent in the contractual relationship and compliance with legal obligations.

c) promotional activities on Services/Products similar to those purchased by the Data Subject (Art. 47 Recital of the GDPR - Privacy Regulation EU/2016/679)

The data controller, even without your explicit consent, may use the contact information disclosed by the Data Subject, for the purpose of direct sales of its own Services/Products, limited to the case of Services/Products similar to those being sold, unless the Data Subject explicitly objects.

d) the activities of commercial promotion on Services/Products different from those purchased by the Interested Party

The Data Subject's personal data may also be processed for purposes of commercial promotion, surveys and market research with regard to Services/Products that the Data Controller offers only if the Data Subject has authorized the processing and does not object to it.

Such processing may take place, in an automated manner, in the following ways:

e-mail;
text message;
telephone contact

And can be carried out:

If the Data Subject has not revoked his or her consent for the use of the data;
If, in the event that the processing is carried out through contact with a telephone operator, the Interested Party is not registered in the opposition register referred to in Presidential Decree No. 178/ 2010;

The legal basis for such processing is the consent given by the Data Subject prior to the processing itself, which is revocable by the Data Subject freely and at any time (see Section III).

(e) information security

The Data Controller, in line with the provisions of Recital 49 of the GDPR, processes, including through its suppliers (third parties and/or recipients), the Data Subject's personal traffic data to the extent strictly necessary and proportionate to ensure network and information security, i.e., the ability of a network or information system to withstand, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted.

The Data Controller will promptly notify Data Subjects if there is a particular risk of a breach of their data subject to the obligations under Article 33 of the GDPR regarding personal data breach notifications.

The legal basis for such processing is compliance with legal obligations and the legitimate interest of the Data Controller in carrying out processing inherent in the purposes of protecting the company's assets and the security of INFOSET SRL's offices and systems

(f) profiling

The personal data of the Interested Party may also be processed for profiling purposes (such as analysis of the data transmitted and the Services/Products chosen, proposing advertising messages and/or commercial proposals in line with the choices manifested by the users themselves) exclusively in the event that the Interested Party has provided explicit and informed consent. The legal basis of such processing is the consent given by the Data Subject prior to the processing itself, which is revocable by the Data Subject freely and at any time (see Section III).

(g) fraud prevention (Art. 47 Recital of GDPR - Privacy Regulation EU/2016/679 et Art. 22 GDPR)

the data subject's personal data, excluding special data (Art 9 GDPR) or judicial data (Art 10 GDPR) will be processed to enable checks with the purpose of monitoring and preventing fraudulent payments, by software systems that perform a check in an automated manner and prior to the negotiation of Services/Products;
passing these checks with negative results will result in the impossibility of carrying out the transaction; the Interested Party may in any case express its opinion, obtain an explanation or contest the decision by giving reasons to the Customer Service Department or to the contact contatti@infoset.it
personal data collected for anti-fraud purposes only, as opposed to data required for the proper performance of the requested service, will be immediately deleted upon completion of the control phases.

(h) the protection of minors

The Services/Products offered by the Owner are reserved for individuals who are legally capable, based on the relevant national legislation, to conclude contractual obligations.

The Owner, in order to prevent illegitimate access to its services, implements preventive measures to protect its legitimate interest, such as checking the social security number and/or other verifications, when necessary for specific Services/Products, the correctness of the identification data of identity documents issued by the competent authorities.

Communication to third parties and categories of recipients (art. 13, 1st paragraph GDPR)

The communication of the Data Subject's personal data is mainly to third parties and/or recipients whose activities are necessary for the performance of activities inherent to the established relationship and to respond to certain legal obligations, such as:

Categories of recipients	Purpose
INFOSET SRL	Administrative, accounting, and contract performance-related tasks,
THIRD-PARTY SUPPLIERS^[1]	Provision of services (support, maintenance, product delivery/shipping, provision of additional services, providers of electronic communication networks and services) related to the requested performance
Credit and digital payment institutions, banking/postal institutions	Management of collections, payments, reimbursements related to contractual performance
External professionals/consultants and consulting firms	Fulfillment of legal obligations, exercise of rights, protection of contractual rights, credit recovery
Financial Administration, Public Bodies, Judicial Authority, Supervisory and Control Authority	Fulfillment of legal obligations, defense of rights; lists and registers kept by public authorities or similar bodies under specific regulations, in connection with contractual performance
Persons formally delegated or having recognized legal title	Legal representatives, curators, guardians, etc.

SECTION III

What happens if the Data Subject does not provide his/her data identified as necessary for the performance of the requested service? (Art. 13, 2nd paragraph, lett. e GDPR)

The collection and processing of personal data is necessary to follow up on the services requested as well as the provision of the Service and/or the supply of the Product requested. If the Interested Party does not provide the personal data expressly envisaged as necessary within the order form or the registration form, the Controller will not be able to follow up on the processing related to the management of the requested services and/or the contract and the Services/Products related thereto, nor on the fulfilments that depend on them.

What happens in case the Data Subject does not provide consent to the processing of personal data for commercial promotion activities on different Services/Products than those purchased?

In the event that the Interested Party does not give consent to the processing of personal data for these purposes, such processing will not take place for those purposes, without affecting the provision of the requested services, nor for those for which He has already given consent, if requested.

In the event that the Interested Party has given consent and should subsequently revoke it or object to the processing for commercial promotion activities, his or her data will no longer be processed for such activities, without any detrimental consequences or effects on the Interested Party and the services requested.

How we process the data of the Data Subject (Art. 32 GDPR)

The Data Controller arranges for the use of appropriate security measures in order to preserve the confidentiality, integrity and availability of the Data Subject's personal data and imposes similar security measures on third-party vendors and Processors.

Where we process the data of the Data Subject

The Data Subject's personal data are stored in paper, computer and telematic archives located in countries where the GDPR is applied (EU countries).

How long is the data of the Data Subject kept? (Art. 13, 2nd paragraph, lett. a GDPR)

Unless he or she explicitly expresses his or her wish to remove it, the Data Subject's personal data will be retained as long as it is necessary in relation to the legitimate purposes for which it was collected.

In particular, they will be retained for the duration of your registry entry and in any case no longer than a maximum period of 12 (twelve) months of your inactivity, or if, within that period, no Services are associated and/or Products purchased through the registry itself.

In the case of data provided to the Data Controller for the purposes of commercial promotion for services other than those already acquired by the Data Subject, for which He initially gave consent, such data will be retained for 24 months, unless the consent given is revoked.

In the case of data provided to the Owner for profiling purposes, these will be kept for 12 months, unless the consent given is always revoked.

It should also be added that in the event that a user forwards to INFOSET personal data that is not requested or not necessary for the purpose of the performance of the requested service or the provision of a service closely related to it, INFOSET cannot be considered the owner of these data, and will delete them as soon as possible.

Regardless of the Interested Party's determination to remove them, personal data will in any case be retained in accordance with the terms provided for by current legislation and/or national regulations, for the exclusive purpose of guaranteeing the specific fulfillments, peculiar to certain Services (by way of example but not limited to, Certified Electronic Mail, Digital Signature, Substitute Storage - in this regard see the relevant section).

Likewise, personal data will in any case be retained for the fulfillment of obligations (e.g., tax and accounting) that remain even after the termination of the contract (Art. 2220 Civil Code); for these purposes, the Data Controller will retain only the data necessary for the relevant pursuit.

This is without prejudice to cases in which rights arising from the contract and/or registry should be asserted in court, in which case the personal data of the Interested Party, only those necessary for such purposes, will be processed for the time essential to their pursuit.

What are the rights of the Data Subject? (Art. 15 - 20 GDPR)

The data subject has the right to obtain the following from the data controller:

(a) confirmation as to whether or not personal data concerning him or her is being processed, and if so, to obtain access to the personal data and the following information:

the purposes of processing;
the categories of personal data in question;
The recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly if recipients in third countries or international organizations;
when possible, the intended retention period of personal data or, if not possible, the criteria used to determine this period;
the existence of the data subject's right to request from the data controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to their processing;
The right to file a complaint with a supervisory authority;
where the data are not collected from the data subject, all available information about their origin;
the existence of automated decision-making, including profiling, and, at least in such cases, meaningful information about the logic used, as well as the significance and expected consequences of such processing for the data subject.
The adequate safeguards that the third country (non-EU) or an international organization provides to protect any data transferred

(b) the right to obtain a copy of the personal data undergoing processing, provided that this right does not infringe the rights and freedoms of others; In the case of further copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.

(c) the right to obtain from the data controller the rectification of inaccurate personal data concerning him/her without undue delay

(d) the right to obtain from the data controller the erasure of personal data concerning him/her without undue delay, if the grounds provided for by the GDPR in Article 17 exist, including, for example, if they are no longer necessary for the purposes of the processing or if the processing is assumed to be unlawful, and provided that the conditions provided for by law are met; and in any case if the processing is not justified by another, equally legitimate reason;

e) the right to obtain from the data controller the restriction of processing, in the cases provided for in Article 18 of the GDPR, for example where you have disputed its accuracy, for the period necessary for the data controller to verify its accuracy. The Data Subject must also be informed, in a reasonable time, of when the period of suspension has expired or the cause of the restriction of processing has ceased to exist, and thus the restriction itself lifted;

(f) the right to obtain communication from the owner of the recipients to whom requests for any rectification or cancellation or restriction of processing carried out, unless this proves impossible or involves a disproportionate effort.

(g) the right to receive in a structured, commonly used and machine-readable format personal data concerning him or her and the right to have such data transmitted to another controller without hindrance by the controller to whom he or she has provided them, in the cases provided for in Article 20 of the GDPR, and the right to obtain the direct transmission of personal data from one controller to another, if technically feasible.

For any further information and in any case to send your request you should contact the Data Controller at contatti@infoset.it. In order to ensure that the above rights are exercised by the Data Subject and not by unauthorized third parties, the Data Controller may request the Data Subject to provide any additional information necessary for this purpose.

How and when can the Data Subject object to the processing of his/her personal data? (Art. 21 GDPR)

For reasons related to the special situation of the Data Subject, the Data Subject may object at any time to the processing of his or her personal data if it is based on legitimate interest or if it is carried out for commercial promotion activities, by sending a request to the Data Controller at contatti@infoset.it.

The Interested Party has the right to the deletion of his or her personal data if there is no overriding legitimate reason of the Data Controller with respect to the reason that gave rise to the request, and in any case in the event that the Interested Party has objected to the processing for commercial promotion activities.

To whom can the Data Subject complain? (Art. 15 GDPR)

Without prejudice to any other action in administrative or judicial proceedings, the Data Subject may lodge a complaint with the competent supervisory authority on the territory of Italy (Data Protection Authority) or with the one performing its duties and exercising its powers in the Member State where the GDPR violation occurred.

Any updates to this Notice will be communicated promptly and by appropriate means, and also will be communicated if the Data Controller processes the Data Subject's data for purposes other than those set forth in this Notice before proceeding to do so and following the Data Subject's manifestation of the relevant consent if necessary.

SECTION IV

This Section provides the Data Subject with particular information regarding the processing of his or her personal data for each of the Services set forth below, in addition to that set forth in the preceding Sections.

HOSTING SERVICES

Disclosure to third parties and categories of recipients

Personal data, for purposes strictly related to the provision of the service, will be disclosed to third parties (Registration Authorities and related accredited entities) based in countries where the GDPR is not applied (non-EU countries), and in any case for which an adequacy provision on the level of data protection by the European Commission is in force.

Furthermore, the Interested Party is informed that the registration of a domain name entails the inclusion of its personal data within a publicly accessible register ("Whois") kept at the competent Registration Authority for the chosen extension, except in cases where the Interested Party has requested the obscuring of personal data in the manner provided for by the competent Registration Authority or by the contractual conditions relating to the Service.

Legal basis for such processing is the performance of services inherent to the relationship established, compliance with legal obligations and regulations and the legitimate interest of INFOSET SRL to carry out processing necessary for these purposes.

CLOUD SERVICES.

Disclosure to third parties and categories of recipients

In the exclusive context of the provision of CLOUD services, which enables the registration of a domain name, personal data, for purposes strictly related to the registration of the domain name itself, will be disclosed to third parties (Registration Authorities and related accredited entities) based in countries where the GDPR is not applied (non-EU countries), and in any case for which an adequacy provision on the level of data protection by the European Commission is in force.

OFFICE 365 SERVICES

Disclosure to third parties and categories of recipients

As part of the provision of the "Office 365" Service, the data subject's personal data may be disclosed to third parties that are based in countries where the GDPR does not apply (non-EU countries), and in any case for which an adequacy provision on the level of data protection by the European Commission is in force or which have otherwise provided all the appropriate safeguards referred to in Article 46 GDPR.

E-SECURITY SERVICES/PRODUCTS

All services that have an impact on the security of data processing are handled by Infoset according to current regulations.

Data of customers joining hosting, housing, backup, disaster recovery and security services are encrypted and the access/encryption key is expressly handed over to the customer who has full ownership. All unified voice services (voip termination and data connectivity) are issued through authentication policies based on SSL certificates generated by trusted certification bodies and automatically renewed."

SECTION V

COOKIES - General Information

Cookies are data that are sent from the website and stored by the Internet browser in the user's computer or other device (e.g., tablet or cell phone).

For everything related to cookie information, please refer to the specific information posted on the COOKIE POLICY page

^[1] The Data Controller imposes on its Third Party Providers and Processors compliance with security measures equal to those adopted with respect to the Data Subject by restricting the scope of the Responsible Party's actions to processing related to the requested service.

The Controller does not transfer your personal data to countries where the GDPR does not apply (non-EU countries) unless specifically stated otherwise for which you will be informed in advance and your consent will be sought if necessary.

The legal basis for such processing is the performance of services inherent to the relationship established, compliance with legal obligations and the legitimate interest of INFOSET SRL in carrying out processing necessary for these purposes.