This statement will attempt to explain who and how will be processing the data of the Data Subject
(also referred to as the User), what his/her data are, and what his/her rights are and how he/she can
exercise them. For specific clarifications, where the User does not understand or does not consider
what is included in the statement to be sufficient, please write to the following address:
2: SOME IMPORTANT FACTS ABOUT PERSONAL DATA
What do we mean by personal data? Personal data are any information that relates to an
identifiable natural person. An email address is personal data. The text of a message, if it reveals
information about a person in its content, is personal data.
3: WHO PROCESSES THE DATA?
The Data Controller is the person who makes the decisions on how to process the data, i.e. -
among other things - what precautions to take in order to protect them, where to store them
(whether on a server or in the cloud, etc.), what data to ask of the user, what to process and for what
purpose, etc. Therefore, since the Data Controller is very important, the user should know that it is:
Head office: Strada Caminata, 28-14036 Moncalvo (AT)
VAT No. and Tax Code: 01610380055
Furthermore, Orsolina can avail itself of internal subjects authorised to process data (also called
appointees) or external subjects mostly as Data Processors, as Autonomous Controllers or Joint
Controllers, as the case may be.
3/a: TO WHOM ARE THE DATA COMMUNICATED (or WHO IS ALLOWED ACCESS
TO THE DATA)?
The data are communicated to persons working for the Data Controller (employees and
collaborators) who cooperate in the executive, administrative and technical management of the
They may be further communicated in compliance with disclosure obligations in case of a request
by a public authority (e.g. request by the court, tax assessment, etc.).
In addition, the data are communicated to the hosting service, the newsletter service provider, third-
It is important to know that Orsolina can manage and control only the data stored and processed in
its own system: data transferred or disclosed to third parties will be, in the manner and to the extent,
independently processed by the third parties to whom they are disclosed according to their own
4: WHERE ARE THE DATA PROCESSED?
Orsolina processes Users' personal data at its own premises and in the cloud located in the EU area.
5: WHAT DATA ARE PROCESSED?
Based on the significant quality of the data, one can identify:
- Contact data: email and telephone;
- Identification data: name, surname;
- Content data: the content of the communication sent by the User through the appropriate
6: FOR WHICH PURPOSES ARE THE DATA PROCESSED, AND INDICATION OF THE
LEGAL BASIS AND STORAGE PERIODS?
ORSOLINA processes user data for the following purposes:
1. Responding to requests sent by the user (information, exercising rights, etc.): this consists
of responding to contacts made by the user (by email or other form of contact). Legal basis:
performance of the service requested by the user in the communication (such as exercising a
right, answering a question, etc.);
Duration: ten years (obligation to keep business correspondence).
Data processed: contact, identification and other data depending on the content of the
request (e.g. the information contained in the text of the request may refer to persons, and as
such are personal data).
2. Sending newsletters for own (or third party) marketing purposes: The user's email
address is used to send periodic emails containing operational and promotional content of
the services provided by Orsolina (or also third-party services not processed by Orsolina,
so-called third-party marketing: the content will, in any case, be included in emails
containing primarily information relating to Orsolina).
Data used: contact.
Legal basis: consent given by entering the e-mail in the appropriate form.
Duration: until cancellation from the newsletter service through the appropriate function.
The data will be kept after this revocation only in order to prove the revocation, but not for
sending new marketing communications.
Mailing frequency: weekly;
Service used for the newsletter: Mailchimp;
Please note: consent can always be revoked. Withdrawal of consent means that the
processing of data for the purpose for which consent was given ceases from that moment
(but not retroactively).
3. Social sharing: The service hosts functions (widgets, link and share buttons or similar) that
enable the user to quickly share a web page or other event. It is up to the user to share these
events, but sharing alone may involve the transmission of data to the social, and in
particular, navigation on the Orsolina website, as well as in some cases the device and IP
address from which the registration or sharing is made. These data are then managed by
social networks according to their own logic and policies.
Data processed: shared page;
Legal basis: performance of the sharing service and legitimate interest of the Data
Controller in connecting with social pages and - indirectly - in the consequent promotion of
its service. The legitimate interest is deemed to prevail over the interests and rights of users
for the following reasons:
- The shared event is of little importance (one can only share the page or other event);
- The event is shared with positive and conscious action by the user;
- The event is shared on social platforms to which the user is already subscribed;
- The user has the option to delete the post shared on the social platform at any time
(according to the settings of most of these platforms);
Duration: instantaneous in the case of Orsolina. The duration of the processing carried out
by the social platform depends on its policies regarding the processing of personal data.
4. Create subscriber databases: ORSOLINA creates a database of contacts received via
forms on the site. The database is used for the following purposes: A) as a backup copy of
the addresses from which the communications were received;
B) to send offers or other content via newsletter (see point 6.2 above).
Legal basis: A) legitimate interest of the Data Controller in the storage of contact data
(which is deemed to prevail over contrary interests in that it guarantees the availability of
the data to Orsolina and, on the other hand, since the data is of little danger or significance,
does not prejudice the user, who can, moreover, well assume that his address is in the
database of the operator of the site he is writing to);
B) consent of the interested party expressed by means of a flag at the bottom of the contact
form (or by entering the e-mail address in the appropriate field);
Duration: A) until the request for deletion (see clause on exercising rights) by sending an
email to firstname.lastname@example.org; B) until consent is revoked;
Data processed: A) email, identification;
B) email, identification.
7: HOW ARE THE DATA PROVIDED?
The data are provided directly by the User by filling in the form on the site, entering their email
address or, in some cases, by browsing alone.
8: WHICH DATA ARE COMPULSORY AND WHICH ARE OPTIONAL (AND WHAT
ARE THE CONSEQUENCES OF A REFUSAL TO PROVIDE DATA)?
The contact and identification data of the User is mandatory for those who wish to activate the
services (newsletter, form response). Failure to provide this information will make it impossible to
provide the requested service (newsletter delivery, response to contact).
In addition, optional, but essentially physiological, data is formed in the drafting of the
communication (e.g. what is written in the text of the message communicated). As regards the latter,
it is not possible to discriminate between mandatory and optional, as they are formed as a natural
consequence of drafting the communication.
9: HOW WILL THE SERVICE "DISTURB" THE USER?
ORSOLINA will "disturb" the User in the following ways:
● The User may receive emails, telephone calls, messages or other communications from
Orsolina: these will be operational communications or in any case in response to
communications sent by the User. These communications are essential for the regular
management of the relationship with the User.
● Newsletter: frequency: weekly; content: operational, promotional relating to products or
services of Orsolina or third party companies; service provider: Mailchimp;
10: WHAT ARE THE RIGHTS OF USERS?
Users have a number of rights.
Rights to information about:
● Categories of data processed (see points 2 and 5);
● Origin of the data, i.e. knowing where the service obtained the data (see point 7);
● Purpose of data processing, i.e. for what purposes the data are processed (see point 6);
● Contact details of the Data Controller and of any data processors (see point 3);
● Persons to whom the data are disclosed (see point 3/a);
● Data retention and processing time (see point 6);
● Right to lodge a complaint with the Italian Data Protection Authority by accessing the
following link: http://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-nostri- dati-personali
● Legal basis for processing (see point 6);
Then there are rights that are not simply for information but are operational. They are of various
kinds. In brief:
● The Data Subject has the right to a copy of the data he or she has provided. If the data have
been processed by automated methods and on the basis of his/her consent or on the basis of
a contract, the user may request - if technically possible - that the data be transmitted to the
same Data Subject or to a possible new Data Controller (portability), provided that this
operation does not violate the rights (and the data) of other people. This right cannot be
exercised in this case, therefore, in relation to communications containing data of third
parties, industrial secrets or otherwise protected content. In this case, you may also request
the deletion of the data (unless the law does not require the Data Controller to retain it, as in
the case of commercial communications).
● If the personal data are inaccurate or incomplete, the Data Subject may ask for them to be
corrected or supplemented, providing information to that effect. If the Data Controller has
to verify the accuracy of the data challenged by the Data Subject, the Data Subject may, in
the meantime, obtain the restriction of the challenged data (restriction means that the data is
only stored and no further processing is carried out except with the specific consent of the
Data Subject or if the data is needed to exercise or defend a right in court).
● If personal data are no longer necessary for the purposes for which they were collected or
otherwise processed, the Data Subject may request that they be erased. If, however, the
Data Subject needs the data in order to exercise his or her rights in court, he or she may
request that the data be restricted (i.e. stored only).
● If the processing is unlawful because the data are processed in the absence of consent, a
legitimate interest of the Controller, a contract for the performance of which the processing
is necessary, or a legal obligation of the Controller to process the data, the Data Subject may
request their erasure or restriction.
11: HOW CAN YOU EXERCISE YOUR RIGHTS?
Procedure for exercising rights: The User's rights may be exercised by sending an email to
The Data Controller must reply within thirty days (which may be extended by a further two months,
but the Data Controller must give the user reasoned notice of the delay). The Data Controller may
only refuse to comply with the user's request (which must be communicated to the user within one
month) if the request is manifestly unfounded or repetitive. He must then give a reasoned reply. In
any case, the user may appeal to the "Italian Data Protection Authority” (see link below) or to the
The Data Controller must respond using the same channel (email, telephone, etc.) used by the user
for the request, unless the user requests a response by a different means. In the event of a request
coming from an email address other than the one indicated in the account, the applicant must prove
that he/she is the Data Subject.
If the Data Controller has doubts about the identity of the person making the request or exercises
one of the rights listed below, he/she may request further information to confirm the identity of the
applicant. In the event of a request coming from an email address other than the one indicated in the
account, the applicant must prove that he/she is the Data Subject.
Requests and replies are free of charge unless they are repetitive. In the latter case, the Data
Controller may charge the costs he/she incurs for the reply (i.e. personnel costs, material costs, etc.).
In any case, the Data Subject may contact the Italian Data Protection Authority (http://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-nostri-dati-personali) or the competent Judicial Authority to exercise his/her rights.
12: WHAT ARE THE DUTIES AND OBLIGATIONS OF USERS?
The User is obliged to communicate truthful data.
It is the User's responsibility to inform the Data Controller of any change in the personal data
previously communicated. Finally, it is the User's responsibility, where the functionalities allow it,
not to enter excessive data. For example, if the form requires you to enter non-mandatory data
(usually marked with an asterisk), it is recommended that you enter them only if you consider it
necessary. Similarly, if you write a message through the service, please avoid explicit references to
identifiable persons, if not necessary.
17: CASES OF DATA BREACH
If one or more of the following events should occur with respect to the User's data: unauthorised
access, theft, loss, destruction, disclosure or modification (so-called data breach), ORSOLINA,
without prejudice to the urgent technical measures to be implemented to block the event (as far as
possible) and to reduce its harmful effects, undertakes to:
- restore the service as soon as possible in an efficient manner, recovering the data available from
the last useful backup made;
- inform Users, either directly if circumstances permit or generically (by means of a notice on the
website home page or by means of a communication sent to all users, including those for whom
there may have been no data events) of the type of event, the time when it occurred, the measures
adopted (without going into detail in order not to facilitate possible new attacks) to reduce damage
and avoid new similar events, as well as the measures and precautions that Users should - on their
part - adopt to reduce the probability of new events and limit the consequences of those that have