top of page

Privacy Policy

​

PRIVACY POLICY
pursuant to Articles 13-14 of EU Regulation No. 679/2016

 

Introduction

Tridi Sas di Cancellieri Silvio (hereinafter the "Data Controller"), in accordance with Articles 13 and 14 of EU Regulation No. 679/2016, provides this notice to inform users about the processing of personal data in relation to the provision of its services.

This privacy notice is also inspired by Recommendation No. 2/2001, adopted on May 17, 2001, by the European data protection authorities gathered in the Group established under Article 29 of Directive No. 95/46/EC. The recommendation aims to define certain minimum requirements for the online collection of personal data, particularly regarding the methods, timing, and nature of the information that data controllers must provide to users when they access web pages. This applies regardless of the purpose of the connection, as personal data relating to identified or identifiable individuals may be processed as a result of visiting a website.

This notice applies solely to the Data Controller's website and does not extend to any other websites that users may access via links.

 

Art. 1. Data Controller – Data Processing and Protection Officer
The Data Controller of your data is Gelateria Pasticceria Tridi Sas, Tax Code 04213830138, with registered office at Via Tridi, 1, 22020 Torno CO, email tridisas@pec.it.
The collaborators and employees of the Data Controller (administrative and commercial staff), in their capacity as data processors and persons in charge of processing, are all specifically assigned to data processing tasks.

 

Art. 2. Location of Data Processing
Personal data is processed at the premises of the Data Controller, as well as on electronic media using software provided by various partners and devices made available to authorized data processing personnel.
Processing related to web services of the websites is carried out with the assistance of Wix and possibly Meta, whose privacy policies are referenced. These processes are managed solely by designated technical personnel and, if necessary, maintenance staff.

 

Art. 3. Types of Data Processed
The Data Controller processes only data voluntarily provided by the user or data acquired from third parties with the user's explicit consent; data strictly necessary to fulfill any request, whether informational or related to service provision.

For the provision of services and/or pre-contractual activities, the Data Controller processes the following categories of data:

Common Personal Data
Any information relating to an identified or identifiable natural person, including but not limited to personal identification data, banking/financial data, and contact details (phone and online).

a) Browsing Data
The IT systems of the website and blog collect certain personal data whose transmission is implicit in the use of Internet communication protocols. These data are not collected for association with the user but, through processing and associations with third-party data, could potentially identify them.

Such data are used for statistical purposes, to ensure the website’s proper functionality, to provide requested features, and for security and liability assessment in case of cybercrime. Each time a user accesses the website, the following data are stored in server log files: access date and time, website name, IP address, referrer URL, amount of data transmitted, browser product information, and version. User IP addresses are deleted or anonymized after use to prevent identification unless an excessive effort in terms of time, cost, and labor is required.

The analysis of these anonymized log files helps improve services, identify and eliminate errors faster, and monitor server capacity. Users are encouraged to refer to the Cookies section, which is an integral part of this privacy notice.

b) Voluntarily Provided Data
Through the website, users may voluntarily provide personal data such as name, surname, email, or banking details for payment purposes. The Data Controller processes these data in compliance with applicable regulations, assuming that they pertain to the user or authorized third parties.

Users act as autonomous data controllers in such cases, assuming all legal obligations and responsibilities. The user indemnifies the Data Controller against any claims or damages related to unauthorized third-party data processing.

c) Data Processed through Social Media Interactions
Users may submit service requests via social media profiles such as Facebook or Google by clicking "Register with Facebook" or "Register with Google." In such cases, Facebook or Google will automatically send the Data Controller specific data detailed in the pop-up window displayed during the request process, eliminating the need to complete additional forms.

d) Special Categories of Data
The App is based on a platform that allows users to access their data, content, programs, and results anytime and anywhere. Consequently, the Data Controller may process data that reveal personal details and fall within the special categories of personal data defined under Article 9 of the Regulation.

The App provides a service that involves processing personal data such as name, surname, date of birth, email address, and additional information necessary for providing evaluations.

e) Geolocation Data
The website offers a service that allows users to view their geographical location (subject to user consent) within a map. These location data are not transmitted or made accessible outside the user’s mobile device.

However, the App, with explicit authorization, processes location data to provide the service, as described in the App’s Terms and Conditions. Users can always disable the App's access to location data through their mobile device settings. Images and videos collected during a session are not processed using technical devices capable of identifying individuals.

 

Art. 4. Purpose of Data Processing
The Data Controller informs that personal data will be processed strictly to fulfill the following purposes:

  1. a) Purposes related to the execution of a contract in which you are a party or to the execution of pre-contractual measures adopted at your request;

  2. b) Purposes related to compliance with a legal obligation to which the Data Controller is subject;

  3. c) Purposes necessary to ascertain, exercise, or defend a right in legal proceedings or whenever judicial authorities perform their judicial functions;

  4. d) Enable website navigation and the provision of the Data Controller’s services;

  5. e) Respond to specific requests addressed to the Data Controller;

  6. f) Fulfill any obligations required by current laws, regulations, or community legislation, or to comply with requests from authorities;

  7. g) Carry out direct marketing via email for services similar to those you have subscribed to, unless you explicitly refuse to receive such communications, which you can express during registration or at any later time;

  8. h) Conduct marketing/newsletter activities, such as: developing studies, research, and market statistics; sending informational and promotional material related to the activities, services, and products of the Data Controller and its commercial partners (without any communication of personal data owned by the Data Controller to such partners); sending surveys to improve service ("customer satisfaction"). These communications may be carried out via email, SMS, postal mail, phone calls with an operator, through the official pages of the Data Controller on social networks, or via push notifications through the App. It should be noted that the Data Controller collects a single consent for the marketing purposes described herein, in accordance with the General Provision of the Italian Data Protection Authority "Guidelines on promotional activities and spam prevention" of July 4, 2013. However, if you wish to object to the processing of your data for marketing purposes using the means indicated, you may do so at any time by contacting the Data Controller at the contact details provided in the "Contacts" section of this policy, without affecting the lawfulness of processing based on consent given before withdrawal;

  9. l) For statistical or research purposes, without the possibility of identifying you.

The user has the right at any time to revoke their authorization for the use of personal data for these purposes, either partially or for specific communication methods. This operation does not involve any additional costs and can be carried out by sending a communication to the known contact details of the Data Controller.

 

Art. 5. Data Processing Methods
Information systems and software programs are configured to minimize the use of personal and identifying data, ensuring their processing only when necessary and when the purposes can be achieved through anonymous data or methods that allow identification only if needed.

To access the service offered by the Data Controller, the user will initially provide only common personal data, which will be processed by administrative staff.

The Data Controller implements all possible security measures to prevent the processing of unnecessary data. Personal data will be recorded, processed, managed, and stored using electronic IT tools and, where necessary, in paper format.

Regardless of the method chosen, data security and confidentiality remain ensured. Personal data is managed using automated tools for the time strictly necessary to achieve processing purposes. Specific security measures are in place to prevent data loss, unlawful or incorrect use, and unauthorized access.

Responsibilities are widely distributed, and data-related activities are defined through regulations and operational instructions for authorized personnel. The Data Controller commits to providing training and updates on privacy issues, potential risks, and legal responsibilities related to data processing. Furthermore, all operators accessing IT systems are identifiable, bound by professional and/or official secrecy, and authorized for processing.

Where specific laws require anonymous data processing (e.g., protection of victims of sexual violence and pedophilia, HIV-positive individuals, substance and alcohol abuse, voluntary pregnancy termination, anonymous childbirth, family counseling services, responsible procreation choices, etc.), data is anonymized at the time of creation in compliance with applicable regulations and is not subject to further processing.

The Data Controller does not perform profiling on processed data.

 

Art. 6. Security Measures
The processing of personal data is safeguarded by appropriate and preventive security measures that minimize the risk of destruction or loss (even accidental), unauthorized access, or unauthorized or non-compliant processing.

Organizational choices and operational procedures regarding personal data security are also defined for sensitive data processing using electronic tools.

The personal data security system establishes organizational choices and operational procedures related to data security, particularly concerning:

  • The list of personal data processing activities;

  • Access granted to authorized personnel based on processing purposes;

  • Risk analysis associated with data;

  • Measures to ensure data integrity and availability;

  • Criteria and procedures for restoring data availability after destruction or damage;

  • Training programs for processing personnel, educating them about data-related risks, preventive measures, key aspects of data protection laws relevant to their activities, related responsibilities, and methods to stay updated on security measures implemented by the Data Controller;

  • Criteria for ensuring the adoption of minimum security measures in case of outsourced or international data transfers;

For personal data related to health status and sexual life, identification of encryption or data separation criteria from other personal data of the data subject.

 

Art. 7. Recipients of Data Processing
The entities processing your personal data are:

  • Personnel within the Data Controller's structure, necessary for service provision;

  • Entities acting as data processors, including:

    1. i) Individuals, companies, or professional firms providing assistance and consultancy in accounting, administrative, legal, tax, and financial matters;

    2. ii) Entities assigned to perform technical maintenance activities;

    3. iii) Credit institutions, insurance companies, and brokers;

    4. iv) Parent, subsidiary, and affiliated companies of the Data Controller, limited to administrative-accounting purposes related to organizational, financial, and accounting activities;

  • Individuals authorized by the Data Controller who are committed to confidentiality or bound by a legal obligation of confidentiality (e.g., employees and collaborators of the Data Controller);

  • Entities, bodies, or authorities required by law or official orders to receive your personal data;

  • Judicial authorities exercising their functions as required by applicable regulations.

Personal data is only accessible to authorized personnel following specific procedures defined in the contract signed by the data subject, in compliance with the previously described purposes. Designation is formalized through an "appointment act" included in agreements, conventions, or contracts involving external data processing.

7.1 Internal Data Processors
Due to the complexity and multiple institutional functions of the company, the Data Controller designates the following as internal data processors:

  • Each Head of an Operational Unit for both physical and electronic databases;

  • The IT Service Manager for centrally managed electronic databases;

  • All external entities handling the Data Controller’s database on its behalf for business-related functions (Art. 9).

The appointment of internal processors is linked to the assignment of structural responsibilities and is deemed accepted upon contract signing. The Data Controller must inform each processor of their responsibilities under the applicable regulations.

Each internal processor must ensure:

  • Full compliance with the company's legal obligations, including security measures;

  • Adherence to this Regulation and the specific instructions from the Data Controller;

  • Cooperation with the Data Protection Authority when requested;

  • Adoption of appropriate measures to protect the rights, freedoms, and dignity of data subjects, including professional secrecy;

  • Implementation of security measures concerning sensitive data processing and minimum security standards.

The data processing manager, regarding security measures, is responsible for:

  • Updating the list of data processing types (census – Art. 16);

  • Requesting IT Service to assign non-reusable individual identification codes for data access;

  • Safeguarding access passwords;

  • Verifying the effectiveness of security programs and antivirus systems;

  • Ensuring security measures are applied internally and externally;

  • Informing the Data Controller about identified risks.

Individuals managing personal data independently within different company units assume the role of autonomous "Data Controllers."

7.2 External Data Processors
All external entities performing data processing on behalf of the company for business-related functions are appointed as "External Data Processors."

External processors must:

  • Process data lawfully and fairly, in full compliance with privacy regulations;

  • Implement security measures to prevent data breaches, unauthorized access, or non-compliant processing;

  • Appoint internal data handlers;

  • Ensure data is accessed only by authorized personnel;

  • Process personal and sensitive health data solely for contractual purposes;

  • Adhere to the Data Controller’s instructions;

  • Specify the physical locations where data is processed.

Failure to comply with these provisions results in external processors being considered autonomous "Data Controllers," fully liable for any violations.

7.3 Data Handlers
Employees assigned to specific services and carrying out technical data processing operations are considered "Handlers" under Article 30 of the Privacy Code.

Handlers must:

  • Follow the Data Controller’s and Data Processor’s instructions;

  • Implement security measures to prevent unauthorized access, loss, or unauthorized data disclosure;

  • Report potential risks related to data processing;

  • Ensure data is processed lawfully, collected for explicit and legitimate purposes, and stored for no longer than necessary.

Handlers must maintain complete confidentiality regarding the data they process, sharing it only with authorized entities as required by law or company operations.

Designation as a handler occurs through formal employment assignment or service order, specifying processing scope. Handlers receive appropriate instructions regarding their assigned tasks and responsibilities.

 

Art. 8. Nature of Data Provision and Consent
Consent to the processing of personal data is both voluntary and essential for the provision of the requested service, which is the primary purpose of data processing (including related administrative activities). Without consent, the service cannot be provided.

Below are specific cases requiring consent based on special laws or specific data categories:

  1. a) Minors
    Consent for processing the data of a minor under 16 must be signed by at least one parent exercising parental authority.

  2. b) Persons Under Guardianship
    The guardian submits the consent form on behalf of the protected individual, signing it in the user's name and providing their own personal details and signature, along with court-issued documentation or a self-declaration of guardianship.

  3. c) Persons Unable to Sign
    A user unable to sign due to illiteracy, temporary or permanent physical impairment, and without a legal representative, may provide verbal or non-verbal (gesture-based) consent. This consent is recorded via audiovisual tools for documentation and dispute resolution purposes.

8.1. Marketing Purposes
If explicit consent is provided, the user's contact details may be used by the Data Controller to promote products or services similar to those previously purchased or subscribed to. The user may receive advertising material or commercial communications exclusively related to these services.

By granting consent to processing for marketing purposes under Article 6(1)(a) of the Regulation, the data subject explicitly acknowledges and authorizes promotional and marketing activities, whether via traditional methods (operator calls, postal mail) or automated electronic means (email, SMS, MMS, automated systems, digital platforms).

According to the General Provision of the Privacy Authority dated May 15, 2013, regarding "Consent to the processing of personal data for direct marketing through traditional and automated contact tools," the following aspects are emphasized:

  1. Consent given for electronic and telematic marketing communications extends to traditional methods such as postal mail and operator calls.

  2. Consent will be collected as a unified and comprehensive agreement, covering all marketing communication channels. Separate, express, documented, and voluntary consent is required to proceed with marketing activities.

  3. Users can withdraw their marketing consent at any time, partially or entirely, via email at info@lapliniana.it. Withdrawal does not affect the provision of services.

  4. The Data Controller may share data with third-party commercial partners only with additional, specific, and documented consent from the user.

Under the Privacy Authority’s General Provision of July 4, 2013, recipients of marketing data may include entities from various commercial and economic sectors, such as publishing, sports, electronic communication services, insurance, financial services, tourism, energy, and retail industries. Data sharing for marketing purposes is always voluntary and revocable.

If a user refuses marketing consent, they may not be able to access specific services, but this will not impact other contractual or service-related interactions.

 

Art. 9. Data Transfer Abroad
Personal data may be transferred to other EU countries to enable employees of the Data Controller to perform their work under contract execution.
Personal data may also be transferred to the United States exclusively for contract execution. No sensitive data will be transferred. Data transfers to the U.S. are safeguarded under the European Commission’s "adequacy decision" regarding U.S. privacy laws.

 

Art. 10. Data Subject Rights
As a data subject, you may exercise the rights granted under Article 13(2)(a-e) of EU Regulation 679/2016, including:

  • Right to confirmation and access – to verify the existence of personal data and receive a copy upon request.

  • Right to object – to object to personal data processing for legitimate reasons.

  • Right to rectification – to modify and update personal data.

  • Right to erasure ("right to be forgotten") – to request data deletion, subject to legal and contractual limitations.

  • Right to restriction of processing – to limit data processing under specific conditions, such as contesting data accuracy or processing lawfulness.

  • Right to data portability – to receive personal data in a common format.

  • Right to withdraw consent – at any time, for both primary data processing and marketing purposes. Withdrawal does not affect prior lawful processing.

  • Right to lodge a complaint – with the Privacy Authority for any suspected regulatory violations.

Requests can be sent via email to tridisas@pec.it.

 

Art. 11. Data Retention Period
Personal data will be retained for 10 years from the last legally relevant processing action or consent acquisition.

bottom of page