The Data Controller of personal data is Veneziani & Co Srl, Via R. Morandi, 9 - 30126 Lido di Venezia (VE) - P.iva 03909220273, email: dpo_es@outly.it for Spanish customers and privacy@outly.it for everyone else, in the person of legal representative pro tempore.

Visiting and consultation of the site does not generally entail the collection and processing of the user's personal data. In addition to the so-called browsing data, personal data voluntarily provided by the user when interacting with the functionality of a website or asking to use the services offered on the site may be subject to processing. The data processed by the Data Controller is personal data of common type, identification and demographic data, as well as specific data (such as those revealing the racial or ethnic origin, biometric data, data related to the status of health) to the extent that is necessary for the activity requested and in accordance with the provisions of Articles. 9 and the other provisions referring to it, in any case subject to adequate written consent if necessary.

The Data Controller will carry out the data processing for the following purposes:

a) to allow the user to use the services and features on the site;

b) to respond to user’s request via the contact form;

c) to send newsletters and sales offers;

d) to research and/or to conduct statistical analysis on aggregated or anonymous data without the ability to identify the user, intended to measure the functioning of the site, the traffic and to assess site usability and interest (without the processing of data by the Data Controller);

e) to fulfil legal obligations to which the Data Controller is subject;

The legal bases of the processing are the following, divided into data categories:

a) browsing data and first-party cookies and anonymous statistics: legitimate interests of the Data Controller;

b) Identifying, personal and possibly sensitive data provided by the user upon request through the contact form: fulfillment of pre-contractual measures implemented on request and/or on the basis of the user's consent;

The site uses exclusively non-third-party technical and statistical analysis cookies subjected to anonymisation. Cookies are small files stored on the hard disk of the user’s computer. There are two macro-categories of cookies: technical cookies and profiling cookies.

Technical cookies are necessary for the correct functioning of a web site and to enable the user’s browsing; the user may not be able to properly view the pages or use certain services without them.

Profiling cookies have the task of creating user profiles in order to send advertising messages in line with the preferences expressed by the user when browsing.

Cookies can also be classified as:

- session cookies: these are deleted immediately after the browser is closed;

- Persistent cookies: these remain within the browser for a specific period of time. They are used, for example, to recognize the device that connects to a site facilitating the authentication procedures for the user;

- Cookies: generated and managed by the operator of the website that the user is browsing;

- third-party cookies: generated and managed by persons other than the operator of the website that the user is browsing.

The Site may contain links to other sites (third-party sites). The Data Controller has no access to or control over cookies, web beacons and other user tracking technologies that could be used by third party sites that the user can access from the site; the Data Controller exercises no control over content and materials published by or obtained through third-party sites nor to the related mode of processing of user’s personal data, and expressly disclaims any responsibility relative to such eventuality. The user is required to check the privacy policy of third party sites that are accessed through the site and to inform themselves about the conditions applicable to the processing of their personal data. This Privacy Policy applies only to the site as defined above.

We use the following techniques to reduce the identifying power of cookies:

IP anonymization

Configuration of the service to prevent the remaining portion of the IP address from being associated with other services.

The visitor can decide whether to accept cookies by using the general settings of their browser and/or by installing the special add-on to Google Analytics.

The personal data will be:

a) collected electronically;

b) recorded in digital form on a server available to the Data Controller and Processor;

c) protected from risk of destruction, modification, cancellation and unauthorized access through efficient security measures of a physical, logical and organizational nature;

d) additional processing, also by paper, to the extent and in the time strictly necessary to implement the purposes as indicated above.

Specific security measures are taken by the Data Controller to prevent loss, modification or elimination of the data, illegal and/or incorrect use and unauthorized access or transmission. The Data Controller also agrees to take all further reasonable steps to ensure that the personal data is treated securely and in accordance with current legislation.

The data may also be stored and processed at all servers located outside of the European Union, but still respecting the processing procedures laid down GDPR.

The user can help the Data Controller and keep their personal data up-to-date and correctly by communicating any changes to them.

The data acquired through the site is communicated to recipients to the extent that is strictly necessary for the purposes listed above.

The categories of Recipients are as follows:

a) all parties to whom the right to access such data is recognized by legislative measures;

b) parties to whom the disclosure of information is necessary for the functioning and provision of services offered by the site, acting as Data Processors, under written agreement with the Data Controller;

c) persons appointed and authorized by the Data Controller, who have committed themselves to confidentiality or are subject to an adequate legal obligation of confidentiality (eg employees and collaborators of the Data Controller);

d) individuals and/or legal individuals, public and/or private entities when data communication is necessary or relevant to Data Controller’s activity via the methods and for the purposes illustrated above.

The Data Controller may also have to disclose information to third parties to fulfill legal obligations or to comply with orders from public Authority.

The communication of personal data to the categories listed above can involve the transfer of personal data both within the EU and outside the EU (in the latter case exclusively concerns countries adhering to the Privacy Shield protocol, that is, countries that ensure an adequate level of protection in accordance with what is provided for in GDPR).

No personal data will be disclosed.

Personal data is stored and processed via the Data Controller's computer systems and managed by the Data Controller or third party technical service providers. The data is processed exclusively by specifically authorized personnel, including the personnel responsible for carrying out special maintenance operations.

The Data Controller retains data for the minimum time necessary to the purposes referred to in point 3.

Save for the above, the Data Controller will retain any personal data up to the maximum time allowed by law to protect their rights and/or interests.

The provision of some personal data by the user is required to allow the Data Controller to manage communications, requests received from the user or recontact the user to follow up on a demand that could not be fulfilled if they failed to do so. On the contrary, the collection of other data is optional: failure to provide such data has no consequence for the user.

The communication of browsing data is mandatory and indispensable to allow the Data Controller to allow the user to use the site.

The communication of identifying, personal and special data provided by the user in the requests through the contact form is optional.

The user cannot decline to supply browsing data in so far as they consist of personal data.

Where the user refuses to communicate identifying and personal data, and possibly particulars in the requests via the contact module, the Data Controller may not be able to process such requests, in whole or in part.

The interested party has the right, at any time, ask the Data Controller confirmation as to whether or not there is any ongoing processing of their personal data and in which case to obtain access to such data and ask for the data to be made available to them in an intelligible manner; to update, amend and integrate personal data; cancellation of such data (right to be forgotten) without undue delay or restriction of their processing if it is one of the motives set out by GDPR; notification by the Data Controller in cases of updating/amending/cancellation/restricting personal data; the portability of personal data in processing events carried out by automated means under consent or contractual relationship; to oppose, in whole or in part to their processing, for reasons connected to their specific situation, and to refuse the automated decision-making process, including profiling, without prejudice to the limits resulting from the legal obligations of retention of personal data.

To the extent that the processing of personal data is based on their consent, they will also also right to withdraw consent at any time without affecting the lawfulness of the treatment based on the consent given before the revocation. In such case, their personal data will be removed from the files in the shortest time possible.

These rights may be exercised in the manner and within the terms laid down in article 12 GDPR by a written request accompanied by a photocopy their identity document, sent by return registered mail to the headquarters of the Data Controller at the address Porto4- Associazione Professionale, Marghera – Venezia, Centro Direzionale Torre Uno, Banchina Molini, n. 8, Cap 30175 or to the email address dpo_es@outly.it for Spanish customers and privacy@outly.it for everyone else. Before being able to provide or modify any information you may need to verify your identity and answer a few questions. The Data Controller will give an appropriate response as soon as possible and in any case, within one month of receiving the request.

They are also have the right to submit a complaint in accordance with article 77 GDPR to an authority in control, that for the Italian State is set forth in the Authority for the Protection of Personal Data.

The forms, the procedures and the terms of the filing of the complaint are provided for and regulated by national legislation. The complaint is without prejudice to administrative and jurisdictional actions, which for the Italian State can be alternatively proposed to the same Guarantor or the Court in charge.

The conditions of this policy may change over time or vary depending on the purpose of processing: any material changes to this statement will be posted on this web site www.outly.it and from that moment the updated version of such information will be a binding: the interested party is therefore invited to visit this section with regularity.

If the user is interested in receiving more information about the processing of their personal data, to contribute with their own suggestions or in filing complaints or raising objections to the Outly’s Privacy Policy, they can do so informally by sending communication to the email address: dpo_es@outly.it for Spanish customers and privacy@outly.it for everyone else.