Data protection statement
- Name and address of the responsible party
The responsible party within the meaning of the general data protection regulation and other national data protection laws of the member states as well as other data protection regulations is:
Villa Poggio ai Piani S.S.A
Via Aurelia Nord n. 60
Managing Director: Christian Sprenger
- General notes on data processing
- Scope of personal data processing
As a matter of principle, we collect and utilize our users’ personal data only to the extent necessary for providing a functional website as well as our content and services. As a routine, users’ personal data are collected and utilized only after the users have provided their consent. Exceptions are cases in which obtaining consent in advance is not possible for tangible reasons, and processing of data is permitted by legal regulations. Further information in this regard is provided in the following statement.
- Legal basis for processing personal data
Article 6, Paragraph 1, Item a) of the EU’s general data protection regulation (GDPR) serves as the legal basis for processing personal data, insofar as we have obtained the concerned person’s consent to processing of such data.
Article 6, Paragraph 1, Item b) of the GDPR serves as the legal basis for processing personal data needed to fulfil a contract to which the concerned person is party. This also applies to processing operations needed to implement pre-contractual measures.
Article 6, Paragraph 1, Item c) of the GDPR serves as the legal basis for processing personal data needed to fulfil a legal obligation to which our company is subject.
Article 6, Paragraph 1, Item d) of the GDPR serves as the legal basis for cases in which vital interests of the concerned person or another natural person require processing of personal data.
Article 6, Paragraph 1, Item f) of the GDPR serves as the legal basis for processing if this is needed to safeguard a legitimate interest of our company or a third party, and this interest is not outweighed by the interests or basic rights and freedoms of the person concerned.
- Data deletion and storage duration
An individual’s personal data are deleted or blocked once the need for storage has expired. Storage beyond this scope is possible if provided for by European or national legislation as part of the EU’s legal ordinances, laws or other regulations to which the responsible party is subject. Blocking or deletion of data takes place also when a storage deadline prescribed by the mentioned standards expires, unless there is a need for continued storage of data for contract conclusion or fulfilment.
III. Website provision and creation of log files
- Description and scope of data processing
Each time our website is invoked, our system automatically registers data and information from the invoking computer’s system.
The following data are collected here:
(1) Information about the browser type and version being used
(2) The user’s IP address
(3) Date and time of access
(4) Websites from where the user’s system arrives at our Internet page
(5) Content / the page requested
(6) Operating system and its interface
These data form part of the information saved in our system’s log files. The data are not stored together with the user’s remaining personal data.
- Legal basis for data processing
Article 6, Paragraph 1, Item f) of the GDPR serves as the legal basis for temporary storage of data and log files.
- Purpose of data processing
Temporary storage of IP addresses by the system is needed to ensure website access from the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session.
Data are stored in log files to ensure the website’s functionality. In addition, the data allow us to optimize the website and to ensure the security of our information technology systems. Data analysis for marketing purposes does not take place in this context.
These purposes also contain our legitimate interest in data processing according to Article 6, Paragraph 1, Item f) of the GDPR.
- Duration of storage
Data are deleted as soon as they are no longer necessary for achieving the purpose of their collection. For data collected in order to make the website accessible, this is the case when the session is finished.
For data stored in log files, this is the case after seven days at the latest. Storage beyond this scope is possible. In this case, the user’s IP address is deleted or modified so that association with the invoking client is no longer possible.
- Possibility of objection and removal
Collection of data to enable website access, and storage of data in log files are absolutely necessary for website operation. The user is therefore not able to raise any objections in this regard.
- Use of technically required cookies
- a) Description and scope of data processing
We utilize cookies to make our website more user-friendly. Some elements of our website require the invoking browser to be identifiable even after a change of page.
For this purpose, the following data are saved in the cookies and communicated for the duration of the website visit:
(1) Language settings, search expressions
(2) Login details
- b) Legal basis for data processing
Article 6, Paragraph 1, Item f) of the GDPR serves as a legal basis for processing of personal data using cookies.
- c) Purpose of data processing
(1) Noting search expressions
(2) Registering log-in details for the duration of website usage
User data collected by technically necessary cookies are not employed to create user profiles.
- d) Duration of storage; possibility of objection and removal
Cookies are stored on the user’s computer and transmitted from it to our website. As a user, you therefore have full control of the utilization of cookies. You can disable or restrict transmission of cookies by changing their settings in your Internet browser. Cookies already stored can be deleted at any time. This task can also be automated. Disabling cookies for our website might prevent full use of all the website’s functions in future.
- Google Analytics
Our website uses Google Analytics, a web analysis service of Google Inc. (“Google”). This service is offered by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
– browser type / version
– employed operating system
– referrer URL (previously visited page)
– host name (IP address) of the accessing computer
– time of server request
and is usually transmitted to, and stored on, a Google server in the USA. The website furthermore uses Google Analytics with the extension “_anonymizeip()” so that data are only processed anonymously. The IP address is truncated here by the last three digits, so that unique association of the IP address is no longer possible. Only in exceptional cases is a full IP address transmitted to a Google server in the USA and truncated there.
Google uses this information on our behalf to evaluate your use of the website, compile reports on website activity, and provide further services relating to website and Internet usage. Google may also transfer this information to third parties if required to do so by law, or if such third parties process the data on Google’s behalf. Google will not associate your IP address with other data held by Google. These purposes also contain our legitimate interest in processing personal data according to Article 6, Paragraph 1, Item f) of the GDPR.
Data processing is carried out on the basis of Article 6, Paragraph 1, Item f) of the GDPR. After they have been statistically analyzed, data are deleted automatically within 26 months at the latest.
You can prevent installation and storage of cookies by appropriately setting your browser software. In this case however, please note that you might not be able to fully use all the website’s functions.
You can also prevent data generated by the cookie and relating to your use of the website (including your IP address) from being collected and processed by Google by downloading and installing a browser plug-in from the following link:
As an alternative to the browser add-on, especially for browsers on mobile devices, you can prevent acquisition by Google Analytics by setting an opt-out cookie in your browser, thereby preventing future acquisition of your data when you visit this website. The opt-out cookie is stored on your device, and valid only in the relevant browser, and only for our website. If you delete the cookies in that browser, you must set the opt-out cookie again.
Setting the Google Analytics opt-out cookie Link
By using this website, you consent to processing of data collected about your person by Google in the manner and for the purposes mentioned above. Further information on Google Analytics can be obtained from the manufacturer Google at the following Internet link: https://support.google.com/analytics/answer/6004245?hl=en.
- Google reCAPTCHA
We use “Google reCAPTCHA” (hereafter referred to as “reCAPTCHA”) on our websites. The provider is Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (“Google”).
With reCAPTCHA we want to check if the data entry on our websites (for example in a contact form) is done by a human or by an automated program. To do this, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For analysis, reCAPTCHA evaluates various information (for example, the IP address, the website visitor’s visit time on the website, or user mouse movements). The data collected during the analysis will be forwarded to Google.
The reCAPTCHA analyses run entirely in the background. Site visitors are not advised that an analysis is taking place.
The data processing is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its websites from abusive automated spying and spam.
VII. Implementation of YouTube videos
YouTube videos are included on our site and are stored on YouTube (responsibility lies with Google Inc., Amphitheater Parkway, Mountain View, CA 94043, USA), but are directly playable on our website.
To protect your privacy, you must first activate the videos on our pages. When you activate or play the videos, YouTube or DoubleClick cookies may be stored and/or read on your device, and data may be transmitted to YouTube or DoubleClick (USA, Google), e.g. your IP address and cookie ID, the specific address of the page accessed on our website, the system date and time of the call, and the identifier of your browser (§§ 12 para. 1, 15 para. 3 TMG).
For information about the purpose and extent of data collection and processing by YouTube or DoubleClick, please refer to the information on Google: https://www.google.com/intl/en/policies/privacy/.
If you do not want YouTube or DoubleClick to receive data about you through the use of our website, you should not activate the videos.
The data transfer takes place after activation of the video, regardless of whether you have a user account on YouTube or Google that you are logged in to, or if you have no user account.
If you are logged in, this data can be immediately assigned to your account. If you want to avoid this, you must log out of your account before activating the video.
Google has submitted to the EU Privacy Shield (certificate available at: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI).
VIII. Google Web Fonts
This site uses so-called web fonts, provided by Google, for the uniform representation of fonts. When you call up a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.
To do this, the browser you use must connect to Google’s servers. As a result, Google learns that our website has been accessed via your IP address. The use of Google Web Fonts is in the interest of a consistent and attractive presentation of our online services. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
If your browser does not support web fonts, a default font will be used by your computer.
- Google Maps
Our website uses the map service of Google Maps via an API.
This service is offered by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
To enable use of the functions of Google Maps, it is necessary to save your IP address. This information is usually transmitted to a Google server in the USA and stored there. The provider of this website has no influence on this data transfer.
Google Maps is used to present our online offering attractively and to make the places we specify on the website easy to locate. This is a legitimate interest within the meaning of Article 6, Paragraph 1, Item f) of the GDPR.
- SSL & TLS Encryption
For security reasons, and to protect the transmission of confidential content such as orders or requests that you send to us as the site operator, this website uses SSL or TLS encryption. You can recognize an encrypted connection by the address line of the browser changing from “http://” to “https://” and by the lock symbol in your browser line.
If SSL or TLS encryption is enabled, the data you submit to us cannot be read by third parties.
- Contact form and e-mail contact
- Description and scope of data processing
A contact form available at our website can be used for establishing electronic contact. If a user avails of this possibility, the data specified in the input screen are transmitted to us and stored.
At the time of the sending of the message, the following data are also stored:
(1) The user’s IP address
(2) Date and time of registration
For the purpose of data processing, the user’s consent is obtained and this data protection statement is referred to during the sending procedure.
Alternatively, it is possible to establish contact via the e-mail address provided. In this case, the user’s personal data communicated in the e-mail are stored.
In this context, there is no transfer of data to third parties. The data are used exclusively for processing the conversation.
- Legal basis for data processing
Article 6, Paragraph 1, Item a) of the GDPR serves as a legal basis for data processing if the user has consented.
Article 6, Paragraph 1, Item f) of the GDPR serves as a legal basis for processing data communicated via e-mail messages or contact forms. If contact is aimed at concluding a contract, then Article 6, Paragraph 1, Item b) of the GDPR serves as an additional legal basis.
- Purpose of data processing
For us, processing of personal data from an input screen is intended solely as part of establishing contact. In case of contact establishment via e-mail, this also encompasses the required legitimate interest in data processing.
Other personal data processed during sending serve to prevent misuse of the contact form and ensure the security of our information technology systems.
- Duration of storage
Data are deleted once no longer necessary for achieving the purpose of their collection. For personal data from the contact form’s input screen, this is the case when the respective conversation with the user is finished. The conversation is finished when circumstances indicate that the concerned issue has been conclusively clarified.
Personal data collected additionally during dispatch are deleted after a period of 26 months at the latest.
- Possibility of objection and removal
The user is able to withdraw their consent to processing of personal data at any time. If the user has established e-mail contact with us, they can revoke storage of their personal data at any time. In such cases, the conversation cannot be continued.
Revocation is to be announced in writing (fax/e-mail being sufficient) to the contact whose details are provided in I.
All personal data stored in the course of establishing contact are deleted in this case.
kundentests.com allows us to integrate customer reviews on our website.
XIII. Rights of the concerned person
If your personal data are processed, you are a concerned person within the meaning of the GDPR, and have the following rights vis-à-vis the responsible party:
- Right to disclosure
You can request confirmation from the responsible party as to whether data concerning your person are processed by us.
If such processing has occurred, you can request the responsible party to disclose the scope and content of data processing as follows:
(1) The purposes for which personal data are processed.
(2) The categories of personal data which are processed.
(3) The recipients / categories of recipients to which data concerning your person have been, or will be, disclosed.
(4) The planned duration of storing data concerning your person or, if specific details are not possible here, criteria for determining the storage duration.
(5) The existence of a right to rectification or deletion of data concerning your person, right to restriction of processing by the responsible party, or right of objection to such processing.
(6) The existence of a right of complaint to a supervisory authority.
(7) All available information on the origin of any personal data collected from a source other than the concerned person.
(8) The existence of automated decision-making mechanisms, including profiling, in accordance with Article 22, Paragraphs 1 and 4 of the GDPR and – at least in these cases – meaningful information about the involved logic as well as the scope and intended effects of such processing for the person concerned.
You are entitled to request information on whether data concerning your person are communicated to a third-party country or an international organization. In this context, you may request information on the appropriate safeguards pursuant to Article 46 of the GDPR in connection with communication.
- Right to rectification
You have a right to rectification and/or completion vis-à-vis the responsible party, insofar as processed data concerning your person are incorrect or incomplete. The responsible party must perform the rectification immediately.
- Right to restriction of processing
You can request restrictions on processing of data concerning your person under the following conditions:
(1) If you dispute the correctness of the data concerning your person for a period which allows the responsible party to review the correctness of the personal data.
(2) If processing is unlawful and you refuse deletion of the personal data and instead call for restrictions on use of the personal data.
(3) If the responsible party no longer requires the personal data for processing, although you require these data to assert, exercise or defend legal claims.
(4) If you have issued an objection to processing pursuant to Article 21, Paragraph 1 of the GDPR and it is not yet definite whether the responsible party’s legitimate reasons outweigh your reasons.
If processing of data concerning your person has been restricted, these data – irrespective of their storage – may only be processed with your consent, or in order to assert, exercise or defend legal claims, or protect the rights of another natural or legal person, or for reasons of important public interest in the EU or a member state.
If processing has been restricted according to the requirements above, you will be informed by the responsible party before the restriction is lifted.
- Right to deletion
- a) Obligation to delete
You can request the responsible party to immediately delete data concerning your person, and the responsible party will be obliged to do so.
The following reasons must exist for this:
(1) The data concerning your person are no longer necessary for the purposes for which they were collected or processed in any other way.
(2) You withdraw your consent on which processing was based in accordance with Article 6, Paragraph 1, Item a) or Article 9, Paragraph 2, Item a) of the GDPR, and there is no other legal basis for processing.
(3) You object to processing as per Article 21, Paragraph 1 of the GDPR, and there are no overriding, legitimate grounds for processing, or you object to processing as per Article 21, Paragraph 2 of the GDPR.
(4) The data concerning your person have been unlawfully processed.
(5) Deletion of data concerning your person is required to fulfil a legal obligation according to the laws of the EU or a member state to which the responsible party is subject.
(6) The data concerning your person were collected in relation to information society services according to Article 8, Paragraph 1 of the GDPR.
- b) Information to third parties
If the responsible party has publicized the data concerning your person, and is obliged to delete them according to Article 17, Paragraph 1 of the GDPR, said party will take appropriate measures, also of a technical nature, taking into account available technology and implementation costs, to inform those responsible for processing personal data, that you as a concerned person have required them to delete all links to these personal data as well as any copies or replications of such data.
- c) Exceptions
There is no right to deletion insofar as processing is required
(1) to exercise the right to freedom of expression and information.
(2) to comply with a legal obligation which requires processing according to the law of the EU or the member states to which the responsible party is subject, or to fulfil a task which is in the public interest or carried out in the exercise of official authority to which the responsible person has been delegated.
(3) for reasons of public interest in the field of public health according to Article 9, Paragraph 2, Items h) and i), as well as Article 9, Paragraph 3 of the GDPR.
(4) for archiving in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Article 89, Paragraph 1 of the GDPR, insofar as the right mentioned in Section a) is expected to prevent or seriously impair achievement of the objectives of this processing.
(5) to assert, exercise or defend legal claims.
- Right to information
If you have asserted the right to rectification, deletion or restriction of processing vis-à-vis the responsible party, they are obliged to communicate this correction or deletion of data or restriction of processing to all recipients to whom the data concerning your person were disclosed, unless this proves impossible or requires disproportionate effort.
You are entitled vis-à-vis the responsible party to be informed about these recipients.
- Right to data portability
You have the right to obtain, in a structured, conventional and machine-readable format, the data which concerns your person and which you provided to the responsible party. Furthermore, you have the right to convey these data to another responsible party without hindrance by the responsible party to whom the personal data were provided, if
(1) processing is based on consent pursuant to Article 6, Paragraph 1, Item a) of the GDPR, or Article 9, Paragraph 2, Item a) of the GDPR, or a contract as per Article 6, Paragraph 1, Item b) of the GDPR.
(2) processing takes place using automated procedures.
In exercising this right, you are also entitled to have the data concerning your person be delivered directly by a responsible party to another responsible party insofar as this is technically feasible. The freedoms and rights of other persons must not be impaired as a result.
The right of data transfer does not apply to processing of personal data required for fulfilment of a duty lying in the public interest or carried out as part of exercise of official authority delegated to the responsible party.
- Right to objection
For reasons arising from your specific situation, you have the right to object at any time to processing of your personal data on the basis of Article 6, Paragraph 1, Item e) or f) of the GDPR; this also applies to profiling based on these provisions.
The responsible party no longer processes the data concerning your person, unless they can demonstrate compelling, defensible reasons for processing which outweigh your interests, rights and freedoms, or unless processing serves to assert, exercise or defend legal claims.
If data concerning your person are processed for the purpose of direct advertising, you are entitled at any time to object to the processing of your personal data for the purpose of such advertising; this applies also to profiling insofar as it is associated with such direct advertising.
If you object to processing for purposes of direct advertising, the data concerning your person will no longer be processed for these purposes.
In conjunction with the use of information society services, you are able to exercise your right of objection by means of automated procedures which make use of technical specifications – regardless of directive 2002/58/EC.
- Right to revoke the declaration of consent regarding data privacy
You have the right to revoke your declaration of consent regarding data privacy at any time. Revocation of consent does not influence the legality of the processing carried out on the basis of the consent until revocation.
- Automated decision-making in individual cases, including profiling
You have a right not to be subjected to decisions which are based exclusively on automated processing – including profiling – and which have legal implications for you or affect you significantly in a similar way. This does not apply if a decision
(1) is necessary for conclusion or fulfilment of a contract between you and the responsible party.
(2) is permissible on the basis of the EU’s or a member state’s legislation to which the responsible party is subject, and this legislation contains appropriate measures to safeguard your rights and freedoms as well as your legitimate interests.
(3) is made with your explicit consent.
However, these decisions must not be based on special categories of personal data pursuant to Article 9, Paragraph 1 of the GDPR, unless Article 9, Paragraph 2, Item a) or g) applies, and appropriate measures for protecting your rights and freedoms as well as your legitimate interests have been taken.
With regard to the cases mentioned in (1) and (3), the responsible party is to take appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to effect human intervention on the part of the responsible party, to express one’s own point of view, and to contest the decision.
- Right of complaint to a supervisory authority
Irrespective of any other administrative or judicial appeal, you are entitled to file a complaint with a supervisory authority, in particular, in the member state containing your residence, your workplace or the location of the alleged infringement, if you believe that processing of data concerning your person is contrary to the GDPR.
The supervisory authority with which the complaint has been filed informs the complainant about the status and results of the complaint, including the possibility of legal remedy according to Article 78 of the GDPR.