PRIVACY NOTICE PURSUANT TO EU REGULATION 2016/679 ON THE PROTECTION OF PERSONAL DATA (Art. 13 GDPR)

Art. 1. Data Controller:
IIAC - International Institute of Coffee Tasters
Registered Office: Galleria V. Veneto, 9, 25128, Brescia (BS)
Tax Code: 98051360174 Tel. +39 030 381558 Email: info@iiac.coffee
Art. 2. Personal Data Processed: which data are collected
The personal data subject to processing are those voluntarily provided by the data subject via email.

Art. 3. Purpose and Legal Basis of the Processing: why personal data are processed and what justifies the processing
Purpose a) To respond to requests submitted by data subjects through the completion of the available forms or through other communications.
Legal Basis: Performance of a contract or pre-contractual measures. The collection and processing of data are necessary (and therefore mandatory). Refusal to provide the data prevents the achievement of the stated purpose and the handling of the related requests.

Purpose b) Use of data collected through “technical” cookies and anonymous, aggregated statistical cookies, such as navigation or session cookies, functionality cookies and analytical cookies, aimed at enabling and optimizing navigation within the website.
Legal Basis: Legitimate interest of the Data Controller aimed at providing users with the best possible browsing experience and collecting information on the number of users and visits to the website in order to assess its effectiveness (see cookie policy).
Purpose c) Use of data collected through preference and marketing cookies, only if selected.
Legal Basis: Consent. If consent is denied or withdrawn, no data will be collected and/or used for this purpose (see cookie policy).

Art. 4. Processing Methods: how personal data are processed
The personal data referred to in Art. 2 are processed strictly within the limits necessary to achieve the purposes set out in Art. 3 above.
For the purposes described above, no decisions are taken solely on the basis of automated processing that produce legal effects or significantly affect the life, rights, or freedoms of the data subject.
Processing is carried out using electronic tools (computers, cloud servers, smartphones, etc.) connected to networks, as well as with the support of paper archives stored in dedicated premises accessible only to authorized personnel at our offices.
Art. 5. Retention Period: where and how long personal data are stored
Personal data are processed and stored for the following periods:
- Purpose a): For the time necessary to respond to the requests made.
- Purpose b): For the time necessary to evaluate website performance, and in any case no longer than 1 year.
- Purpose c): Until any withdrawal of consent.
It is specified that the data will subsequently be deleted. In the event that data need to be restored via backup, their subsequent deletion is guaranteed.

Art. 6. Communication and Disclosure of Data: to whom data are disclosed
Personal data may be shared, exclusively for the purposes specified above, with the following categories of recipients:
- Collaborators of the Data Controller, such as individuals designated and authorized to process personal data, bound by confidentiality obligations;
- Individuals, companies, or other third parties, such as (by way of example and not limitation) professional firms, IT providers, marketing agencies, system administrators, service outsourcers, etc., each within their specific area of competence and bound by confidentiality, with whom the Data Controller maintains relationships necessary for carrying out its activities or to comply with legal obligations, and to whom a specific mandate has been assigned for the time necessary to achieve the purposes for which the data were collected;
- Judicial or supervisory authorities, public administrations, bodies and public organizations, in the exercise of their functions, when required by law.
These parties will process the data as “Data Processors”, duly appointed and authorized to process personal data under the direct authority of the Data Controller, or as independent Data Controllers authorized to access the data pursuant to laws, regulations, and applicable provisions. In any case, the data will not be disseminated.
Art. 7. Transfer of Data to Non-EU Countries
Data are stored at our offices and in the cloud, in data centers located within the EU.

Email - The communication and transmission of data (e.g. attendance records and medical certificates, subsequently deleted) via personal email implies that conversations may also be stored on the servers of the email service provider (e.g. Gmail). If the provider has servers located outside the European Union, communications may also be stored on those servers, in accordance with the contractual terms and privacy policy of the provider, which users are invited to consult.
Art. 8. Rights of the Data Subject
- Right of access: to obtain confirmation as to whether or not personal data concerning them are being processed and, if so, to obtain access to such data and information on the purposes of the processing, the categories of personal data concerned, the retention period, and the recipients to whom the data may be disclosed;
- Right to rectification: to obtain, without undue delay, the rectification of inaccurate personal data and the completion of incomplete personal data;
- Right to data portability: to receive personal data provided to the Data Controller in a structured, commonly used and machine-readable format, and to have such data transmitted to another controller without hindrance;
- Right to erasure: to obtain, without undue delay, the erasure of personal data;
- Right to restriction: to obtain restriction of processing from the Data Controller;
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- Right to object: to object to the processing of personal data, unless there are legitimate grounds for the Data Controller to continue the processing;
- Right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) or other supervisory authorities.
To exercise these rights, data subjects may send a written request, registered letter with return receipt, or certified email (PEC) to the contact details provided in Art. 1. Please remember to attach a valid identification document.
This privacy notice may be subject to changes. The Data Controller reserves the right to modify or simply update its content, in whole or in part, including as a result of changes in applicable legislation.
