Privacy Policy
EXTENDED PRIVACY NOTICE PURSUANT TO ARTS. 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR (REGULATION (EU) 2016/679) ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER, “GDPR”)
The Data Controller sets out below the privacy notice pursuant to Arts. 12, 13 and, where applicable, 14 of the GDPR concerning the processing of personal data provided by the Customer/Data Subject through the completion and signing of the Contract to purchase the products/services offered for sale by the Data Controller, by voluntarily uploading personal data on this website (in particular by completing forms) or simply by browsing it.
1. Data Controller and contact details
The Data Controller is BOUSSEMART MARJORIE CLAUDE LOUISE, with registered office at Via Lorenzo il Magnifico, 50 c/o Studio Baldinetti, VAT No. 07240381009, tel. +39 3358158228, email marjorieboussemart@gmail.com, website https://www.osteopatiaromaviterbo.it/ (hereinafter, the “Website”).
2. Principles applicable to processing
In accordance with the GDPR, the Data Controller continuously works to ensure that personal data are:
- processed lawfully, fairly and transparently;
- collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary to achieve the purposes for which they are processed;
- processed using appropriate technical and organizational measures to ensure security;
- where processed on the basis of consent, processed following a freely given decision by the Customer/Data Subject, on the basis of a request clearly distinguishable from other matters, in an understandable and easily accessible form, using clear and plain language.
The Data Controller adopts appropriate technical and organizational measures to ensure data protection by design and to ensure that, by default, only the data necessary for each specific processing purpose are processed.
The Data Controller also collects and gives the utmost consideration to any indications, observations and opinions sent by the Customer/Data Subject to the contact details above, in order to implement a dynamic privacy management system that ensures effective protection of individuals with regard to the processing of their data.
This Notice may be amended in line with changes in applicable legislation and the technical and organizational measures adopted by the Data Controller. The Customer/Data Subject is therefore invited to visit this section of the Website periodically to review updates and the version of the Notice currently in force.
3. Methods of processing personal data
Personal data are processed manually and with electronic tools, using methods strictly related to the purposes indicated below and, in any case, in a manner that ensures the security and confidentiality of the data.
4. Purposes of processing personal data
(4a) Purposes for which processing is necessary
The personal data provided by the Customer/Data Subject are mainly processed to perform the Contract and manage credit and, more generally, the relationship arising from the Contract.
Providing the data in the Contract or subsequently during the contractual relationship for these purposes is mandatory. Therefore, failure to provide such data (in whole or in part) or providing inaccurate data makes it impossible to enter into and/or perform the Contract and, for the Customer/Data Subject, to use the products/services offered by the Data Controller, potentially exposing the Customer/Data Subject to liability for breach of contract.
The personal data provided by the Customer/Data Subject may also be processed where necessary to comply with a legal obligation to which the Data Controller is subject, to protect the vital interests of the Customer/Data Subject or another natural person, to perform a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or for the pursuit of the legitimate interests of the Data Controller or third parties, provided such interests are not overridden by the interests or fundamental rights and freedoms of the Customer/Data Subject. In these cases as well, provision of the data is mandatory, and failure to provide the data (in whole or in part) or providing inaccurate data may expose the Customer/Data Subject to liabilities and sanctions under applicable law.
(4b) Additional purposes based on specific and explicit consent
In addition to the purposes above, personal data provided/collected may be processed, subject to the Customer/Data Subject’s consent (to be given by selecting the box “Give consent” in the Contract or on the Website, or through other social/web applications of the Data Controller), also for conducting market research and for commercial and promotional communications by phone (including the mobile number provided) and automated contact systems (email, SMS, MMS, fax, etc.) regarding products/services of the Data Controller or companies of the group to which the Data Controller may belong.
Consent for the purposes in point (4b) is optional. Therefore, if consent is refused, the data will be processed only for the purposes set out in point (4a), subject to what is specified below regarding the legitimate interests of the Data Controller or third parties.
5. Categories of personal data processed
The Data Controller mainly processes identification/contact data (name, surname, addresses, type and number of identification documents, telephone numbers, email addresses, tax/billing information, etc.) and, where commercial transactions are envisaged, financial data (bank details, in particular current account identifiers, credit card numbers, and other data connected to such transactions).
Processing carried out by the Data Controller, both for the performance of the Contract and on the basis of the Customer/Data Subject’s explicit consent, generally does not concern special categories of personal data (so-called sensitive data revealing racial or ethnic origin, political opinions, religious beliefs, health status, sexual orientation, etc.), nor genetic or biometric data, nor so-called judicial data (relating to criminal convictions and offences).
However, it cannot be excluded that, in order to perform obligations arising from the Contract, the Data Controller may have to store and/or need to process sensitive, genetic and biometric or judicial data of the Customer/Data Subject or third parties, where the Customer/Data Subject acts as a controller. In such a case, processing by the Data Controller takes place under the terms, conditions and limits of the appointment of the Data Controller as processor by the Customer/Data Subject.
The Data Controller also processes, as controller in relation to the Website and potentially as processor appointed by the Customer/Data Subject (under the terms above), so-called browsing data. The IT systems and software procedures used to operate websites acquire, during their normal operation, certain personal data, the transmission of which is implicit in the use of internet communication protocols. These are not collected in order to be associated with identified individuals, but by their very nature could allow identification of the data subject. This category includes geolocation data, IP addresses, browser type, operating system, domain name, addresses of websites from which access was made or to which exit occurred, information on pages visited, access time, time spent on each page, internal path analysis, and other parameters relating to the user’s operating system and IT environment.
The Website may also use cookies, both session cookies (not stored on the user’s computer and deleted when the browser is closed) and persistent cookies, for the transmission of personal information and/or for tracking systems.
6. Source of personal data
The personal data processed by the Data Controller are collected directly by the Data Controller from the Customer/Data Subject at the time of and during browsing of the Website (or through other social/web applications of the Data Controller), or also through the Data Controller’s sales staff, at the time of or after signing the Contract, during performance of the Contract, or from public sources.
As noted above, the Data Controller, as processor appointed for this purpose, in order to perform obligations arising from the Contract, may store and/or process data (in particular browsing data), potentially including sensitive, genetic and biometric or judicial data, of third parties where the Customer/Data Subject acts as controller, collected with the consent of those third parties at the time of and during their browsing of the Website (or other related applications).
7. Legitimate interests
The legitimate interests of the Data Controller or third parties may constitute a valid legal basis for processing, provided the interests or fundamental rights and freedoms of the data subject do not override those interests. In general, such legitimate interests may exist where there is a relevant and appropriate relationship between the controller and the data subject, for example when the data subject is a customer. In particular, it is a legitimate interest of the Data Controller to process personal data of the Customer/Data Subject for fraud prevention, for direct marketing purposes, to ensure the free flow of data within the corporate group to which the Data Controller may belong, or relating to traffic in order to ensure network and information security, i.e., a network or system’s ability to resist unforeseen events or unlawful acts that may compromise the availability, authenticity, integrity and confidentiality of data.
8. Disclosure and transfer of personal data
(8a) Disclosure of personal data – categories of recipients
In addition to employees and collaborators of the Data Controller (who are authorized to process data on the basis of adequate written operating instructions to ensure confidentiality and security), certain processing operations may also be carried out by third parties to whom the Data Controller entrusts certain activities, or parts thereof, for the purposes in point (4a), both for contractual and legal obligations. These may include, by way of example (non-exhaustive): commercial and/or technical partners; banking and financial service providers; document archiving companies; debt collection companies; auditing and financial statement certification firms; rating companies; professional assistance and consultancy providers; customer care companies; factoring, securitization or other credit assignees; companies of the group to which the Data Controller may belong; commercial information providers; IT service companies. These parties process personal data as independent controllers and/or as processors for specific processing operations within the services they provide. The Data Controller provides processors with appropriate written operating instructions, particularly regarding minimum security measures.
Certain processing operations may also be carried out by third parties for the purposes in point (4b), including (non-exhaustively): commercial and/or technical partners; marketing service providers; advertising agencies; and entities providing assistance and consultancy regarding competitions and prize promotions. These parties also process data as independent controllers and/or as processors, with appropriate instructions from the Data Controller.
A list of processors used by the Data Controller is available upon written request to the Data Controller’s registered office and is subject to periodic updates.
Personal data may also be disclosed, upon request, to competent authorities, in compliance with mandatory legal obligations.
(8b) Transfer of personal data to third countries
The Customer/Data Subject’s personal data may also be transferred abroad, both to EU countries and to countries outside the EU. In the latter case, transfers occur either on the basis of an adequacy decision, or with appropriate safeguards provided for by the GDPR (in particular, standard contractual clauses approved by the European Commission), or, where applicable, relying on one or more GDPR derogations (in particular, the Customer/Data Subject’s explicit consent, or where necessary for performance of the Contract, or for the performance of a contract between the controller and another natural or legal person in the Customer/Data Subject’s interest, specifically for activities entrusted by the controller for performance of the Contract). For transfers outside the EU, the Customer/Data Subject may request, in writing to the Data Controller’s registered office, information about the safeguards or derogations that legitimize cross-border processing. In any event, for any request regarding data, including the exercise of GDPR rights, the Customer/Data Subject may always contact the Data Controller.
9. Criteria to determine the retention period of personal data
For the purposes in point (4a), the retention period coincides with the statutory limitation period for rights/obligations (legal, tax, etc.) arising from the Contract, generally 10 years, unless limitation is interrupted, which may effectively extend this period.
For the purposes in point (4b), the retention period ends upon withdrawal of consent by the Customer/Data Subject or, in the absence of withdrawal, after one year from the end of any relationship between the Data Controller and the Customer/Data Subject.
10. Rights of the Customer/Data Subject
The Data Controller recognizes and facilitates the exercise of all rights provided by the GDPR, including: the right to access personal data and obtain a copy (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20, where applicable), and the right to object (Arts. 21 and 22, including objection to marketing and to automated decision-making, including profiling, where it produces legal effects or similarly significant effects).
Where processing is based on consent, the Customer/Data Subject also has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. The Customer/Data Subject may unsubscribe at any time on the Website (or other applications) or by using the link included at the bottom of each commercial communication received, or by contacting the Data Controller at the contact details above.
The Data Controller also informs the Customer/Data Subject of the right to lodge a complaint with the Italian Data Protection Authority and to bring judicial remedies both against a decision of the Authority and against the Data Controller and/or a processor.
11. Security of systems and personal data
Taking into account the state of the art and implementation costs, as well as the nature, scope, context and purposes of processing, and the risk (likelihood and severity) for individuals’ rights and freedoms, the Data Controller adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes ensuring the confidentiality, integrity, availability and resilience of processing systems and services on an ongoing basis (including encryption where necessary), and the ability to restore availability of data promptly in the event of a physical or technical incident, as well as internal procedures to regularly test, verify and assess the effectiveness of the measures adopted.
When assessing the appropriate level of security, account is taken of risks arising in particular from destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
The Data Controller works to ensure that anyone acting under its authority and having access to personal data does not process such data unless instructed by the Data Controller.
That said, the Customer/Data Subject acknowledges and accepts that no security system can guarantee absolute protection; therefore, the Data Controller is not liable for acts or events of third parties who, despite adequate safeguards, unlawfully access systems without authorization.
12. Automated decision-making processes, including profiling
The Data Controller may carry out automated processing, including profiling, for the purposes in point (4b), to optimize the Website’s navigation (or the usability of other social/web applications) and to improve the purchasing experience, subject to the rights to object and withdraw consent described above.
“Profiling” means any form of automated processing of personal data used to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects such as personal preferences, interests or location, including to create profiles or homogeneous groups based on characteristics, interests or behavior.
The Data Controller does not carry out automated processing that produces legal effects concerning the Customer/Data Subject or similarly significantly affects the Customer/Data Subject, unless it is necessary for the conclusion or performance of the Contract, authorized by law, or based on the Customer/Data Subject’s explicit consent, always recognizing the Customer/Data Subject’s right to obtain human intervention, to express an opinion and to contest the decision.