Privacy Policy under Article 13 of Regulation (EU) 2016/679

2. WHO IS THE DATA CONTROLLER

The Data Controller for the information and data collected through the the Site is the Consorzio del Formaggio del Parmigiano Reggiano.

The identification details and contact information of the Consorzio del Formaggio Parmigiano Reggiano are as follows:

Consorzio del Formaggio Parmigiano Reggiano
Via Kennedy 18 – 42124 Reggio Emilia - Italia
Email: privacy@parmigianoreggiano.it
Tel number +39 0522-307741

The Consorzio del Formaggio del Parmigiano-Reggiano has appointed the Data Protection Officer (also referred to as the “DPO”), an independent and guarantee figure, as required by Article 37 of the GDPR, who cooperates with the Personal Data Protection Authority (Garante) and constitutes the point of contact, for data subjects, regarding issues connected with the processing of personal data.

The data subject may contact the DPO to exercise the rights provided for in Articles 15 to 22 of the GDPR, further illustrated in point 6 below, and for any issues they may encounter in the processing of their personal data, using the following email address: DPO@PARMIGIANOREGGIANO.IT

3. TYPES OF DATA PROCESSED, PURPOSES, LEGAL BASIS, RETENTION PERIOD

3.1 Browsing and Website Security

The information systems and software procedures used to operate this website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.

This category of data includes, for example, the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and IT environment.

This data, necessary for the use of web services, is also processed for the purpose of:

• Obtaining statistical information on the use of the services (most visited pages, number of visitors per hour or day, geographical areas of origin, etc.);
• Checking the correct functioning of the services offered.

The legal basis that legitimizes the above-described processing is:

• The fulfilment of the contract or, as the case may be, the execution of pre-contractual measures adopted upon request of the data subject (Article 6.1.b) of the GDPR), with reference to the processing of browsing data necessary to allow the user to access the Website and use the publicly available content;
• The legitimate interest of the Data Controller, pursuant to Article 6.1.f) of the GDPR, with reference to the processing carried out to ensure the security and integrity of the Website, prevent abuses or malfunctions, and obtain statistics on the use of the service;
• The user's consent, with reference to statistical purposes, which are pursued through the use of analytical cookies and, specifically, the Google Analytics (GA4) cookie, a service provided by Google LLC. For all details in this regard, please refer to our Cookie Policy and the Google Privacy Policy.

The provision of browsing data is necessary to allow consultation of the Website and occurs automatically during the use of Internet protocols. The processing based on the Data Controller's legitimate interest has been evaluated as proportionate and not detrimental to the rights of users, as it is aimed at ensuring the security of the Website and preventing abuses. The provision of data for statistical purposes, on the other hand, is optional, meaning there is no obligation for the data subject to provide the data in question. The user may withdraw the consent given at any time via the "Manage cookie preferences" link in the Website footer.

Browsing personal data will be processed for the time strictly necessary to guarantee the protection and correct provision of services.

3.2 Data Provided by the User

The optional, explicit, and voluntary sending of messages to the Data Controller's contact address, published in the Website footer, as well as private messages sent by users to the Data Controller's profiles/pages on social media (where this possibility is provided) involves the acquisition of the sender's contact data, necessary to reply, as well as all personal data included in the communications.

The legal basis that legitimizes the processing of these is Article 6.1.b) of the GDPR (execution of pre-contractual measures adopted at the request of the data subject or execution of a contract to which the data subject is a party). The provision of personal data is optional, meaning there is no obligation for the data subject to provide the data in question. However, in the absence of data essential to manage the request, it will not be possible to respond, in whole or in part, to the user's request, even if such request is submitted.

In the event that the request concerns the exercise of a right (e.g., data subject rights, as regulated by the GDPR, and for which see Article 6 below), since the processing of data is necessary to enable the Data Controller to fulfil a legal obligation and the user to exercise the rights granted to them by law, the legal basis is the fulfillment of a legal obligation and the provision of data is mandatory. Any refusal to provide the data for this purpose will result in the user's inability to exercise such rights.

For the purpose in question, personal data will be kept for a maximum period of 3 years from the last interaction with the user, depending on the type of request made. For example, requests for the exercise of data subject rights provided for by the GDPR fall within the maximum retention period.

Please note that any requests received through the user's Facebook, Instagram, or WhatsApp channels and residing on these platforms will follow the retention periods provided by the platforms themselves.

3.3 Exercise or Defense of a Right

The Data Controller may process personal data collected during browsing to ascertain, exercise, or defend its right in court, as well as in the event of disputes related to the use of the Website.

The processing is based on the legitimate interest of the Data Controller pursuant to Article 6, paragraph 1, letter f) of the GDPR. The legitimate interest of the Data Controller is to seek remedies to demonstrate that it has fulfilled its obligations to ensure the security and correct functioning of the Website, as well as to prevent and defend against fraudulent activities or abuses.

The user, however, has the right to object, at any time and for reasons connected with their particular situation, to the processing of personal data carried out for the purposes indicated above (i.e., defense of a right or judicial purposes), by contacting the Consorzio del Formaggio del Parmigiano Reggiano at the addresses indicated in Article 2 above.

For the purpose in question, personal data will be processed according to the provisions of the laws on limitation periods with reference to contractual and/or non-contractual offences.

4. RECIPIENTS OF PERSONAL DATA

The personal data indicated in this privacy notice may be communicated to third parties, who provide services to the Data Controller and are specifically designated by the latter pursuant to Article 28 of the GDPR, as well as to employees and/or collaborators of the Data Controller, properly authorized and instructed, pursuant to Article 29 of the GDPR. A list of recipient categories is provided below:

• Companies or consultants in charge of the installation and/or supply and, in general, the management of the hardware and software used by the Data Controller for the activities described in this notice;
• Natural and/or legal persons (legal, administrative, and tax consulting firms), if the communication is necessary or functional for the correct fulfillment of contractual obligations, as well as obligations deriving from the law or in the case of the assessment, exercise, or defense of a right.

Finally, personal data may also be processed by subjects acting as autonomous data controllers such as:

• Google LLC, as the provider of the analytical cookie G4. For all details in this regard, please refer to our Cookie Policy and the Google Privacy Policy.

The list of recipients of personal data is available from the Data Controller.

5. TRANSFER OF DATA TO THIRD COUNTRIES

Personal data are processed using IT tools for which L’Erbolario is a licensee or, in any case, by virtue of a specific contract. The providers of these tools and/or of the services provided through the Website are based in the European Union. However, the management and/or maintenance of IT tools and/or the provision of certain services may entail the need for personal data to be transferred outside the European Union. In this case, the transfer will take place according to one of the methods provided for by the current law such as, in particular: (i) the existence of an adequacy decision by the European Commission or (ii) the selection of subjects adhering to international programs for the free circulation of data (e.g., EU-US Data Privacy Framework), pursuant to Article 45, paragraph 3 of the GDPR, or (iii) the adoption of contractual clauses approved by the European Commission (the so-called "Standard Contractual Clauses"), pursuant to Article 46 of the GDPR.

Further information is available, upon request, from the Data Controller.

6. DATA SUBJECT'S RIGHTS

The data subject may exercise, at any time, the rights provided for in Articles 15 - 22 of the GDPR. In particular, the data subject has the right to:

• Request access to their personal data, rectification or erasure thereof, restriction of processing in the cases provided for by Article 18 of the GDPR;
• Obtain their data in a structured, commonly used, and machine-readable format in the cases provided for by Article 20 of the GDPR (so-called right to data portability);
• Withdraw any consent given, pursuant to Article 7 of the GDPR;
• Formulate a request to object to the data processing, pursuant to Article 21 of the GDPR, in which they highlight the reasons that justify the objection: the Data Controller reserves the right to evaluate the request, which would not be accepted if there are compelling legitimate grounds for processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

Requests to exercise the rights listed above must be sent to the Data Controller using one of the methods described below (or other methods provided in this notice):

• To the email address: DPO@PARMIGIANOREGGIANO.IT; or
• Via paper mail, to the addresses indicated in Article 2 above.

Requests for the exercise of data subject rights can also be addressed to the Data Protection Officer (“DPO”) at the address: dpo@erbolario.com .

The Data Controller will respond to the data subject's request without undue delay and, in any case, within one month of receiving the request. This period may be extended by two months, if necessary, taking into account the complexity and number of requests, after communicating the extension and the reasons for it to the data subject.

The data subject's right to lodge a complaint with the Italian Personal Data Protection Authority, pursuant to Article 77 of the GDPR, or to bring a judicial remedy, pursuant to Article 79 of the GDPR, remains unaffected, should they believe that the processing of their data is contrary to the provisions of the GDPR or current legislation.