Privacy and Personal Data Protection Information

This information is provided, in compliance with Articles 13 and 14 of EU Regulation 679/2016 (hereinafter “Regulation“), to users (hereinafter “Users” or “User“) of the website in desktop and mobile version bracio.it, (hereinafter “Site“) owned by Bracioleria S.r.l., Data Controller (hereinafter “Controller“) and aims to describe how the Site is managed with reference to the processing of personal data, as well as to allow Site Users to know the purposes and methods of processing personal data by the Controller in case of their provision.

The services offered by the Controller are intended for people over 18 years of age. If the Controller becomes aware of the processing of data of minors under 18 years of age without valid consent from parents or a legal guardian, it reserves the right to unilaterally terminate the use of the service offered and to delete the acquired data.

Principles Applicable to Personal Data Processing

The Controller, pursuant to and for the effects of the Regulation, makes it known that the aforementioned legislation provides for the protection of natural persons with regard to the processing of personal data, and that such processing will be based on principles of correctness, lawfulness, transparency and protection of confidentiality and fundamental rights.

Type of Users

In relation to the use of the Site, the following type of Users is identified:

Simple Users are private individuals – natural persons or legal entities – and are defined as such for the use of the site with the objective of searching for information and making reservations. Simple Users can access some services (e.g., enjoying Bracio’s culinary offering) anonymously, while for other services (e.g., table reservation) it is necessary to enter their data in the reservation form.

Purposes, Legal Basis of Processing and Optional Nature of Data Provision

The personal data provided by Users through the use of the Site will be processed with their consent, for the purposes described below:

A. Service provision for Simple Users:

1. In order to provide some services such as a reservation request, it is necessary for the User to enter some of their data. The data necessary for the reservation are limited to the provision of:

• • • Name
    • Surname
    • Email address
    • Phone number

B. Informational, promotional, and profiling activities:

In order to allow the User to obtain information on ongoing promotions, as well as advertising information, the User can join the Informational and promotional activities service to receive informational, promotional, and marketing communications based, in some cases, on the activity carried out on the Site.

It is possible not to register for the above communications by not selecting the following items, present in the reservation form of each Simple User:

1. • “Yes thanks, I want to receive gifts, previews, and exclusive news from you, I gladly accept the Marketing Conditions”.

The Controller may thus carry out analysis activities of the interests, habits, and choices of Users, also in order to be able to send them personalized promotional material on the services offered.

The processing of data for the purposes referred to in letters A and B finds its legal basis in Article 6 (a) of the Regulation ([…] the data subject has given consent to the processing of their personal data for one or more specific purposes).

The provision of data for the purposes referred to in letters A and B is optional, but any refusal by the User will make it impossible for the Controller to fulfill the requests or provide the services covered by the above letters.

In the case referred to in letter A (II), failure to provide will not compromise the provision of the service provided therein.

In particular, in the case of letter A (I), failure to provide the data necessary for the registration of the User’s reservation will make it impossible to provide the services referred to in the subsequent letter B.

Methods of Processing and Storage of Personal Data

The Controller ensures that personal data are processed in full compliance with the Regulation, through manual, computer, or telematic systems. Processing may also be carried out through automated tools designed to store, manage, and transmit the data.
The data collected and processed will be protected with physical and logical methodologies such as to minimize the risks of unauthorized access, dissemination, loss, and destruction of data, pursuant to Articles 25 and 32 of the Regulation.

The processing of data will have a duration not exceeding what is necessary to satisfy the purposes for which they were collected, such as the storage of search criteria, notification, and publication of announcements.

Pursuant to Article 7 paragraph 3 of the Regulation, the data subject has the right to obtain the withdrawal of consent to processing at any time.

If the Controller does not receive a request for cancellation, personal data will be kept for a term not exceeding 10 (ten) years, starting from the date of the User’s last access to the Site.

Recipients of Personal Data

The personal data collected may be processed by subjects or categories of subjects who act as Data Processors pursuant to Article 28 of the Regulation or who are authorized to process data pursuant to Article 29 of the Regulation.

In addition, for some services, the data may be communicated to companies that collaborate with or use the Controller’s services (for example, companies that own reservation management software and cash register systems), with the sole intent of providing the services requested by the User. In these cases, the companies are independent controllers, therefore the Controller is not responsible for the processing of data by them. The Controller is also not responsible for the content and compliance with the regulations on the protection of personal data by sites not managed by the Controller.

Outside of the above cases, personal data will not be communicated except to subjects, entities, and Authorities to whom communication is mandatory by law or regulation.

Transfer of Data to a Third Country or an International Organization

Personal data collected through the Site may be transferred outside the national territory, only and exclusively for the execution of services requested through the Site and in compliance with the specific provisions provided for by the Regulation.

Some personal data may be shared with recipients located outside the European Economic Area. The Controller ensures that the processing of personal data by these recipients takes place in compliance with the Regulation.

Collection of Browsing Data

The computer systems and technical and software procedures underlying the operation of the Site acquire, during their normal operation, some personal data whose transmission is implicit in the access and operation mechanisms and protocols in use on the Internet.

Every time the User connects to the Site and every time they recall or request content, the access data are stored in our systems, in the form of tabular or linear data files.

This category of data includes, for example, IP addresses, domain names of computers used by users who connect to the Site, the request by the User’s browser, in the form of addresses in URI (Uniform Resource Identifier) notation, the date and time of the request to the server, the method used in submitting the request to the server, the amount of data transmitted, the numerical code indicating the status of the response given by the server and other parameters relating to the operating system and the IT environment of the User.

These data may be used by the Controller for the sole purpose of obtaining anonymous statistical information on the use of the Site in order to identify the pages preferred by Users and thus provide increasingly adequate content and to control its correct functioning. Upon request by the Authority, the data could be used to ascertain responsibility in case of hypothetical computer crimes against the Site or its Users.

Information on Cookies, Search Engines, and Location Data

Cookies are intended to speed up the analysis of Internet traffic, facilitate Users’ access to the services offered by the Site and provide useful and relevant advertising to visitors. With the use of cookies, no personal data is transmitted or acquired and no User tracking systems are used. If you do not wish the information you provide to be collected through the use of cookies, the User can implement a simple procedure in their browser that allows them to refuse the cookie function.

The information present on the Site may be made available to third-party search engines as the Site allows the indexing of its contents by third-party engines.

In case some pages have already been removed from the Site, it is possible that the cache copy may remain among the search results for a few days. The search results are not managed by the Site, but the User can report the removal of the page and request the update of the cache copy directly to the search engine itself.

When using the Site with the location detection function active, the Site may collect and process information about the User’s current position. These data are processed anonymously, in a format that does not allow the User to be personally identified, and used only to facilitate the use of some functions of the Site based on position. Location services can be activated or deactivated by the User at any time by accessing the settings of their device.

For more information, please view the Use of Cookies page.

Rights of the Data Subject

Pursuant to articles 15 to 22 of the Regulation, the User, as a data subject, has the right to exercise specific rights concerning their Personal Data. In particular, the Data Subject has the right to obtain:

1. confirmation of whether or not personal data concerning them exists, even if not yet recorded, in a concise, transparent, intelligible, and easily accessible form, with simple and clear language;
2. indication of:
   1. the origin of the personal data;
   2. the purposes and methods of processing;
   3. the legitimate interests pursued by the Controller or by third parties;
   4. the recipients or categories of recipients of the personal data;
   5. the Controller’s intention to transfer personal data to a third country or to an international organization;
   6. the period of storage of personal data;
   7. the logic applied, as well as the importance and expected consequences of such processing for the data subject, in case of processing carried out with the aid of electronic tools as part of an automatic process of collection and/or profiling;
   8. the identification details of the Controller, the Processors, the designated Representative, and the Data Protection Officer (DPO);
   9. the subjects or categories of subjects to whom the personal data may be communicated or who can become aware of it as designated representative in the territory of the State, processors, or persons in charge;
3. the possibility of lodging a complaint with a supervisory Authority;
4. the updating, rectification or, when interested, integration of data;
5. the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
6. the limitation of processing;
7. the portability of personal data concerning them to another Data Controller;
8. the revocation of processing;
9. the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case where such fulfillment proves impossible or involves the use of means manifestly disproportionate to the protected right;
10. opposition, in whole or in part, for legitimate reasons, to the processing of personal data concerning them, even if pertinent to the purpose of collection.

Data Controller and Data Protection Officer

To exercise the rights in the previous point, the data subject may contact the Controller at any time for any communications regarding the processing of their Personal Data by sending a communication to the contacts listed below:

The Data Controller:

Bracioleria S.r.l. via Antonio Fogazzaro n. 9, 20135 Milan

Email: info@bracio.it

Changes

This information may be subject to changes. If substantial changes are made to the use of User data by Bracioleria S.r.l., it will notify the User by publishing them with maximum evidence on its pages.