Casato S.r.l. (Tax Code and VAT No. 04736421001), with registered office in Roma (RM), Italy – 00196, Via Pasquale Stanislao Mancini No 12, certified e-mail address amministrazione@pec.casatogioielli.com, in compliance with Article 13 of EU Regulation 2016/679 (“GDPR”) and in relation to personal data (“Data”) collected through the site https://casatogioielli.com/ (“Site”), hereby communicates the following.

1. Data Controller and Data Protection Officer
1.1.
The data controller is Casato S.r.l. (Tax code and VAT No. 04736421001), with registered office in Roma (RM), Italy – 00196, Via Pasquale Stanislao Mancini No 12, certified e-mail address amministrazione@pec.casatogioielli.com ("Data Controller").
1.2.
The Data Controller has not appointed a Data Protection Officer (“DPO”) and there are no legal requirements for the mandatory appointment of the DPO.

2. Types of Data subject to processing
- Navigation data, acquired by the computer systems and software used by the Website during normal operation, the transmission of which is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers used by users connecting to the Website, the date and time of access, the duration of the visit, the URI (Uniform Resource Identifier) addresses of the resources requested, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, failed, etc.) and other parameters relating to the operating system and computer environment.
- Data provided by the User (i) when purchasing one or more products, (ii) when registering on the Website and through its reserved area (iii) by sending specific requests and/or filling in the relevant forms. This category includes first name, last name, telephone number, e-mail address, home and shipping address, date of birth, gender, title and any additional information provided by the user through the above channels. Failure to provide such Data may result in the impossibility of (i) completing the purchase of one or more products and allowing their shipment, (ii) registering on the website and creating one's own reserved area, (iii) submitting requests and/or receiving feedback.

3. Purpose of the processing
3.1.
Navigation data shall be processed for the purpose of: 

• ensuring the technical operation of the Website and the use of its content;
• obtaining anonymous statistical information on the use of the Website.

The data provided by the user shall be processed in order to:

• process user requests and/or perform other pre-contractual activities;
• fulfil the obligations arising from the purchase;
• comply with any legal obligations imposed by the Data Controller (hereinafter collectively referred to as the "Primary Purposes").

3.2. The data provided by the user may also be processed for marketing purposes. The Data Controller may contact the User in order to provide them with commercial offers, information on news and promotions and to send them soft spam (hereinafter collectively referred to as "Marketing Purposes").

3.3. With the exception of the sending of soft spam, the processing of Data for Marketing Purposes is based on the user's consent, which the user is free to refuse. The sending of soft spam, on the other hand, does not require the user's consent but is based on the legitimate interest of the Controller. However, the user may at any time object to such processing by contacting the Controller at the addresses indicated in article 10 of this policy.

3.4.
With the User's consent, the Data provided by the user may be automated to evaluate interests, habits and purchasing preferences and to make choices/send personalised marketing communications ("Profiling Purposes").

4. Legal basis for the processing
4.1.
The Controller processes the Data lawfully where the processing:

• is necessary for the performance of a contract to which the user is a party or for the performance of pre-contractual activities;
• is necessary to pursue the Controller's legitimate interest in relation to sending soft spam;
• is necessary to fulfil a legal obligation of the Controller;
• is based on the consent given by the User, with reference to activities related to Marketing Purposes and Profiling Purposes.

4.2. The explicit consent of the user is not required when the processing concerns the preparation and performance of activities related to the Primary Purposes.

5. Methods of processing
The data shall be processed by computer and electronic means and on paper, in accordance with the principles of fairness, lawfulness, transparency and the protection of confidentiality. Appropriate security measures shall also be taken to prevent unauthorised access, disclosure, modification or destruction of such Data. The Data can also be processed through the use of cloud management software.

6. Storage
6.1.
Data processed for Primary Purposes shall be kept for as long as is necessary to achieve those purposes. More specifically:

  • Navigation Data shall be processed for a maximum period of 24 months;
  • The Data collected as a result of requests sent by the user shall be stored for as long as necessary to provide feedback;
  • The Data collected during registration to the website and the creation of a reserved area shall be processed for as long as the user wishes to maintain registration;
  • The Data collected in connection with purchases made by the user shall be stored for the time necessary to fulfil the contractual obligations and thereafter until the legal deadlines for exercising the rights deriving therefrom have been met.

According to Article 13 paragraph 2, letter a) of the GDPR, in cases where the Controller cannot precisely determine the length of time for which the Data will be stored, the Controller undertakes in any event to base the processing on the principles of adequacy, relevance and minimisation and to periodically assess the need for storage. 

6.2. Data processed for Marketing Purposes, collected on the basis of the user's consent, shall be stored until the consent is withdrawn, and in any case for a maximum period of 24 months.

6.3. Data processed for the purpose of sending soft spam, collected on the basis of the legitimate interest of the controller, shall be stored until the user objects to such processing.

6.4. Data processed for Profiling Purposes, collected on the basis of the user's consent, shall be stored until the consent is withdrawn, and in any case for a maximum period of 12 months.

6.5. Data may be stored for a longer period if this is necessary to comply with legal obligations or to establish, exercise or defend legal claims.

7. Communication of Data
7.1.
The data may be communicated to:

  a) external professionals, third party companies or other subjects providing services functional to the achievement of the Primary Purposes, Marketing Purposes and Profiling Purposes, who - if the legal conditions are met - are appointed as external data processors;
  b) external professionals, third party companies or other subjects that provide services functional to the achievement of the Primary Purposes, Marketing Purposes and Profiling Purposes, who - if the legal conditions are met - are considered to be independent data processors;
  c) employees, collaborators and coadjutors of the Controller in their capacity as data processors and/or internal data processors and/or system administrators;
  d) persons who process the Data in accordance with specific legal obligations.

7.2. The Controller may communicate the Data to a company specialising in the management of addresses and the sending of e-mails.

7.3. Payment processing services allow the Controller to process payments by credit card, bank transfer or other means. The data used for the payment are acquired directly by the operator of the requested payment service without being processed in any way by the Controller. Some of these services may also allow scheduled messages to be sent to the user, such as e-mails containing invoices or notifications regarding payment.

8. Transfer
8.1.
The Data shall be stored on servers located at the Controller's headquarters, as well as on web/cloud platforms and in any other place where the parties involved in the processing are located. 

8.2. Without prejudice to communications and disclosures made to comply with legal obligations, the Data may be transferred abroad for the above Primary Purposes, Marketing Purposes and/or Profiling Purposes.

8.3. Where Data are transferred to a third country or international organisation, the Controller shall take appropriate measures to ensure adequate data protection, in accordance with applicable legal requirements. 

9. Rights of the data subject
The rights of the data subject under the GDPR include:

• obtaining from the Controller the access to their data and to the information concerning them; the rectification of inaccurate data or the completion of incomplete data; the erasure of their data (upon the occurrence of one of the conditions indicated in art. 17, paragraph 1 of the GDPR and in compliance with the exceptions provided for in paragraph 3 of the same article); the restriction of the processing of their Data (upon the occurrence of one of the events indicated in art. 18, paragraph 1 of the GDPR);
• requesting and obtaining from the Controller - where the legal basis of the processing is the contract or consent and the processing is carried out by automated means - their data in a structured and machine-readable format, also for the purpose of communicating such data to another data controller (so-called right to data portability);
• objecting, at any time, to the processing of their data upon the occurrence of special situations concerning them;
• withdrawing consent at any time, limited to cases where processing is based on consent for one or more specific purposes and concerns common personal data or certain categories of data. However, processing based on consent and carried out prior to the withdrawal shall remain lawful;
• lodging a complaint with a supervisory authority (Authority for the Protection of Personal Data – www.garanteprivacy.it).

10. Exercising a right
The user may exercise their rights at any time by sending:
- a registered letter with return receipt to the address: Roma (RM) – 00196, Via Pasquale Stanislao Mancini No. 12
- an e-mail to the certified e-mail address: amministrazione@pec.casatogioielli.com