Full notice pursuant to Articles 12 and 13 of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) relative to the protection of personal data of Site users
Swiss Chamber – Camera di Commercio Svizzera in Italia (Schweizerische Handelskammer in Italien) is committed to protecting and respecting the personal data collected in the scope of its institutional activities.
The purpose of this notice is to describe the methods for managing the website at www.swisschamber.it (the “Site”) in relation to the processing of the personal data of users who visit it and use its services and functions (the “User”), in accordance with the provisions of Articles 12, 13 and, where applicable, 14 of the GDPR.
This notice does not apply to other sites that the User may visit via links provided on its Site.
1. Data Controller
The Data Controller is Swiss Chamber – Camera di Commercio Svizzera in Italia (Schweizerische Handelskammer in Italien), with registered office at Via Palestro 2, 20121, Milan, telephone +39 02 7632031 and email segreteria@swisschamber.it (the “Controller” or “Swiss Chamber”).
Since the Controller is established in Italy, no representative has been named.
2. Type of personal data processed
2.1 Browsing data and environmental variables
The computer systems and procedures used to run the Site automatically acquire, in the course of their normal operation, some personal data relating to the user’s browsing history, including environmental variables. This category of data includes, but is not limited to:
The IP addresses of the computers used by service users;
- The number of visits
- The pages viewed
- The date and time of the visit
- The URL where the browser was before viewing our page
- The browser used
- The operating system used
Except as specified below and in the Cookie Policy (as defined below) regarding automatic browsing data, simply visiting the Site and its sections does not entail the processing of the User’s personal data.
The rules, purposes and methods for the processing of the User’s personal data collected or processed using cookies and other tracking tools – in compliance with the GDPR, Article 10 of Directive no. 95/46/EC and Directive 2002/58/EC, as updated by Directive 2009/136/EC, as regards cookies, as well as in accordance with Article 122 of the Italian Privacy Code and the “Guidelines for cookies and other tracking tools” adopted by the Italian Data Protection Authority on 10 June 2021 – are defined in detail in the “Cookie Policy” available on the Site at the following URL: https://www.swisschamber.it/cookie-policy (the “Cookie Policy”).
2.2 Personal data voluntarily provided by the User
Without prejudice to the provisions of para. 2.1 and in the Cookie Policy, the Controller only acquires and processes personal data that Users explicitly and voluntarily provide by:
- sending an email or letter to the addresses indicated on the Site;
- emailing their CV or other documents to info@swisschamber.it;
- filling in the form published on the Site under the header “Do you have any questions or need more information?” (the “Form”);
- subscribing to the newsletter in the appropriate section of the Site in the box “Stay up-to-date Subscribe to our newsletter”;
- filling in the form published on the Site at https://www.swisschamber.it/location/spazio-eventi/ and https://www.swisschamber.it/location/swiss-corner/
- sending a hard copy of the subscription form which can be downloaded at https://www.swisschamber.it/wp-content/uploads/2013/03/Domanda-associazione-Italia.pdf
The personal information that Users provide on such occasions may involve the Controller collecting their general personal data, such as email addresses, first and last names, home address or place of residence, telephone or mobile phone numbers or other personal data voluntarily provided by Users in their CV or request.
In particular, within the scope of ordinary or electronic correspondence or if a Customer submits a request to the Controller using the Form, in addition to the email address necessary for a reply, any other personal data contained in the correspondence will be processed. In this case, the data collected in this way will be stored and processed solely for the purpose of retaining correspondence and will not be used for any other purpose.
Newsletter subscription
The Site allows Users to subscribe to the newsletter that the Controller periodically prepares and sends, by entering their email address in the box “Stay up-to-date Subscribe to our newsletter” after accepting this notice.
In the newsletter subscription process, the User’s email address is the only data collected by the Site and the Controller.
To provide the newsletter service, the Controller will upload each User’s email address to the email marketing platforms of third-party partners based in the EU.
Sending requests using the Form
The User’s personal data collected via the Form are:
- First and last name
- Email address
- Any other personal data that Users include in the “How may we help you” section,
No special categories of personal data will be processed pursuant to Article 9 of the GDPR. If received, any such data will be deleted. Therefore, Users are asked to avoid including data that fall into special categories, including sensitive or highly sensitive personal data (e.g. data relating to one’s state of health), in the correspondence sent to the Controller using the Form.
Swiss Chamber membership application form
Users may download the membership application form – Swiss Chamber on the Site at https://www.swisschamber.it/chi-siamo/soci/ in order to join.
The only way to join is by duly completing the form and sending a copy to postal addresses indicated therein.
The membership application form may not be submitted on the Site.
The notice regarding the processing of the applicants’ personal data is given at the bottom of the application form.
3. Principles of processing
In accordance with the requirements of the GDPR, the Controller works continuously to ensure that personal data are:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; all reasonable steps must be taken to delete or rectify in a timely manner data that are inaccurate in relation to the purposes for which they are processed (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The Controller implements appropriate technical and organisational measures to secure personal data by design and to ensure that, by default, only the data necessary for each specific processing purpose are processed.
This privacy policy is subject to change, in line with developments in the reference legislation and the technical and organisational measures that the Controller implements over time.
4. Processing methods
4.1 Types of cookies and tracking tools used
As better described in the Cookie Policy, the Site uses technical, statistics and non-technical (or profiling) cookies according to the definitions in the “Cookie Guidelines and other tracking tools” adopted by the Data Protection Authority on 10 June 2021, in order to ensure the proper functioning and optimise the performance of the Site, as well as for performance analysis and evaluation purposes as better described under paragraph 5.
Cookies are strings of text that the websites ( “publishers”, or “first parties”) visited by the user or other sites or web servers ( “third parties”) install and store – directly, in the case of publishers, and indirectly, i.e. through publishers, in the case of “third parties” – on a terminal device available to the same user.
The main types of cookies that this Site uses are:
- technical cookies, i.e. cookies used for the sole purpose of ‘sending a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contracting party or user to provide such service’ (see Article 122(1) of the Privacy Code). Technical cookies are necessary and help to make a website usable by enabling basic functions such as page navigation and access to protected areas of the site. The Site cannot function properly without these cookies.
- statistics cookies, i.e. cookies that collect information, in aggregate form, on the Site Users. They are similar to technical cookies provided that: (i) they are only used to produce aggregate statistics and in relation to a single website or mobile application only; (ii) at least the fourth component of the IP address is concealed for third-party cookies; (iii) third parties refrain from combining analytics cookies, which are therefore minimised, with other types of processing (customer files or statistics of visits to other sites, for example) or from sharing them with other third parties (although third parties may produce statistics with data relating to multiple domains, websites or apps attributable to the same publisher or business group). However, the Controller retains the right to carry out, on its own behalf, simple statistical processing of data relating to the Site and to multiple domains, websites and apps attributable to it, even using unencrypted data, as long as the purpose limitation requirement is met;
- profiling (or non-technical) cookies, i.e. cookies used to link specific actions or recurring habits in the use of the functions offered (patterns) to specific identified or identifiable subjects, in order to group the different profiles into clusters of different sizes, making it possible to tailor the provision of the service in an even more personalised way and to send targeted advertising, in line with the preferences shown by the user while browsing the web.
The detailed list of cookies and other tracking tools used by the Site, the type of data processed and their characteristics and purposes are detailed in the Cookie Policy.
Since cookies are normal text files, they can be accessed using word processing programmes. However, you can configure your browser to prevent it from processing cookies and delete or desable cookies by visiting the following web pages:
- Google Chrome: https://support.google.com/chrome/answer/95647?hl=it;
- Mozilla Firefox: https://support.mozilla.org/it/kb/protezione-antitracciamento-avanzata-firefox-desktop;
- Internet Explorer: https://support.microsoft.com/it-it/windows/eliminare-e-gestire-i-cookie-168dab11-0753-043d-7c16-ede5947fc64d
- Safari: https://support.apple.com/it-it/guide/safari/sfri11471/mac
4.2 Method of processing data voluntarily provided by Users
Users’ personal data are processed both manually and automatically using analogue, digital, telematic and electronic tools, according to logics strictly related to the purposes indicated in this notice and in the Cookie Policy and, in any case, in such a way as to ensure the security and confidentiality of such data.
5. Purpose and legal basis of processing. Optional nature of consent and consequences of non-consent
5.1 Purpose of processing and legal basis for processing
In relation to technical cookies and browsing data, the User’s personal data are processed so the Site can be properly used. These cookies are necessary to browse the Site and for it to function perfectly. In this case, the legal basis of the processing is the Controller’s legitimate interest and no prior consent from the User is necessary.
The processing of personal data by means of non-technical cookies makes it possible to personalise the browsing experience and to collect information on how Users use the Site in order to carry out statistical analyses, on an aggregate basis, on the number of users and how they browse the Site. In the case of the latter, the exclusive legal basis is the User’s express consent given in accordance with the Cookie Policy. Consent is optional and failure to provide it will prevent the processing of the relevant personal data and will only prevent the Controller from providing a personalised service. In this case, Users may browse the Site and use its services.
The processing of the personal data voluntarily provided by email makes it possible to respond to requests from Users. The legal basis of the processing is the Controller’s legitimate interest in responding to the data subjects and no prior consent from the User is necessary.
The personal data voluntarily provided by Users via the Form is processed on the basis of acceptance of this notice. The legal basis of the processing is the Controller’s legitimate interest in responding to the data subjects’ requests via the Form and no prior consent from the User is necessary.
The User’s free, express and informed consent constitutes the legal basis for subscription to the newsletter. It is given in the special section of the Site “Subscribe to our newsletter” and entails processing the User’s personal data in accordance with this Privacy Policy.
The legitimate interests of the Controller or third parties may constitute a valid legal basis for the processing, provided that the interests or fundamental rights and freedoms of the data subject do not prevail. In general, such legitimate interests may exist when there is a relevant and appropriate relationship between the Controller and the data subject, for instance when the data subject is the Controller’s customer.
5.2 Methods of obtaining consent
Consent to the processing of personal data by means of non-technical cookies must be expressed
- by clicking, in the specific banner on the Site, either on (i) the “Accept All” button, or (ii) the “Accept Selected” button after having selected the “Statistics and Analysis” option in the list.
By merely scrolling or browsing the Site, you do not give your consent to the use and installation of tracking tools, with the sole exception of technical cookies.
Consent to the processing of personal data necessary to subscribe and subsequently receive the Swiss Chamber newsletter, for promotional and marketing purposes, must be given:
- by clicking on the appropriate box in the “Stay up-to-date Subscribe to our newsletter”.
6. Source of personal data
Without prejudice to the provisions of the Cookie Policy, only data provided by the User in accordance with this notice, collected on the Site or by sending an email or filling in the Form by the User, will be processed.
Data from publicly accessible sources will not be processed.
7. Transfer of personal data to third parties
The Controller may transfer personal data subject to Processing for the above-mentioned purposes:
- to those within the Controller’s organisation who need it as a result of their duties. These persons are the persons authorised to process the data under the direct authority of the Controller pursuant to Article 4(10) of EU Regulation 2016/679 (“Processors”);
- to subsidiaries or parent companies pursuant to Article 2359 of the Code that are authorised to process them for internal administrative purposes;
- to third parties to which the Controller may outsource certain activities and which consequently provide the Controller with certain instrumental services that are in any case related to the processing and the purposes described above, such as administrative services, Site hosting services, communications companies that perform communication activities on the Controller’s behalf, companies offering information society services and communication society service providers. These third parties carry out processing on behalf of the Controller and are authorised to process the data as processors pursuant to Article 28 of the GDPR.
Except as specified below, the transfer of personal data to such parties in a third country or to an international organisation, is carried out subject to an adequacy decision of the European Commission, which has verified that the third country, the territory or one or more specific sectors within the third country or the international organisation in question ensure an adequate level of protection of the rights of data subjects. In any event, the Controller – where it deems it appropriate – reserves the right to conclude specific separate agreements obliging such parties to adopt adequate security measures, including organisational measures, aimed at offering appropriate safeguards with regard to its rights.
The data may thus be transferred to the following countries: European Union and Switzerland. To obtain a copy of these data or the place where they were transferred, simply send your request to: segreteria@swisschamber.it.
However, as better described in the Cookie Policy, the Site uses, subject to the User’s express consent, Google Analytics analysis and performance cookies, which entail the transfer of data to the United States.
Under current EU law, the United States is a third country that does not provide an adequate level of protection under Article 45 of the GDPR and does not offer a similar level of data protection and protection of data subjects’ rights as within the EU. In particular, data, including personal data, collected by Google and regarding data subjects residing in the EU territory will be accessible by the Federal Public Security Agencies of the US Government.
By expressly consenting to the installation of non-technical cookies in the manner set out in the Cookie Policy, the User expressly accepts and authorises the transfer of personal data collected by Google Analytics’ non-technical cookies to the United States in accordance with Art. 49, para. 1(a) of the GDPR.
8. Personal data retention period
Unless otherwise provided for in the Cookie Policy, personal data processed and retained for all the purposes set out in this notice shall be processed and retained for a period not exceeding 24 months from the date of individual collection.
However, the Controller reserves the right to ask the data subject to renew their consent to the processing and/or to verify the previously granted consent.
9. Rights of the data subject
Pursuant to Article 7 of the Privacy Code and Articles 15 et seq. of the GDPR, the Controller wishes to inform the User of the existence of the following rights:
- Data subject’s right of access: The data subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the specific information, in accordance with Article 15 of the GDPR;
- Right to rectification: The data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement, in accordance with Article 16 of the GDPR.
- Right to erasure, including the right to withdraw consent: The data subject has the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller has the obligation to erase personal data without undue delay. Furthermore, the data subject has the right to withdraw consent if the conditions indicated in Article 17 of the GDPR apply. In this case, the right to withdraw consent may be exercised at any time without prejudice to the lawfulness of processing based on consent up until that time;
- Right to restriction of processing: The data subject shall have the right to obtain from the Controller the restriction of processing in the circumstances defined by Article 18 of the GDPR;
- Right to data portability: the data subject has the right to receive in a structured, commonly used and machine-readable format the personal data concerning him or her provided to the Controller and has the right to transmit such data to another data controller without hindrance from the Controller in the cases and under the conditions specified by Article 20 of the GDPR.
10. Exercise of rights
Requests to exercise the rights set out in this notice should be sent directly to the Controller at the following email address: segreteria@swisschamber.it.
Alternatively, you can exercise your rights by sending a registered letter with notice of receipt to Swiss Chamber – Camera di Commercio Svizzera in Italia, Via Palestro, 2 20121 Milan.
11. Accessibility of the notice
The notice is accessible at www.swisschamber.it and at the Controller’s registered office.