We are very pleased that you have shown interest in our company. Data protection is a particularly high priority for B.M.D. SRL. The Internet pages of B.M.D. SRL can be used without any indication of personal data; however, if the person concerned wants to use our business services, including through our website, the processing of personal data may be required. If the processing of personal data is necessary and there is no legal basis for such processing, B.M.D. SRL generally obtains the consent of the person concerned.

The processing of personal data, such as the name, address, e-mail address or telephone number of the person concerned, always complies with the General Data Protection Regulation (GDPR) and the specific national data protection regulations applicable to B.M.D. SRL. With this data protection policy, our company wishes to inform the public about the nature, scope and purpose of the personal data we collect, use and process. Moreover, the interested parties are informed, by means of this information on data protection, of the rights to which they are entitled.

As data controller, B.M.D. SRL has implemented numerous technical and organisational measures to ensure the fullest protection of personal data processed through this website. However, data transmissions via the Internet may in principle have security gaps, so it is not possible to guarantee absolute protection. For this reason, any interested party is free to transfer his or her personal data to us by alternative means, for example by telephone.

1. Definitions

B.M.D. SRL’s data protection policy is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection policy must be legible and comprehensible to the general public as well as to our customers and business partners. To this end, we prefer to first illustrate the terminology used.

In this data protection statement we use, among other things, the following terms:

a) Personal data

Personal data shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity.

b) Data subject

“Data subject” means any identified or identifiable natural person whose personal data are processed by the controller.

c) Processing

Processing shall mean any operation or set of operations performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction.

d) Limitation of processing

Limitation of processing is the marking of personal data stored with the aim of limiting the processing in the future.

e) Profiling

“Profiling” shall mean any form of automated processing of personal data consisting in the use of such personal data for the purpose of evaluating certain personal aspects relating to a natural person, in particular for the purpose of analysing or predicting aspects of that natural person’s occupational performance, economic situation, health, personal preferences, interests, reliability, conduct, location or travel.

f) Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organisational measures to ensure that such personal data are not attributed to an identified or identifiable natural person.

g) Owner or controller

The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to his designation may be determined by Union or Member State law.

h) Processor

The processor is the natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller.

i) Recipient

The recipient is the natural or legal person, public authority, agency or other body receiving the communication of personal data, whether or not it is a third party. However, public authorities which may receive communication of personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by such public authorities shall comply with the applicable data protection rules for the purposes of the processing.

j) Third party

“Third party” means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and persons authorised to process personal data under the direct authority of the controller or the processor.

k) Consent

The consent of the data subject is any free, specific, informed and unequivocal expression of the data subject’s will, with which the data subject gives his or her consent, by means of a declaration or unequivocal positive action, that the personal data relating to him or her be processed.

2. Name and address of the holder

The holder for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union and other data protection provisions is:

B.M.D. SRL

Via Quintino Sella, 19

84043 Agropoli (SA)

Italy

Telephone: +39 335 65 00 264

Email: info@caffecostablu.it

Website: www.caffecostablu.it

3. Name and address of Data Protection Officer

The Data Protection Officer of the owner is:

Francesco Mandetta
c/o B.M.D. SRL

Via Quintino Sella, 19

84043 Agropoli (SA)

Italy

Telephone: +39 335 65 00 264

Email: francesco.mandetta@caffecostablu.it

Website: www.caffecostablu.it

Any interested party may, at any time, contact our Data Protection Officer directly with any questions or suggestions regarding data protection.

4. Collection of data and general information

The website of B.M.D. SRL collects a series of data and information of a general nature when an interested party or an automated system accesses it. This data and general information is stored in the log files of the server. We may collect (1) the types and versions of browsers used, (2) the operating system used by the access system, (3) the website from which an access system reaches our website (the so-called referrers), (4) the sub-sites, (5) the date and time of access to the website, (6) an IP address (Internet Protocol Address), (7) the Internet service provider of the access system and (8) any other similar data and information that may be used in the event of attacks on our computer systems.

B.M.D. SRL does not draw any conclusions from the use of this general data and information. Rather, this information is necessary to (1) provide the content of our website correctly, (2) optimize the content of our website as well as its advertising, (3) ensure the long-term usability of our computer systems and website technology, and (4) provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack. Therefore, B.M.D. SRL statistically analyzes the data and information collected anonymously, with the aim of increasing the protection and security of data of our company and to ensure an optimal level of protection of the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by the person concerned.

5. Periodic deletion and blocking of personal data

If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.

The controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of retention, or to the extent permitted by the European legislator or other legislators in laws or regulations to which the controller is subject.

If the purpose of storage is not applicable, or if a retention period prescribed by the European legislator or another competent legislator expires, personal data are regularly blocked or deleted in accordance with legal requirements.

6. Rights of the data subject

a) Right of confirmation

Every data subject has the right, conferred by the European legislator, to obtain from the controller confirmation as to whether or not personal data concerning him exist. If the data subject wishes to exercise this right of confirmation, he or she may at any time contact any employee of the controller.

b) Right of access

Every data subject has the right, conferred by the European legislator, to obtain at any time from the controller free information on his or her stored personal data and a copy of that information. European directives and regulations also guarantee the data subject access to the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the period for retention of personal data or, if this is not possible, the criteria applied to determine such period;
  • the existence of the right to request the data controller to rectify or erase personal data or to limit the processing of personal data concerning him, or to object to such processing;
  • the existence of the right to lodge a complaint with a supervisory authority;
  • in the event that personal data are not collected from the person concerned, any information available about their source;
  • the existence of an automated decision-making process, including profiling, as referred to in Article 22(1) and (4) of the GDPR and, at least in such cases, significant information on the underlying logic, as well as the importance and expected consequences of such processing for the data subject.
The data subject shall also have the right to obtain information on the transfer of personal data to a third country or an international organisation. In such a case, the data subject shall have the right to be informed of the appropriate safeguards implemented in the context of the transfer.

If the data subject wishes to make use of this right of access, he or she may at any time contact an employee of the controller.

c) Right of rectification

Every data subject has the right, conferred by the European legislature, to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him. In view of the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by submitting a supplementary declaration.

If a data subject wishes to exercise this right of rectification, he or she may at any time contact an employee of the data controller.

d) Right to erasure (right to be forgotten)

Every data subject has the right, conferred by the European legislator, to obtain from the controller the erasure of personal data relating to him or her without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds exists, provided that the processing is not necessary:

  • personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • the data subject revokes the consent underlying the processing pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR and if there are no other legitimate reasons for the processing.
  • the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or objects to the processing pursuant to Article 21(2) of the GDPR.
  • the personal data were processed unlawfully.
  • personal data must be erased in order to comply with a legal obligation under Community law or the law of a Member State to which the controller is subject.
  • personal data have been collected in connection with the provision of information society services referred to in Article 8(1) of the GDPR.
If one of the reasons listed above applies and the person concerned wishes to request the deletion of personal data stored by B.M.D. SRL, he or she may at any time contact an employee of the data controller. Employees of B.M.D. SRL must ensure that the request for cancellation is met immediately.

If the data controller has disclosed personal data and is required to provide for its cancellation pursuant to the provisions of Article 17, paragraph 1, then, taking into account the technologies available to it and the costs of implementation, the data controller is required to do what is deemed necessary, including the adoption of technical measures, to inform other data controllers about the request for cancellation submitted by the person concerned relating to links to, copies or duplications of personal data, to the extent that such processing is not necessary. The employees of B.M.D. SRL prepare the necessary measures for each individual case.

e) Right to limit processing

Each data subject has the right, conferred by the European legislature, to obtain from the controller a restriction on processing where one of the following situations occurs:

  • the accuracy of the personal data is contested by the data subject, for a period that allows the controller to verify it.
  • the processing is unlawful and the person concerned objects to the deletion of personal data instead requesting a limitation on their use.
  • the data controller no longer needs personal data for the purposes of processing, but requests them from the data subject for the establishment, exercise or defense of legal rights.
If one of the situations listed above occurs and the data subject wishes to request the restriction of the processing of personal data stored by B.M.D. SRL, he or she may at any time contact an employee of the data controller. The employees of B.M.D. SRL will provide for the limitation of the treatment.

f) Right to data portability

Every data subject has the right, conferred by the European legislator, to receive personal data relating to him/her which are supplied to a controller in a structured, commonly used and electronically readable format. He shall have the right to transmit such data to another controller without hindrance by the controller to whom the personal data were supplied, provided that the processing is based on consent in accordance with Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, or under a contract within the meaning of Article 6(1)(b) of the GDPR, and the processing is carried out by automated means, provided that it is not necessary for the performance of an activity in the public interest or for the exercise of official authority vested in the controller.

Furthermore, in exercising the right to data portability under Article 20(1) of the GDPR, the data subject shall have the right to obtain that personal data are transferred directly from one controller to another, where technically feasible and without prejudice to the rights and freedoms of others.

To exercise the right to data portability, the person concerned may at any time contact an employee of B.M.D. SRL.

g) Right of opposition

Every data subject has the right, conferred by the European legislator, to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her as provided for in Article 6(1)(e) or (f) of the GDPR. This also applies to profiling based on these provisions.

In case of opposition, B.M.D. SRL will no longer process personal data, unless it can demonstrate the existence of overriding and legitimate reasons for the treatment that prevail over the interests, rights and freedoms of the person concerned or for the assessment, exercise or defense of legal rights.

If B.M.D. SRL processes personal data for direct marketing purposes, the person concerned has the right to object at any time to the processing of personal data concerning him for such commercial purposes. This applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to the processing of data by B.M.D. SRL for direct marketing purposes, B.M.D. SRL no longer processes personal data for such purposes.

In addition, the person concerned has the right, for reasons related to his particular situation, to object to the processing of personal data concerning him by B.M.D. SRL for purposes of scientific or historical research or for statistical purposes under Article 89, paragraph 1, of the GDPR, unless the processing is necessary for the performance of an activity carried out for reasons of public interest.

To exercise the right of opposition, the person concerned may contact an employee of B.M.D. SRL. Furthermore, the data subject is free, in the context of the use of information society services and without prejudice to Directive 2002/58/EC, to exercise his right to object to the use of automated tools through the use of technical specifications.

h) Automated individual decision-making process, including profiling

Every data subject has the right, conferred by the European legislature, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for him or which significantly affects him in the same way, as long as the decision (1) is not necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is not authorised by Community law or the law of the Member State to which the controller is subject and which also lays down adequate measures to safeguard the rights and freedoms and legitimate interests of the data subject, or (3) is not based on the data subject’s explicit consent.

If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is based on the explicit consent of the data subject, B.M.D. SRL shall implement appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, at least the right to obtain the human intervention of the controller, to express his views and to challenge the decision.

If the data subject wishes to exercise the rights relating to the automated individual decision-making process, he or she may at any time contact an employee of B.M.D. SRL.

i) Right to revoke consent to data processing

Every data subject has the right, conferred by the European legislator, to withdraw his or her consent to the processing of personal data concerning him or her at any time.

If the interested party wishes to exercise the right to revoke their consent, they can contact an employee of B.M.D. SRL at any time.

7. Legal framework for data processing

Art. 6 para. 1 lit. a) of the GDPR provides the legal framework for the processing of data for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as in the case, for example, of processing operations necessary for the provision of goods or any other service, the processing is based on Article 6, paragraph 1, letter b) of the GDPR. The same applies to the processing necessary for the execution of pre-contractual measures, for example in the case of requests relating to our products or services. If our company is subject to a legal obligation according to which the processing of personal data is necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6 paragraph 1 letter c of the GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This is the case, for example, if a visitor is injured in our company and his name, age, health insurance data or other vital information has to be passed on to a doctor, hospital or third party. In this case, the treatment would be based on Art. 6 para. 1 lit. d of the GDPR. Finally, treatment operations could be based on Article 6(1)(f) of the GDPR. This legal basis is used for processing operations which do not fall under any of the above legal bases, where the processing is necessary for purposes related to the legitimate interests pursued by our company or by third parties, unless those interests are outweighed by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data. Such processing is particularly allowed as it is specifically mentioned by the European legislator. The European legislator considers that a legitimate interest can be presumed if the data subject is a client of the data controller (Recital 47, Sentence 2, GDPR).

8. Legitimate interests of the data controller or third parties

In the event that the processing of personal data is based on Article 6, paragraph 1, letter f) of the GDPR, our legitimate interest is to carry out our activities for the benefit of all our employees and members.

9. Period of retention of personal data

The criterion used to determine the period of retention of personal data is the respective retention period required by law. At the end of this period, the corresponding data are systematically deleted, provided that they are no longer necessary for the performance of the contract or for the conclusion of a contract.

10. Provision of personal data as a legal or contractual obligation; requirement for the conclusion of a contract; obligation of the data subject to provide personal data; possible consequences of failure to provide such data

Please note that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual provisions (e.g. information on the contracting party). Sometimes it may be necessary to conclude a contract in which the person concerned provides us with personal data, which must be subsequently processed by us. For example, you must provide us with your personal data when our company enters into a contract with you. Failure to provide us with your personal data will result in the inability to conclude the contract with you. Before you provide us with your personal data, you must contact an employee. The employee clarifies to the person concerned whether the provision of personal data is required by law or by the contract or is necessary for the conclusion of the contract, whether there is an obligation to provide personal data and the consequences of the failure to provide personal data.

11. Existence of an automated decision-making process

As a responsible company, we do not use automated decision-making or profiling processes.