DA LELE SRLS

INFORMATION NOTICE FOR THE PROCESSING OF PERSONAL DATA www.ristorantedalele.it

Pursuant to art. 13 of EU Regulation 2016/679
(concerning the protection of individuals)

  1. DEFINITIONS

For the purposes of this notice, the following definitions apply:

“System Administrator”: a person entrusted with overseeing the resources of the operating system of a computer or database system and allowing their use, whose activities and accesses are periodically monitored by the Controller.

“Personal Data”: any information concerning an identified or identifiable natural person, including but not limited to: name, surname, company name, business name, address, phone number, fax, email, images, video productions, banking and payment references.

“Recipients”: the natural or legal person, public authority, service, or other body to whom personal data is disclosed, whether or not they are third parties. However, public authorities that may receive personal data in the framework of a specific inquiry in accordance with Union or Member State law are not considered recipients; the processing of such data by those public authorities complies with applicable data protection rules according to the purposes of the processing.

“Data Subject”: a natural or legal person, differently structured, who applies to the Company in order to receive the services offered by it.

“Profiling”: any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person.

“Third Country”: a country not belonging to the European Union.

“Data Processor”: a natural or legal person who processes personal data on behalf of the Controller.

“Authorized Person”: an individual employed by the Company who processes personal data.

“Data Controller” or “Controller”: a natural or legal person as a legal entity who determines the purposes and means of processing personal data.

“Processing”: any operation or set of operations performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or any other form of provision, comparison or interconnection, restriction, erasure, or destruction.

 

  1. DATA CONTROLLER

Da Lele S.r.l., with registered office at Via Gabriele D’Annunzio, No. 94/C, 47838 Riccione (RN), VAT/Tax Code: 04443450400, represented by its legal representative pro tempore.

 

  1. AUTHORIZED PERSONS – DATA PROCESSOR – SYSTEM ADMINISTRATOR

Your data may be made accessible for the purposes outlined in the following articles:

To internal employees of the Data Controller referred to as “Authorized Persons,” authorized to process personal data for contractual purposes.

To third-party companies or other entities (including but not limited to: banks, professional firms, consultants, insurance companies for insurance services, data center service providers, web hosting companies, email service providers, etc.) performing outsourcing activities on behalf of the Controller, acting as “Data Processors.”

The Authorized Persons for data processing are: the owner and/or any delegates by written instrument, who are authorized to access and process personal data for Service and Marketing purposes. The legal representative of Lele S.r.l., with registered office at Via Gabriele D’Annunzio, No. 94/C, 47838 Riccione (RN), VAT/Tax Code: 04443450400, is also appointed as the System Administrator.

Currently, Lele S.r.l., with registered office at Via Gabriele D’Annunzio, No. 94/C, 47838 Riccione (RN), VAT/Tax Code: 04443450400, does not have any external Data Processor. In the event of the appointment of such a figure, a list will be made available directly at the Controller’s registered office.

 

  1. APPLICABLE LEGISLATION

This information complies with the principles outlined in Article 13 of EU Regulation 2016/679 (concerning the protection of individuals with regard to the processing of personal data and the free movement of such data – GDPR) and Article 13 of Legislative Decree No. 196/2003 (Privacy Code).

 

  1. SUBJECT OF PROCESSING

Like all websites, this website also uses log files in which information collected automatically during user visits is stored. The site uses Google Analytics for data processing. The collected information may include the following:

  • Internet Protocol (IP) address;
  • Type of browser and device parameters used to connect to the site;
  • Name of the Internet Service Provider (ISP);
  • Date and time of visit;
  • Referral webpage and exit webpage;
  • Country of origin;
  • Possibly the number of clicks.

 

  1. COOKIES

This website also acts as an intermediary for third-party cookies, used to provide additional services and functionalities to visitors and to improve the use of the site itself, such as social media buttons. This privacy policy does not apply to services provided by third parties, and this site has no control over their cookies, which are entirely managed by third parties, and has no access to the information collected through such cookies. The data transfer agreement takes place directly between the user/visitor and the third parties, while this site does not participate in any way in such transfer. As a result, information about the use of these cookies and their purposes, as well as how to disable them, is provided directly by the third parties on the pages indicated below.

In particular, this site uses cookies from the following third parties:

  • Google (Google Analytics cookie): Google Analytics is a Google analytics tool that collects anonymous browsing data through the use of cookies (performance cookies) to examine the use of the site by users, compile reports on site activities, and provide other information, including the number of visitors and pages visited. Google may also transfer this information to third parties where required by law or where such third parties process the information on Google’s behalf. Google will not associate the IP address with any other data held by Google. The data transmitted to Google is stored on Google servers in the United States. Under a specific agreement with Google, which is designated as the data processor for users’ data, Google commits to processing the data according to the requests of the Data Controller, given directly through the software settings. According to these settings, advertising options and data sharing are disabled.

Further information about Google Analytics cookies can be found on the Google Analytics Cookie Usage on Websites page.

Users can selectively disable data collection by Google Analytics by installing the specific component provided by Google (opt-out) on their browser.

  • Google (YouTube cookie): YouTube is a video-sharing platform owned by Google that uses cookies to collect information about users and browsing devices.

Most of the videos on the site do not deliver cookies upon page access, as the “advanced privacy (no cookie)” option has been set, which ensures that YouTube does not store visitor information unless they voluntarily play the video.

  • For further information on the use of data and its processing by Google, it is recommended to review the information on the page provided by Google, and the page on Google’s Data Use Policies when using partner sites or apps.

 

  1. SOCIAL NETWORK PLUGINS

This website also incorporates plugins and/or buttons for social networks to facilitate easy content sharing on your favorite social networks. These plugins are programmed not to set any cookies upon page access to safeguard user privacy. Cookies are only set, if provided by the social networks, when the user actively and voluntarily uses the plugin. Please note that if the user browses while logged into the social network, they have already consented to the use of cookies transmitted through this site at the time of signing up for the social network.

The collection and use of information obtained through the plugin are governed by the respective privacy policies of the social networks, to which please refer.

Facebook;

Twitter;

LinkedIn;

Google+.

 

  1. PRINCIPLES AND PURPOSES OF PROCESSING

Your personal data are:

 

  1. Processed lawfully, fairly, and transparently towards you;
  2. Collected for specific, explicit, and legitimate purposes;
  3. Processed in a manner that is adequate, relevant, and limited to the purposes for which you provided them;
  4. Processed accurately and kept up to date as much as possible;
  5. Stored for a period not exceeding the time necessary to achieve the purposes;
  6. Stored in a manner ensuring appropriate security and protection through the use of suitable technical and organizational measures.

Your personal data are specifically processed without your express consent, pursuant to Article 6 letter b) of the GDPR, for the following Service Purposes:

  • Conclusion of contracts for services provided by the Data Controller;
  • Fulfillment of pre-contractual, contractual, and tax obligations arising from relationships with you;
  • Compliance with obligations required by law, regulation, EU legislation, or an order of the Authority (such as anti-money laundering regulations);
  • Exercise of the rights of the Data Controller, such as the right of defense in court;

 

The collection of data and information occurs for the following purposes:

  • Solely in aggregated and anonymous form to verify the correct functioning of the site. None of this information is related to the individual user of the site, and it does not allow the identification of any person (from May 25, 2018, such information will be processed based on the legitimate interests of the Data Controller);
  • For security purposes (anti-spam filters, firewalls, virus detection), automatically recorded data may also include personal data such as IP address, which may be used, in accordance with applicable laws, to block attempts to damage the site itself or to harm other users, or activities that are harmful or constitute a crime. Such data are never used for the identification or profiling of the user, nor are they cross-referenced with other data or provided to third parties, but are only used for the protection of the site and its users (from May 25, 2018, such information will be processed based on the legitimate interests of the Data Controller);
  • Communicating data to third parties performing necessary or instrumental functions for the operation of the service, such as managing comments on the site.

The provision of data for the purposes of this point is optional. Therefore, you may decide not to provide any data or subsequently deny the possibility of processing data already provided: in this case, you will not receive newsletters, commercial communications, and advertising material related to the services offered by the Data Controller. You will, however, continue to have the right to the services described in the preceding point.

 

  1. METHODS AND TIMES OF DATA PROCESSING

The processing of your personal data is carried out through the operations indicated in Article 4, no. 2) of the GDPR, namely: collection, including through electronic means, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction of data. Your personal data are subject to processing both in paper and electronic and/or automated form.

The Data Controller will retain your data for the time necessary to provide you with the services mentioned above, as well as to ensure compliance with legal obligations, resolve disputes, and enforce contractual agreements.

When it is no longer necessary to process your data for the purposes of this Privacy Policy, they will be deleted from the Data Controller’s systems.

Where permitted, the Data Controller will delete personal data collected upon your request.

The specific process and method of destruction that will be adopted are as follows:

  • Personal data printed on paper will be shredded, burned, disintegrated, pulverized, or incinerated;
  • Personal data stored in electronic format will be deleted using technology designed to prevent the restoration of the data.

 

 

  1. COMMUNICATION OF DATA WITHOUT CONSENT

The Data Controller may communicate your data for the purposes mentioned in the above Article 6, paragraph 2, point A) to Supervisory Bodies, Judicial Authorities, insurance companies for the provision of insurance services, as well as to those subjects to whom communication is mandatory by law, for the fulfillment of the aforementioned purposes.

 

These entities will process the data as independent Data Controllers.

 

  1. RECIPIENTS OF PERSONAL DATA

The recipients of personal data are the entities to whom the data will be communicated or with whom they will be shared, also in order to perform the requested service.

The data will not be communicated to any subject but will simply be viewed by the Data Controller.

Personal data is primarily stored on servers of reputable companies specialized in web hosting and data centers deemed reliable.

 

  1. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

The Data Controller, if deemed necessary, may have the authority to move servers, and consequently, the personal data contained therein, to Third Countries. In such cases, the Data Controller ensures in advance that the transfer of data to Third Countries will take place in accordance with the provisions of Chapter V of the GDPR.

 

  1. SECURITY

Lele S.r.l., with registered office at Via Gabriele D’Annunzio, No. 94/C, 47838 Riccione (RN), VAT/Tax Code: 04443450400, implements adequate technical and organizational security measures to ensure a level of security appropriate to the risk, which may include, among others, if applicable:

  • The ability to ensure the permanent confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to promptly restore the availability and access to personal data in the event of a physical or technical incident;
  • Implementation of periodic testing to verify and regularly evaluate the effectiveness of technical and organizational measures to ensure the security of processing.

The Data Controller also implements appropriate technical and organizational measures to prevent unauthorized or unlawful processing of personal data and to prevent accidental and/or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data. However, it should be noted that the Data Controller is unable to completely eliminate security risks associated with the storage and transmission of personal data.

 

Links to other websites: This Privacy Policy does not apply to companies not owned or controlled by the Data Controller or to individuals not bound by an employment relationship with the Data Controller. The Data Controller’s services may provide or imply a link, at your initiative, or otherwise provide access to third-party websites. These links are provided solely for your convenience. Therefore, the Data Controller does not exercise any control, review, or responsibility for third-party websites, their contents, and/or any goods and/or services available through third-party websites. The Privacy Policy adopted by the Data Controller does not apply to third-party websites and data provided to them, which you provide at your own risk. Therefore, you are encouraged to consult the Privacy Policies of all third-party websites with which you interact.

 

  1. RECORD OF PROCESSING ACTIVITIES

In accordance with Article 30 of the GDPR, the Data Controller maintains a Record of processing activities carried out under its responsibility. This record contains all of the following information:

  • The name and contact details of the Data Controller, and where applicable, the joint Data Controller, the Data Controller’s representative, and the Data Protection Officer;
  • The purposes of the processing;
  • A description of the categories of data subjects and the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
  • Where applicable, transfers of personal data to a third country or international organization, including the identification of the third country or international organization and, for transfers referred to in Article 49(2) of the GDPR, documentation of suitable safeguards;
  • Where possible, the envisaged time limits for erasure of the different categories of data;
  • Where possible, a general description of the technical and organizational security measures referred to in Article 32(1) of the GDPR.

These records are kept in electronic format.

Under EU regulations, there is no obligation to maintain a record of activities for companies or organizations with fewer than 250 employees, unless: (i) the processing they carry out may present a risk to your rights and freedoms; (ii) the processing is not occasional or includes the processing of special categories of data referred to in Article 9(1) of the GDPR, or personal data relating to criminal convictions and offenses referred to in Article 10.

Lele S.r.l., with registered office at Via Gabriele D’Annunzio, No. 94/C, 47838 Riccione (RN), VAT/Tax Code: 04443450400, being not subject to the obligation to maintain the aforementioned record of activities, has determined not to adopt a paper and electronic document tracking the processing carried out on your data, always available for consultation, concerning your data, at the legal and administrative headquarters of the Data Controller.

 

  1. NOTIFICATION OF PERSONAL DATA BREACHES

In accordance with Articles 33 and 34 of the GDPR, in the event of a personal data breach or data breach, the Data Controller:

  • Notifies the breach to the competent supervisory authority without undue delay and within 72 hours from the moment it becomes aware of it;
  • Notifies you of the breach without undue delay if the breach is likely to result in a high risk to the rights and freedoms of individuals. Under EU regulations, the aforementioned notification to you is not required if one of the following conditions is met: (i) the Data Controller has implemented appropriate technical and organizational measures to protect the data and these measures have been applied to the personal data affected by the breach, particularly those intended to render the personal data unintelligible to anyone not authorized to access it, such as encryption; (ii) the Data Controller has subsequently taken measures to mitigate the high risk to the rights and freedoms of the data subjects referred to in paragraph 1; (iii) such notification would require disproportionate effort. In this case, it is necessary to proceed with a public communication or similar measure, through which data subjects are informed with equivalent effectiveness.

 

 

  1. RIGHTS OF THE DATA SUBJECT

As a Data Subject, you are entitled to the rights provided for in Articles of Regulation (EU) 2016/679 (GDPR), to which reference is made for full reading. Below are briefly listed the aforementioned rights:

Right of access to personal data (Art. 15 GDPR): the right to request confirmation of whether or not your personal data is being processed and to access personal data and related information on such processing (e.g., purposes of processing or categories of personal data involved).

Right to rectification (Art. 16 GDPR): the right to request the correction of personal data, to the extent permitted by law.

Right to erasure (Art. 17 GDPR): the right to request the erasure of your personal data, to the extent permitted by law. This right can be exercised, among other things: (i) when personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) when consent on which the processing is based under Art. 6(1)(a) or Art. 9(2)(a) GDPR has been withdrawn and there is no other legal basis for processing; (iii) when there is objection to processing under Art. 21(1) GDPR and there are no overriding legitimate grounds for processing or where there is objection to processing under Art. 21(2) GDPR; or (iv) when personal data has been processed unlawfully.

Right to restriction of processing (Art. 18 GDPR): the right to request the controller to restrict processing of data when: (i) you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of such personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and instead request restriction of its use; (iii) although the controller no longer needs it for processing purposes, the personal data is required by you for the establishment, exercise, or defense of legal claims; (iv) you have objected to processing under Art. 21(1) pending the verification whether the legitimate grounds of the controller override yours.

Right to data portability (Art. 20 GDPR): the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance.

Right to object (Art. 21 GDPR): the right to object to the processing of your personal data by the controller, to the extent permitted by law. The right is limited to processing based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions, and processing for direct marketing purposes. Once exercised, the controller will no longer process your personal data unless there are compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

 

Automated decision-making, including profiling (Art. 22 GDPR): the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right does not apply if the decision: (i) is necessary for entering into or performance of a contract between you and a data controller; (ii) is authorized by Union or Member State law to which the controller is subject and that also lays down suitable measures to safeguard your rights, freedoms, and legitimate interests; (iii) is based on your explicit consent.

 

  1. EXERCISE OF RIGHTS PROCEDURE

Please note that you may exercise the aforementioned rights at any time by sending a written request via:

  • Registered mail with return receipt to: Da Lele s.r.l., headquartered at Via Gabriele D’Annunzio n. 94/C 47838 Riccione (RN) CF/VAT number 04443450400;
  • Email communication to the address: info@ristorantedalele.it

The Data Controller will process the requests as soon as possible and, in any case, within the time limits provided by the regulations. Under the GDPR, and only in exceptional cases, the Data Controller may require a fee for providing the service.

 

  1. RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY

We encourage you to contact the Data Controller directly to work together and address your needs, questions, and concerns. However, if you believe that the processing of your personal data violates the current data protection laws, you have the right to lodge a complaint with a competent supervisory authority for data protection, particularly in the European Union member state where the alleged violation occurred.

 

  1. INFORMATION IF PERSONAL DATA HAVE NOT BEEN OBTAINED FROM THE DATA SUBJECT

If, according to Article 14 of the GDPR, the Data Controller has collected your personal data from third parties, they will provide you with all the information outlined in this Policy:

 

  • Within a reasonable period from obtaining the personal data, but no later than one month, taking into account the specific circumstances in which the personal data are processed.
  • In cases where the personal data are intended for communication with you, at the latest at the time of the first communication with you.
  • In case the communication to another recipient is foreseen, no later than the first communication of the personal data.

If the Data Controller intends to further process the personal data for a purpose other than that for which they were obtained, they are required to provide you with information regarding this different purpose and any relevant information before such further processing.

The aforementioned provisions do not apply if and to the extent that:

  • You already have the information.
  • Communicating such information is impossible or would involve a disproportionate effort, as well as for the reasons specified in the legislation referred to in full.
  • The obtaining or communication is expressly provided for by the law of the Union or of the Member State to which the Data Controller is subject and which provides appropriate measures to protect your legitimate interests.
  • Personal data must remain confidential in accordance with a professional secrecy obligation governed by the law of the Union or of the Member States, including a statutory duty of confidentiality.

 

  1. REFERRAL

For matters not expressly addressed and provided for in this information, explicit reference and referral will be made to the aforementioned EU Regulation 2016/679 available at the premises in hard copy format and at the address https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ITA&toc=OJ:L:2016:119:TOC, and, where applicable, to the current legislation and the relevant implementing decrees.