Privacy Policy

Privacy Notice under Article 13 of Regulation (EU) 2016/679 (GDPR)

This Privacy Notice has been prepared to inform you about how your personal data are collected and processed when you use this website or interact with Archivio Crepax S.r.l.

 

1) Identity and Contact Details of the Data Controller

The Data Controller is Archivio Crepax S.r.l., with its registered office in Milan (MI), Via Ariberto da Intimiano No. 31, VAT No. 08037820969.
Email: archiviocrepax@guidocrepax.it

 

2) Purposes of Processing and Lawful Basis

Your personal data are processed for the following purposes and under the lawful bases described below:

  a) Provision of requested services and management of the contractual relationship
    To respond to your requests for services, manage purchases and accounts, and fulfil pre-contractual, contractual and administrative obligations.
    Lawful basis: Performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Art. 6, para. 1, letter b) GDPR).
  b) Compliance with legal obligations
    To meet obligations arising from laws, regulations, or EU legislation (e.g., tax and accounting requirements).
    Lawful basis: Compliance with a legal obligation to which the Controller is subject (Art. 6, para. 1, letter c) GDPR).
  c) Ensuring proper website operation and browsing security
    Browsing data (e.g., IP addresses) are processed to guarantee website and information security and to prevent or detect cybercrime.
    Lawful basis: Legitimate interest of the Controller (Art. 6, para. 1, letter f) GDPR) in safeguarding its digital assets and system security.
  d) Aggregated statistical analysis
    To obtain anonymous statistical information about website usage (e.g., most visited pages, number of visitors by time slot) in order to improve usability and performance.
    Lawful basis: Legitimate interest of the Controller (Art. 6, para. 1, letter f) GDPR) in improving its online services. These data do not enable user identification.
  e) Direct marketing and newsletter distribution
    To send promotional communications, offers, and newsletters about products, events, and initiatives related to the Controller’s activities.
    Lawful basis: Your explicit, freely given, and revocable consent (Art. 6, para. 1, letter a) GDPR).
  f) Use of profiling and/or non-anonymised analytics cookies
    To analyse your preferences and browsing habits in order to offer personalised content and product recommendations.
    Lawful basis: Your explicit, freely given, and revocable consent (Art. 6, para. 1, letter a) GDPR).

Data Collected

Browsing Data

  a) The IT systems and software procedures that support the functioning of this website collect, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. These include, for example, IP addresses or domain names of the computers used by users connecting to the site, the numerical codes indicating the server response status (successful, error, etc.), and other parameters related to the user’s operating system and IT environment.
  b) Such data are processed solely for the purpose of obtaining anonymous statistical information on the use of the site and to verify its correct functioning. They are deleted immediately after processing. The data may be used to determine liability in the event of potential computer crimes against the website.

 

Data Voluntarily Provided by the User

  c) The voluntary, explicit, and optional sending of emails or messages to the addresses indicated on this website or through messaging applications implies the subsequent acquisition of the sender’s address and/or phone number, which are necessary to respond to requests, as well as any other personal data voluntarily provided in the message.
    Specific summary notices will be progressively displayed or made available on the site’s pages dedicated to particular on-demand services.

 

Direct Marketing

  d) With your specific, free, and optional consent, your personal data (such as name, surname, email address, telephone number) may be processed by the Data Controller for direct marketing purposes.
    These activities include sending promotional and commercial communications, newsletters, advertising material, offers, and invitations to events relating to the Controller’s products and services, through both automated channels (e.g., email, SMS, instant messaging) and traditional means (e.g., postal mail, operator-assisted phone calls).
    Lawful basis: Consent of the data subject under Art. 6, para. 1, letter a) GDPR.

Nature of the data provision: The provision of data for this purpose is entirely optional. Failure to provide consent will not affect your ability to use the requested services or any of the other purposes described in this Privacy Notice.
Case law clarifies that consent must be freely given and cannot be made a condition for the use of a service — for example, by making it mandatory to complete a registration or checkout process.

Withdrawal of consent: You have the right to withdraw your consent at any time, as easily as it was given. Withdrawal may be exercised by following the instructions at the bottom of each marketing communication, or by contacting the Data Controller using the details provided in section 1.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

 

Communications to Existing Customers (so-called “Soft Spam”)

  e) Under Art. 130, paragraph 4 of Legislative Decree 196/2003, the email address you provided during the purchase of a product or service may be used by the Controller to send commercial communications about similar products or services to those purchased.
    Lawful basis: The legitimate interest of the Controller under Art. 6, para. 1, letter f) GDPR in maintaining and developing relationships with its customers. This interest has been balanced with your rights and freedoms, and the processing is considered proportionate and foreseeable.

Right to object (Opt-out): You have the right to object at any time, easily and free of charge, to such processing — either at the time of data collection or when receiving subsequent communications — by following the instructions included in each email.

3) Recipients of Personal Data

For the purposes described above, your personal data may be disclosed to:

  • companies and professional service providers that offer electronic data processing, software, IT consultancy, or information system management services related to the activities described above.

Such recipients will act, where appropriate, as Data Processors under Article 28 GDPR, or as independent controllers where applicable. In all cases, data will be processed only within the limits strictly necessary to achieve the purposes stated in this notice.

 

4) Transfer of Data to Third Countries

Your personal data may also be transferred to third parties, as indicated in section 3 above, located in countries outside the European Union.
In such cases, data transfers will take place in full compliance with the principles set out in Articles 45 and 46 of the GDPR, based on either:

  • an adequacy decision by the European Commission, or
  • the implementation of appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, ensuring that your data receive equivalent protection to that provided within the EU.

 

5) Data Retention Period

Your personal data will be retained only for as long as is strictly necessary to fulfil the specific purposes of processing, as described below:

  • For the purposes outlined in section 2(a), your data will be stored for the time required to process your request and, in any case, no longer than 10 years from the date of collection, in compliance with applicable legal and fiscal obligations.
  • For the purposes set out in sections 2(b) and 2(c), browsing data (such as IP addresses) will be retained for 30 days, and analytics data for 24 months.
  • For direct marketing purposes under section 2(d), your data will be retained until you withdraw consent. In the absence of withdrawal, data will be stored for up to 24 months from your last relevant interaction with the Controller, after which they will be deleted or anonymised.
  • For soft spam communications, data will be processed until you exercise your right to object (opt-out).

6) Data Subject Rights

As a data subject, you may exercise the following rights at any time:

Right of Access — to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to access details including: the purposes of processing, the categories of data, the recipients, the storage period, the right to lodge a complaint with a supervisory authority, and the right to request rectification, erasure, restriction, or objection to processing, as well as information on the existence of automated decision-making.

Right to Rectification, Erasure, or Restriction — to request the correction or deletion of your data, or to restrict its processing. “Restriction” means marking stored data to limit their future use.

Right to Object — to object, on grounds relating to your particular situation, to the processing of your data where such processing is carried out for the performance of a task in the public interest or in pursuit of the Controller’s legitimate interests.

Right to Data Portability — where processing is based on consent or on a contract and carried out by automated means, you have the right to receive your data in a structured, commonly used and machine-readable format (e.g., XML or similar) and to transmit those data to another controller.

Right to Withdraw Consent — to withdraw your consent at any time with regard to marketing activities (both direct and indirect), market research, and profiling. Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn.

Right to Lodge a Complaint — to file a complaint under Article 77 GDPR with the competent supervisory authority based on your habitual residence, place of work, or place of the alleged infringement. In Italy, the competent authority is the Garante per la protezione dei dati personali, whose contact details are available at www.garanteprivacy.it.

Requests to exercise the above rights may be submitted to the Data Controller using the contact details provided in section 1 of this Privacy Notice.

All requests will be handled without undue delay and, in any case, within one month of receipt. This period may be extended by up to two additional months in cases of particular complexity or multiple requests, in which case you will be duly informed.

 

7) Data Provision

The provision of your personal data is mandatory to enable the delivery of the requested services.
Failure to provide such data may result in the inability to provide the service, to the extent that those data are necessary for its performance.

 

8) Updates to this Privacy Policy

The Data Controller reserves the right to amend or update this Privacy Policy at any time, and such changes will be made available to users on this page.
You are therefore encouraged to check this page regularly and to take note of the date of the most recent update indicated at the bottom.

If you do not agree with the changes made to this Privacy Policy, you must discontinue use of this website and may request that the Data Controller delete your personal data.
Unless otherwise stated, the previous version of the Privacy Policy will continue to apply to all personal data collected up to that time.