- An identifier for the user's computer assigned by the Internet service provider;
- the IP address alone is not considered personal data because it is often assigned at random, i.e. it changes every time according to the connection;
- it may be used for diagnostic and optimising purposes by the service provider.
- strings of information, sent by the service provider server to the user's computer. They contain the user name, so that the administrator may identify the user's computer and track his/her favourite sites on the Web.
Cookies may be:
- - transient, also called session or "per-session" cookies , if they are erased when the user ends the connection. They are used to optimise navigation;
- - persistent, if they are stored on a user's hard drive, unless the user himself/herself deletes the cookies; they are used to collect a large variety of information, which can be tracked by the supplier of the service for different purposes.
Computer functions made up by smaller cookie strings, mainly used to record technical information such as user IP and browser type. They are also called invisible GIFs, clear GIFs, 1-by-1 GIFs or single-pixel GIFs.
- Files residing on the provider servers, also called log files, clickstream data, server logs; they may automatically register data relating to a connection for different purposes:
- - accounting-administrative functions
- - tracking of type of user access (e.g.: system administration, type of browser, date and time of visit, images or texts selected, purchases (if any), file download, screen set-up, etc.) also to improve the contents of the site.
Electronic mail service managed by a provider through the Internet.
- A list used for sending e-mails and/or newsletters.
- A list of addresses which automatically receives forwarded messages.
- The user is required to provide some data, either on an obligatory or a voluntary basis, to improve the relation, with possible contractual implications inherent to the type of services provided.
- Specific information and, if appropriate, the relevant consent are required.
The definitions below are drawn up with reference to Legislative Decree no. 196 dated 30 June 2003, "Personal Data Protection Code” and the following changes and updates.
"Processing" - Section 4, paragraph 1 (a)
‘Processing’ shall mean any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data, whether the latter are contained or not in a database.
"Personal data" - Section 4, paragraph 1 (b)
‘Personal data’ shall mean any information relating to natural persons that are or can be identified, even indirectly, by reference to any other information including a personal identification number.
"Sensitive Data" - Section 4, paragraph 1 (d)
‘Sensitive data’ shall mean personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life.
"Judicial Data" - Section 4, paragraph 1 (e)
‘Judicial data’ shall mean personal data disclosing the measures referred to in Section 3, paragraph 1 from (a) to (o) and (r) to (u), of Presidential Decree no. 313 of 14 November 2002 concerning the criminal record office, the register of offence-related administrative sanctions and the relevant current charges, or the status of being either defendant or the subject of investigations pursuant to Sections 60 and 61 of the Criminal Procedure Code.
"Data Controller" - Section 4, paragraph 1 (f)
‘Data controller’ shall mean any natural or legal person, public administration, body, association or other entity that is competent, also jointly with another data controller, to determine purposes and methods of the processing of personal data and the relevant means, including security matters.
"Data Processor" - Section 4, paragraph 1 (g)
‘Data processor’ shall mean any natural or legal person, public administration, body, association or other agency that processes personal data on the controller’s behalf.
"Data Processor under Section 7 of Legislative Decree no. 196/2003"
‘Data processor under Section 7 of Legislative Decree no. 196/2003’ shall mean any person authorised by the data controller or processor to carry out processing operations in the event that Data subjects exercise their rights under Art. 7 of Legislative Decree no. 196/2003
"Person in charge of the processing" - Section 4, paragraph 1 (h)
‘Persons in charge of the processing” shall mean the natural persons that have been authorised by the data controller or processor to carry out processing operations.
"Information to Data Subjects" - Section 13, paragraph 1
The data subject as well as any entity from whom or which personal data are collected shall be preliminarily informed, either orally or in writing, as to:
a) the purposes and modalities of the processing for which the data are intended;
b) the obligatory or voluntary nature of providing the requested data;
c) the consequences if (s)he fails to reply;
d) the entities or categories of entity to whom or which the data may be communicated, or who/which may get to know the data in their capacity as data processors or persons in charge of the processing, and the scope of dissemination of said data;
e) the rights as per Section 7;
f) the identification data concerning the data controller and, where designated, the data controller’s representative in the State’s territory pursuant to Section 5 and the data processor. If several data processors have been designated by the data controller, at least one among them shall be referred to and either the site on the communications network or the mechanisms for easily accessing the updated list of data processors shall be specified. If a data processor has been designated to provide responses to data subjects in case the rights as per Section 7 are exercised, such data processor shall be referred to.
"Data Subject" - Section 4, paragraph 1 (i)
‘Data subject’ shall mean any natural person that is the subject of the personal data.
"Right to Access Personal Data and other Rights" - Section 7
Right to Access Personal Data and Other Rights
1. A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him exist, regardless of their being already recorded, and communication of such data in intelligible form.
2. A data subject shall have the right to be informed:
a) of the source of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied to the processing, if the latter is carried out with the help of electronic means;
d) of the identification data concerning data controllers, data processors and the representative designated as per Section 5, paragraph 2;
e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.
3. A data subject shall have the right to obtain:
a) updating, rectification or, where interested therein, integration of the data;
b) erasure, anonymisation or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;
c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
4. A data subject shall have the right to object, in whole or in part:
a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.
"Consent" - Section 23
Processing of personal data by private entities or profit-seeking public bodies shall only be allowed if the data subject gives his/her express consent. The data subject’s consent may refer either to the processing as a whole or to one or more of the operations thereof. The data subject’s consent shall only be deemed to be effective if it is given freely and specifically with regard to a clearly identified processing operation, if it is documented in writing, and if the data subject has been provided with the information referred to in Section 13. Consent shall be given in writing if the processing concerns sensitive data.
"Communication" - Section 4, paragraph 1 (l)
‘Communication’ shall mean disclosing personal data to one or more identified entities other than the data subject, the data controller’s representative in the State’s territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data.
"Dissemination" - Section 4, paragraph 1 (m)
‘Dissemination’ shall mean disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data.
‘Outsourcer’ shall mean any external supplier entrusted with the Company’s activities and processes.