INFORMATION ON THE PROCESSING OF PERSONAL DATA (PRIVACY POLICY)
1) Introduction This information notice relates to the processing of data carried out by Criticalcase S.r.l., a company subject to the management and coordination of Critical Holding s.r.l., VAT number IT09733390018 – Via Chambery 93/107-V – 10142 Turin, Italy – Tel 011.5097366, email: info@criticalcase.com, certified email (PEC): criticalcase@pecmails.it, hereinafter referred to as the “Data Controller“, also in compliance with EU Regulation 2016/679 (hereinafter “GDPR“). The Data Controller, in fact, may process personal data relating to customers and users, whether they are data subjects and/or contracting parties, as defined by current legislation on personal data.
2) The Data Controller The Data Controller is Criticalcase S.r.l., a company subject to the management and coordination of Critical Holding s.r.l., VAT number IT09733390018, Via Chambery 93/107-V – 10142 Turin, Italy – Tel 011.5097366, email: info@criticalcase.com, certified email (PEC): criticalcase@pecmails.it.
3) Data Protection Officer (DPO) The Data Controller has appointed Massimiliano Calzia as its Data Protection Officer. His certified email (PEC) is m.calzia@pec.it.
4) Third-Party Data If the customer and/or user communicates personal data of third parties, their employees, and/or collaborators to the Data Controller for the purpose of executing the contract, the customer and/or user must inform the third party of this circumstance and provide this information notice to the third party.
5) Purposes and Legal Basis of Processing
Personal data will be processed for the following purposes:
- a) Contractual & Pre-contractual: For contractual purposes and/or related to the execution of pre-contractual measures adopted at your specific request, as well as to fulfill any legal obligations related to these purposes.
- Legal basis: The necessity to process data for the execution of a contract and/or for the management of pre-contractual relationships.
- b) Marketing: To send direct marketing communications, newsletters, and advertising material via traditional contact methods and automated IT systems, including commercial or promotional communications via email or SMS, or for market research and analysis.
- Legal basis: Consent, expressed in accordance with this privacy policy.
- c) Profiling: For activities aimed at determining habits and preferences through profiling processing.
- Legal basis: The data subject’s consent, expressed in accordance with this privacy policy.
- d) Legal Obligations: For purposes related to corresponding legal obligations when processing has been carried out for the purposes mentioned in paragraph 5a).
- Legal basis: The Data Controller’s legal obligation to process such personal data in compliance with applicable national law.
6) Methods of Processing
- For contractual/pre-contractual purposes (5a): Processing will be carried out using paper-based tools and/or automated logic and/or management software to best fulfill contractual obligations.
- For marketing purposes (5b): Processing will be carried out using automated software for sending commercial information.
- For profiling purposes (5c): Processing will be carried out using management software that allows the definition of tastes and preferences in order to offer customized services and communications. If consent is given for personalized services via profiling, the data may be subject to automated decision-making through a specific algorithm that decides which communications are best suited to your profile. Consequences include highly profiled commercial communications, discounts, event invitations, etc. The data subject always has the right to obtain human intervention from the Data Controller, express their point of view, obtain an explanation of the decision reached, and contest the decision.
- For legal purposes (5d): Processing will be carried out using paper-based tools and/or automated logic and/or management software.
7) Data Collection It is expressly stated that only data provided in accordance with this policy, collected at the Criticalcase Srl headquarters or sent via email, will be processed. Data processed for personalized profiling services may be correlated to derive further profiled information.
8) Recipients of Personal Data
Recipients of personal data may include:
- Communication companies performing commercial communication and profiling activities on behalf of the Data Controller (acting as Data Processors), provided consent has been given.
- Companies conducting statistical and market research, provided consent has been given.
- Companies offering newsletter drafting and sending services.
- Entities authorized to access personal data by law, regulation, and/or EU legislation.
- Authorized third parties designated by the Data Controller (employees, collaborators, consultants, accountants, lawyers, auditing firms, insurance institutions) providing functional services for the purposes listed in Section 5.
9) Special Categories of Data Under no circumstances will special categories of data (sensitive data) revealing racial or ethnic origin, health status, sex life, sexual orientation, genetic data, trade union membership, political opinions, or religious/philosophical beliefs be processed.
10) International Data Transfers
The Data Controller intends to transfer personal data to third countries or international organizations (e.g., communication companies, service providers, parent/subsidiary organizations). Such transfers to entities established in a third country or international organization are carried out in the presence of an adequacy decision by the European Commission ensuring an adequate level of protection. The Data Controller reserves the right to conclude specific agreements binding these entities to adopt adequate security measures. Data may be transferred to: Switzerland, USA, UK. To obtain a copy of this data or know where it has been made available, send a request to the Data Controller at the addresses in Section 1. Derogations provided by Art. 49 of the GDPR are expressly reserved.
11) Data Retention Periods
- Contractual/Pre-contractual (5a): Kept for no longer than 10 years from the termination of the contract, or 10 years from the end of pre-contractual negotiations.
- Marketing (5b): Kept until cancellation/revocation is requested by the data subject, or for a maximum of 24 months from registration.
- Profiling (5c): Kept for a maximum of 24 months from collection.
- Legal Obligations (5d): Kept for no longer than 10 years from the termination of the contract/negotiations, unless otherwise required by law.
12) Mandatory vs. Optional Provision of Data
- Contractual (5a): Mandatory. Failure to provide data means no contract or negotiation can take place.
- Marketing (5b): Optional. Failure to provide data means no marketing activities can be carried out.
- Profiling (5c): Optional. Failure to provide data means no personalization activities can be carried out.
- Legal Obligations (5d): Mandatory. Failure to provide data means the contract cannot be concluded.
13) Right to Object
The data subject has the right to object to data processing as follows:
- Personal Situations: Right to object at any time to processing under Art. 6(1)(e) or (f) of the GDPR, including profiling. The Data Controller will stop processing unless they demonstrate compelling legitimate grounds that override the data subject’s interests, rights, and freedoms, or for legal defense.
- Direct Marketing: Right to object at any time to processing for direct marketing, including related profiling. This right can be exercised partially (e.g., objecting only to automated/digital communications while allowing paper ones).
- Research/Statistics: Right to object to processing for scientific, historical, or statistical purposes under Art. 89(1) of the GDPR, unless the processing is necessary for a task carried out in the public interest.
14) Data Subject Rights
The Data Controller informs you of the following rights:
- Right of Access (Art. 15 GDPR): Obtain confirmation of data processing and access to the data.
- Right to Rectification (Art. 16 GDPR): Correct inaccurate data or complete incomplete data.
- Right to Erasure / Revocation of Consent (Art. 17 GDPR): Request data deletion without undue delay. Consent can be revoked at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to Restriction of Processing (Art. 18 GDPR): Limit processing under specific conditions.
- Right to Data Portability (Art. 20 GDPR): Receive personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
- Right to Object to Commercial Communications: Object at any time, free of charge, to receiving commercial communications.
- Right to lodge a complaint: File a complaint with a supervisory authority in your Member State of residence, work, or the place of the alleged infringement.
15) How to Exercise Your Rights
Requests to exercise the rights indicated in this notice (especially erasure and revocation of consent) must be addressed directly to the Data Controller via:
- Email: info@criticalcase.com
- Certified Email (PEC): criticalcase@pecmails.it
- Registered Mail (A/R): Criticalcase Srl, Via Chambery 93/107-V – 10142 Turin, Italy.
16) Changes to this Privacy Policy
The Data Controller may modify this Privacy Policy to comply with national/EU regulations or technological innovations. New versions will be posted on the Criticalcase Srl website: https://www.criticalcase.com/it/. Users are invited to check it periodically. Substantial changes altering processing purposes or data categories will be communicated to users, requesting necessary consents.
17) Cloudflare Turnstile Policy
To protect our forms from spam and abuse, we use Cloudflare Turnstile. This service may process technical data (e.g. IP address, browser fingerprint) to detect bot traffic. See Cloudflare’s Turnstile Privacy Policy.
Cookies Policy
User browsing on the site is recorded by cookies. Cookies are small text files downloaded to the user’s browser, allowing analysis of browsing habits on the site. After the first visit, cookies recognize returning users and allow third-party providers (including Google and DoubleClick) to display ads for CriticalCase on websites within their networks.
User navigation on the CriticalCase site, through cookie registration, enables Remarketing and/or Display ads on Google or third-party sites linking back to our site. The user’s navigation path, recorded via cookies, helps trigger Remarketing ads. For more information on Google Remarketing, visit this page: (https://support.google.com/google-ads/answer/2454003?hl=it&rd=1).
Users can disable cookie registration in their browser by following these instructions:
- Google Privacy Policy and Principles: (https://policies.google.com/)
- Opting out of Behavioral Advertising: (https://optout.networkadvertising.org/?c=1#completed)
- Ad Preferences Manager: (https://adssettings.google.com/authenticated)
OUR website uses the “Google Analytics” service provided by Google Inc., which uses cookies. The information obtained is transferred to and stored on a Google-owned server in the United States. Users can disable cookies through their specific browser settings or by downloading the relevant Opt-out Browser Add-on.
