This privacy policy describes the methods of processing the personal data of users who visit the Eco-Zinder S.p.A. website and those who request access to the reserved area of the site. The policy is provided exclusively for the Eco-Zinder S.p.A. website, accessible at ecozinder.com, and not for other websites that may be consulted by the user via links.

1. Data Controller

The Data Controller is: Eco-Zinder S.p.A. Via Lombardia, 58 – 20056 Trezzo sull’Adda (MI) – Italy Tel. +39.02.90962222 Fax +39.02.90961218 e-mail: ecozinder@ecozinder.com Business Register No. 244812/1996 – R.E.A. No. 363507 VAT No. 03330150172

2. Types of Processed Data

a) Navigation data The computer systems and software procedures used to operate the site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category includes, but is not limited to:

• IP addresses or domain names of the devices used by users;
• URI/URL addresses of the requested resources;
• time of the request;
• method used to submit the request to the server;
• size of the file obtained in response;
• numerical code indicating the status of the server’s response;
• other parameters relating to the operating system and the user’s IT environment.

b) Data provided voluntarily by the user The optional, explicit, and voluntary sending of communications to the addresses indicated on the site, including via e-mail or contact forms, entails the acquisition of the sender’s contact data and all personal data contained in the communication, which are necessary to respond to the request.

c) Data provided via the reserved area access request form Filling out the form to request access to the reserved area of the site may involve the processing of data such as:

• name and surname;
• company/organization of affiliation;
• professional role or function;
• e-mail address;
• telephone number;
• any additional information entered in the form or request message.

d) Data relating to the account and the use of the reserved area In case of approval of the access request, the Data Controller may process the data necessary for the creation and management of the user account, as well as data relating to access to the reserved area and the use of the content available therein, for purposes of technical management, security, and system protection.

3. Purposes and Legal Bases of Processing Personal data are processed for the following purposes:

a) To allow navigation and proper functioning of the site Including technical management, infrastructure security, prevention of illicit use, and ascertainment of possible liabilities in case of computer crimes. Legal basis: the Data Controller’s legitimate interest in ensuring the proper functioning and security of the site and information systems; possible fulfillment of legal obligations.

b) To respond to user requests To manage requests for information, contacts, or communications sent spontaneously by the user. Legal basis: performance of pre-contractual measures adopted at the request of the data subject and/or the Data Controller’s legitimate interest in responding to communications received.

c) To evaluate the request for access to the reserved area To receive, verify, and manage the registration application, check the requirements for access, and decide whether or not to authorize enablement. Legal basis: performance of pre-contractual measures adopted at the request of the data subject and the Data Controller’s legitimate interest in selecting and authorizing access to reserved content.

d) To create and manage the authorized user’s account To allow access to the reserved area, make documentation available, manage credentials, provide technical and administrative assistance, and ensure service security. Legal basis: performance of the relationship established with the authorized user and the Data Controller’s legitimate interest in the proper management of the reserved area.

e) To fulfill obligations established by laws, regulations, or orders of competent authorities Including administrative, tax, legal, or cooperation obligations with public authorities. Legal basis: fulfillment of legal obligations to which the Data Controller is subject.

f) To ascertain, exercise, or defend a right of the Data Controller Including in out-of-court or judicial proceedings. Legal basis: the Data Controller’s legitimate interest in the protection of their rights.

4. Nature of Data Provision

The provision of navigation data is necessary to allow the use of the site. The provision of data marked as mandatory in the forms on the site, and particularly in the reserved area access request form, is necessary to process the user’s request. Failure to provide such data may make it impossible to respond to the request or to evaluate/enable access to the reserved area. The provision of any additional, non-mandatory data is optional.

5. Methods of Processing

The processing of personal data is carried out using manual, computer, and telematic tools, in accordance with the principles of lawfulness, fairness, transparency, minimization, accuracy, integrity, and confidentiality, and with appropriate security measures to protect the data from unauthorized access, loss, destruction, disclosure, or illicit use. The evaluation of the request for access to the reserved area takes place with human intervention by the site administrator or individuals authorized by the Data Controller.

6. Data Recipients

Personal data may be processed, within the limits of their respective competencies, by:

• internal staff authorized by the Data Controller;

• providers of technical, IT, hosting, maintenance, site management, email management, and systems assistance services;

• entities that provide services strictly connected to the management of the reserved area and documentation;

• consultants, professionals, and providers of administrative or legal services, where necessary;

• public authorities or entities authorized by legal obligation or order of the authority.

Depending on the case, these entities operate as independent data controllers or as data processors appointed pursuant to Art. 28 of the GDPR.

7. Data Transfer to Third Countries

As a rule, personal data are processed within the European Economic Area (EEA). If, for technical or organizational needs, some data must be processed by suppliers located outside the European Economic Area, such processing will take place in compliance with applicable legislation and, where necessary, subject to the adoption of appropriate safeguards provided for by Chapter V of the GDPR.

8. Data Retention Period

Personal data are kept for a period of time not exceeding that necessary for the purposes for which they are collected and processed, in compliance with the principle of storage limitation. In particular:

• navigation data: for the time strictly necessary for site operation, security, and technical management, except for needs related to the ascertainment of crimes or defense of rights;

• data contained in contact requests or spontaneous communications: for the time necessary to manage and close the request, and in any case for a period consistent with the purpose pursued;

• data collected via the reserved area access request form: for the time necessary to evaluate the request and, in case of non-approval, for 1 month, unless necessary for defense;

• account and reserved area data: for the entire duration of the enablement, without prejudice to legal obligations or the Data Controller’s protection needs;

• data necessary for legal obligations or legal defense: for the times required by applicable legislation or for the time necessary to protect the Data Controller’s rights.

9. Access to the Reserved Area

Access to the reserved area is not automatic. The user must fill out the appropriate form and the request is subject to verification by the site administrator or individuals appointed by the Data Controller. Enablement may be granted or denied based on organizational, technical, or commercial criteria defined by the Data Controller, in relation to the confidential nature of the documentation made available. If approved, the user will receive the instructions necessary to access the reserved area. The authorized user is required to diligently safeguard their login credentials and not disclose them to third parties. It is understood that the Data Controller may suspend, limit, or revoke access to the reserved area in the event of improper use, security needs, or cessation of the conditions that justified the enablement.

10. Automated Decisions

The personal data provided for the reserved area access request are not subject to fully automated decision-making processes aimed at authorizing access.

11. Rights of the Data Subject

The data subject may exercise, in the cases provided for by applicable legislation, the rights of access to personal data, rectification, erasure, restriction of processing, objection to processing, and data portability. The data subject also has the right to lodge a complaint with the Data Protection Authority if they believe that the processing violates current legislation. To exercise their rights, the data subject may contact the Data Controller at the contact details indicated in this policy or the DPO, where appointed.

12. Complaint to the Supervisory Authority

The data subject has the right to lodge a complaint with the Data Protection Authority according to the procedures provided for by current legislation.

(Note: The numbering jumps from 12 to 14 to match your original Italian text)

14. Changes to this Policy

The Data Controller reserves the right to update or modify this policy at any time, also in consideration of regulatory changes, technical evolutions of the site, or changes in the processing carried out. Updates will be published on this page.

15. Cookies and Tracking Tools

For information regarding the possible use of cookies and other tracking tools through the site, please refer to the relevant Cookie Policy, if any.