Privacy policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 (GDPR) Pursuant to and for the purposes of applicable legislation, including Regulation (EU) 2016/679 "General Data Protection Regulation" ("GDPR"), Legislative Decree No. 196/2003 ("Privacy Code") and Legislative Decree No. 51/2018, as well as other applicable provisions on the protection of personal data (the "Privacy Legislation")"), Krill Design S.r.l., in its capacity as data controller, informs you that it will process the data communicated by the user or otherwise obtained as a result of the use of the website [•] (the "Site") in the manner and for the purposes described below in this information (the "Policy"). The terms of this Policy apply solely and exclusively to the Site and not to other websites owned by the Data Controller or owned by third parties that the user may access through any links contained in the Site. If you access another website, we recommend that you read the information regarding the processing of personal data applicable to that website. By browsing the Site, the user acknowledges that he or she has read and understood the content of this Policy.
  1. Contact details of the Data Controller and the Data Protection Officer
The Data Controller is Krill Design S.r.l. (hereinafter also the "Data Controller" or "Company") with registered office in via Marco D'Agrate – 20139 Milan (MI). You can contact the Data Controller by email at [•], or by ordinary mail at the address above. The Company has appointed a Data Protection Officer (the "DPO"), as the Data Protection Officer, who can be contacted at the following email address: [•].
  1. Type of personal data processed through the Website
The Data Controller processes the following types of personal data of users who browse and interact with the web services of the Site, in particular:
  • Browsing data
The computer systems and software procedures used to operate the Site acquire, during their normal operation, some personal data whose transmission is implicit in the use of internet communication protocols or is used to improve the quality of the service offered. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the Site, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, successful, successful,  error, etc.) and other parameters related to the user's operating system and computer environment. These data are used in order to obtain anonymous statistical information on the use of the Site and to check the correct functioning of the computer systems. The data could also be used to ascertain responsibility in the event of hypothetical computer crimes or in the event of damage to the Company or third parties.
  • Data provided voluntarily by the user concerned
Users are not required to provide personal data to visit the Site. However, contacts between users and the Company, through the compilation of contact forms, in the "Contact Us" section, the sending of e-mails, messages or any type of communication to the addresses indicated on the Site, involve the consequent acquisition of common personal data, such as, by way of example, name, surname, e-mail, as well as any other personal data that will be provided by the user spontaneously when interacting with the Company through the Site.  Therefore, if you wish to avoid the processing of your data by the Company, you are invited not to submit any request or, at least, to provide as little personal data as possible.
  1. Purpose and legal basis of the processing
Personal data may be collected and processed for the following purposes:
Purpose of the processing Legal basis of the processing Nature of the provision
1.     to allow users to use the web services of the Site; Article 6(1)(b) GDPR: for the performance of a contract to which the data subject is a party or pre-contractual measures taken at the request of the data subject; The provision of personal data is necessary and does not require your consent. Any refusal to provide the data may make it impossible for the Company to comply with the requested service, to comply with legal obligations and to process and respond to your requests. Providing personal data via the contact forms on the Site is not a legal or contractual requirement; however, the provision of data is necessary to respond to your request.
1.     manage your requests for information; Article 6(1)(b) GDPR: for the performance of a contract to which the data subject is a party or pre-contractual measures taken at the request of the data subject;
1.     prevent the commission of unlawful acts through the Site; Article 6, paragraph 1, letter b) of the GDPR: for the pursuit of a legitimate interest of the Data Controller;
1.     protect the Company's rights, in the event of any legal disputes; Article 6, paragraph 1, letter b) of the GDPR: for the pursuit of a legitimate interest of the Data Controller;
1.     to comply with legal obligations to which the Company is subject; Article 6, paragraph 1, letter c) of the GDPR: for the fulfilment of legal obligations to which the Data Controller is subject;
For any processing of personal data carried out through cookies, please refer to the specific Cookie Policy. If the Data Controller intends to use the personal data collected for any other purpose that is incompatible with the purposes for which they were originally collected or authorised, the Data Controller will inform the user in advance, and the latter may also deny or revoke his/her consent.
  1. Processing methods
Within the Company's organisational structure, personal data will be processed by persons authorised to process it acting under the authority of the Data Controller, adequately instructed by the Data Controller, mainly by electronic systems in accordance with the principles applicable to the processing of personal data pursuant to art. 5 of the GDPR.
  1. Criteria used to determine the retention periods of personal data
Your data will be stored for the period necessary to comply with legal obligations. The retention period of the data depends on the purposes for which it is processed and therefore may vary. The criteria used to determine the applicable retention period are as follows: the personal data covered by this Policy will be retained for the time necessary (i) to manage the contractual relationship with you, (ii) to handle complaints or specific requests from you, (iii) to assert legal claims, and (iv) for the time provided for by applicable law. For the storage times of any personal data processed through cookies, please refer to the Cookie Policy.
  1. Communication, dissemination and transfer of personal data
Personal data will not be disseminated and may be communicated to the competent authorities or to public or private bodies for the fulfilment of obligations provided for by law. The personal data collected may be processed by third-party suppliers, as data processors in relation to the services provided on behalf of the Company on the basis of specific contractual agreements, possibly for occasional maintenance operations and for what is necessary to perform services under specific requests. Your personal data will not be transferred outside the European Union and/or the European Economic Area ("EEA"). The complete list of such subjects or categories of subjects is available at the Data Controller's registered office and can be requested by sending a communication to the contact details indicated in paragraph 1 of this Policy.
  1. Rights of the data subject
Within the limits provided for in Article 2-undecies of the Privacy Code, you have the right to exercise at any time the rights recognized by Articles 15 to 22 and 77 of the GDPR, as briefly summarized below:
  • Right of access: you may request information regarding the processing we operate on your data or confirmation that the Data Controller processes your personal data. If this is the case, you can ask us to provide you with a copy of your data and to check what data we hold about you.
  • Right to rectification: You have the right to request that we rectify your personal data in the event that it is incorrect, including the right to request that we complete incomplete personal data.
  • Right to erasure: You have the right to request that we erase data (or part of it) that you have provided to us, including data that is not necessary to be retained in connection with the purposes for which the data was collected or otherwise processed.
  • Right to restriction of processing: you may request us to limit the processing of your personal data where the legal cases are met.
  • Right to object: you may object to the processing of your personal data, unless there is an overriding legitimate reason for the continuation of such processing.
  • Right to portability: you may obtain from the Company, in a structured, commonly used and machine-readable format, the personal data you have communicated to us, in order to transmit them to another party. This right is applicable in the event that the Company processes such data through automated tools, on the basis of consent or for the purpose of providing services.
  • Withdrawal of consent: if the processing is based on consent, you may withdraw it at any time, without prejudice to the lawfulness of the processing carried out before said withdrawal.
  • Right not to be subjected to automated decision-making: you may request not to be subjected to processing based solely on automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right may not be exercised if: i) the processing is necessary for the conclusion of a contract between you and the Data Controller; ii) the processing is authorised by law; iii) the processing is based on your consent.
  • Right to lodge a complaint with the Supervisory Authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent Supervisory Authority if you believe that the processing carried out violates the current legislation on the protection of personal data.
Without prejudice to the procedures provided by the Guarantor to promote a possible complaint, for all other rights you may send a request to the Data Controller or the DPO using the contact details indicated in paragraph 1 of this Policy.