Privacy Policy e Cookie Policy

This policy describes the procedures followed by Pasticceria Confetteria Cova S.r.l. (hereinafter “Cova”, the “Owner” or the “Company”) in relation to the processing of personal data collected through the site http://www.pasticceriacova.com  (hereinafter the “Site”).

Unless otherwise specified, this policy is also valid as information - pursuant to art. 13 of Regulation (EU) no. 2016/679 (hereinafter the “GDPR”) – given to those who interact with the Site (hereinafter the “User”).

Detailed information on the processing of personal data is reported, where necessary, on the pages relating to the individual services offered through the Site. These information are aimed at defining the limits and methods of processing of personal data for each service, on the basis of which the User can freely express your consent, where necessary, and possibly authorize the collection of data and their subsequent processing.

DATA CONTROLLER. DATA CONTROLLER.

The Data Controller is Cova, with registered office in Via Pietro Cossa 2, 20122 Milan (MI), tel. +39 0276002750, e-mail privacy@covamilano.com. The updated list of any data controllers is available at the Data Controller's headquarters.

TYPES OF DATA PROCESSED.

Through the Site the following may be collected and processed:

• navigation data;
• personal data provided voluntarily by the User through contacts on the Site.

COOKIES.

Cookies are small text files that the sites visited send to the user's terminal, where they are stored, and then re-transmitted to the same sites on the next visit. Cookies allow sites to function correctly and efficiently to improve the user experience, allowing the site to store information in the memory of your computer or other devices. 
The Site uses technical cookies. These cookies, being of a technical nature, do not require the User's prior consent to be installed and used.

In particular, the cookies used on the Site can be traced back to the following subcategories:

• navigation or session cookies, which guarantee normal navigation and use of the Site and to collect information anonymously on how users use the site and how many visitors the site has, where they come from, and the other sites they have visited. Not being stored on the user's computer, they disappear when the browser is closed;
• Analytical cookies, such as, for example, those used by Google Analytics, with which statistical information is collected and analyzed, through computers and other devices, on the number of users of the site, or on the number of clicks on the page during their navigation, or from which site users come from and the pages they visited;
• social widgets e plugin: some widgets and plugins made available by social networks may use their own cookies to facilitate interaction with the reference site;

The third-party cookies installed on the Site are listed below. For each of them there is a link to the relevant information on the processing of personal data carried out and on the methods for deactivating the cookies used. With regard to third-party cookies, the Owner only has the obligation to include the link to the third-party site in this policy. This subject, however, is responsible for providing information and indicating the methods for any consent and/or deactivation of cookies.

• Google Analytics: https://support.google.com/analytics/answer/6004245

Cookies can be disabled by the User by checking and/or modifying the browser settings based on the instructions made available by the relevant suppliers at the links listed below.

• Internet Explorer
• Mozilla Firefox
• Google Chrome
• Apple Safari

PURPOSE AND LEGAL BASIS OF THE PROCESSING

The personal data collected through the Site will be processed:

1. for the management of requests for information sent by the User;
2. for sending commercial communications on products and services of the Company and/or third parties - including subsidiaries, parent companies and associated companies - operating in the confectionery and food sector, via e-mail, newsletter, sms, mms, fax or similar and/ or by means of the postal service or telephone calls with an operator;
3. to carry out profiling activities aimed at carrying out the activities referred to in the previous letter b);
4. for the sharing and/or communication of the User's personal data to Cova's commercial partners located in countries outside the European Union, for the latter to send commercial communications on their products and services;
5. for the execution of sales contracts to which it is a party or for the adoption of pre-contractual measures adopted at your request;
6. for the fulfillment of legal obligations, including any administrative and accounting activity, connected to the sale;
7. in the context of the communication of data between companies with parent companies, subsidiaries or affiliates, for administrative and accounting purposes, or connected to organizational activities - including those functional to the fulfillment of contractual and pre-contractual obligations - administrative, financial and accounting;
8. for sending communications aimed at the promotion and/or direct sale of products or services similar to those you have already purchased (so-called “soft spamming”), without prejudice to your right to object at any time.

The processing of personal data for the purposes under a) does not require the User's consent as the processing is necessary to fulfill specific requests of the interested party pursuant to art. 6, c. 1, letter. b) of the GDPR. The processing of personal data for the purposes under b), c) and d) requires the User's consent pursuant to art. 6, c. 1, letter. a) of the GDPR.

The processing of data for the purpose sub e) does not require your consent as the processing is necessary for the fulfillment of specific contractual obligations, pursuant to the art. 6, c. 1, letter. b) of the GDPR. The processing of data for the purpose sub f) does not require your consent as it is necessary to fulfill the legal obligations to which the Data Controller is subject, pursuant to articles . 6, c. 1, letter. c) of the GDPR. The processing of data for the purposes sub g) and h) does not require your consent as it is necessary for the pursuit of the legitimate interest of the Data Controller, pursuant to the articles 6, c. 1, letter. f) of the GDPR.

TRANSFER OF DATA TO THIRD COUNTRIES

The Data may be communicated and/or transferred to commercial partners of the Owner located in countries outside the European Union which may not guarantee an adequate level of protection. In particular, the transfer may be made to the following countries, based on the legitimacy conditions indicated in relation to each of them:

• People's Republic of China, based on your explicit consent;
• Hong Kong, based on your explicit consent;
• Republic of China, based on your explicit consent;
• Macau, based on your explicit consent;
• United Arab Emirates, based on your explicit consent;
• Japan, based on your explicit consent;
• Kingdom of Saudi Arabia, based on your explicit consent;
• Qatar, based on your explicit consent;
• Kingdom of Bahrain, based on your explicit consent;
• South Korea, based on your explicit consent;
• United States, based on your explicit consent;
• Türkiye, based on your explicit consent;
• Principality of Monaco, on the basis of your explicit consent.

PROVISION OF DATA AND CONSEQUENCES OF FAILURE TO PROVIDE DATA

The provision of personal data for the purposes sub a), b), c), d) is optional and failure to provide it will result, as the sole consequence, in It is impossible for the Data Controller to manage and process the interested party's requests, to send commercial communications, and to carry out the activities indicated.

The provision of data for the purposes sub e) and f) is necessary to fulfill the legal and contractual obligations of the interested party and the Data Controller. The provision of data for the purpose sub g) is necessary for the pursuit of the legitimate interests of the Company indicated above. In all these cases, failure to provide data will make it impossible for the Company to follow up on your purchase request and manage your contractual relationship.

RECIPIENTS OR CATEGORIES OF RECIPIENTS

Personal data may be made accessible, brought to the attention of or communicated to the following subjects, who will be appointed by, depending on the case, as managers or agents:

• companies of the group to which the Data Controller belongs (parent companies, subsidiaries, affiliates), employees and/or collaborators in any capacity of the Data Controller and/or companies of the group to which the Data Controller is part;
• public or private entities, natural or legal persons, of whom the Data Controller uses to carry out activities instrumental to achieving the aforementioned purpose or to whom the Data Controller is required to communicate personal data, by virtue of legal or contractual obligations;
• Business partners of the Owner located outside the European Union.

In any case, personal data will not be disclosed.

RETENTION PERIOD

The data will be stored for a maximum period of time equal to the limitation period of the rights enforceable by the Data Controller, as applicable from time to time. In the case of processing for marketing purposes, the data will be stored for a maximum period of 24 months; for profiling purposes, the data will be stored for a maximum period of 12 months.

RIGHTS OF ACCESS, DELETION, LIMITATION AND PORTABILITY

Interested parties are granted the rights referred to in the articles. from 15 to 20 of the GDPR. By way of example, each interested party may:

1. obtain confirmation as to whether or not personal data concerning him or her are being processed;
2. if processing is ongoing, obtain access to the personal data and information relating to the processing as well as request a copy of the personal data;
3. obtain the rectification of inaccurate personal data and the integration of incomplete personal data;
4. obtain, if one of the conditions set out in the art. 17 of the GDPR, the cancellation of personal data concerning him;
5. obtain, in the cases provided for by art. 18 of the GDPR, the limitation of processing;
6. receive personal data concerning him in a structured, commonly used and machine-readable format and request their transmission to another owner, if technically feasible.
   

RIGHT TO OBJECT.

Each interested party has the right to object at any time to the processing of their personal data carried out for the pursuit of a legitimate interest of the Data Controllers. In the event of opposition, your personal data will no longer be processed, provided that there are no legitimate reasons to proceed with the processing which prevail over the interests, rights and freedoms of the interested party or for the assessment, exercise or defense of a right in court.

RIGHT TO WITHDRAW CONSENT.

In the event that consent is required for the processing of personal data, each interested party may also revoke the consent already given at any time, without prejudice to the lawfulness of the processing based on the consent given before the revocation. Consent can be revoked by writing an email to the address

RIGHT TO OBJECT AND WITHDRAW CONSENT IN RELATION TO PROCESSING CARRIED OUT FOR MARKETING PURPOSES.

With reference to the processing of personal data for the purposes under b), d), and h), each interested party may revoke any consent given at any time or oppose their processing by writing an email to the address privacy@covamilano.com. The opposition to the processing exercised through these methods also extends to the sending of commercial communications via the postal service or telephone calls with an operator, without prejudice to the possibility of exercising this right in part, for example by objecting only to the processing carried out through systems automated communications. In the case of transfer and/or communication of data to third parties, the Company will be responsible for communicating to the third parties to whom your personal data have been communicated the revocation of consent or opposition to the processing.

RIGHT TO LODGE A COMPLAINT WITH THE GUARANTOR.

Furthermore, each interested party may lodge a complaint with the Guarantor for the Protection of Personal Data if he/she believes that the rights he/she holds pursuant to the GDPR have been violated, according to the methods indicated on the Guarantor's website accessible at the address: www.garanteprivacy.it.

UPDATES.

This Privacy Policy will be subject to updates. The Owner therefore invites Users who wish to know the methods of processing of personal data collected through the Site to periodically visit this page.

Having read and understood the information on the processing of my personal data:

• I consent to the processing of my personal data for sending commercial communications on products and services of the Company and/or third parties referred to in the letter. b)
• I consent to the sharing and/or communication of my personal data to business partners of Cova located in non-EU countriesfor the latter to send commercial communications on their products and services referred to in the letter. d)  
•  I consent to the processing of my personal data for carrying out profiling activities aimed at sending commercial communications on products and services of the Company and/or third parties of which to the letter c)