1. Legal framework.
1.1. The Policy is inspired by the following EU and/or national (first and/or second level) legislative measures: (i) Directive no. 2002/58/EC of 12.7.2012 (the so-called ePrivacy Directive), as amended by Directive no. 2009/136/EC; (ii) art. 122 of the new Legislative Decree no. n. 196/2003 (Privacy Code), which transposed the ePrivacy Directive into the national legal system; (iii) GDPR: articles 4 no. 11), 7, 12, 13, 25 and 95 (in addition, in particular, to Recitals no. 30, 32 and 173); (iv) Guidelines no. 5/2020 adopted on 4 May 2020 by the EDPB, replacing the Guidelines of 10.4.2018 signed by WP Art. 29; (v) Measure No. 231 of 10.6.2021 [web doc. no. 9677876] signed by the Italian Authority for the protection of personal Data (Data Protection Authority); (vi) Recommendation No. 2/2001 of the WP Art. 29; (vii) Opinion No. 2/2010 of the WP Art. 29; (viii) Opinion No. 4/2012 of the WP Art. 29; (ix) Guidelines No. 8/2020 of the EDPB
2. Cookies and other tracking tools: definition and classification.
2.1. “Cookies" are, as a rule, strings of text that a website ("publisher" or "first party") visited by the user or a different website ("of a third party") places and stores, directly (in the case of the first party website) or indirectly (through the latter, in the case of a third party website), in a terminal device available to the user: in this regard, the Data Protection Authority has specified the fact that the information, encoded in the cookies, can include both personal data ex art. 4 n. 1) of the GDPR (e.g. IP address; user name; email address; unique identifier) and non-personal data ex art. 3 n. 1) of EU Regulation n. 1807/2018 (e.g. language; type of device used).
Next to (or in addition to) them, "other tracking tools" may exist (and therefore be used), which can be divided into "active" (which have almost the same characteristics as cookies) and "passive" (e.g. finger printing).
2.2. Beyond the described intrinsic characteristics, cookies (and other tracking tools) can have different peculiarities from a temporal point of view (and, therefore, be considered "session"1 or "permanent"2, due to their duration), from a subjective point of view (depending on whether the publisher acts autonomously or on behalf of a "third party") as well as, finally (but especially), from the point of view of their duration. depending on their duration), from a subjective point of view (depending on whether the publisher acts autonomously or on behalf of a "third party") and, finally (but especially), on the basis of the processing purpose pursued, so that they can be divided into two different (macro) categories:
- "technical", used for the sole purpose of "carrying out the transmission of a communication over an electronic communication network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide such service" (art. 122 paragraph 1) of the Privacy Code).
In this regard, the Data Protection Authority has highlighted, within the Measure no. 231 of 10.6. 2021 (in line of continuity with the previous Provision on the matter of 2014), that the "analytics cookies"3 may well be included within the alveo of cookies (or other tracking tools) of a "technical" nature (and, therefore, may be used in the absence of the prior acquisition of consent by the person concerned), at the occurrence of certain conditions, aimed at precluding the possibility that it is reached, through their use, the direct identification of the person concerned (single out)4.
- "profiling"/"marketing" (the so called non-technical), used to trace specific actions or behavioral patterns recurring in the use of features offered (pattern) to specific subjects, identified or identifiable, in order to group the different profiles within homogeneous clusters of different sizes, so that it is possible for the Data Controller, among other things, also modulate the provision of the service in an increasingly personalized beyond what is strictly necessary to provide the service, as well as send targeted advertising messages (ie, in line with the preferences expressed by the user during navigation on the network).
3. Cookies installed on the Site
3.1. Within the Site, the following types of cookies have been installed:
|Name ||Type ||First Party / Third Party ||Duration |
|GUEST_LANGUAGE_ID ||Technical ||First party www.thdlab.co.uk ||1 year |
|COOKIE_SUPPORT ||Technical ||First party www.thdlab.co.uk ||4 months |
|JSESSIONID ||Technical ||First party www.thdlab.co.uk ||Until the end of the browsing session |
|cookiePage ||Technical ||First party www.thdlab.co.uk ||1 year |
|cookiePolicy ||Technical ||First party www.thdlab.co.uk ||4 months |
|LFR_SESSION_STATE_20103 ||Technical ||First party www.thdlab.co.uk ||Until the end of the browsing session |
|_gat ||Technical/Analytical ||First party www.thdlab.co.uk ||10 minutes |
|_gid ||Technical/Analytical ||First party www.thdlab.co.uk ||24 hours |
|_ga ||Technical/Analytical ||First party www.thdlab.co.uk ||2 years |
Google Analytics cookies: The site uses Google Analytics analysis cookies to collect aggregate statistical information on user behavior. These cookies can not be used to identify specific individuals. More information on the use of Google Analytics cookies can be found at https://www.google.com/policies/privacy/. Google provides a browser plugin to prevent the collection and use of its data to visitors to sites on which the statistical service is active. For more information, visit https://tools.google.com/dlpage/gaoptout.
4. Responsibility for the operation of third party cookies.
4.1. In this regard, it is recalled, faithfully, what it is provided by the Provision of 8.5.2014 signed by the Data Protection Authority: " There are several reasons why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by "third parties". In the first place, a publisher would be required to always be equipped with the tools and the legal and business skills to take upon himself the obligations of third parties – thus, the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually aiming at via their cookies. This is a daunting task because a publisher often has no direct contacts with all the third parties installing cookies via his website, nor does he know the logic underlying the respective processing. Furthermore, it is not seldom the case that licensees step in between a publisher and the said third parties, which makes it ultimately highly difficult for the publisher to keep track of the activities of all the stakeholders. Secondly, third parties´ cookies might be modified by the third parties with time, and it would prove rather dysfunctional to require publishers to keep track also of these subsequent changes”.
5. Browser Settings.
5.1. THD highlights the possibility for the user to delete and block the operation of the cookies described in art. 3) above at any time by using the appropriate settings in the browser used: in this regard, THD adds that if the user decides to disable the technical cookies referred to in art. 2.1. point i), the quality and speed of services and features offered and made available on the Site may deteriorate.
5.2 Enabling or disabling cookies
By changing the browser settings (i.e. the navigation program used), you can change the settings on your browser to accept or reject cookies, or to decide which cookies categories to accept or reject, or to decide whether or not to receive a warning message before accepting a cookie from the websites you visit. You can also delete all the cookies set in the cookies folder of your browser.
Remember that if you decide to completely disable the cookies in your browser you may not be able to use all our interactive functions.
If you use a number of different devices, make sure you have set your preferences on every browser. Every browser has slightly different procedures to manage the settings.
Below are some brief instructions and links to specific instructions on how to change your browser's cookie settings, referring in particular to the four most common browsers:
Microsoft Internet Explorer
Click on the “Tools” button at the top-right, and then select “Internet options”. Select the “Privacy” tab. Here you can change the settings of your cookies, and you can block all or some cookies.
Open Chrome, at the top-right, click on “More” and then select “Settings”. At the bottom, click “Show advanced settings”. Under “Privacy and Security”, click “Content settings”. Click “Cookies” to manage your preferences and allow or block all or some cookies.
Click the menu button in the top-left corner of the page and choose “Options”. Select the “Privacy & Security” panel. Go to the Cookies and Site Data section where you can manage your cookies settings.
Click the menu button in the top-right corner of the page and choose “Preferences”. Click “Privacy” and here you can manage your cookies settings.[PO2] We will store your cookies preferences using a special technical cookie with the functions specified in the table above.
If you use a different browser from the ones listed above, select “cookies” in the help section of your browser to find out where you can manage your cookie settings.
6. Rights of the Data Subject
6.1. With regard to your Personal Data that are processed by the Controller THD, We hereby inform you, as Data Subjects pursuant to art. 4 n. 1) of the GDPR, that you are entitled to exercise the following rights possibly subject to the limitations provided for by art. 2 undecies and 2 duodecies of the Privacy Code: Right of access – Article 15 of the GDPR: the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data – including a copy of them – and the following information( the purposes of the processing,); right to rectification – Article 16 of the GDPR: the right to obtain without undue delay the rectification of inaccurate personal data concerning you and the right to have incomplete personal data completed; right to erasure (‘right to be forgotten’) – Article 17 of the GDPR: the right to obtain the erasure or destruction or anonymization of personal data, however, where the conditions listed in the same article are met; right to restriction of processing – Article 18 of the GDPR: the right to obtain restriction, right with a markedly precautionary connotation, aimed at obtaining the limitation of processing where the hypotheses governed by the same art. 18 of processing where one of the following applies: right to object – Article 21 of the GDPR: the right to object to the processing of your personal data unless the controller demonstrates compelling legitimate grounds for the processing; right to data portability – Article 20 of the GDPR: the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance, where the processing is based on consent and the processing is carried out by automated means; right to lodge a complaint with the Italian Data Protection Authority (Garante), Piazza Venezia 11, 00187 Rome (RM)- ex. Article 77 of the GDPR, where it is believed that the processing under analysis violates national and EU legislation on the protection of personal data.
6.2. In addition to the rights described in the previous art. 6.1.), THD specifies that, in relation to the personal data of the data subject, there is, where possible and conferring, the right to exercise, on the one hand, the (sub) right provided for by art. 19 of the GDPR ("The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.”), to be considered connected and connected to the exercise of one or more rights regulated by art. 16, 17 and 18 of the GDPR; on the other hand, THD specifies that, in relation to the personal data of the data subject, there is, where possible and conferring, the right to exercise the right provided for by art. 22 paragraph 1) of the GDPR ("The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.") , subject to the exceptions provided for in paragraph 2) below.
6.3. In accordance with Article 12(1) of the GDPR, THD undertakes to provide the communication under Articles 15 to 22 of the GDPR in a concise, transparent, intelligible and easily accessible form. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
6.4. In accordance with Article 12(3) of the GDPR, the Controller informs you that it undertakes to provide information on action taken on a request under Articles 15 to 22 to you without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
6.5. The data subject can exercise, at any time, the aforementioned rights (except for the right pursuant to art. 77 of the GDPR) by using the contact details illustrated in art. 7. of this “Notice”.
7. Data Controller’s contact details
7.1. The Controller can be contacted at the following email address: firstname.lastname@example.org
7.2. The “Data Protection Officer”, as specified in Article 37 of the GDPR is the lawyer Sara Mandelli of BALDI & PARTNERS, who can be contacted at the following email address: email@example.com
8. Recipients of your Personal Data
The Controller will disclose your Personal Data to its collaborators, who will act as persons authorised to process personal data.
Furthermore your Personal Data will be processed by third parties belonging, by way of example, to the following categories:
a) any subsidiary, parent or associated company of the Controller, including:
b) entities providing IT system management services, including server hosting and backup services;
c) entities that provide the Controller with tax, legal, judicial and compliance advice;
The entities listed above operate, in some cases, independently as separate data controllers, and in other cases, as data processors specifically appointed by the Data Controller in accordance with Article 28 of the GDPR.
Moreover, with regard to the Provision of the Italian Data Protection Authority (Garante) made on 27 November 2008 “Misure e accorgimenti prescritti ai titolari dei trattamenti effettuati con strumenti elettronici relativamente alle attribuzioni delle funzioni di Amministratori di sistema” (Measures and mechanisms required by data processing controllers using electronic media with regard to attributing the functions of system administrator), as Data Subject you may also ask the Controller the names of the System Administrators of the operating systems containing the personal data collected.
The personal data processed by the Controller are not disclosed.
THD does not intend to transfer your personal data to any non-EU countries. However, if, in execution of the purposes listed above, THD should transfer your data outside the European Union, the Controller will proceed to carry out such transfer only after establishing that one of the conditions laid down in Articles 44 et seq. of the GDPR is met, in order to ensure an adequate level of protection of your personal data.
Correggio (RE), date 1 September 2021
(In its capacity as Data Controller)
1 Cookies designed to collect and store data while a user accesses a website, and disappear once the user closes the relevant browsing session
2 Cookies that are designed to last for a set period of time (e.g., minutes; months; years).
3 Analytical cookies are usually used to assess the effectiveness of an information society service provided by a publisher, for the design of a website or, finally, to help measure the relative traffic (i.e. the number of visitors, also possibly split by geographical area, time of connection).
4 See Guidelines in question, pg. 13) and 14): " Accordingly, analytics cookies will have to be structured in such a way as to enable the same cookie to relate to several devices, which will create reasonable uncertainty as to the IT identity of the cookie recipient. This is usually achieved by masking out appropriate portions of the IP address in the cookie. Taking into account the 32-bit IPv4 representation of IP addresses, which are usually represented and used as a sequence of four dot-separated decimal numbers between 0 and 255, one of the measures that can be implemented in order to benefit from the said exemption is the masking out of at least the fourth component of the address, which creates a 1/256 (approximately 0.4%) uncertainty in attributing the cookie to a specific data subject. Similar procedures should be adopted with regard to IPv6 addresses, which have a very different structure and a significantly larger addressing space since they consist of 128-bit binary numbers. Further, the Garante stresses the need for analytics cookies to be only used for the production of aggregated statistics and in relation to an individual website or mobile application, so as not to allow tracking an individual’s navigation across different applications or websites. Accordingly, third parties providing web measurement services to the publishers shall not match the data, even if minimized in the manner described above, with any other information (such as customer records or statistics concerning visits to other websites) nor will they forward such data to other third parties since this will result into unacceptably increasing user identification risks. This is without prejudice to the production of statistics based on minimized data across several domains, websites or apps that can be traced back to the same publisher or publishing group. However, statistical analyses concerning several domains, websites or apps that can be traced back to one single controller can be considered lawful even in the absence of the aforementioned minimization measures – on condition such analyses are performed by way of the controller’s own resources and do not turn into activities that go beyond statistical counting and take on ultimately the features of processing operations aimed to enable business-related decision-making”.