COOKIE POLICY
Object
Cookies and other tracking tools.
Regulations
Article 122 of the Code and Articles 4, point 11), 7, 12, 13 and 25 of the Regulation.
Cookies and other tracking tools
Cookies are usually strings of text that websites (so-called publishers or "first party") visited by the user or different websites or web servers (so-called "third parties") place and store within a terminal device available to the user (so-called “active” identifiers). Similar functions can be performed by other tools which, although using a different technology (so-called "passive" identifiers), allow processing similar to that carried out through cookies.
Cookies and other technical identifiers
They are used for the sole purpose of "carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contractor or user to provide this service" (see art. 122, paragraph 1 of the Code).
They do not require the acquisition of consent, but must be indicated in the information.
First and third party analytics cookies
They are comparable to cookies and other technical identifiers only if:
– they are used solely to produce aggregate statistics and in relation to a single site or a single mobile application;
– for third-party ones, at least the fourth component of the IP address is masked;
– third parties refrain from combining analytics cookies, thus minimized, with other processing (customer files or statistics of visits to other sites, for example) and from transmitting them to further third parties. However, third parties are permitted to produce statistics with data relating to multiple domains, websites or apps that are attributable to the same publisher or business group.
The owner who carries out on his own the mere statistical processing of data relating to multiple domains, websites or apps attributable to him can also use the unencrypted data, in compliance with the purpose constraint.
Cookies and other tracking identifiers with non-technical function
Used to trace back to specific, identified or identifiable subjects, specific actions or recurring behavioral patterns in the use of the features offered (patterns) for the purpose of grouping the different profiles within homogeneous clusters of different sizes, so that it is also possible to modulate the provision of the service in an increasingly personalized way, as well as sending targeted advertising messages, i.e. in line with the preferences expressed by the user when browsing the internet.
Main innovations introduced by the GDPR having effects on the use of cookies and other tracking tools
– accountability;
– integration of the information (also specify the data retention times);
– strengthening of consent (must be “unequivocal”);
– respect for the principles of privacy by design and by default.
Information and consent
How to provide the information:
– simple and accessible language;
– usable, without discrimination, even by those who, due to disabilities, require assistive technologies or particular configurations;
– also in multilayer and multichannel mode;
– if only technical cookies are used, the relevant information can be placed on the home page of the site or in the general information;
– if other cookies and other “non-technical” identifiers are also processed, a banner of adequate size that appears immediately can be used, which contains:
a) the indication that the site uses technical cookies and, with the user's consent, profiling cookies or other tracking tools, indicating the related purposes (short information);
b) the link to the privacy policy containing the complete information, including any other recipients of the personal data, the data retention times and the exercise of the rights referred to in the Regulation;
c) the warning that closing the banner (e.g. by selecting the appropriate command marked with the cookies or other tracking tools other than technical ones.
For the purposes of acquiring consent, the banner must therefore contain:
d) the mentioned command (e.g. an X in the upper right) to close the banner without giving consent to the use of cookies or other profiling techniques while maintaining the default settings;
e) a command to accept all cookies or other tracking techniques;
f) the link to another area in which you can analytically choose the features, third parties and cookies that you want to install and be able to give consent to the use of all cookies if not previously given or revoke it, even in a single solution, if already expressed. In this regard, it is good practice to use a graphic sign, an icon or other technical device that indicates, even in an essential way, for example in the footer of each page of the domain, the status of the consents previously given by the user, allowing for any modification or update. This area dedicated to detailed choices must also be reachable via a further link positioned in the footer of any page of the domain.
The request for consent must not be repeated where consent was previously not given, except: if the conditions of the processing change significantly; if it is impossible for the site to know whether a cookie has already been stored on the device; if at least 6 months have passed since the previous presentation of the banner.
In the case of users with accounts (so-called authenticated users), the cross-referencing of data relating to navigation carried out using multiple devices is prohibited without prior consent.
Additional information to be provided to users
The coding criteria for cookies and other tracking tools adopted, to be communicated, upon request, to the Authority; the possibility, for authenticated users, to consent to tracking carried out also through the cross-analysis of behaviors carried out through the use of different devices.
Analysis of some methods of collecting consent
Scrolling: in itself unsuitable for collecting suitable consent, except in the case in which it is inserted into a more complex process in which the user is able to generate an event, which can be recorded and documented on the server of the site, which can be qualified as a positive action suitable for unequivocally demonstrating the desire to give consent to the processing.
Cookie wall: illicit, except in the case - to be verified on a case-by-case basis - in which the site offers the interested party the possibility of accessing, without giving their consent to the installation and use of cookies, a content or an equivalent service, to be evaluated in light of the principles of the Regulation.
Validity of consents already collected
If they comply with the characteristics required by the Regulation, the consents collected previously maintain their validity provided that, at the time of their acquisition, they have been registered and are therefore documentable.
Time to adapt the systems and treatments already in place to the principles expressed by the Guidelines
6 months from the publication of the Guidelines in the Official Journal