Privacy notice
INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ART.13 OF REGULATION (EU) 2016/679 (GDPR)
This document constitutes the Privacy Policy of the website www.felga.it (hereinafter, the "Site"), drafted in accordance with Regulation (EU) 2016/679 (GDPR). Its purpose is to provide a clear and transparent overview of how users’ personal data is collected, used, stored, and protected when they browse the Site (hereinafter referred to as “users”) or contact the company through the features made available.
The core principle guiding the processing of personal data is transparency, which requires that information and communications related to data processing be easily accessible and understandable, using clear and simple language.
Please note that this Privacy Policy applies exclusively to the Site www.felga.it and does not extend to other websites or external pages that users may access through links or interactive connections on the Site. Therefore, users are encouraged to review the privacy policies provided by the data controllers of any external sites they may be redirected to.
This Policy may be subject to changes and updates, either due to the introduction of new regulations or changes to the functionalities of the Site. Users are therefore encouraged to periodically consult the "Privacy & Cookies" section of the Site to view the most recent version.
Further specific information regarding the processing of personal data may be provided to data subjects in connection with the activation or request of particular services. This Privacy Policy offers a general overview of personal data processing; however, additional and more detailed information may be provided to data subjects through dedicated notices when specific services are activated or requested.
1. Identity and Contact Details of the Data Controller
The Data Controller of the personal data—meaning the natural or legal person who determines the purposes and means of processing—for the purposes described in this Privacy Policy is Felga Etichette S.r.l., with its registered office at Via dell’Artigianato no. 2/B – 33090 Lestans di Sequals, VAT and Tax Code: 01335900930 (hereinafter also referred to as the “Controller” or the “Company”).
The Data Controller is responsible for ensuring compliance with the principles set out in Article 5 of the GDPR and must be able to demonstrate such compliance (“accountability”).
For any matter relating to the processing of personal data, to exercise the rights granted by the GDPR (as detailed in paragraph 9 below), or to request clarification regarding this Privacy Policy, the data subject may contact the Controller.
The available methods of contact are by sending a registered letter with return receipt to the address specified above, or by sending an email to the following address: info@felga.it
2. Purpose and Legal Basis of Data Processing
The processing of personal data collected through the Site is carried out in accordance with the principles of lawfulness, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability, as set out in Article 5 of the GDPR.
Each processing purpose is supported by a specific legal basis, ensuring compliance with applicable legislation. Below are the purposes of the processing and their corresponding legal bases:
a. To ensure the proper functioning of the website pages and their content, as well as to obtain aggregate statistical information on the use of the services offered by the Site. This includes web traffic analysis to optimize user experience and platform stability.
Legal basis: Processing is necessary for the pursuit of the legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR). Such legitimate interest lies in the need to ensure the efficiency and security of the Site, as well as to monitor its use in order to improve its performance and services.
b. To provide assistance, contact users, respond to or follow up on requests submitted through dedicated forms (e.g., “contact us,” “request information”), or through other means of communication (e.g., telephone, email). This purpose also includes the management of activities related to the provision of specific services requested by users, such as the creation of a private account or purchases made via e-commerce (e.g., shipping, billing).
Legal basis: Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR), as well as for the pursuit of the legitimate interest of the Controller (Art. 6(1)(f) GDPR), consisting in the need to respond to the data subject’s requests.
c. Direct marketing by the Controller: to send the data subject, through various communication channels (e.g., postal mail, email, SMS, phone calls with or without an operator, and other contact tools used by the Controller), informative materials, newsletters, promotional, commercial, and advertising communications, as well as updates on events and initiatives promoted by the Controller. This category also includes activities aimed at conducting market research and measuring user satisfaction with the services provided by the Controller.
It is noted that, if the user has given consent to the use of profiling cookies while browsing the Site (as detailed in the specific cookie policy), the Controller may send personalized commercial communications, offers, and invitations, tailored to the user’s profile and specific interests (e.g., targeted commercial proposals or advertising campaigns adapted to individual preferences).
Legal basis: The processing of personal data for direct marketing purposes is based on the data subject’s explicit, free, specific, informed, and unambiguous consent (Art. 6(1)(a) GDPR).
d. To send periodic communications, newsletters, and other promotional or advertising messages to users who have expressly requested such a service via the appropriate functionality available on the Site.
Legal basis: The processing for the purpose of sending newsletters and promotional communications, as a form of direct marketing, is based on the explicit consent of the data subject (Art. 6(1)(a) GDPR).
It is specified that the data subject has the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent given before its withdrawal.
e. “Soft spam” activities: To use the email address provided by the data subject in the context of a previous purchase for the purpose of direct marketing of products or services similar to those already purchased from the Controller.
This activity falls under the “soft spam” exception provided for by Article 130, paragraph 4, of Legislative Decree 196/2003 (Italian Privacy Code), which allows the sending of promotional communications without prior explicit consent, provided that the email address was obtained in the context of the sale of a product or service, the communications relate to products or services similar to those already purchased, and the data subject—having been properly informed—does not object to such use initially or in the course of subsequent communications.
Legal basis: The processing is based on the legitimate interest of the Controller under Article 6(1)(f) GDPR, in combination with applicable national legislation.
3. Nature of Data Provision
The nature of providing personal data varies according to the specific purpose of processing, and the consequences of any refusal are detailed as follows:
For the purposes under letter a) – Technical Functioning and Website Usage Statistics:
The provision of personal data for the purposes described in point a) (i.e., those related to the proper technical functioning and collection of statistical data on the use of the Site), while not a legal obligation, constitutes an essential requirement to ensure the full operation and complete usability of the platform. A refusal to provide such data may therefore impair your ability to fully navigate the Site, view all its content, and access the related services.
For the purposes under letter b) – Handling User Requests:
The provision of personal data for the purpose specified in point b) is at your discretion. However, it is important to note that refusing to provide such information will make it impossible for the Controller to respond to your requests (e.g., to receive product or service details, quotes, or make reservations).
For the purposes under letters c) and d) – Direct Marketing, Newsletter:
The provision of personal data and the expression of consent for the purposes indicated in points c) and d) are entirely optional and based on your free choice. If you choose not to give such consent, the Controller will be unable to carry out direct marketing activities or send you newsletters. However, such refusal will not affect your ability to use the essential features of the Site or to access the requested services, as described in points a) and b) above.
4. Types of Data Processed
In pursuing the purposes previously outlined, the Data Controller will process the following categories of personal data:
- Browsing data:
During the operation of the Site, the computer systems and software procedures used to operate it automatically acquire certain information, the transmission of which is inherent to the use of Internet communication protocols. Although this data is not collected with the intention of identifying specific users, by its very nature it may allow users to be identified through processing and association with data held by third parties.
This category includes, by way of example: IP addresses and domain names of the devices used to connect to the Site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file received in response, the numeric code indicating the status of the server’s response (e.g., success or error), and other parameters related to the user’s operating system and IT environment.
This data is used exclusively to obtain aggregate statistical information on the use of the Site and to ensure it functions correctly. In specific circumstances—such as investigations into cybercrimes against the Site or other users—this data may be used to establish liability, upon request from the competent Authorities or supervisory bodies.
It is noted that such information may also be collected automatically through the use of cookies and similar technologies, such as behavioral web tracking. For more information and to manage your browsing preferences, please refer to our dedicated cookie policy.
- Data voluntarily provided by the user:
This category includes the personal information you actively and voluntarily provide to us. This includes, for example, identification data (such as date of birth, first and last name), and contact details (such as phone number and email address). Any additional personal data you may provide voluntarily through the completion of data collection forms or by sending emails will be processed in accordance with the principles of fairness, lawfulness, and transparency, and always in compliance with the principle of data minimization. This means we will collect and process only the information strictly necessary to fulfill the intended purposes.
5. Methods of Processing
Your personal data will be processed both in paper format and through the use of electronic tools. This processing will be carried out in full compliance with the applicable data protection laws, and in particular by adopting appropriate technical and organizational measures as set forth in Article 32, paragraph 1, of the GDPR.
6. Categories of Data Recipients
Personal data will not be subject to widespread disclosure or made accessible to an indeterminate number of individuals, except in cases where such communication is expressly required by a legal obligation or by an order of the competent judicial or administrative authority.
The Data Controller ensures that access to and processing of personal data is restricted exclusively to individuals who are specifically authorized and adequately trained. These individuals, operating under the direct authority of the Data Controller, are required to process personal data solely based on documented instructions provided by the Data Controller, in accordance with Article 29 of the GDPR. Personal data may be disclosed to specific categories of third parties, always strictly related to the purposes for which they were collected and processed. It is essential to distinguish between parties acting as independent Data Controllers and those acting as Data Processors.
The Data Controller makes use of third parties and companies that provide essential services for the management of its operations. These include, but are not limited to, providers of IT systems and telecommunications network services (including email), website developers and managers, providers of commercial communication services, professional firms or consulting companies (legal, tax, administrative). For these categories of subjects, the Data Controller is committed to selecting only partners that provide adequate guarantees regarding the protection of personal data. Where required by applicable law, such parties will be formally appointed as "Data Processors" pursuant to Article 28 of the GDPR. Data Processors are obligated to process personal data only based on documented instructions from the Data Controller.
7. Transfer of Personal Data to Third Countries
At present, the Data Controller does not intend to transfer personal data to countries outside the European Union or the European Economic Area. However, should it become necessary in the future to transfer personal data to third countries or international organizations, the Data Controller ensures that such operations will be carried out in full compliance with the conditions laid down in Chapter V of the GDPR (Articles 44 and following). The primary objective is to ensure that the level of protection of natural persons guaranteed by the GDPR is not compromised in any way.
Transfers of personal data to third countries may take place under the following circumstances:
- Adequacy Decision: The transfer will be allowed to third countries for which the European Commission has adopted an adequacy decision, recognizing that such countries ensure a level of personal data protection essentially equivalent to that of the European Union.
- Appropriate Safeguards (Art. 46 GDPR): In the absence of an adequacy decision, the transfer may occur only if the Data Controller or the Data Processor has provided appropriate safeguards, and on condition that data subjects have enforceable rights and effective legal remedies. Appropriate safeguards may include, in particular, the adoption of Standard Contractual Clauses (SCCs) approved by the European Commission.
Only in exceptional cases and under specific conditions may the transfer of personal data to a third country or an international organization take place without an adequacy decision or appropriate safeguards.
8. Data Retention Period
The Data Controller undertakes to retain personal data for no longer than is strictly necessary to achieve the purposes for which they were collected, in accordance with the principle of storage limitation set out in Article 5(1)(e) of the GDPR.
Specifically, the data retention periods are as follows:
- Data related to website functionality and usage statistics: These data are retained for the time necessary to ensure the proper operation of the website and its contents, as well as for obtaining statistical information on the use of the services. The specific duration is also defined in our cookie policy, where applicable.
- Data processed to respond to user requests: Data collected to manage and respond to your requests will be retained for the time necessary to provide a comprehensive response and, in any case, for no longer than 24 months from the date the request is fulfilled. If a contractual relationship is established following the request (e.g., via an e-commerce purchase), the data will be stored for 10 years after the termination of that relationship, in compliance with applicable legal obligations on document retention.
- Data used for direct marketing purposes: Data used for direct marketing purposes will be retained for 24 months from the date your consent is obtained. This period may be extended in the event of a renewal of your consent.
- Data used for sending newsletters: Data used for newsletter distribution will be retained until we receive your request to unsubscribe. In any case, retention will not exceed 24 months from the date your consent is collected, unless renewed. If you unsubscribe, your data will be removed from our databases within 72 hours of receiving your request.
- Data processed for "soft spam" purposes: Data used to send promotional communications under the "soft spam" exemption (communications regarding products or services similar to those already purchased) will be retained for 24 months from your last purchase.
At the end of the above retention periods, personal data will be automatically deleted or irreversibly anonymized, unless their retention is required by specific legal obligations or requests made by public authorities or judicial bodies. A longer retention period may also be necessary if the Data Controller is involved in legal proceedings that involve the processing of personal data.
The Italian Data Protection Authority has emphasized the importance of clearly defining retention periods and avoiding overly generic references.
9. Rights of the Data Subject
As a data subject, you may exercise your rights under the GDPR at any time, following the procedures indicated in this privacy notice. These rights include:
- Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, to access such data and receive detailed information on the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the data have been or will be disclosed, the envisaged period for which the data will be stored or the criteria used to determine that period, the existence of the right to request rectification or erasure of personal data or restriction of processing, the right to object to processing, the right to lodge a complaint with a supervisory authority, and all available information on the data source if the data were not collected directly from you.
- Right to rectification: You have the right to obtain the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data, taking into account the purposes of the processing.
- Right to erasure (“right to be forgotten”): You have the right to obtain the erasure of personal data concerning you in certain circumstances, such as when the data are no longer necessary for the purposes for which they were collected or processed, or when they have been unlawfully processed. The Controller undertakes to carry out the erasure in accordance with the current state of the art, unless retention is required by legal obligations.
- Right to restriction of processing: You have the right to obtain the restriction of the processing of your personal data in specific cases, such as when you contest the accuracy of the data (for the period necessary for the Controller to verify its accuracy) or when the processing is unlawful and you oppose the erasure. In the event of a restriction, we will inform you before it is lifted.
- Right to object: You have the right to object to the processing of your personal data on grounds relating to your particular situation, where processing is based on the legitimate interest of the Controller or for direct marketing purposes. In the latter case, the right to object may be exercised at any time.
- Right to data portability: You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance from the original Controller, where the processing is based on your consent or a contract and is carried out by automated means. You also have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- Right to withdraw consent: Where the processing of your personal data is based on your consent (e.g., for direct marketing purposes), you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR (Art. 77 GDPR). In Italy, the competent Supervisory Authority is the Garante per la Protezione dei Dati Personali, based in Rome. If you are not a resident of Italy, you may lodge a complaint with the Supervisory Authority of your country of residence.
10. Absence of Automated Decision-Making
You are hereby informed that the processing of personal data described in this notice is not subject to automated decision-making processes, including profiling, that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).
Data Controller
FELGA ETICHETTE S.R.L.
Date of last update: 7 July 2025