1. Name and contact details of the responsible person

The responsible person under the EU General Data Protection Regulation (hereinafter: GDPR) and other national data protection laws of the member states, as well as other data protection legislation is::

BRUNI ROBERTO ARCHITECT – ARKLIGHT STUDIO

2. Name and contact details of the company’s data protection officer.

The person responsible for the processing of personal data is:

Responsible: Bruni Roberto

BRUNI ROBERTO ARCHITECT – ARKLIGHT STUDIO

3. General information on data processing

3.1. Scope of personal data processing

In principle, we process your personal data only to the extent that this is necessary for the provision of a functional website and our content and services offered, and regularly only after obtaining your consent. An exception applies in cases where obtaining prior consent is not possible for actual reasons and the data processing is permitted by legal regulations.

Legal basis for the processing of personal data

The legal basis for consent to personal data processing operations is Article 6 (1) (a) GDPR.

In the case of personal data processing necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing necessary for the execution of pre-contractual measures.

Insofar as the processing of personal data is necessary for the fulfillment of a legal obligation to which our company is subject, Art. 6 (1) c GDPR serves as the legal basis.

If vital interests of the data subject or another natural person make the processing of personal data necessary, Art. 6 (1) (d) GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former, Art. 6 (1) (f) GDPR serves as the legal basis for the processing.

3.3. Data deletion and storage period

Your personal data will be deleted or blocked as soon as the purpose of storage is no longer valid. Retention may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if the retention period prescribed by the aforementioned regulations expires, unless it is necessary to continue to retain it for the conclusion or performance of a contract.

4. Provision of the website and creation of log files

4.1. Description and scope of data processing

Whenever you access our website, our system automatically collects data and information from the computer system of the calling end device.

The following data is collected:

• IP address of the requesting computer (anonymous),
• Date and time of access,
• Name and URL of the file being accessed,
• Web site from which the access was made (referring URL),
• The browser used and, if applicable, the operating system of your computer, and the name of your access provider.

This data is also stored in the log files of our system. This data is not stored together with other personal data.

4.2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Article 6 paragraph 1 letter f GDPR.

4.3. Purpose of data processing.

The temporary storage of your IP address by the system is necessary to enable the delivery of the website to your computer. For this purpose, your IP address must remain stored for the duration of the session.

Storage in log files is done to ensure the functionality of our website. In addition, we use the data to optimize the website and to ensure the security of our computer systems. In this context, no evaluation of the data is carried out for marketing purposes or to draw conclusions about you personally.

These purposes also constitute our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.

4.4. Duration of storage

Data are deleted as soon as they are no longer needed to achieve the purpose for which they were collected. In the case of data collection for the provision of the website, this is done at the end of the respective session.

In the case of storing data in log files, this occurs after 30 days at the latest. Storage is also possible beyond this period. In this case, users’ IP addresses are deleted or alienated, so that the assignment of the calling client is no longer possible.

4.5. Opposition and removal possibilities

The collection of data for the provision of the website and its storage in log files is absolutely necessary for the operation of the website. Consequently, the user does not have the possibility to object.

5. Contact by email

5.1. DESCRIPTION AND SCOPE OF DATA PROCESSING

You can contact us via the e-mail address provided on our website. In this case, your personal data transmitted with the e-mail will be stored.

In this context, the data will not be transmitted to third parties. The data will be used exclusively for conversation processing.

5.2. LEGAL BASIS FOR DATA PROCESSING

The legal basis for data processing is Article 6 paragraph 1 letter f GDPR.

If the e-mail contact is for the purpose of entering into a contract, the additional legal basis for processing is Art. 6 (1) lett. b GDPR.

5.3. PURPOSE OF DATA PROCESSING

The processing of personal data transmitted by e-mail is exclusively for the purpose of contact processing.

This also constitutes the necessary legitimate interest in the data processing.

5.4. DURATION OF STORAGE

Data will be deleted as soon as it is no longer needed to achieve the purpose for which it was collected.

5. 5 POSSIBILITY OF OBJECTION AND DELETION

You have the opportunity to revoke your consent to the processing of your personal data at any time. You can also object to the storage of your personal data at any time. In that case, you can no longer continue the conversation.

You can notify us of your withdrawal of consent and objection to storage via the e-mail address given in the imprinting or by phone at the phone number given.

In this case, all personal data stored in the course of your contact with us will be deleted.

6. Plugins and tools

6.1. GOOGLE MAPS.

(a) Description and scope of data processing.

We have integrated map material from the Google Maps service into our website. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. In order to display the content in your browser, your IP address must be transmitted to Google, otherwise Google would not be able to provide you with this embedded content.

This information is usually transmitted to a Google server in the United States and stored there. The provider of this site has no influence on this data transmission. If Google Maps is activated, Google may use Google Web Fonts for the uniform display of fonts. When Google Maps is invoked, the browser loads the necessary web fonts into the browser cache to display text and fonts correctly.

(b) Legal basis for data processing

The legal basis for data processing is Article 6 paragraph 1 letter f GDPR. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lett. a GDPR; consent can be revoked at any time.

Data transfer to the United States is based on the EU Commission’s standard contractual clauses. Details are available here:

https://business.safety.google/controllerterms/

https://privacy.google.com/businesses/gdprcontrollerterms/sccs/

1. c) Purpose of data processing.

The purpose and, at the same time, the legitimate interest stem from our need to present our online offerings in an appealing way and to easily find the places indicated on our homepage. It is possible to see at a glance where our company headquarters are located. Through the directions, you can find the fastest or shortest way to reach us.

(d) Length of storage

Google stores some data for a fixed period of time. For other data, Google only offers the option to delete it manually. Google also anonymizes the information in the server logs by deleting part of the IP address after 9 or 18 months.

More information about the processing of user data can be found in Google’s privacy policy: https://policies.google.com/privacy?hl=it

6.2. Wordfence Security

(a) Description and scope of data processing.

To protect our website, we use the “Wordfence Security” service, operated by Defiant Inc, 800 5th Ave, Suite 4100, Seattle, WA 98104, USA.

The website uses the service to protect against viruses and malware and to defend against attacks by cybercriminals. For the purpose of protection against brute force and DDoS attacks or comment spam, IP addresses are stored on Wordfence servers. IP addresses classified as harmless are whitelisted.

(b) Legal basis for data processing.

Data collection is based on our legitimate interests in accordance with Article 6 (1) f) GDPR.

1. c) Purpose of data processing

Wordfence Security protects our website and thus site visitors from viruses and malware. This constitutes a legitimate interest within the meaning of Art. 6 (1) f GDPR.

(c) Purpose of data processing.

Wordfence Security protects our website and thus website visitors from viruses and malware. This constitutes a legitimate interest within the meaning of Article 6 paragraph 1 letter f GDPR.

Further information on the collection and use of data by Wordfence Security can be found in Defiant’s data protection information: https://www.wordfence.com/privacy-policy/.

7. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the data controller:

7.1. Right of access

You can request confirmation from the controller that personal data about you are being processed by us. In case of processing, you may request information from the controller about the following:

(1) The purposes of the processing of personal data;

(2) The categories of personal data processed;

(3) The recipients or categories of recipients to whom personal data concerning you have been or will be disclosed;

(4) The expected length of time for which personal data concerning you will be stored or, if it is not possible to provide specific information on this, the criteria for determining the storage period;

(5) The existence of a right to rectification or erasure of personal data concerning you, a right to restrict processing by the controller, or a right to object to such processing;

(6) The existence of a right of recourse to a supervisory authority;

(7) Any available information about the origin of the data, if the personal data are not collected from the data subject;

(8) The existence of automated decision-making, including profiling, within the meaning of Article 22(1) and (4) of the GDPR and, at least in such cases, meaningful information about the logic involved and the scope and intended effects of such processing on the data subject.

You have the right to request information about the transfer of your personal data to a third country or international organization. In this context, you may ask to be informed about appropriate safeguards under Article 46 of the GDPR in connection with the transfer.

7.2. Right of rectification

You have the right of rectification and/or completion vis-à-vis the controller if processed personal data concerning you are inaccurate or incomplete. The controller must carry out the rectification without undue delay.

7.3. Right to restriction of processing You can request the restriction of processing of personal data concerning you under the following conditions:

(1) If you dispute the accuracy of personal data about you for a period that allows the controller to verify the accuracy of the personal data;

(2) The processing is unlawful and you object to the deletion of personal data and instead request the restriction of the use of personal data;

(3) The controller no longer needs the personal data for the purposes of the processing but you need it for the establishment, exercise or defense of legal rights; or

(4) If you have objected to the processing pursuant to Article 21(1) GDPR and it is not yet clear whether the controller’s legitimate reasons override your reasons.

If the processing of personal data relating to you has been restricted, such data may be processed-as well as stored-only with your consent or for the establishment, exercise or defense of legal rights or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a member state.

If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

7.4. Right to cancellation

(a) Obligation to erasure

You may request the controller to erase personal data about you without undue delay, and the controller is obligated to erase such data without undue delay if any of the following reasons apply:

(1) Personal data about you are no longer necessary for the purposes for which they were collected or otherwise processed.

(2) You withdraw the consent on which the processing was based under Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.

(3) You object to processing under Article 21(1) GDPR and there is no overriding legitimate ground for processing, or you object to processing under Article 21(2) GDPR.

(4) Personal data about you have been processed unlawfully.

(5) The erasure of personal data concerning you is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.

(6) Personal data concerning you have been collected in connection with information society services offered pursuant to Article 8(1) of the GDPR.

(b) Information to third parties

If the controller has disclosed personal data about you and is under an obligation to erase it pursuant to Article 17(1) of the GDPR, it must take reasonable steps, including technical measures, taking into account available technology and the costs of implementation, to inform the controllers processing the personal data that you, as a data subject, have requested them to erase all links to, or copies or replicas of, such personal data.

(c) Exceptions

The right to erasure does not exist to the extent that the processing is necessary for:

(1) for the exercise of the right to freedom of expression and information;

(2) for the performance of a legal obligation requiring processing under Union or Member State law to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;

(3) for reasons of public interest in the field of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR;

(4) for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes within the meaning of Article 89(1) of the GDPR, insofar as the right referred to in section (a) would make it impossible or seriously impair the achievement of the purposes of such processing; or

(5) for the assertion, exercise or defense of legal claims.

7.5. Right to information

If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom personal data concerning you have been disclosed of such rectification or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate effort.

The user has the right to be informed about such recipients by the data controller.

7.6 Right to data portability.

You have the right to receive personal data about you that you have provided to the controller in a structured, common and machine-readable format. You also have the right to transfer such data to another controller without hindrance from the controller to whom you have provided the personal data, provided that.

(1) the processing is based on consent within the meaning of Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or a contract within the meaning of Art. 6 (1) lit. b GDPR, and

(2) the processing is carried out with the aid of automated procedures.

In exercising this right, you also have the right to have personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. This must not affect the freedoms and rights of other people.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.7 Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you carried out on the basis of Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.

The controller will no longer process personal data about you unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If personal data about you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data about you for such purposes; this also applies to profiling insofar as it is related to such direct marketing.

If you object to processing for direct marketing purposes, personal data about you will no longer be processed for such purposes.

In connection with the use of information society services, by way of derogation from Directive 2002/58/EC, you have the opportunity to exercise your right to object by means of automated procedures using specific techniques.

7.8. Right to revoke the declaration of consent under the Data Protection Act

You have the right to revoke your declaration of consent under the Data Protection Act at any time. Revocation of consent does not affect the lawfulness of processing carried out on the basis of consent until revocation.

7.9 Automated decision-making in individual cases, including profiling.

You have the right not to be subjected to a decision based solely on automated processing-including profiling-that produces legal effects with respect to you or that affects you in a similar and meaningful way. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between you and the controller,

(2) is permitted on the basis of provisions of the law of the Union or of the Member States to which the controller is subject and such provisions of the law contain appropriate measures to safeguard your rights and freedoms and your legitimate interests; or

(3) is made with your explicit consent.

However, such decisions cannot be based on special categories of personal data within the meaning of Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to safeguard your rights and freedoms as well as your legitimate interests.

With regard to the cases referred to in (1) and (3), the controller shall take reasonable measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to have a person from the controller intervene, to express your views and to challenge the decision.

7.10 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state where you reside, work or where the alleged breach occurred, if you believe that the processing of personal data relating to you violates the GDPR.

The supervisory authority to which the complaint has been submitted will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR