Privacy Policy

pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR)

Last updated: 17/02/2026

This privacy policy is provided by Code0039 Società Cooperativa to users of the website www.code0039.it (hereinafter “Website”) in its capacity as Data Controller, pursuant to Articles 13 and 14 of EU Regulation 2016/679 (“GDPR”) and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.

 

1. ROLES

Data Controller

The Data Controller, i.e. the entity that determines the purposes and means of processing personal data, is:

• Name: Code0039 Società Cooperativa
• Lanciano Office: Largo Mario Bianco, 29 – 66034 Lanciano (CH)
• Pescara Office: Via degli Equi, 8 – 65127 Pescara (PE)
• VAT: 02474030695 | REA: CH-181741
• Email: info@code0039.it
• PEC: code0039@pec.it
• Tel: +39 0872 700592 | +39 320 8705497 | +39 329 3905656

Data Protection Officer (DPO)

Code0039, given the nature and scope of the processing activities carried out, is not currently required to designate a Data Protection Officer. For any matter relating to the processing of personal data, the data subject may nevertheless contact the Data Controller using the contact details provided above.

Authorised Processors

The processing of personal data is carried out by authorised natural persons (employees, collaborators) who operate under the direct authority of the Data Controller and who have received specific operational instructions in accordance with Article 29 GDPR.

 

2. PURPOSES OF MANDATORY PROCESSING

The following processing activities are necessary for the provision of requested services or to fulfil legal obligations. Failure to provide data indicated as mandatory prevents the corresponding service from being delivered.

Processing of personal data for Client Area registration

Registration to the Client Area requires the following mandatory data:
• First and last name
• Email address
• Password (stored in encrypted form)

Purpose: Creation and management of the customer account; access to reserved services; management of the contractual relationship with Code0039.
Legal basis: Art. 6(1)(b) GDPR – performance of a contract or pre-contractual measures taken at the request of the data subject.
Retention: For the duration of the contractual relationship and, thereafter, for 10 years to fulfil fiscal and accounting obligations.

Processing of personal data for contact request management

Through the contact form on the Website, the following data are collected:
• Name (mandatory)
• Email address (mandatory)
• Subject of the request (optional)
• Message text (mandatory)

Purpose: Management and response to requests for information, quotes or assistance submitted by the user.
Legal basis: Art. 6(1)(b) GDPR – pre-contractual measures taken at the request of the data subject; Art. 6(1)(f) GDPR – legitimate interest of the Data Controller in responding to received communications.
Retention: 24 months from receipt of the request, unless longer retention is required for the protection of rights in legal proceedings.

Processing of data for fiscal, accounting and legal obligations

Purpose: Fulfilment of fiscal, accounting, social security and legal obligations required by applicable law.
Legal basis: Art. 6(1)(c) GDPR – compliance with a legal obligation to which the Data Controller is subject.
Retention: 10 years from the end of the relevant fiscal year, unless otherwise provided by law.

 

3. PURPOSES OF NON-MANDATORY PROCESSING

The following processing activities are based on the free, specific, informed and unambiguous consent of the data subject. Failure to provide consent does not affect access to the mandatory services described in section 2 above. Consent may be withdrawn at any time without consequences.

Processing of personal data for marketing

Subject to explicit consent, personal data (name, email, and any phone number) may be used for:
• Sending promotional communications relating to the design, contract and furnishing services offered by Code0039
• Proposing special offers, events and industry news
• Basic profiling activities to personalise commercial communications

Legal basis: Art. 6(1)(a) GDPR – consent of the data subject.
Retention: Until consent is withdrawn by the data subject.

Processing of personal data for the double opt-in process

Where the user decides to subscribe to the newsletter or marketing services, Code0039 adopts a double opt-in procedure to verify the actual intention to subscribe and the ownership of the email address provided.
The procedure involves:
• Collection of the email address at the time of registration
• Sending of a confirmation email to the provided address
• Activation of the subscription only upon clicking the confirmation link

Purpose: Verification of consent and protection of the user from unauthorised subscriptions made in their name.
Legal basis: Art. 6(1)(c) and (f) GDPR – obligation to document consent (Art. 7(1) GDPR) and legitimate interest of the Data Controller.
Retention: The confirmation log is retained for the entire duration of the subscription and for 5 years thereafter as proof of consent.

Processing of personal data for the newsletter

Users who subscribe to the Code0039 newsletter receive periodic communications relating to: new projects, interior design and furnishing trends, company news, events and editorial content.

Data processed: Email address; name (optional).
Legal basis: Art. 6(1)(a) GDPR – consent of the data subject.
Retention: Until unsubscription or withdrawal of consent. Unsubscription is possible at any time via the link included in every email.

Other processing activities

Navigation data and anonymous statistics:
Purpose: Analysis of user behaviour on the Website in order to improve the browsing experience and published content.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest of the Data Controller in improving its digital services.
Data processed: Anonymised IP address, pages visited, session duration, browser and device used.
Retention: 13 months from collection, in line with the recommendations of the Italian Data Protection Authority.

IT security and fraud prevention:
Purpose: Detection of unauthorised access attempts, fraudulent activities or security breaches on the Website.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest of the Data Controller in the security of its IT systems.
Retention: 6 months from collection, unless required by ongoing investigations.

 

4. PROCESSING METHODS

The processing of personal data is carried out using electronic tools (management software, web platforms, email systems) and, to a residual extent, paper-based tools, adopting technical and organisational security measures appropriate to the identified risks, in accordance with Articles 25 and 32 GDPR.

 

The measures adopted include, by way of example:
• Encryption of data in transit via HTTPS/TLS protocol
• Access control to IT systems via personal credentials
• Data backup and recovery procedures
• Periodic training of staff authorised to process data
• Pseudonymisation and data minimisation where technically feasible

 

Processing is carried out exclusively by authorised personnel or designated external processors. No automated decision-making process, including profiling, is in place that produces legal effects on or significantly affects the data subject (Art. 22 GDPR).

 

5. NATURE OF DATA PROVISION AND CONSEQUENCES OF REFUSAL

In the forms on the Website, fields marked as mandatory (usually with an asterisk *) are essential for the provision of the requested service. Failure to provide such data makes it impossible to process the request.
Optional fields allow for an improved quality of response or service but are not required; failure to complete them does not preclude access to the requested service.

In summary:
Mandatory data (basic services): refusal prevents the provision of the requested service.
Marketing and newsletter data: refusal has no consequence on the use of the main services; it only results in not receiving commercial or informational communications.
Navigation data: collected automatically; the user may limit their collection through browser settings or cookie preferences.

 

6. ACCESS TO DATA

Personal data is accessible exclusively to those who require it in the performance of their work duties or for the provision of the services set out in this policy. In particular, the following have access to the data:
Internal staff: employees and collaborators of Code0039 expressly authorised and appointed as data processors, limited to the data necessary for their functions (minimisation and need-to-know principles).
External processors: third parties appointed as Data Processors pursuant to Art. 28 GDPR (e.g. IT providers, cloud services, email platforms) who act on the instructions of the Data Controller and in compliance with the security measures contractually agreed.
Public authorities: only in cases provided for by law (e.g. requests from the Judicial Authority, the Financial Police, the Revenue Agency).

Personal data is in no way subject to indiscriminate disclosure to unidentified parties.

 

7. DISCLOSURE OF DATA

Personal data may be disclosed, to the strictly necessary extent, to the following categories of third parties, who will process it as independent controllers or as duly appointed data processors:
• Consultants and professionals: accountants, lawyers, labour consultants and other professionals who assist Code0039 in carrying out its activities.
• Banking and financial institutions: for the management of payments and financial obligations connected to contracts entered into.
• IT service providers: hosting providers, cloud services, CRM and email marketing platforms, acting as Data Processors pursuant to Art. 28 GDPR.
• Public authorities: the Revenue Agency, Chambers of Commerce, social security bodies, the Judicial Authority, in cases provided for by law.

The Data Controller does not sell, transfer or disclose users’ personal data to third parties for external marketing purposes, unless the data subject has given explicit consent.

 

8. TRANSFER OF DATA TO THIRD COUNTRIES

Personal data is generally stored and processed within the European Union. Where, for technical or operational reasons, it becomes necessary to transfer data to countries outside the European Economic Area (EEA), Code0039 ensures that such transfer takes place in compliance with the provisions of Chapter V of the GDPR (Arts. 44–49), by adopting the following appropriate safeguards:
• Adequacy decisions by the European Commission (Art. 45 GDPR)
• Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR)
• Other appropriate safeguards pursuant to Art. 46 GDPR

The data subject may request specific information from the Data Controller regarding any transfers carried out and the safeguards adopted, using the contact details indicated in this policy.

 

9. DATA RETENTION

Personal data is retained for the period strictly necessary to achieve the purposes for which it was collected, in compliance with the principle of storage limitation (Art. 5(1)(e) GDPR). Once this period has elapsed, the data is deleted or irreversibly anonymised.

Retention period by type of data / processing:
• Contact requests: 24 months from receipt
• Client Area account: Duration of relationship + 10 years (fiscal obligations)
• Contracts and client documentation: 10 years from end of relationship
• Marketing and profiling: Until consent is withdrawn
• Newsletter: Until unsubscription
• Double opt-in log: Duration of subscription + 5 years (proof of consent)
• Navigation data: 13 months from collection
• Security logs: 6 months, unless required by ongoing investigations
• Invoices and accounting documents: 10 years pursuant to Art. 2220 of the Italian Civil Code

 

Where data is required to protect rights in legal proceedings, the retention period may be extended until the conclusion of the proceedings, including any appeals.

 

10. DATA SUBJECT RIGHTS

As a data subject, pursuant to Arts. 15–22 GDPR, the user has the right to:

Right of access (Art. 15): Obtain confirmation of whether processing concerning them is taking place and access information relating to the purposes, categories of data processed, recipients, retention period and origin of the data.
Right to rectification (Art. 16): Obtain the correction of inaccurate or incomplete personal data concerning them.
Right to erasure / “right to be forgotten” (Art. 17): Obtain the deletion of personal data in cases provided for by law (e.g. data no longer necessary, withdrawal of consent, unlawful processing).
Right to restriction of processing (Art. 18): Obtain the restriction of processing in the cases provided for by law (e.g. contestation of data accuracy, unlawful processing, objection pending verification).
Right to data portability (Art. 20): Receive personal data in a structured, commonly used and machine-readable format, and transmit it to another controller, where technically feasible.
Right to object (Art. 21): Object at any time to the processing of personal data based on legitimate interest or public interest, as well as to processing for direct marketing purposes.
Right to withdraw consent (Art. 7(3)): Withdraw consent previously given at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
Right to lodge a complaint (Art. 77): Lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) if they believe that processing violates the GDPR.

 

11. HOW TO EXERCISE YOUR RIGHTS

The data subject may exercise their rights by sending a written request to the Data Controller via one of the following channels:
• Email: info@code0039.it
• PEC: code0039@pec.it
• Post: Code0039 Società Cooperativa, Largo Mario Bianco, 29 – 66034 Lanciano (CH)

The Data Controller will respond to the request without undue delay and, in any case, within 30 days of receipt (Art. 12(3) GDPR). This period may be extended by a further 60 days in cases of particular complexity or a high number of requests, provided the data subject is informed of the reasons for the delay.
The exercise of rights is free of charge. Where requests are manifestly unfounded or excessive, the Data Controller may charge a reasonable fee or refuse to fulfil the request, stating the reasons for doing so.

Where the Data Controller has reasonable doubts about the identity of the applicant, it may request additional information necessary to confirm it, in compliance with the principle of data minimisation.

 

12. EXTERNAL PROCESSORS AND AUTHORISED STAFF

The Data Controller uses third parties for the provision of services instrumental to its activities (e.g. hosting, IT management, newsletter delivery, analytics). Where such parties process personal data on behalf of the Data Controller, they are appointed as Data Processors pursuant to Art. 28 GDPR by means of a specific contractual agreement governing instructions, security measures and processing limits.
The main categories of external processors currently engaged include:
• Hosting and web infrastructure providers: management of the servers and systems on which the Website operates.
• Email and CRM platforms: delivery of newsletters, transactional communications and contact management.
• Web traffic analytics services: collection of anonymous or aggregated statistical data on browsing.
• Technical and IT consultants: maintenance and development of the Website.

An up-to-date list of Data Processors may be requested from the Data Controller using the contact details provided in this policy.
Authorised processors are the natural persons (employees and collaborators) authorised by the Data Controller to carry out processing operations, pursuant to Art. 29 GDPR and Recital 81 GDPR.

 

13. CHANGES TO THIS POLICY

Code0039 reserves the right to modify or update this policy at any time, in particular following regulatory changes or technical or organisational updates that affect the methods of processing personal data.
Any changes will be published on this page with an updated date in the header. In the event of substantial changes that significantly affect the rights of data subjects, Code0039 undertakes to provide adequate notice via an announcement on the Website or direct communication to registered users.
We recommend consulting this page periodically to stay informed about the personal data processing methods adopted by Code0039. The version currently in force is always the one published on the Website.

Code0039 Società Cooperativa – VAT 02474030695 – info@code0039.it – www.code0039.it
