Skip to main content

Privacy Policy

Information notice provided pursuant to and for the purposes of Article 13 of Regulation (EU) 2016/679 (hereinafter “GDPR”)

WHY THIS INFORMATION?

Pursuant to Regulation (EU) 2016/679 (hereinafter “GDPR”), this page describes the methods for processing personal data. This notice is provided in accordance with Art. 13 of the GDPR. This notice does not apply to other third-party websites that may be consulted via links on this website, for which no responsibility is assumed.

Processable Personal Data

  • Personal data: any information relating to an identified or identifiable natural person (“data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity (Recitals 26, 27, 30 GDPR).
  • Contractor/User data.
  • Browsing data: the IT systems and software procedures used to operate this website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This category includes IP addresses or domain names of the computers and devices used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters relating to the user’s operating system and IT environment.
  • Data voluntarily provided: the optional, explicit, and voluntary sending of messages to the contact addresses indicated on this website and/or the completion of data collection forms entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included.

Information on the Processing of Personal Data Carried Out Through Social Media Platforms

With regard to the processing of personal data carried out by the operators of the social media platforms used by the Data Controller, please refer to the information provided by them through their respective privacy policies. The Data Controller processes personal data provided by users through the dedicated social media platform pages in order to manage interactions with users (comments, public posts, etc.), in compliance with applicable regulations.

Specific Notices

Specific notices may be provided on the Website pages in relation to particular services or specific data processing activities.

COOKIES AND OTHER TRACKING TECHNOLOGIES. WHAT ARE THEY? WHAT ARE THEY USED FOR?

For information about cookies and other tracking technologies, please refer to the Cookies Policy available in the website footer and at the following link.

1. WHO IS THE DATA CONTROLLER? HOW CAN THEY BE CONTACTED?

The Data Controller is ICAM S.p.A., with registered office at Via Pescatori n. 53, 23900 Lecco (LC), Italy, duly represented by its Legal Representative. The Data Controller may be contacted for any information relating to the processing of personal data by sending an email to privacy@icamcioccolato.it.

2. PURPOSES OF THE PROCESSING, LEGAL BASIS, DATA RETENTION PERIOD AND PROVISION OF PERSONAL DATA

PURPOSES OF THE PROCESSINGLEGAL BASIS OF THE PROCESSINGDATA RETENTION PERIODPROVISION OF PERSONAL DATA
Website browsing and usage analytics (collection of statistical information on service usage, such as most visited pages, visitor numbers by time or day, and geographical origin).Legitimate interest of the Data Controller, consisting in the need to ensure access to the website content and to improve the user experience – Art. 6 par. 1 lett f) GDPR.For the duration of the browsing session.The provision of the data is necessary in order to browse the website.

In addition to browsing purposes, personal data will be processed for the following purposes:

PURPOSES OF THE PROCESSINGLEGAL BASIS OF THE PROCESSINGDATA RETENTION PERIODPROVISION OF PERSONAL DATA
A) CONTACTS, submission of contact requests or requests for information via telephone contacts or dedicated forms.Contract – Art. 6 par. 1 lett. b) GDPR.Up to 12 months from the collection.Provision of the data is mandatory.
Failure to provide the required data will result in the impossibility of being contacted and/or receiving the requested information.
B) REGISTRATION to the personal area – CHOCOCUBE, in order to:

  • access dedicated courses; and
  • participate in contests and/or competitions organized by the Data Controller; and
  • handle and respond to information requests; and
  • receive organizational communications and updates.
Contract – Art. 6 par. 1 lett. b) GDPR.Up to a maximum of 24 months from the last access to the user’s reserved area of the website.Provision of the data is mandatory.
Failure to provide the required data will result in the inability to access the platform, use the courses, register for contests and/or interact with the Data Controller.
C) DIRECT MARKETING, for the sending of advertising or direct sales material, or for carrying out market research and commercial and promotional communications, through automated means (e-mail, newsletters).
Communications may contain promotional activities and/or logos of third-party partners. No transfer of personal data shall take place.
In order to compare and, where appropriate, improve the results of automated communications, the Data Controller uses reporting systems. Through such reports, the Data Controller may obtain information such as: the number of readers, openings, unique clickers and clicks; the devices and operating systems used to read the communication; details of individual user activity; details of e-mails sent, delivered or not delivered, and forwarded e-mails.
All such data are used for the purpose of comparing and, where appropriate, improving the results of the communications.		Consent of the data subject – Article 6, par. 1 lett. a) GDPR.Until the withdrawal of consent (or opt-out).The provision of the data is optional.

Failure to provide the required data will result in the impossibility of receiving direct marketing communications.

D) NON-AUTOMATED PROFILING: personal data will be entered into company databases/CRMs/platforms in order to perform analyses and assessments, and to segment data subjects into homogeneous groups based on specific business activity characteristics, for better management of services and the sending of targeted promotional communications.Consent of the data subject – Article 6, par. 1 lett. a) GDPR.Until the withdrawal of consent and, in any event, for a maximum period of 12 months.The provision of personal data is voluntary.

Failure to provide the required data will result in the impossibility of carrying out analyses and sending targeted communications

E) MANAGEMENT OF REQUESTS relating to the protection of personal data and of requests submitted by other data subjects, pursuant to Articles 15 et seq. of the GDPR (data subject rights).Legal obligation – art. 6 par. 1 lett c) GDPR.5 years from the closure of the request, unless disputes or litigation arise.The provision of personal data is mandatory, as it is necessary in order to comply with the applicable legal obligations.
F) PUBLICATION AND DISCLOSURE of the participant’s personal data (e.g. first name, last name, professional experience, image) in the event of winning contests or competitions in which the participant has voluntarily taken part, in compliance with the rules and terms of the relevant contest/competition. Such disclosure shall take place through various digital and/or print communication tools and channels (e.g. brochures, recipe books, websites, press media, online publications and mass media in general). With regard to the processing of personal data carried out by the operators of the social media platforms used by the Data Controller, reference is also made to the information provided by such operators through their respective privacy policies.Contract – Art. 6 par. 1 lett. b) GDPR.Non-winning participants: for the duration of the contest and up to 24 months after its conclusion, unless further retention is required in the event of claims or disputes.

Winners: for a period consistent with the informational and documentary purposes of the contest, without prejudice to the data subject’s rights. Specifically:

  • digital materials will be used for the time necessary to pursue the promotional purpose, unless the data subject requests deletion;
  • printed materials will follow the editorial lifecycle of the work and will be retained until exhaustion of the copies produced prior to the deletion request.
Provision of personal data is necessary for participation in the contest and constitutes an essential condition for registration; participation in the contest implies acceptance of the relevant rules and of the related personal data processing.
Failure to provide the required data will therefore make participation in the contest/competition impossible.

3. TO WHOM WILL PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS

Personal data may be disclosed to parties acting as independent Data Controllers or as Data Processors pursuant to Article 28 GDPR and processed by authorised natural persons pursuant to Article 29 GDPR, acting under the authority of the Data Controller and/or the Data Processors, on the basis of specific instructions regarding the purposes and methods of processing. Personal data may be disclosed to recipients belonging to the following categories:

  • Entities managing or assisting, also on an occasional basis, the Data Controller in the administration of IT systems and telecommunications networks (including email services, websites and/or web platforms, mailing list/newsletter management services, CRM);
  • Entities with whom the Data Controller has entered into contractual agreements and, where required, subject to the data subject’s consent;
  • Independent professionals, professional firms or companies providing consultancy and assistance services;
  • Financial and insurance institutions;
  • For direct marketing purposes, subject to consent, entities entrusted with the management of direct marketing activities;
  • Competent authorities, for the fulfilment of legal obligations and/or binding orders issued by public authorities, upon request.

The list of Data Processors appointed pursuant to Article 28 GDPR is available upon request by writing to: privacy@icamcioccolato.it

4. WILL PERSONAL DATA BE TRANSFERRED TO NON-EEA COUNTRIES?

Personal data will not be transferred to countries outside the European Economic Area (EEA).

5. IS THERE ANY AUTOMATED DECISION-MAKING PROCESS?

Personal data will not be subject to fully automated processing. With regard to profiling activities, upon the data subject’s consent, profiling will be carried out with the intervention of an operator who will create the data subject’s profile and analyze their habits and consumption choices, in order to improve the Data Controller’s commercial offer and services (non-automated profiling).

6. DATA SUBJECTS’ RIGHTS

Data subjects may exercise their rights as set out in Articles 15 et seq. of the GDPR by contacting the Data Controller at the e-mail address: privacy@icamcioccolato.it. The Data Controller ensures that data subjects can request, at any time, access to their personal data (Art. 15), rectification (Art. 16), erasure (Art. 17), and restriction of processing (Art. 18). The Data Controller shall communicate (Art. 19) any rectifications, deletions, or restrictions of processing to each recipient to whom the personal data have been disclosed, upon request by the data subjects. The Data Controller also guarantees the right to data portability (Art. 20) and, in case of requests under Art. 20, will provide the data subjects with their personal data in a structured, commonly used, and machine-readable format. Data subjects have the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal. To stop receiving automated direct marketing communications (e-mail/newsletters), data subjects may write to privacy@icamcioccolato.it with the subject “unsubscribe from automated communications” or use our automated opt-out systems provided for e-mails. At any time, data subjects are free to withdraw consent to non-automated profiling by sending an e-mail to privacy@icamcioccolato.it with the subject line “no profiling.” Data subjects also have the right to lodge a complaint with the national supervisory authority, or in the place where the alleged GDPR violation occurred (Garante Privacy: https://www.garanteprivacy.it/), or to bring proceedings before the competent courts.

7. CHANGES TO THE PRIVACY NOTICE

The Data Controller may change, modify, add to, or remove any part of this Privacy Notice.
To facilitate verification of any changes, the notice will indicate the date of its latest update.

Last update: January 15th, 2026