Privacy Policy
Information notice provided pursuant to and for the purposes of Article 13 of Regulation (EU) 2016/679 (hereinafter “GDPR”)
1. WHO IS THE DATA CONTROLLER? HOW CAN THEY BE CONTACTED?
The Data Controller is ICAM S.p.A., with registered office at Via Pescatori n. 53, 23900 Lecco (LC), Italy, duly represented by its Legal Representative. The Data Controller may be contacted for any information relating to the processing of personal data by sending an email to privacy@icamcioccolato.it.
2. PURPOSES OF THE PROCESSING, LEGAL BASIS, DATA RETENTION PERIOD AND PROVISION OF PERSONAL DATA
| PURPOSES OF THE PROCESSING | LEGAL BASIS OF THE PROCESSING | DATA RETENTION PERIOD | PROVISION OF PERSONAL DATA |
|---|---|---|---|
| Website browsing and usage analytics (collection of statistical information on service usage, such as most visited pages, visitor numbers by time or day, and geographical origin). | Legitimate interest of the Data Controller, consisting in the need to ensure access to the website content and to improve the user experience – Art. 6 par. 1 lett. f) GDPR. | For the duration of the browsing session. | The provision of the data is necessary in order to browse the website. |
In addition to browsing purposes, personal data will be processed for the following purposes:
| PURPOSES OF THE PROCESSING | LEGAL BASIS OF THE PROCESSING | DATA RETENTION PERIOD | PROVISION OF PERSONAL DATA |
|---|---|---|---|
| A) CONTACTS, submission of contact requests or requests for information via telephone contacts or dedicated forms. | Contract – Art. 6 par. 1 lett. b) GDPR. | Up to 12 months from the collection. | Provision of the data is mandatory. Failure to provide the required data will result in the impossibility of being contacted and/or receiving the requested information. |
| B) REGISTRATION to the personal area – CHOCOCUBE, in order to: | Contract – Art. 6 par. 1 lett. b) GDPR. | Up to a maximum of 24 months from the last access to the user’s reserved area of the website. | Provision of the data is mandatory. Failure to provide the required data will result in the inability to access the platform, use the courses, register for contests and/or interact with the Data Controller. |
| C) DIRECT MARKETING, for the sending of advertising or direct sales material, or for carrying out market research and commercial and promotional communications, through automated means (e-mail, newsletters). Communications may contain promotional activities and/or logos of third-party partners. No transfer of personal data shall take place. In order to compare and, where appropriate, improve the results of automated communications, the Data Controller uses reporting systems. Through such reports, the Data Controller may obtain information such as: the number of readers, openings, unique clickers and clicks; the devices and operating systems used to read the communication; details of individual user activity; details of e-mails sent, delivered or not delivered, and forwarded e-mails. All such data are used for the purpose of comparing and, where appropriate, improving the results of the communications. | Consent of the data subject – Article 6, par. 1 lett. a) GDPR. | Until the withdrawal of consent (or opt-out). | The provision of the data is optional. Failure to provide the required data will result in the impossibility of receiving direct marketing communications. |
| D) NON-AUTOMATED PROFILING: personal data will be entered into company databases/CRMs/platforms in order to perform analyses and assessments, and to segment data subjects into homogeneous groups based on specific business activity characteristics, for better management of services and the sending of targeted promotional communications. | Consent of the data subject – Article 6, par. 1 lett. a) GDPR. | Until the withdrawal of consent and, in any event, for a maximum period of 12 months. | The provision of personal data is voluntary. Failure to provide the required data will result in the impossibility of carrying out analyses and sending targeted communications. |
| E) MANAGEMENT OF REQUESTS relating to the protection of personal data and of requests submitted by other data subjects, pursuant to Articles 15 et seq. of the GDPR (data subject rights). | Legal obligation – Art. 6 par. 1 lett. c) GDPR. | 5 years from the closure of the request, unless disputes or litigation arise. | The provision of personal data is mandatory, as it is necessary in order to comply with the applicable legal obligations. |
| F) PUBLICATION AND DISCLOSURE of the participant’s personal data (e.g. first name, last name, professional experience, image) in the event of winning contests or competitions in which the participant has voluntarily taken part, in compliance with the rules and terms of the relevant contest/competition. Such disclosure shall take place through various digital and/or print communication tools and channels (e.g. brochures, recipe books, websites, press media, online publications and mass media in general). With regard to the processing of personal data carried out by the operators of the social media platforms used by the Data Controller, reference is also made to the information provided by such operators through their respective privacy policies. | Contract – Art. 6 par. 1 lett. b) GDPR. | Non-winning participants: for the duration of the contest and up to 24 months after its conclusion, unless further retention is required in the event of claims or disputes. Winners: for a period consistent with the informational and documentary purposes of the contest, without prejudice to the data subject’s rights. Specifically: | Provision of personal data is necessary for participation in the contest and constitutes an essential condition for registration; participation in the contest implies acceptance of the relevant rules and of the related personal data processing. Failure to provide the required data will therefore make participation in the contest/competition impossible. |
3. TO WHOM WILL PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS
Personal data may be disclosed to parties acting as independent Data Controllers or as Data Processors pursuant to Article 28 GDPR and processed by authorised natural persons pursuant to Article 29 GDPR, acting under the authority of the Data Controller and/or the Data Processors, on the basis of specific instructions regarding the purposes and methods of processing. Personal data may be disclosed to recipients belonging to the following categories:
- Entities managing or assisting, also on an occasional basis, the Data Controller in the administration of IT systems and telecommunications networks (including email services, websites and/or web platforms, mailing list/newsletter management services, CRM);
- Entities with whom the Data Controller has entered into contractual agreements and, where required, subject to the data subject’s consent;
- Independent professionals, professional firms or companies providing consultancy and assistance services;
- Financial and insurance institutions;
- For direct marketing purposes, subject to consent, entities entrusted with the management of direct marketing activities;
- Competent authorities, for the fulfilment of legal obligations and/or binding orders issued by public authorities, upon request.
The list of Data Processors appointed pursuant to Article 28 GDPR is available upon request by writing to: privacy@icamcioccolato.it
4. WILL PERSONAL DATA BE TRANSFERRED TO NON-EEA COUNTRIES?
Personal data will not be transferred to countries outside the European Economic Area (EEA).
5. IS THERE ANY AUTOMATED DECISION-MAKING PROCESS?
Personal data will not be subject to fully automated processing. With regard to profiling activities, upon the data subject’s consent, profiling will be carried out with the intervention of an operator who will create the data subject’s profile and analyze their habits and consumption choices, in order to improve the Data Controller’s commercial offer and services (non-automated profiling).
6. DATA SUBJECTS’ RIGHTS
Data subjects may exercise their rights as set out in Articles 15 et seq. of the GDPR by contacting the Data Controller at the e-mail address: privacy@icamcioccolato.it. The Data Controller ensures that data subjects can request, at any time, access to their personal data (Art. 15), rectification (Art. 16), erasure (Art. 17), and restriction of processing (Art. 18). The Data Controller shall communicate (Art. 19) any rectifications, deletions, or restrictions of processing to each recipient to whom the personal data have been disclosed, upon request by the data subjects. The Data Controller also guarantees the right to data portability (Art. 20) and, in case of requests under Art. 20, will provide the data subjects with their personal data in a structured, commonly used, and machine-readable format. Data subjects have the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal. To stop receiving automated direct marketing communications (e-mail/newsletters), data subjects may write to privacy@icamcioccolato.it with the subject “unsubscribe from automated communications” or use our automated opt-out systems provided for e-mails. At any time, data subjects are free to withdraw consent to non-automated profiling by sending an e-mail to privacy@icamcioccolato.it with the subject line “no profiling.” Data subjects also have the right to lodge a complaint with the national supervisory authority, or in the place where the alleged GDPR violation occurred (Garante Privacy: https://www.garanteprivacy.it/), or to bring proceedings before the competent courts.
7. CHANGES TO THE PRIVACY NOTICE
The Data Controller may change, modify, add to, or remove any part of this Privacy Notice.
To facilitate verification of any changes, the notice will indicate the date of its latest update.
Last update: 27/03/2026
