INTRODUCTION

Pursuant to Art. 13 of the EU Regulation 2016/679 (hereinafter also "GDPR"), as well as Art. 111 bis of Legislative Decree 30 June 2003, no. 196 as amended by Legislative Decree 10 August 2018, no. 101 (c.d. "Privacy Code") and by the Cookie Guidelines Privacy Authority of January 09, 2022, below we provide you with information on the processing of personal data and the rights due to users of the site "www.drop.it" and/or customers (hereinafter "interested parties") who navigating the site contact DROP Srl or are contacted by DROP Srl.

The information is provided only for the website www.drop.it and for the company pages on social networks and not also for other websites that may be consulted by the user through links.

DATA CONTROLLER AND CONTACT INFORMATION

The data controller is Drop s.r.l. a socio unico with registered office in Montegranaro 63812 (FM), at viale Sandro Pertini n.1, Fiscal Code, VAT No. and registration number with the Register of Companies of the Marche 01383870431, which as such defines means, instruments and purposes of processing. Interested parties may contact the data controller by sending an email to the following address: privacy@drop.it .

DROP Srl has appointed a Data Protection Officer, who can be contacted by data subjects for all matters related to the processing of their personal data by sending an email to the following address: dpo@drop.it .

The processing of Personal Data of data subjects will be carried out within the European Union and conducted in accordance with applicable European legislation and the Privacy Code, which governs the processing of personal data carried out by anyone who is resident or based in Italy.

We care about the security of the personal data of the data subjects and to prevent its loss, illicit or unlicensed use and unauthorized access, we use and observe specific security measures, which are constantly updated. In addition, Drop srl specifies that it implements precise protections with regard to underage individuals; therefore, it does not process in any way the personal data of individuals under the age of 14 or the limit for digital consent introduced in Italy with Law 101/2018, which draws its legal basis from both Article 8 of GDPR 2016/679 and Article 13 of the Convention on the Rights of the Child, "the freedom to seek, receive and impart information and ideas of all kinds" in written, oral or artistic form or by any other means of the child's choosing."

TYPES OF DATA PROCESSED

Pursuant to Article 4 of the EU Regulation 2016/679, the data processed under this policy are qualified as "personal data" or any information concerning an identified or identifiable natural person directly or indirectly.

It should be noted, by way of example but not limited to, that the personal data of data subjects subject to processing belong to the following types:

• personal data: first name, last name, tax code, VAT number, residential address, domicile of the interested party or, if the latter is a legal person, of its internal contact person(s);
• Contact information: telephone and/or e-mail address of the data subject, including at the company to which the data subject belongs;
• data subject-generated content: i.e. any additional data that may have been voluntarily and voluntarily communicated by the data subject through open form fields or by e-mail. This category of personal data allows us to offer information about the data subject or third parties and, in some cases, allows us to contact the data subject. This information could include images of the data subject or other people, or any other type of content such as text, feedback, opinions, personal information about other people that the data subject may provide to us (e.g., via social media), "tags" or "likes" to our social media page or any other content posted by us, or any other personal information that the data subject may make publicly available. The data subject may remove such content at any time if he or she no longer wishes us to use it;
• browsing data (the IP addresses or domain names of the computers used by users connecting to the site, the addresses in URL notation of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server and other parameters relating to the user's operating system and computer environment);
• cookies, as described in more detail in the Cookie Policy available at the following link: https://www.iubenda.com/privacy-policy/725754/cookie-policy?an=no&s_ck=false ; In this regard, it specifies that, in compliance with the provisions of Article 49 GDPR 2016/679, some data are transferred to servers located in a Third Country (among which America-USA is mentioned) or in a State not belonging to the EU or the European Economic Area including also Norway, Iceland and Linchestein.
• nature and location information: this category of personal data allows for a better rendering of the service you expect from us. Such data may include personal information related to your interactions with us, which enables us to manage your profile, offer relevant information and updates and tailored marketing content, establish communications and conduct our business safely, evaluate and understand and optimize and manage our website and other means of communication. However, the collection of this information is not systematic: only the information necessary to fulfill the specific purpose will be collected and used;
• business information: this category of personal data allows us to provide the data subject with the services they have requested from us, along with the necessary customer service and support, protect our communications, and manage and better understand our business activities. The information may include personal data about the services the data subject is considering;
• data for applications for job positions ("Jobs" or "Recruiting" area): personal and contact data of the candidate, photograph, data on education, studies and career, languages spoken, membership in protected categories, additional data voluntarily given by the candidate in his/her CV.

PROVISION OF PERSONAL DATA

The provision of personal data may take place by data subjects through the completion of appropriate contact forms or registration, by browsing the site, through any applications or by e-mail, when concluding contracts for the provision of services and/or for requests for information, quotes and assistance. In connection with these activities, the Data Controller collects personal data relating to data subjects.

We may also use cookies or other online advertising technologies for this purpose. In addition, we may obtain personal information from services provided by other companies in order to update or supplement data of data subjects, for example, when data subjects link their social media profile to our profile. These companies have their own privacy and cookie policies, so data subjects should keep in mind that the personal information they transmit to these companies will be subject to their rules and not ours.

The compulsory or optional nature of the provision is specified from time to time - with reference to the individual information requested - by affixing an appropriate symbol (*) to the mandatory information. Any refusal to communicate the data marked as mandatory makes it impossible for the Controller to provide the services requested or available on the site or to fulfill obligations arising from laws or regulations.

The provision of additional data that are not indicated with the symbol (*) is, however, optional and their non-conferral does not entail any consequences with regard to the services requested and/or available on the Site or the fulfillment of legal or regulatory obligations.

METHODS AND PURPOSES OF PROCESSING

The processing of personal data of data subjects is carried out in accordance with the principles of lawfulness, fairness and transparency. We guarantee that the data processed will be adequate, relevant and not excessive in relation to what is necessary for the purposes of processing.

The personal data of the data subjects: (a) shall be processed and stored in electronic format, through instruments suitable to ensure the security and confidentiality of the data. The processing may also be carried out through automated tools designed to store, manage or transmit the data themselves and, in any case, will be carried out in compliance with the provisions of the Regulations; (b) will be kept in a form that allows their identification for the time strictly necessary for the purpose for which they were collected and subsequently processed and, in any case, within the limits of the law; (c) except as otherwise provided for in this notice, they will not be disclosed to third parties for purposes not permitted by law or without the express consent of the data subject; (d) they may be disclosed to the police or judicial authorities, in accordance with the law and when requested; (e) they are processed and are stored in computer and telematic archives located within the borders of the European Union.

Should Drop Srl transfer data outside the European Union, it undertakes to ensure that this transfer takes place in compliance with the provisions issued by the European Commission, in accordance with the applicable legal provisions. Furthermore, Drop srl undertakes to carry out periodic monitoring activities towards suppliers located in Third Countries and informs its customers in a clear and transparent manner by updating this Privacy Policy.

The processing of personal data of data subjects is carried out by means of the following operations namely collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, restriction, deletion or destruction.

Drop Srl implements the security measures assessed as most appropriate in order to preserve the confidentiality, integrity and availability of the personal data of the data subjects and imposes similar security measures on third party suppliers and Processors.

The purposes for which the personal data of data subjects are processed are specifically disclosed, from time to time, at the time when the provision of personal data is requested. In particular, the personal data of data subjects will be lawfully processed for the following purposes of processing:

• To process requests from interested parties;
• administrative-accounting purposes, that is, to carry out activities of an organizational, administrative, financial and accounting nature, such as internal organizational activities and activities functional to the fulfillment of contractual and pre-contractual obligations;
• fulfillment of legal obligations, i.e., to fulfill obligations required by law, authority, regulation or European legislation;
• Direct marketing purposes, such as subscribing to the newsletter service, sending advertising and/or promotional offers by automated contact methods (email, text message, etc.);
• verification of the proper operation, maintenance and management of the site, whereby navigation data and technical cookies may be used to obtain anonymous information on the use of the site and to check its proper functioning;
• management of applications for job positions, i.e., for the process of selecting and evaluating proposals.

LEGAL BASIS FOR PROCESSING

For the processing of data subjects' requests, the legal basis consists of Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of a contract and/or the execution of pre-contractual measures taken at the request of the data subject.

For administrative-accounting purposes, the legal basis consists of Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of a contract and/or the execution of pre-contractual measures taken at the request of the data subject.

For the fulfillment of legal obligations, the legal basis consists of Article 6(1)(c) of the GDPR, as the processing is necessary to fulfill a legal obligation to which the Data Controller is subject.

For direct marketing purposes, the legal basis consists of Article 6(1)(a) of the GDPR, as for the purpose of processing it is necessary that the data subject has given consent for that specific purpose.

For the verification of the proper operation, maintenance and management of the site, the legal basis consists of Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the owner in the verification of the operation and effectiveness of the site and its better management and maintenance.

For the processing of job applications, the legal basis consists of Article 6(1)(a) of the GDPR, as the processing is based on the free, optional and explicit consent of the data subject.

To ensure the interests of Data Controllers or a Third Party without impairing the fundamental rights and freedom of data subjects.

A data subject who has given his or her explicit consent to the processing may revoke it at any time. However, it is clarified that such revocation does not affect the lawfulness of the processing based on the consent given prior to the revocation.

DATA RETENTION TIME

The personal data of data subjects will be kept for the time strictly necessary to fulfill the purposes of processing, without prejudice to the need to keep it for additional periods for the protection of the holder's rights or when required by law or by the Judicial Authority.

Data related to the fulfillment of administrative-accounting purposes are retained for the period of ten years in accordance with the provisions of the law.

If the data subject has consented to the sending of direct marketing communications, his or her data will be processed and stored until the consent is revoked by the data subject. In this regard, the data subject will be reminded in direct marketing communications that he or she has the option to unsubscribe from the service.

Browsing data processed to verify the proper operation, maintenance and management of the site are retained as long as they are necessary to correct any malfunctions and/or ascertain computer crimes or other wrongdoing by third parties to the detriment of the site.

Data provided by data subjects to apply for job positions are kept for the period necessary for the selection of the candidate and for a maximum of two years after the application is sent.

At the end of these periods, the data, if not processed for any other purpose and unless further retention periods are required by law or imposed by the need of the data controller to protect its rights, will be automatically deleted in whole or in part (in accordance with applicable regulations) or anonymized so as not to allow, even indirectly or by linking other databases, the identification of the data subjects. In any case, if the data subject decides to withdraw consent or object to the processing, his or her data will be deleted within thirty days of the request. Pursuant to the GDPR, this is without prejudice to the data controller's right to extend this period by two months, if necessary, taking into account the complexity and number of requests: in this case, the data controller shall inform the data subject of such extension and the reasons for the delay, within one month of receipt of the request. Session data will be kept until the end of your session (by leaving or closing the pages of our website).

In addition, the Data Controller may be obliged to retain Personal Data for a longer period in compliance with a legal obligation or by order of an authority. In this regard, please note that following the Data Retention Act (Law 167/2017), data is retained by the provider for a period of 6 years.

In the event that the interested parties should forward to Drop Srl personal data not requested or not necessary for the purpose of the performance of the requested service, Drop Srl cannot be considered the owner of these data and will delete them as soon as possible.

DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

The employees and/or collaborators of DROP Srl in charge of managing the site and the requests of the interested parties and/or contacting them may become aware of the personal data of the interested parties. These subjects, who have been instructed to this effect by the owner in accordance with art.29 of the Regulations, will process the data of the interested parties exclusively for the purposes indicated in this statement and in compliance with the provisions of the applicable legislation.

Third parties who process personal data on behalf of DROP Srl in the capacity of Data Processors pursuant to Article 28 of the GDPR, such as, by way of example, providers of IT and logistical services functional to the operation of the owner's website, providers of outsourced or cloud computing services, professionals and consultants, as well as third parties that the Data Processors may use, in the capacity of "Sub-Processors", pursuant to Article 28 of the GDPR, may also become aware of the personal data of the data subjects.

The personal data of data subjects may be disclosed to other recipients of the data collected on the site, who process the data independently, only when this purpose is not incompatible with the purposes for which your data was collected and subsequently processed and, in any case, in a manner that complies with the law. In particular, the data provided by the data subjects may be processed, with their consent, by third-party partners for their communications concerning their own products, services, newsletters and events, as well as to carry out any market studies and statistical analyses. The condition that makes the processing lawful is the consent of the data subjects (optional and revocable at any time). Revocation of consent does not affect the data processing activities carried out previously.

In addition, the personal data of the interested parties could be communicated to all those public and/or private individuals and/or legal entities (legal, administrative and tax consulting firms, Judicial Offices, Chambers of Commerce, Chambers and Offices of Labor, public authorities, etc.) in case of their request under regulatory or administrative measures, if the communication is necessary or functional for the proper fulfillment of contractual obligations undertaken in relation to the services on the site, as well as obligations arising from the law or in the case of ascertaining, exercising or defending a right.

Data are also stored with our provider for communication via website and e-mail and with the Digital Preservation Delegate in accordance with the Agid Guidelines Preservation of Information Documents 2022.

Data subjects have the right to obtain a list of those to whom their data has been disclosed or may be disclosed by making a request by e-mail to the following address privacy@drop.it.

The data will not be disclosed, transferred or otherwise transferred to other third parties without the prior notification of the data subjects and, with their consent, when required by law.

We may allow selected third parties (such as authorized advertising partners) to collect personal information from data subjects by means of automated technologies on our site ("Cookies ") in an effort to provide data subjects with content and advertisements that may be of interest to them, in accordance with the provisions of Articles 5 and 6 of the GDPR on the lawfulness of processing and the legal basis thereof.

For more information regarding the sharing of their personal data, data subjects can contact our Data Protection Officer at: dpo@drop.it

RIGHTS OF INTERESTED PARTIES

DROP Srl is committed to protecting and implementing the privacy rights of data subjects. Pursuant to EU Regulation 2016/679, data subjects have the right to:

• obtain access to the data, i.e. receive confirmation from the data controller of the existence or non-existence of their personal data and know their content and origin, ask the data controller to confirm whether or not personal data concerning them are being processed;
• receive clear information on the methods and purposes of the processing of their personal data, the logic applied in the case of processing carried out with the aid of electronic instruments, the identification details of the owner and those responsible, the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them as managers or appointees;
• obtain the updating, rectification or, when they are interested, the integration of incomplete personal data, including by providing a supplementary statement;
• Obtain the deletion, transformation into anonymous form or restriction of data processed in violation of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed, except in legitimate cases of exemption;
• obtain certification that the operations referred to in the two preceding points have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except where this proves impossible or involves the use of means manifestly disproportionate to the protected right;
• Revoke consent at any time if the processing is based on their consent;
• obtain (where applicable) data portability, i.e. they have the right to receive all personal data concerning them in a structured, commonly used, machine-readable format and to transmit such data to another data controller without hindrance;
• oppose, in whole or in part, for legitimate reasons, the processing of personal data concerning them, even if relevant to the purpose of collection;
• object, in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication;
• object, where personal data are processed for direct marketing purposes, at any time to the processing of data carried out for that purpose, including profiling insofar as it is related to such direct marketing;
• should they believe that the processing concerning them violates the GDPR, the right to lodge a complaint with the Supervisory Authority (in the member state in which they normally reside, in the member state in which they work, or in the member state in which the alleged violation occurred).

To exercise their rights, data subjects may contact the Data Controller by sending an email to the following address: privacy@drop.it or to the Data Protection Officer, by sending an email to the following address: dpo@drop.it attaching the appropriate application published on the Home Page.

At any time it is the right of the 'data subject to contact the Italian Data Protection Authority. The Italian Data Protection Authority is the Garante per la Protezione dei Dati Personali, based in Piazza Venezia, n. 11, 00187 - Rome (RM)(http://www.garanteprivacy.it/). The owner is not responsible for updating the latter link, so if said link is not working and/or updated, data subjects acknowledge and accept that they should always refer to the document and/or section of the websites referred to by said link.

The data controller will provide the data subject with information about the action taken regarding a request without undue delay and, at the latest, within one month of receipt of the request. In accordance with the provisions of the GDPR, this period may be extended by two months, if necessary, taking into account the complexity and number of requests: in such case, the data controller shall inform the data subject of such extension and the reasons for the delay, within one month of receipt of the request.

RIGHT TO BE FORGOTTEN

The User has the right to obtain the deletion of data concerning him/her without undue delay.

PRIVACY POLICY CHANGES AND UPDATES

DROP Srl may modify or simply update, in whole or in part, the Privacy Policy published on the site also in consideration of the modification of the laws or regulations that govern this matter and protect the rights of the interested parties. Changes and updates to the Privacy Policy will be notified to users on the Homepage of the site as soon as they are adopted and will be binding as soon as they are published on the site in this same section. We therefore kindly ask interested parties to regularly access this section to check the publication of the most recent and updated Privacy Policy.

Cookie policy

This Cookie Policy supplements the technical details that are contained in the corresponding banner on the website www.drop.it. We use cookies to personalize content and ads, to provide social media features, and to analyze our traffic.

WHAT ARE COOKIES

Cookies are small text strings stored on your computer when you visit certain pages on the Internet. In most browsers cookies are enabled, at the bottom is the information needed to change the cookie settings on your browser. Cookies are not harmful to the device. In the cookies we generate, we do not store personally identifiable information, but we do use information to improve your stay on the site. For example, they are useful for identifying and resolving errors. Cookies then are distinguished into "session" and "persistent" cookies, the former once downloaded are then deleted when the Browser is closed, while the latter are stored until they expire or are deleted.

COOKIES PRESENT

Technical navigation cookies: These are cookies that ensure normal navigation and use of the website and allow the connection between the server and the user's browser. They are cookies that are essential for navigation (e.g. session identifiers), which allow you to use the main functionalities of the site and protect your connection. Without these cookies, it would not be possible to use the site normally.

Analytical Cookies: These are cookies that collect information about how you use the website, such as which web pages are visited most often. This website uses third-party cookies "Google Analytcs", "Google Optimize", " Microsoft Clarity".

All data collected is anonymous and in aggregate form therefore not profiling. The information generated by the cookie about your use of the website (including your IP address) is transmitted to, and stored on, Google's servers.

The Google Analytics cookie policy can be found at Google Analytics Cookie Usage on Websites (https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage).

Users can disable Google Analytics cookies, either totally or by selecting some of them, by downloading an add-on (https://tools.google.com/dlpage/gaoptout) to their browsers to disable Google Analytics

Optimize uses Analytics cookies to target variants of content to a user.

"Microsoft Clarity" uses Microsoft's cookies that can be found at the following link

https://privacy.microsoft.com/it-it/privacystatement

Cookies related to Social Buttons: Social buttons are those particular "buttons" on the site that depict social network icons (Facebook , Linkedin) and allow users who are browsing to interact with a "click" directly with social networks. The social buttons used by the site are links that refer to the social pages of Drop srl.

Facebook (cookie policy link) https://www.facebook.com/policies/cookies/

LinkedIn (cookie policy link) https://www.linkedin.com/legal/cookie-policy/

Cookies that provide interactive maps: These cookies allow interactive maps to be included within this site via Google Maps. 

DELETION OF COOKIES

Users may at any time delete cookies that have been installed on their device by deleting the browsing history of their browser. Deleting cookies altogether, however, may not allow the site to function properly.

There are specific procedures established by individual browsers for deleting cookies:

Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DAndroid&hl=it

Safari: https://support.apple.com/it-it/guide/safari/sfri11471/mac

Opera: https://help.opera.com/en/latest/web-preferences/#cookies

Mozilla: https://support.mozilla.org/it/kb/Eliminare%20i%20cookie

Explorer: https://support.microsoft.com/it-it/help/17442/windows-internet-explorer-delete-manage-cookies

Android: https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DAndroid&hl=it

iOS: https://support.apple.com/it-it/HT201265#:~:text=To%20delete%20the%20chronology%20and%20i,data%20sites%20web%20and%20chronology

COOKIE STATEMENT AS OF 09/05/2022