NOTICE ON THE PROCESSING OF PERSONAL DATA

Sixmenu Co., as Data Controller, informs you, pursuant to Article 13 of EU Regulation 2016/679 (hereinafter, “GDPR”) and in accordance with Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, that it will process users’ personal data collected through the website www.snellobeach.com (the “Website”) in the manner and for the purposes described below.

This notice applies exclusively to the Website www.snellobeach.com and not to any other websites that may be accessed by the user via links on the Website, over which the Data Controller has no control, nor access to the personal data of users visiting such websites.

This notice may be subject to changes. Any substantial changes and updates will be communicated to the data subjects as soon as they are adopted, by updating the link to the Privacy Policy in the Website footer. Data subjects are encouraged to regularly review this Privacy Notice to stay informed about how their personal data is collected and used. In the event of changes that significantly affect the rights of registered users, they will be informed in advance via email.

1. Subject of Processing

The Website processes the following categories of personal data provided by users while browsing:

• Data collected during navigation
• Data voluntarily provided by the user

2. Purpose of Processing

• The data provided by the user during navigation of the website, as set out in art. 1, letter a), will be processed, without the user’s prior consent, pursuant to Article 6 of the GDPR, for the following Service Purposes:
• Data voluntarily provided by the user

4. Methods of Processing and Retention Period

Personal data are processed using manual, IT, and telematic tools, with methods strictly related to the purposes for which the data were collected and, in any case, in a manner that ensures their security and confidentiality.

Appropriate technical and organizational measures are implemented to prevent unauthorized access, disclosure, alteration, or unauthorized destruction of personal data. Access to the data is strictly limited to authorized personnel or to third parties duly appointed as Data Processors, who operate on the basis of specific instructions.

Personal data are retained for the time strictly necessary to achieve the purposes for which they were collected, in compliance with the principle of storage limitation; in particular:

• Data processed for contractual purposes are retained for the entire duration of the contractual relationship and, thereafter, for the period required by applicable legal obligations (for example, in tax or accounting matters).
• Data processed on the basis of the data subject’s consent are retained until such consent is withdrawn, without prejudice to any further legal obligations.
• Data processed for marketing purposes are retained for a period not exceeding that permitted by applicable law or until the data subject objects.

At the end of the retention period, the data will be deleted, anonymized, or otherwise processed in such a way that the data subject can no longer be identified, without prejudice to any further retention obligations provided by law.

5. Data Access and Disclosure

Personal data may be made accessible exclusively to subjects authorized to process them, duly instructed and bound by confidentiality obligations, who operate under the authority of the Data Controller; in particular, the following may have access to the data:

• employees and collaborators of the Data Controller, within the scope of their assigned duties.
• providers of technical, IT, administrative, or organizational services related to the purposes of the processing.
• consultants and professionals (e.g., legal, tax, accounting), strictly within the limits necessary to perform their assignment.

Where required by applicable law, such subjects are appointed as Data Processors pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR) or operate as independent Data Controllers.

Personal data may be disclosed to third parties exclusively in the following cases:

• Where disclosure is necessary to comply with legal obligations, regulations, or EU legislation.
• Where disclosure is necessary for the performance of obligations arising from a contract to which the data subject is a party.
• With the prior consent of the data subject, where required.

The data will not be subject to dissemination, except in cases expressly provided for by law.

Where personal data are transferred to countries outside the European Economic Area (EEA), the Data Controller ensures that such transfer will take place in compliance with the appropriate safeguards provided for by applicable law, such as adequacy decisions of the European Commission or the adoption of Standard Contractual Clauses.

6. Data Transfer

The management and storage of data will take place on servers located within the European Union, owned by third-party companies appointed by the Data Controller.

If necessary, including for the use of cloud services or similar, the transfer of data to countries outside the European Union or the European Economic Area (EEA) will be subject to an assessment by the Data Controller, who will adopt, where applicable, the most appropriate safeguards (such as adequacy decisions or standard contractual clauses), in compliance with Articles 45 et seq. of the GDPR.

7. Links to External Platforms and Third-Party Websites

The Controller uses on the Website certain tools (widgets) that offer direct connection to configured Social Media platforms. By clicking on these links, the user can interact directly with the Controller’s accounts (social pages) in a separate browser window. There are also other links to third-party websites or platforms. The managers of the social networks to which the widgets refer and of the websites linked via hyperlinks are independent data controllers, with no possibility of control by the Controller. Therefore, the owners of such websites and platforms shall remain the sole and exclusive data controllers responsible for processing the personal data of their users, and the Controller shall have no involvement in or responsibility for such processing or any related consequences, damage, or cost resulting from improper or failed management. More information about the privacy policies of the social media platforms and third-party websites, as well as about cookie management and deactivation, can be found directly on the website of the respective third party.

8. Exercising Your Rights

The User may at any time exercise their rights as a data subject, as defined in Articles 15, 16, 17, 18, 19, 20, 21, and 22 of the GDPR, by sending an email to email@emailemail.com. Exercising these rights is free of charge and not subject to any formal requirements.

9. Data Controller, Data Processor, and Authorized Persons

The Data Controller is: