Information provided by CAST – COOPERATIVA ANONIMA SERVIZI TIPOGRAFICI Società Cooperativa (Typographic Services Cooperative) pursuant to and for the purposes of Articles 13 and 14 of Regulation (EU) 2016/679 – GDPR and Legislative Decree 181/18, containing ‘Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679’
- TYPES OF DATA PROCESSED AND PROCESSING METHODS
- RIGHTS OF THE USER / DATA SUBJECT
- CHANGES TO THE DOCUMENT ‘PRIVACY & COOKIES POLICY’
In compliance with EU Regulation 679/2016-GDPR, and Legislative Decree 181/18, in order to ensure maximum transparency with regard to the information that the website collects and how it uses it, we hereby provide due information regarding the purposes, nature and methods of processing personal data to those who consult the pages of the website www.c-a-s-t.com of CAST – COOPERATIVA ANONIMA SERVIZI TIPOGRAFICI Società Cooperativa, regardless of the purpose of the connection itself, in accordance with current Italian and European legislation.
1.2 Data Controller
The Data Controller is the natural or legal person or other body which, individually or jointly with others, determines the specific methods and purposes of data processing, assuming responsibility for the actual implementation of the processing.
Pursuant to and for the purposes of Article 24 GDPR, the Data Controller of the data collected through the c-a-s-t.com website is:
CAST – COOPERATIVA ANONIMA SERVIZI TIPOGRAFICI Società Cooperativa, with registered office in Via Maso della Pieve, 2/D 39100 Bolzano (BZ), P.I., Italy / Tax Code 02802640215
1.3 Place of processing
The data collected by the website www.c-a-s-t.com are processed at the Data Controller’s premises, and at the web hosting data centre which, in this case, is provided by the company NETSONS SRL, with registered office in Via Tirino, n. 69 – 65129 Pescara, Tax Code/VAT ID 01838660684, whose servers hosting the website are located in Via Caldera 21, Milan – Italy, therefore subject to the GDPR. By processing data on behalf of the Data Controller, the web hosting provider is responsible for processing.
1.4 Legal basis for processing
The provision of data, and therefore consent to its collection, is optional; the User may refuse consent and may always revoke it once provided.
However, refusing consent may result in the inability to provide certain services and the User’s browsing experience on the site may be impaired.
2. Types of data processed and processing methods
2.1 Navigation data
The computer systems and software procedures used to operate this website may acquire, in the course of their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This information is not collected in order to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow the Users to be identified.
This category of data includes IP addresses or the domain names of the computers used by Users who connect to the site, the URI (Uniform Resource Identifier) addresses of the resources requested, the date and time of the visit, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the User’s operating system and computer environment.
These data may be used to ascertain possible liability in the event of hypothetical computer crimes against the site and therefore to verify the proper functioning of the site.
It should be noted that for security purposes (spam filters, firewalls, virus detection, etc.), automatically recorded data may also include personal data such as the IP address, which may be used in accordance with current legislation, in order to prevent the commission of computer crimes or other activities harmful to the site.
Such data are never used for customer identification or profiling.
Cookies are small text files that are sent from the visited website to the User’s device (usually to the browser), where they are stored so that they can recognise that device on the next visit. On each subsequent visit the cookies are re-sent to the site from the User’s device. Cookies are mainly used to adapt the operation of the site to the User’s expectations, personalising the browsing experience and memorising any choices made previously.
Each cookie generally contains: the name of the server from which the cookie was sent, the expiry date, and a value, usually a unique number randomly generated by the User’s computer. The server of the website that transfers the cookie uses this number to recognise the User when he or she returns to a site or navigates from one page to another.
Cookies can be installed not only by the same operator of the site visited by the User (first-party cookies), but also by a different site that installs cookies through the first site (third-party cookies) and is able to recognise these. This happens because there may be elements on the site visited (images, maps, sounds, links to web pages of other domains, etc.) that are stored on servers other than that of the site visited.
In general, cookies are classified into different types according to:
- Duration: Session cookies (temporary) automatically deleted when the browser is closed and are used to identify the User and prevent him or her from having to log in each time a page is visited. Permanent cookies active until their expiry date or deletion by the User.
- Source: First-party cookies sent to the User’s browser directly from the site being visited. Third-party cookies sent to the User’s browser from other sites and not from the site being visited.
Technical cookies contribute to the proper functioning of the site, for example, they enable the User to navigate between pages or access protected areas, store User language preferences and so on. If they are blocked, the site cannot function properly or navigation will be less functional. Technical cookies also include the statistical/analytic a) first-party cookie or b) third-party cookie with IP masking, without data cross-referencing, which is used to collect information and generate website usage statistics to understand how visitors interact.
Non-technical cookies. Third-party statistical/analytic cookies without IP masking, with data cross-referencing, and profiling/advertising/tracking or conversion cookies for selecting advertising based on what is relevant to a User (personalised ads). These are all profiling cookies aimed at creating profiles relating to the User and are used in order to send advertising messages in line with the preferences expressed by the same during web browsing.
Cookies used by this website
CAST – COOPERATIVA ANONIMA SERVIZI TIPOGRAFICI Società Cooperativa informs Users that its website www.c-a-s-t.com uses the following types of cookies:
- First-party technical cookies, which are necessary for the correct and efficient operation of our website and do not require the User’s consent;
- Third-party technical cookies, which do not require the User’s consent, and third-party analytical cookies, which are assimilated to technical cookies in that tools have been adopted to reduce the identifying power of the cookies (by masking significant portions of the IP address) and the third party does not cross-reference the information collected with other information it already has.
Social network buttons
Social Buttons are buttons on the site that allow Users who are browsing to interact with social platforms with one click.
The Social Buttons used by the www.c-a-s-t.com website are links which redirect to the Data Controller’s accounts on the social networks shown.
The use of these buttons does not, therefore, entail the installation of third-party cookies on our site.
CAST – COOPERATIVA ANONIMA SERVIZI TIPOGRAFICI Società Cooperativa uses, in particular, the social buttons of Twitter, Instagram, Facebook, YouTube and LinkedIn. In general, beyond the type of cookies used by this website, we would like to inform Users that, in addition to the protections provided for by current legislation, there are possible
Options for navigating without cookies
Blocking third-party cookies: third-party cookies are generally not essential for browsing, so the User can refuse them by default, through special functions in the User’s browser.
Activating the ‘Do Not Track’ option: the ‘Do Not Track’ option exists on the majority of the latest generation of browsers. Websites designed to comply with this option should automatically stop collecting certain browsing data when it is activated. As mentioned, however, not all websites are set up to respect this (discretionary) option.
Activating ‘incognito’ mode: with this function, the User can browse without leaving any trace of his or her browsing data in the browser. Sites will not remember the User, pages he or she visits will not be stored in his or her history and new cookies will be deleted. However, incognito surfing does not guarantee anonymity on the Internet, as it only serves to keep the User’s browsing data out of his or her browser, whereas his or her surfing data will continue to be available to website operators and connectivity providers.
Deleting cookies directly: there are functions for this in all browsers. However, it should be remembered that new cookies are downloaded every time the User connects to the Internet, so these will require periodic deletion. If desired, some browsers offer automated systems for the periodic deletion of cookies.
For any further information on the subject of cookies, please consult the following link: http://www.garanteprivacy.it/cookie
In addition, if you would like to know how to restrict, block and/or remove the cookies set on your device, please visit the following link: http://www.aboutcookies.org
As mentioned above, you can also manage your cookie preferences through your browser. To find out the type and version of the browser you are using, we recommend that you click on ‘Help’ in the browser window at the top of the page, where you can access all the information you need. If, on the other hand, you know the type and version of your browser, simply click on the link corresponding to the browser you are using to access the cookie management page.
Finally, for more information on how to manage cookies, please visit the following web pages: http://www.youronlinechoices.eu, http://www.allaboutcookies.org, https://tools.google.com/dlpage/gaoptout, http://aboutads.info/choices, http://www.networkadvertising.org/choices.
2.3 Data provided voluntarily by the User/Data Subject
Following consultation of this site, data relating to identified or identifiable persons may be processed, freely provided by Users through the contact details on the www.c-a-s-t.com website, such as email address, and/or by filling in specific forms on the site (font purchase form).
The data required if the User decides to create his or her own account or purchase fonts are: first and last name, email address, telephone number, billing address, tax code, and VAT number.
The optional, explicit and voluntary sending of messages to the contact addresses present on the c-a-s-t.com website, the private messages sent by the Users to the profiles/pages on social media (where this is provided for), as well as the filling in and forwarding of forms present on this website, imply the acquisition of the sender’s contact data, necessary to answer and for the other purposes requested, as well as all the personal data included in the communications. All these data will be processed in accordance with the principles of correctness, lawfulness and transparency, protecting the confidentiality and rights of the User.
Specific information will be prepared for the provision of certain services.
This information is intended to define the limits, purposes and methods of processing of each data collection form, and each visitor will be able to freely express their consent and authorise the collection of data and its subsequent use.
Please note that in no section of the site, nor for access to any functionality, is a request made for ‘special categories of personal data’ and/or ‘personal data relating to criminal convictions and offences’, as defined by Articles 9 and 10 of EU Reg. 679/2016: if the User spontaneously sends the Data Controller information of the above-mentioned type, the Data Controller will process such data in compliance with the current legislation on the protection of personal data (EU Reg. 679/2016) and within the limits of what is strictly necessary in relation to the requests made by the User concerned, and, if not necessary, will immediately delete any such data.
2.4 Data processing methods
The processing that the Data Controller may carry out will be carried out by means of automated processes and/or the collection of paper documents;
The User is free to provide his or her own information by sending it to the Data Controller through the contact details on the website www.c-a-s-t.com by filling in specific information collection forms on the site; in the latter case, failure to provide certain data may, depending on the case, make it impossible to carry out the activities requested by the User (for example, see ‘required fields’ marked with (required) within the information collection forms).
Please note that our website allows you to purchase fonts by paying with Paypal. We confirm that no data referring to the card used for the payment will be stored.
The User’s personal data shall be processed by persons specifically appointed by the Data Controller as data processors and/or by anyone acting under its authority who has access to personal data; such persons shall process the data only when necessary in relation to the purposes for which they were provided and only within the scope of the performance of the tasks assigned to them by the Data Controller.
In addition, personal data may be communicated to third parties only if strictly necessary to provide specific services or information requested by the User or to comply with legal obligations, or for the defence of the Data Controller and/or processors in a judicial context. Finally, it should be noted that the Data Controller may make use of internal or external computer technicians for occasional maintenance, updating or assistance operations, in case of malfunctioning of the website, who will be instructed on the precautions to be taken in relation to personal data to which they may have access in the performance of their duties.
The Data Controller has not designated a D.P.O. (Article 37 EU Reg. 679/2016 and WP Guidelines Article 29 of 13/12/2016), as this figure is not necessary within the structure, given that the characteristics of the processing do not fall within the parameters referred to in the aforementioned Article 37.
The communications of data described above are strictly connected to the correct execution of the services requested by the User in the context of the management of the relationship and are necessary for the purposes for which the data were conferred, in particular:
- to fulfil the User’s legitimate requests;
- to fulfil legal obligations;
- to resolve any disputes;
- to process the User’s order and issue a fiscal invoice;
- to send our fonts or other requested products;
- to grant access to the site to download purchased fonts;
- to notify of changes in our service;
- to send our newsletter if the User joins our mailing list.
If the Data Controller in the course of its business intends to transfer personal data to a third country or an international organisation, it will only be required to carry out the processing in the presence of appropriate guarantees from the third parties in line with the GDPR, notifying Users accordingly;
Data will not be communicated to other third parties, unless express consent is requested in advance from the User.
Personal data shall not be disseminated and shall be kept for the time necessary to achieve the purposes for which they were provided, or in any case to fulfil legal obligations, including tax obligations. At the end of this period, unless expressly reconfirmed by the interested party, the data will be deleted, without prejudice to their transformation into anonymous form.
The personal data provided will not be processed in order to carry out an automated decision-making process (profiling).
In the event that the personal data provided is to be processed for purposes other than and in addition to those indicated above, the Data Controller shall provide information on such other purpose and any other relevant information.
2.5 Security measures
The Data Controller, taking into account the state of the art and the costs of implementation as well as the nature, scope, context and purposes of the processing both when determining the means of processing and at the time of processing itself (risk analysis – accountability), has put in place appropriate technical and organisational measures aimed at effectively implementing the data protection principles and integrating the necessary safeguards into the processing in order to meet the requirements of EU Reg. 679/2016 and protect the rights of the data subject.
The data will be processed using methods and tools suitable for guaranteeing its security (Articles 24, 25 and 32 EU Reg. 679/2016) and will be carried out through automated processes and through non-automated means (paper-based archives), to which all technical and organisational measures will be applied to ensure a level of security appropriate to the risk, so as to ensure on a permanent basis, their confidentiality, integrity, availability and resilience of the processing systems and services (by way of example but not limited to: controls both on the assignment of tasks to the persons in charge of data processing and on the classification of the data themselves; procedures, if sustainable, of pseudonymisation and encryption etc.).
3. Rights of the User/Data Subject
The Data Controller also informs the User that:
the data subject has the right to ask the Controller for access to his or her personal data and the rectification or deletion of these data or the restriction of their processing or to object to their processing in addition to the right to data portability (Articles 15, 16, 17, 18, and 20 EU Reg. 679/2016); by exercising the right of access, the data subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, while the exercise of the right to portability allows the data subject to obtain from the Data Controller the personal data in a structured, commonly usable eligible format, or the transfer of such data from the original Data Controller to another (see WP 242 of 13/12/2016);
the data subject shall have the right, where the processing is based on Article 6 para. 1 letter a or Article 9 para. 2 letter a, to withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;
the data subject has the right to lodge a complaint with a supervisory authority;
the data subject has the right to be made aware, by the Data Controller, who must provide notification without justified delay, of any personal data breach that is likely to present a high risk to the rights and freedoms of natural persons (Article 34 EU Reg. 679/2016).
The full text of the articles of EU Reg. 679/2016 relating to your rights (Articles 15 to 23 inclusive) can be consulted at any time at the following link to the website of the Data Protection Authority.
Alternatively, they will be provided by the Data Controller on simple request, by sending a communication to the contact details indicated above.
4. Changes to the document ‘Privacy & cookies policy’
The Data Controller reserves the right to make changes to this Privacy & Cookies Policy at any time, giving notice to Users.
Users are therefore kindly requested to consult this page frequently, taking as a reference the date of last change indicated at the bottom.
In the event of any updates or amendments to this document, Users will be put in a position to understand and assess the changes made by comparing the different versions of the information notice that may have followed one another over time, since the previous versions of the document will still be available to Users on the website.
Unless otherwise specified, this Privacy & Cookies Policy will continue to apply to personal data collected up to that point.
In any case, we invite Users to report any difficulties they may have in viewing this Privacy & Cookies Policy, so that we can, if necessary, provide alternative means of information.
Date of last change 24/03/2021