Pursuant to the current legislation on the protection of personal data (the “Privacy Regulations“) including the EU Regulation 2016/679 (the “GDPR“), as well as Italian Legislative Decree 196/2003 as amended by Italian Legislative Decree 101/2018 (“Privacy Code“), Geico S.p.A. (the “Company” or the “Data Controller“), as data controller, informs the users (hereinafter the “Users” or, individually, the “User“) of the website www.geico-spa.com (the “Website“), that it will process their personal data collected through the Website in the manner and for the purposes described below in this policy (the “Policy“).
The User, by browsing the Website, acknowledges having read and understood the content of this Policy.
The Data Controller is Geico S.p.A. with registered office in Cinisello Balsamo (MI), Via Pelizza da Volpedo 109/111, 20092, VAT no 00688580968, and can be contacted at the number +39 02 660221 or at the following e-mail address email@example.com.
The Company will only process the following types of personal data of Users who browse and interact with the web services of the Website, in particular:
Computer systems, cookie technology and software procedures used to operate the Website acquire, during their normal operation, some data whose transmission is implicit in the use of the Internet. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow Users to be identified.
This category of data includes, for example, the IP addresses or domain names of the computers used by the Users who connect to the Website, the pages visited by the Users within the Website, the domain names and addresses of the Internet sites from which the User has accessed the Website (by referral), the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the web server, the size of the file obtained in response, the numerical code indicating the status of the response sent by the web server, and other parameters relating to the type of browser (e.g. Internet Explorer, Google Chrome, Firefox), operating system (e.g. Windows) and the User’s computer environment.
This refers to the data provided to the Company directly by the User (such as, by way of example but not limited to: name, surname, e-mail address, personal data of the sender possibly contained in e-mail communications or in the attachments thereto, etc.) following the sending of an e-mail or other communication to the Company’s contacts indicated on the Website.
The personal data provided (implicitly or directly) by the User will be processed without requiring the User’s prior consent, for the following purposes (“Purposes“):
If the legal basis of the processing is the legitimate interest of the Data Controller, the latter guarantees to have previously carried out an assessment aimed at ensuring the proportionality of the processing so that the rights and freedoms of the Users are not prejudiced, taking into account the reasonable expectations of the same in relation to the specific processing activity.
Users may request additional information about the above evaluation by sending an email to the following address firstname.lastname@example.org.
The Data Controller also informs the User that s/he has the possibility to object at any time to the processing of his/her Personal Data carried out on the basis of legitimate interests of the Company.
If the Company intends to use the personal data collected for any other purpose that is incompatible with the aforementioned Purposes for which they were originally collected or authorised, the Company will inform the User in advance, possibly obtaining consent for further processing of the data.
The provision of data directly by the User is instead optional. However, failure to provide them may result in the impossibility of receiving replies to communications sent by the User to the Company.
In relation to the indicated Purposes, the processing of Personal Data may consist of the activities indicated in Article 4, paragraph 1, no. 2) of the GDPR, namely: collection, recording, organisation, storage, consultation, processing, disclosure by transmission, or otherwise making available, restriction, erasure or destruction of Personal Data.
Data can be processed through automated tools, according to a logic strictly related to the purposes and, however, in such a way as to ensure the security and confidentiality of data, in addition to compliance with the specific obligations under the legislation in force and applicable from time to time.
The data may be made accessible exclusively for the purposes mentioned above to the following subjects: employees and collaborators of the Data Controller, in their capacity as authorised data processors.
Even without the express consent of the User, the Company may communicate the User’s data for the purposes referred to in paragraph 3 above to supervisory and/or control bodies of the Company, judicial authorities and all other entities to whom the communication is required by law for the fulfilment of the mentioned Purposes, as independent data controllers.
In addition, the Company may entrust certain personal data processing operations carried out for the Purposes set out in Paragraph 3 above to categories of third parties, specifically appointed by the Company, if necessary, as data processors, including, by way of example but not limited to:
The User’s personal data will not be subject to transfer to third parties other than those indicated in this Policy.
User data will not be disclosed to the public or to unspecified parties.
The management and storage of data will take place on the Company’s servers located within the European Union and/or on the servers of third party companies duly appointed as data processors.
The User’s data may be transferred outside the European Union.
In any case, such transfer may only take place to those non-member countries which have been the subject of an adequacy decision and which, therefore, guarantee an adequate level of protection of personal data, or on the basis of standard contractual clauses validated by a European supervisory authority and conforming to the templates proposed by the Commission in Decision 2010/87/EU.
Adequacy decisions with reference to the countries of Japan and the United Kingdom are available at the following links.
For further information regarding adequacy decisions and/or standard contractual clauses with respect to other non-EU countries to which Personal Data may be transferred, please write to email@example.com
Personal data will be stored and processed for the entire duration of the navigation and, after its termination, for whatever reason, for a period not exceeding 24 months (the “Retention Period“).
At the end of the Retention Period, personal data will be deleted, unless there are further legitimate interests of the Company and/or legal obligations that make it necessary to retain it, after minimisation.
In accordance with the law, the Users, in their capacity as data subjects, will always have the right to revoke any consent given, and may also at any time exercise the following rights:
In the above cases, where necessary, the Data Controller will inform the third parties to whom the User’s personal data are communicated of the possible exercise of rights, except in specific cases where this is not possible or is too costly and, in any case, in accordance with the provisions of the Privacy Regulations.
Where processing is based on consent, the User will also be entitled to revoke, at any time, any consent given, it being understood that revocation of consent will not affect the lawfulness of processing based on consent prior to revocation.
The Data Subject may at any time exercise his/her Rights in the following ways:
The Data Controller informs the Data Subject that, pursuant to the Privacy Regulations, he or she has the right to lodge a complaint with the competent supervisory Authority (in particular in the Member State of his or her usual residence, place of work or place of the alleged breach), if he or she deems that his or her Personal Data are being processed in a manner that would result in a breach of the GDPR.
In order to facilitate the exercise of the right to lodge a complaint, the name and contact details of the European Union Supervisory Authorities are available at the following link https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
Finally, if the User intends to lodge a complaint with the Supervisory Authority competent for the Italian territory (i.e. Italian Data Protection Authority), the complaint form is available at the following link: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/4535524.
Last updated 14 October 2021