CISALFA SPORT S.p.A. hereinafter the Data Controller, protects the confidentiality of your personal data and guarantees them the necessary protection from any event that could put them at risk of violation.

The Data Controller puts into practice policies and practices regarding the collection and use of personal data and the exercise of the rights that are recognized by the applicable legislation.

The Data Controller takes care to update the policies and practices adopted for the protection of personal data whenever necessary and in any case in the event of regulatory and organizational changes that may affect the processing of your personal data.

The Data Controller has appointed a Data Protection Officer (DPO) that you can contact if you have questions about the policies and practices adopted. The contact details of the Data Protection Officer are as follows: dpogruppocisalfa@cisalfasport.it

The Data Controller collects and / or receives information about you, such as: IP address personal identification data (such as name, surname, date of birth, physical and telematic address) released while browsing the site www.cisalfasport.it.

They are used by the Data Controller for the management of the site and to follow up on your registration request. They are also used by the Data Controller to follow up on the management of the sale contract and the fulfillment of legal and regulatory obligations to which Cisalfa Sport S.p.A. is required according to the activity carried out.

The communication of your personal data takes place mainly towards third parties and / or recipients whose activity is necessary for the performance of activities related to the aforementioned purposes, and also to respond to certain legal obligations. Any communication that does not respond to these purposes will be subject to your consent in advance.

Your personal data will not be disclosed to indeterminate subjects in any way. The Data Controller does not transfer your personal data abroad.

Your personal data will not be disclosed in any way to indeterminate subjects and not identifiable even as third parties. Personal information about you will be processed for:

The processing of your personal data, specifically the data to be entered in the mandatory fields in the registration form voluntarily transmitted by you at the time of registration to the Data Controller's site, are processed to process your request to create a personal account useful for the use of the services offered by the Data Controller through the site and access the online portal.

The processing of your personal data resulting from your purchase, such as order management, production and shipment of the purchased good, for invoicing and payment management, the processing of complaints and / or reports to the technical assistance service, the management and settlement of contractual and conventional guarantees, as well as for the fulfillment of any other obligation arising from the contract, such as, the registration and storage of your personal data.

The obligations that the Data Controller must fulfill depending on the contract and specific regulations governing it, are, among other things, those of:

• Book Keeping:

Your personal data are also processed to prevent fraud, including contractual fraud. Finally, your data will be processed to provide you with assistance on the products covered by the contract.

The processing of your personal data takes place depending on the contract and the obligations, including legal and / or regulatory, that derive from it. Your data will not be disclosed to third parties / recipients for their autonomous purposes unless:

1. you give your permission;

2. it is necessary for the fulfillment of the obligations dependent on the contract and on the laws governing it (eg for the defense of your rights, for the complaint to the supervisory authorities, etc.);

3. the communication takes place towards the companies of the group to which the Data Controller for administrative purposes; auditing and certification of financial statements; quality detection and certification companies; transport companies and freight forwarders for aspects related to the shipment of goods and customs procedures; banking institutions for the management of receipts and payments; companies and law firms for the protection of contractual rights and / or that deal with credit recovery; data processing and IT services companies (e.g. web hosting, data entry, management and maintenance of IT infrastructures and services, etc.);

4. the communication takes place towards the financial administration, and the public supervisory and control bodies towards which the Data Controller must fulfill specific obligations deriving from the specificity of the activity carried out;

5. are not delegated or are not legally entitled to receive your personal data. This is the case, for example, of family members, cohabitants or legal representatives (curators, guardians, etc.).

The Data Controller processes, also through its suppliers (third parties and / or recipients), your personal data, including IT data (eg logical accesses) or traffic data collected or obtained in the case of services displayed on the website www.bearsurfboards.eu to the extent strictly necessary and proportionate to ensure the security and ability of a network or servers connected to it to resist, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted.

For these purposes, the Data Controller provides procedures for the management of the violation of personal data (data breach) in compliance with the legal obligations to which it is bound.

The personal data concerning you and identifying you are necessary for the fulfillment of the request submitted by you through the "register" section or to allow you to place an online order. Any refusal makes it impossible for the Data Controller to fulfill the request for registration on the site and the conclusion of the online purchase.

The processing of data concerning you takes place through both electronic and manual means and tools made available to subjects acting under the authority of the Data Controller and authorized and trained for this purpose. Personal data are stored, in the case in electronic archives protected by effective and adequate security measures to counter the risks of violation considered by the Data Controller.

For the time necessary to fulfill the requests for registration and sending communications of this exclusive nature that the Data Controller makes following your request and in any case for a period not exceeding a maximum of 10 years, except in cases where events occur that involve the intervention of the competent Authorities, also in collaboration with third parties / recipients to whom the IT security activity of the Data Controller is entrusted, to carry out any investigations on the causes that led to the event.

The personal data processed by the Data Controller are kept for the time necessary to carry out the activities related to the management of the contract with the Data Controller and up to ten years following its conclusion (Article 2946 of the Italian Civil Code) or from when the rights that depend on it can be asserted (pursuant to Article 2935 of the Civil Code); as well as for the fulfillment of obligations (eg tax and accounting) that remain even after the conclusion of the contract (Article 2220 of the Civil Code), for which purposes the Data Controller must keep only the data necessary for their pursuit.

Except in cases where the rights deriving from the contract should be asserted in court, in which case your data, only those necessary for these purposes, will be processed for the time necessary for their pursuit The data are stored in computer and telematic archives located within the European Economic Area, and adequate security measures are ensured.

Compatibly with the time limits established for the processing of personal data concerning you, the rights that are recognized to you allow you to always have control of your data.

Your rights are to:

1. access;

2. rectification;

3. cancellation;

4. limitation of processing;

5. opposition to processing;

6. portability. Your rights are guaranteed to you without special charges and formalities for the request of their exercise which is essentially free of charge.

You have the right:

1. to obtain a copy, also in electronic format, of the data to which you have requested access. If you request further copies, the Account Holder may charge you a reasonable fee;

2. to obtain the cancellation of the same or the limitation of processing or even the updating and correction of your personal data and that third parties / recipients also adapt to your request in the event that they receive your data, unless legitimate reasons prevail higher than those that determined your request (eg environmental investigations and containment of the risk determined by the emergency managed through them by the Data Controller);

1. to obtain any useful communication regarding the activities carried out following the exercise of your rights without delay and in any case, within one month of your request, unless extended, motivated, up to two months that must be duly communicated to you.

For any further information and in any case to send your request you must contact CISALFA SPORT S.p.A., at the address privacy@cisalfasport.it

Without prejudice to any other administrative or judicial action, you can lodge a complaint with the competent supervisory authority or with the one that carries out its tasks and exercises its powers in Italy where you have your habitual residence or work or if different in the Member State where the violation of Regulation (EU) 2016/679 occurred. In particular, you can lodge a complaint with the Guarantor for the protection of personal data based in Piazza Venezia n. 11 - 00187 Rome, Tel. (+39) 06.696771; Fax. (+39) 06.69677.3785; E-mail: protocollo@gpdp.it; Certified e-mail: protocollo@pec.gpdp.it.

Any update of this information will be communicated to you promptly and by appropriate means and you will also be notified if the Data Controller will follow up the processing of your data for purposes other than those referred to in this statement before proceeding and in time to give your consent if necessary.