PRIVACY POLICY

Pursuant to and in accordance with Article 13 of the EU Regulation 2016/679 (hereinafter “GDPR”) on the protection of natural persons with regard to the processing of personal data.

Dear User,

this policy is rendered, with reference to the website https://iprovenzali.it/it/ (the “Website”), by Mirato S.p.A., with registered office in Landiona (NO), Strada Provinciale Est Sesia, CAP 28064, P.I.: 02202120032, Reg. Imp.: 221690 (“Owner”) as the data controller, and allows you to know the origin and use of browsing information in accordance with current legislation on the protection of personal data. Mirato S.p.A. reserves the right to modify this document at any time, to specify the activities in more detail and to comply with the laws.
You will be informed by a message on the Website inviting you to read the updated policy, as well as by any other appropriate method.
If you have an account, an email or notification will be forwarded to your account.
This notice does not cover websites, applications and services, which have separate policies and which do not include or refer to this document.
Any personal data acquired will be processed in accordance with the aforementioned regulations.
In connection with the abovementioned processing, the following information is provided:

1. Purpose

https://iprovenzali.it/it/ is a Website for the commercial promotion of the Products of MIRATO S.p.A. under the brand I PROVENZALI.

2. Object

The Website collects several types of personal data. This data is processed to enable the user:

    • Registration and participation in the prize contests held by Mirato, including (i) the management of all content sent by the interested party in order to participate in the contest, (ii) the management of the possible supply of goods and services of any prizes inherent in the contest, (iii) the preparation of statistics in aggregate anonymous form;
    • Commercial and promotional activities, including the possible subscription to the informative, promotional and commercial newsletter related to the activities of Mirato spa and other companies of the Group;
    • Navigating the Website easily;
    • Receiving a response to any request for information sent through the contact form or message/comment via any social media networks such as Facebook, Instagram, etc.;
    • Fulfilling legal obligations or other obligations defined by the competent authority;
    • Cybersecurity, with related and possible protection of a right, judicially or otherwise.

2.1 Navigation data

Like all websites, this Website makes use of log files that store information collected in an automated manner during user visits.

Cookies and other tracking technologies are used on this Website to collect information about users when they interact with the Website or emails that are sent. This information allows us to infer the user’s preferences for certain brands or products and to analyze how they interact with certain content. This information is collected both when you are logged in and when you are not logged in and can be cross-referenced with each other, regardless of the device you use. For more information about cookies and how to delete them, see the cookie policy.

Categories of information that are collected include:

    • internet protocol (IP) address;
    • browser type and parameters of the device used to connect to the website;
    • name of the internet service provider (ISP);
    • date and time of the visit;
    • the web page of the visitor’s origin (referral) and exit;
    • possibly the number of clicks.

The above information is processed in an automated form and collected in aggregate form only for the purpose of verifying the proper functioning of the website, and for security reasons (from May 25, 2018, this information will be processed based on the legitimate interests of the owner).

For security purposes (spam filters, firewalls, virus detection), the automatically recorded data may possibly also include personal data such as the IP address, which could be used, in accordance with the relevant laws, to block attacks on the Website itself or to harm other users, or otherwise harmful or criminal activities. Such data is never used for user identification or profiling, but only for the purpose of protecting the Website and its users (from May 25, 2018, such information will be processed according to the legitimate interests of the owner).

2.2 Data provided by the user

Where the Website allows for comments to be posted, messages to be sent via the appropriate contact form, or in the case of specific services requested by the user to the contacts indicated therein, the Website automatically detects and records certain identifying data about the user (including the user’s email address or account), or in some cases the user himself provides them in his request for information, including but not limited to: first name, last name, date of birth, address, e-mail, number of the “mobile” device for sending SMS messages, answers to contests and/or games, the details of a valid identification document. These data are understood to be voluntarily provided by the user when requesting the provision of service or information in the appropriate contact form on the website. The same applies to any data entered by the user to the owner via message or comment with tools provided by third-party social media (such as Facebook) – for the processing of data by such third parties, the user should refer to the relevant privacy policy of the social media of reference.

Any refusal to disclose data prevents the provision of the requested services. The owner also acknowledges that any non-communication, or incorrect communication, of any of the mandatory information, has as its consequences: the impossibility of guaranteeing the appropriateness of the processing itself; the possible mismatch of the results of the processing with any obligations imposed by the fiscal, administrative and civil law to which it is addressed.

3. Legal basis

Personal data are collected only when the owner has a legal basis, provided by the applicable law, for collecting and processing the data.

The personal data collections described below are made only because they are:

    • NECESSARY TO PROVIDE THE SERVICES REQUIRED BY THE USER (so-called contractual purposes). The User’s data are used to manage the subscribed services and to fulfil any pre-contractual obligations. Any other current or future services related to the Services are stated in the various terms and conditions of use.
    • NECESSARY FOR THE HOLDER’S LEGITIMATE INTEREST (so-called legitimate interest). In this case, the Owner ensures that it considers any potential impact this collection may have on users of the website. If it believes that the interests or fundamental rights and freedoms of the User outweigh its legitimate interests, personal data will not be used on this basis and specific consent will be sought.
    • NECESSARY TO FULFILL OUR LEGAL OBLIGATIONS (so-called legal obligation). Some data may also be retained to fulfil our legal obligations and defend our interests in the event of litigation or legal action.
    • BASED ON THE FREELY GIVEN CONSENT OF THE DATA SUBJECT (so-called consent). In the event that user data should be collected and processed for commercial purposes, through communications and/or newsletters regarding commercial activities, initiatives and offers, as well as to conduct market research and activities aimed at detecting the quality of the services offered. For the pursuit of the purposes for which the consent of the data subject is required by law, personal data will be processed only with the express consent of the user.

4. Data storage

The data received will be used exclusively for the provision of the requested service and only for the time necessary for the provision of the requested service or information. The information that users of the Website will provide the owner through the services and tools made available to them, is provided by the user knowingly and voluntarily, exempting this Website from any responsibility regarding any violation of the laws. It is up to the user to verify that he or she has permission to enter the personal data of third parties or content protected by national and international regulations.

In general, the User’s personal data is retained for the duration of the relationship and, after termination, for a maximum period of 10 years. In the case of judicial litigation, data will be held for the entire duration of the litigation, until the exhaustion of the time limits for appeal actions.

After the above retention periods have expired, personal data will be destroyed, deleted or anonymized, consistent with the technical procedures for deletion and backup.

Emails sent to customer service are retained for 24 months.

5. Data access

The personal data processed by the Owner will not be disseminated, i.e., will not be made known to unspecified parties, in any possible form, including making them available or for mere consultation, except in the event that participation in the prize contests involves the dissemination of materials containing personal data. In this case, the data voluntarily submitted for participation in the contest will be disseminated, subject to consent, on the Website and/or social media page and/or otherwise where provided for within the prize contest rules. The data may be disclosed to third parties as data processors, pursuant to art. 28 GDPR, or autonomous data controllers, including (i) suppliers of the owner (subjects who carry out assistance activities; firms or companies within assistance and consulting relationships; companies that are contractually linked to Mirato spa) (ii) entities, Public Administrations, banks and credit and insurance institutions; (iii) competent authorities for compliance with obligations of laws and/or provisions of public bodies, upon request; (iv) to MediaMilano S.r.l. for the performance of ministerial activities related to the possible participation of the user in the contest, also with the aim of ensuring its proper conduct.

Personal data may also be communicated to employees working for the Owner as well as to some individuals who collaborate with them. Lastly, they may be communicated to the subjects entitled to access them according to provisions of the law, regulations and EU rules.

In particular, on the basis of the roles and work duties performed, some workers have been legitimized to process personal data, within the limits of their competence and in accordance with the instructions given to them by the Data Controller. Access to the data and/or the request for portability will be fulfilled within the maximum period of 30 days, subject to impediments and/or complexities in fulfilment. A fee based on the administrative costs incurred will be charged for the issuance of additional copies of the personal data being processed.

Even without the express consent ex Art. 6 lett. b) – c) and Art. 13 lett. e) of the GDPR, the Data Controller may communicate the data for the indicated purposes to Supervisory Bodies, Judicial Authorities, as well as to any other subjects to whom the communication is obligatory by law. Nonetheless, your data may be transmitted, by way of example, to:

    • Agents or external figures working with the company;
    • Subsidiaries and associated companies;
    • Banks and credit institutions;
    • Service providers (e.g., IT system providers, cloud service providers, database providers, and consultants).

The updated list of Data Processors is available at the registered office of the Data Controller and will be provided upon written request.

6. Security of personal data

The user’s personal data are protected by technical and organizational measures in accordance with European legal and regulatory requirements that guarantee their security and confidentiality.

In particular, Mirato S.p.A. uses protective technologies, such as encryption, authentication and fraud detection systems, to protect your online account and payment transactions.

Mirato S.p.A. obtains written commitments from all its service providers to ensure and implement security measures sufficient to guarantee the protection of personal data entrusted to them for processing in accordance with legal requirements for the protection of personal data.

7. Data transfers

The management and storage of personal data will take place on servers of the Data Controller and/or third-party companies contracted and duly appointed as Data Processors located within the European Union. Currently, the servers are located in Italy. The data will not be transferred outside the European Union. It is in any case understood that the Data Controller, should it become necessary, will have the right to move the location of the servers in Italy and/or the European Union and/or countries outside the EU. In this case, the Data Controller ensures as of now that the transfer of data outside the EU will take place in accordance with the applicable legal provisions.

8. Data Subjects’ Rights

In your capacity as a data subject, you are the holder of the rights set forth in Article 15 et seq. of Regulation 2016/679 (GDPR), namely:

    1) right to request from the data controller access to personal data (Art. 15) i.e., confirmation as to whether or not personal data concerning you are being processed, and if so, to obtain access to them;
    2) the right to ask the data controller for rectification (Art. 16) i.e., to obtain rectification and/or integration of inaccurate personal data concerning you;
    3) right to request from the data controller the deletion of the same (Art. 17) i.e., obtain the deletion of the data concerning you without undue delay;
    4) right to request from the data controller the restriction of processing concerning you (Art. 18), i.e., to obtain confirmation that the processing of personal data concerning you is limited to what is necessary for the purposes of storage;
    5) right to data portability (Art. 20), i.e., to obtain in a structured, commonly used and readable format, personal data concerning you;
    6) right to object to their processing (Art. 21) i.e., to object at any time, for reasons related to your particular situation, to the processing of data concerning you;
    7) right in relation to automated decision-making processes (Art. 22), i.e., the right not to be subject to a decision based solely on automated data processing without your explicit consent;
    8) right to erasure (Art. 17), i.e., the right to obtain, in the cases provided for in the Regulation, the erasure of personal data concerning you. In addition, you may at any time revoke the consent on which the processing carried out in accordance with the obtaining of consent to the processing is based;
    9) right to lodge a complaint with the Supervisory Authority (Art. 77) (Garante Privacy – link to the Authority’s website), i.e., the right to refer the matter to the Authority if you believe that the processing concerning you violates the Regulation.

9. Data Breach and notification to the Supervisory Authority and/or communication to the data subject

In the event of a personal data breach – understood as a breach of security that accidentally or unlawfully results in the destruction, loss, modification, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed – where the risk to the rights and freedoms of individuals is to be considered probable and/or high, the Data Controller will notify the Supervisory Authority without delay and in any case no later than 72 hours, giving a description of the nature of the data breach, including the number of individuals and the categories of data affected. The name and contact information of the DPO will also be provided.

10. Ways of exercising Data Subjects’ Rights

You may at any time exercise the above rights by sending:

    • a registered letter with return receipt to: Mirato S.p.A, Strada Provinciale Est Sesia s.n.c., CAP. 28064 – Landiona (NO).
    • e-mail: dpo@miratogroup.it

11. DPO

The data controller is Mirato S.p.a., with registered office in Strada provinciale Est Sesia, 28064 Landiona (NO), Tel. +39-0321-827711, Fax +39-0321-828273, e-mail: info@mirato.it.

The Data Protection Officer can be contacted at the following e-mail address: dpo@miratogroup.it.