Privacy Policy

This policy is provided pursuant to Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (so-called “General Data Protection Regulation” or “GDPR”) and the data protection laws of the Swiss Confederation, in particular the Federal Act on Data Protection of 25 September 2020 and the Data Protection Ordinance (DPO) of 31 August 2022. It is provided by the Data Controller, i.e. the person who, individually or jointly with others, determines the purposes and methods for the processing of personal data.

The Data Controller, aware of the importance of guaranteeing the security of personal information, provides the information necessary to make the user (hereinafter “User” or “Data Subject”) aware of the characteristics and methods used to process his/her personal data.

  Data Controller    Who determines the purposes and methods used to process data?  
ECSA Chemicals AG, with registered office in CH-9230 Flawil, Burgauerstrasse, 17, CHE-103.950.878, in the person of the legal representative pro tempore, in its capacity as Data Controller (hereinafter “Data Controller”).
  Subject of the processing  What personal data are processed?  
The personal data that may be processed are the User’s data collected when the User browses the website and when he/she uses the functions and services of the website. In particular, the Data Controller may process:
- personal data whose transmission is connected to the use of Internet communication protocols (navigation data, such as page accesses, amount of data transferred, status message after accesses, session ID numbers, IP addresses, URL addresses, location data, display language, coordinated universal time, etc.);
- ordinary personal data (e.g. registration data, personal data, contact details, e-mail address).
  Purposes  What are the purposes of data processing?  
The User’s personal data, collected when the User browses the website and when he/she uses the functions and services of the website, may be processed for the following purposes:
- purpose connected to the provision of web pages, functions and services of the website: the processing of personal data (navigation data whose transmission is linked to the use of Internet communication protocols, such as, for example, page accesses, amount of data transferred, status message after accesses, session ID numbers, IP addresses, URL addresses, display language, coordinated universal time, etc.) is required to allow the provision of web pages, website functions and services, to obtain statistical information on the use of web pages and to check the pages are functioning correctly;
- purposes related to registration on the website: processing of personal data (registration data, personal data, contact details, e-mail address), to allow registration on the website and the provision of functions and services connected to the registration itself;
- purpose related to responding to reports, questions or requests made by the User: the processing of the User’s personal data (personal data, contact details, e-mail address), necessary to respond to the reports, questions and/or requests made by the User;
- purpose connected to the protection of rights and the management of website security: the processing of the User’s personal data necessary for the protection of the Data Controller’s rights, including in legal proceedings, as well as to allow the management of the website’s security;
- purpose connected to the sending of newsletters: the processing of the User’s personal data (registration data, personal data, contact details, e-mail address), which is needed to send communications of an informative nature to people who specifically request it by subscribing to the newsletter. The User can withdraw and unsubscribe from the newsletter at any time, by notifying the Data Controller;
- purpose related to the issue of the Fidelity Card and participation in the related loyalty programmes: the processing of the User’s personal data (registration data, personal data, contact details, e-mail address), necessary for the issue of the Fidelity Card for participation in initiatives and loyalty programmes based on the use of the Fidelity Card itself;
- purpose connected to the sending of commercial communications to customers (soft spam): the processing of the User’s personal data (personal data, contact details, e-mail address), which is needed to e-mail promotions, discounts, etc. related to products or services previously purchased by the User. In any case, if such communications are no longer wanted, the User can object, at any time, by notifying the Data Controller, who will stop sending them. From the moment the User objects, the Data Controller will no longer be able to process the data for this purpose;
- purpose connected to the sending of commercial communications to existing, prospective or potential customers (direct marketing): subject to the User’s consent, the processing of the User’s personal data (personal data, contact details, e-mail address), necessary for sending, by e-mail or via other automated systems (e.g. WhatsApp), advertising material and promotional communications on the Data Controller’s products or services, also based on the sectors the User has shown an interest in;
- purpose connected to the transfer of the User’s personal data to the other companies of the ECSA Group: subject to the User’s consent, the processing of the User’s personal data (personal data, contact details, e-mail address), necessary for the communication of the same to the other ECSA Group companies, so that they can contact the User directly by sending to him/her, by e-mail or via other automated systems (e.g. WhatsApp), advertising material and promotional communications on their products or services.
  Legal bases  What are the reasons that justify data processing?  
The reasons that justify the processing of the User’s personal data, collected when the User browses the website and when he/she uses the functions and services of the website, are:
- purpose connected to the provision of web pages, functions and services of the website: the execution of a contract the User is party to or the execution of pre-contractual measures adopted at his/her request (the User’s decision to use the functions and services of the website);
- purposes related to registration on the website: the execution of a contract the User is party to or the execution of pre-contractual measures adopted at his/her request (the User’s decision to register on the website);
- purpose related to responding to reports, questions or requests made by the User: the execution of a contract the User is party to or the execution of pre-contractual measures adopted at his/her request (the User’s decision to send reports, questions and/or requests to the Data Controller);
- purpose connected to the protection of rights and the management of website security: the pursuit of the legitimate interest of the Data Controller (protection of rights and management of website security);
- purpose connected to the sending of newsletters: the execution of a contract the User is party to or the execution of pre-contractual measures adopted at his/her request (User’s decision to subscribe to the newsletter);
- purpose related to the issue of the Fidelity Card and participation in the related loyalty programmes: the execution of a contract the User is party to or the execution of pre-contractual measures adopted at his/her request (the User’s decision to own a Fidelity Card and join the loyalty programmes);
- purpose connected to the sending of commercial communications to customers (soft spam): the pursuit of the legitimate interest of the Data Controller (sending of commercial communications to Users who are already customers);
- purpose connected to the sending of commercial communications to existing, prospective or potential customers (direct marketing): the express consent of the User. Consent can always be withdrawn; from the moment consent is withdrawn, the Data Controller will no longer be able to process the data for this purpose;
- purpose connected to the transfer of the User’s personal data to the other companies of the ECSA Group: the express consent of the User. Consent can always be withdrawn; from the moment consent is withdrawn, the Data Controller will no longer be able to process the data for this purpose.
  Provision of the personal data    What is the nature of the provision of data?
The provision of the personal data that are processed is:
- purpose connected to the provision of web pages, functions and services of the website: necessary to allow the provision of the web pages and the website functions and services. Personal data are acquired automatically while the User browses the web, through the computer systems and software procedures used to operate the website;
- purposes related to registration on the website: necessary to allow registration on the website and the provision of functions and services connected to the registration itself; failure to provide data, therefore, makes it impossible for the User to register on the website and use the features and services connected to the registration itself;
- purpose related to responding to reports, questions or requests made by the User: necessary to allow responding to reports, questions and/or requests from the User; failure to provide data, therefore, makes it impossible for the User to receive answers to reports, questions and/or requests sent to the Data Controller;
- purpose connected to the protection of rights and the management of website security: due to the exercise of the Data Controller’s legitimate interest to protect their rights, including during legal proceedings, as well as to be able to manage the security of the website;
- purpose connected to the sending of newsletters: necessary to allow the sending of communications of an informative nature to subjects who expressly request them by subscribing to the newsletter; failure to provide data, therefore, makes it impossible for the User to subscribe to the newsletter. The User can withdraw and unsubscribe from the newsletter at any time by notifying the Data Controller, who will interrupt the activity;
- purpose related to the issue of the Fidelity Card and participation in the related loyalty programmes: necessary for the issue of the Fidelity Card and to allow participation in the related loyalty programmes; failure to provide the data, therefore, makes it impossible for the User to own the Fidelity Card itself and to participate in the related loyalty programmes;
- purpose connected to the sending of commercial communications to customers (soft spam): due to the exercise of a legitimate interest of the Data Controller to be able to send commercial communications to Users who are existing customers. In any case, Users who no longer wish to receive such communications can object, at any time, by notifying the Data Controller, who will interrupt the activity;
- purpose connected to the sending of commercial communications to existing, prospective or potential customers (direct marketing): optional; failure to provide data will make it impossible for the Data Controller to send, via e-mail or other automated systems, advertising material and promotional communications on the Data Controller’s products or services, also based on the sectors the User has shown an interest in;
- purpose connected to the transfer of the User’s personal data to the other companies of the ECSA Group: optional; failure to provide (or withdrawal of previously given consent) will make it impossible for the Data Controller to communicate the data to the ECSA Group companies. Without the data, these companies therefore will not be able to contact the User directly and will be unable to send, via e-mail or other automated systems (e.g. WhatsApp), advertising material and promotional communications on their products or services.
  Storage period  How long are the data kept for?  
The User’s personal data will be stored:
- for the purpose connected to the provision of the functions and services of the website: the User’s personal data will be stored, in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are kept for a few days (unless specific requests from the public authority require data to be stored for longer);
- for purposes related to registration on the website: the User’s personal data will be stored, in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are kept for as long as the User is a registered user of the website;
- for the purpose related to responding to reports, questions and/or requests made by the User: the User’s personal data will be kept, in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are stored, depending on the subject and type of messages, for the time necessary to respond to reports, questions and/or requests made by the User and in any case no more than 10 years from the time of collection;
- for purposes related to the protection of rights and the management of website security: in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are stored for no more than 10 years from the time of collection;
- for the purpose connected to the sending of newsletters: in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are kept for as long as the User is subscribed to the newsletter;
- for the purposes related to the issue of the Fidelity Card and participation in the related loyalty programmes: in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are kept for as long as the User holds the Fidelity Card and participates in the related loyalty programmes;
- for the purpose connected to the sending of commercial communications to customers (soft spam): in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose and in any case no longer than 24 months from the time of collection;
- for the purpose connected to the sending of commercial communications to existing, prospective or potential customers (direct marketing): until consent is withdrawn or in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose and in any case no longer than 24 months from the time of collection;
- for the purpose connected to the transfer of the User’s personal data to the other companies of the ECSA Group: until consent is withdrawn or in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose and in any case no longer than 24 months from the time of collection.
  Methods of data processing  How are the data processed?  
The processing of personal data will be carried out with the use of electronic tools. The processing of personal data will be based on the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and will be carried out with computerised procedures (and residually through manual or paper tools), suitable for guaranteeing data security and confidentiality, also through the use of suitable procedures that avoid the risk of destruction, loss, modification, unauthorised disclosure, unauthorised access to transmitted, stored or, in any case, processed personal data.
  Access, communication and dissemination   Who can access and process the data?    
Personal data may be made accessible to workers or collaborators, who have been expressly trained and authorised to process data and who work for or under the direct authority of the Data Controller. Personal data may also be processed by third parties that, on behalf of the Data Controller, carry out outsourced activities and have proven they have adopted technical and organisational measures that can guarantee data security. These third parties, expressly designated as processors of personal data, will be provided with adequate operating instructions. These subjects are essentially included in the following categories:
- companies that offer management and maintenance services for IT systems and websites;
- companies that offer support for market studies;
- companies that perform management and maintenance services for the database of the Joint Controllers;
- companies that offer e-mailing services;
- companies that offer services for the management of the marketing automation platform;
- companies that provide organisational support and event reception services.
The processed personal data cannot be communicated to other specific subjects, with the exception of the cases provided for by current legislation, such as, for example, communication to the Authorities and control and supervisory bodies and, in general, communication to third parties, including private individuals, who can legitimately request and receive data, or to Public Authorities who expressly request data from the Data Controller for administrative or institutional purposes. Furthermore, personal data may be communicated to other specific subjects if the User explicitly consents to transmission. The processed data cannot be disclosed to indeterminate subjects.
  Transfer of data    Where are personal data stored?
  Personal data will be stored within the Swiss Confederation and the European Economic Area (EEA). Any transfer to third countries that do not belong to the European Economic Area can only take place if those countries guarantee an adequate level of protection of personal data, using methods that comply with European and Swiss legislation on the protection of personal data.
  Rights of the data subjects    What are the rights of the data subject?
The User has the right to:
- obtain confirmation from the Data Controller as to whether or not personal data concerning him/her are being processed and, in this case, have access to personal data and other related information, also receiving a copy (right of access);
- obtain from the Data Controller the rectification of inaccurate personal data and/or the integration of incomplete personal data concerning him/her (right to rectification);
- in the foreseen cases, obtain the cancellation of personal data from the Data Controller (right to erasure);
- in the foreseen cases, obtain from the Data Controller the restriction of the processing of all or part of the personal data processed by the Data Controller (right to the restriction of processing);
- in the event that the processing is based on consent or on the execution of a contract the User is party to and is carried out in an automated way, request and receive from the Data Controller, in a commonly used electronic format, the personal data that concern him/her, as well as, if technically feasible, the transmission to another Data Controller (right to data portability);
- withdraw, at any time, any consent given in relation to the processing of personal data (right to withdraw consent);
- in the foreseen cases, object, in whole or in part, to the processing of personal data (right to object);
- in the foreseen cases, not to be subjected to a decision based solely on automated processing.
If the User believes that the data processing is in violation of European and Swiss legislation on the protection of personal data, he/she has the right to lodge a complaint with the competent Supervisory Authority or, in the cases provided for, to appeal to the appropriate judicial offices.
  Exercise of rights    How can the data subject exercise his/her rights?
The User may exercise his/her rights at any time by contacting the Controller: ECSA Chemicals AG, Burgauerstrasse 17, CH-9230 Flawil (Switzerland), e-mail: privacy@ecsa.ch
  Data Protection Officer    How can the Data Protection Consultant be contacted?
The User may exercise his/her rights at any time by contacting the Data Protection Consultant or the Data Protection Officer (DPO) by writing to this e-mail address: studiobarbieri@mywaysec.com
  Cookies  Which cookies are used and what function do they perform?  
The website uses so-called cookies to guarantee the provision of the functions and/or services of the website itself, as well as to improve the way it functions.
What are cookies?
Cookies are small text fragments, normally made up of letters and/or numbers, which are sent by the visited website and stored by the internet browsing software (browser) installed on the device (personal computer, smartphone, tablet, etc.) used by the User for navigation. The cookies are then transmitted back to the website the next time the User visits the website. The information encoded in cookies may include personal data, such as an IP address, username or e-mail address, but may also contain non-personal data, such as language settings or information about the type of device a person is using to navigate the website. Cookies can therefore perform important and different kinds of actions, including monitoring sessions, storing information on specific configurations related to users accessing the server or facilitating the use of online content. They can, for example, be used to track items in an online shopping cart or information used to fill out a computer form. If, on the one hand, cookies can be used to make web pages load faster, as well as route information on a network (therefore in line with obligations strictly connected to the operation of the websites themselves), it is also through cookies that behavioural advertising can be delivered and the effectiveness of the advertising message can be measured. Cookies can also be used to adapt, to the user’s behaviour, the type and methods of services provided. The same result can also be achieved through the use of other tracking tools, which allow for processing similar to that performed through cookies.
These tracking tools include fingerprinting, which allows the device the User is browsing on to be identified (through the collection of all or some of the information relating to the specific configuration of the device adopted by the user). This technique can be used to achieve the same profiling purposes also aimed at displaying personalised behavioural advertising and analysing and monitoring the behaviour of website visitors, or to adjust the type and methods of rendered services to user behaviour. From now on, these tracking tools will also be included in the definition of cookies.
How are cookies classified?
Cookies can be classified according to:
- purpose (technical, analytical or profiling cookies);
- provenance (first-party cookies or third-party cookies);
- duration (session cookies or persistent cookies).
Based on their purpose, cookies are divided into technical cookies, analytical cookies and profiling cookies.
Technical cookies are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary for the provider of an information society service explicitly requested by the user to provide this service. Technical cookies are essential for a website to function correctly and are used to manage various services related to the website itself (e.g. logging in or access to reserved functions on the sites). The duration of cookies is strictly limited to the work session or they can remain for longer in order to remember the user’s choices. Disabling strictly necessary cookies can compromise the user experience and navigation of the website. The prior acquisition of the user’s consent is not required for the use of technical cookies.
Analytical cookies are cookies used to collect information on the use of the website. In particular, they are useful for statistically analysing accesses or visits to the site itself and for improving its structure, navigation logics and contents.
The information collected is used to carry out statistical analyses in order to improve the use of the website and possibly to make the contents more interesting and relevant to the User’s wishes. Since they are not necessary for the website to function, analytical cookies can be used only after acquiring the user’s consent. However, analytical cookies that adopt minimisation measures that reduce the identifying power of data (e.g. anonymised by masking portions of the IP address of the User browsing the website) can be compared to technical cookies, so the prior acquisition of the user’s consent is not required for their use.
Profiling cookies are used to trace the User’s navigation, analyse his/her behaviour and create profiles regarding user tastes, habits or choices, etc. In this way it is possible, for example, to transmit targeted advertising messages in relation to the user’s interests and in line with the preferences expressed by the user when browsing online. The prior acquisition of the user’s consent is required for the use of profiling cookies.
Based on their origin, cookies are divided into first-party cookies and third-party cookies. First-party cookies are installed directly by the website that the user is visiting, while third-party cookies are installed by a domain that is not the one the user is visiting. This may occur if the visited website incorporates elements from other sites, such as images, plug-ins from social media and social networks or advertisements, or if there are widgets and other tools for interconnection with external sites and features. In the case of third-party cookies installed through the website, the obligations regarding the protection of personal data (e.g. providing the privacy policy and acquiring consent for the use of cookies) involve the third parties and it is possible to object to cookie use directly on the third-party website.
Based on the duration, cookies are divided into session cookies and persistent cookies.
Cookies that expire at the end of a browser session (normally when a user closes their browser) are defined as session cookies and are used, for example, to memorise a user’s purchase order, or for security purposes, such as when logging into a personal internet banking or webmail account. Cookies which, on the other hand, are stored for a longer period of time (between one session and another, even after closing the browser) are called persistent cookies and are useful, for example, to remember user preferences or to offer targeted advertising.
What are the cookies used by the Data Controller’s website?
The cookies used by the Data Controller’s website are only technical cookies or analytical cookies with minimisation measures that reduce the identifying power of the data (equivalent to technical cookies), to guarantee the provision of the functions and/or services of the website as well as to improve the way it functions. The prior consent of the User is not required for the installation of these cookies. The website uses “Google Analytics”, a Google web analysis service, which allows the collection of information useful for analysing how visitors use the website, with the aim of improving the way the website functions. When using Google Analytics, parts of the IP address are masked, so it is not possible to directly identify the User browsing the website. For more information on the Google Analytics privacy policy, click here. To deactivate Google Analytics, click here.
The user can express his/her preferences on cookies also through the settings of the browser used. By default, almost all browsers are set to automatically accept cookies, but users can change the default configuration through the settings of the browser they use, which allow users to cancel/remove all or some cookies, block the sending of cookies or limit them to certain sites.
Disabling / blocking cookies or deleting them could cause some areas of the website to not function optimally or prevent some features from working. The configuration of cookie management depends on the browser used. Below are the main browsers’ instructions and links to the guides for managing cookies:
- Google Chrome: click on the icon with the three dots at the top right and then on “Settings”. Select “Advanced” and in the “Privacy and security” section click on “Site Settings”. Adjust the cookie settings by selecting “Cookies and site data”. Click here for more information.
- Mozilla Firefox: click on the icon with the three horizontal bars at the top right and select “Options”. In the window, select “Privacy and security” to adjust cookie settings. Click here for more information.
- Microsoft Edge: click on the icon with the three horizontal dots at the top right and select “Settings”. In the window, select “Privacy and security” to adjust cookie settings. Click here for more information.
- Microsoft Internet Explorer: click on the gear icon at the top right and select “Internet Options”. In the window, select “Privacy”, “Advanced” and adjust the cookie settings. Click here for more information.
- Apple Safari: select “Preferences” and then “Privacy” to adjust cookie settings. Click here for more information.
- Opera: select the icon with the three horizontal bars at the top right and then select “Advanced”. Select “Privacy & Security” and then “Site Settings”. From the “Cookies and site data” section, adjust the cookie settings. Click here for more information.
For browsers other than those listed above, read the relevant guide to identify how to manage cookies.