Cookie Policy

MRR Bullets srl (VAT No.: 04140440985) (hereinafter “MRR”), with its registered office at Via Alessandro Volta 92, 25063 Gardone Val Trompia (BS) — Italy, in its capacity as Data Controller pursuant to Articles 4(7) and 24 of EU Regulation No. 2016/679 (GDPR), hereby informs you that, pursuant to Article 13 of the GDPR, it sets out below the cookie policy (“Policy”) applicable solely to this website www.mrrbullets.com (“Website”).

1. Legal framework.

1.1. This Policy is based on the following EU and/or national legislative provisions (of first and/or second level): (i) Directive 2002/58/EC of 12 July 2012 (the so-called ePrivacy Directive), as amended by Directive 2009/136/EC; (ii) Article 122 of the amended Legislative Decree No. 196/2003 (Privacy Code), which transposed the ePrivacy Directive into national law; (iii) GDPR: Articles 4(11), 7, 12, 13, 25 and 95 (as well as, in particular, Recitals 30, 32 and 173); (iv) Guidelines No. 5/2020 adopted on 4 May 2020 by the EDPB, replacing the Guidelines of 10 April 2018 signed by the Article 29 Working Party; (v) Provision No. 231 of 10 June 2021 [web doc. No. 9677876] signed by the Italian Data Protection Authority (Garante Privacy); (vi) Recommendation No. 2/2001 of the Article 29 Working Party; (vii) Opinion No. 2/2010 of the Article 29 Working Party; (viii) Opinion No. 4/2012 of the Article 29 Working Party; (ix) Guidelines No. 8/2020 of the EDPB.

2. Cookies and other tracking tools: definition and classification.

2.1. ‘Cookies’[1] are, as a rule, text strings that a website (‘publisher’ or ‘first-party’) visited by the user, or a different website (‘third-party’), places and stores, either directly (in the case of the first-party website) or indirectly (via the latter, in the case of the third-party website), on a terminal device available to the user: in this regard, the Data Protection Authority has specified that the information encoded in cookies may include both personal data pursuant to Article 4(1) of the GDPR (e.g. IP address; username; email address; unique identifier) and non-personal data pursuant to Article 3(1) of EU Regulation No 1807/2018 (e.g. language; type of device used).

Alongside (or in addition to) these, ‘other tracking tools’ may exist (and therefore be used), which can be divided into ‘active’ (which have almost the same characteristics as cookies) and ‘passive’ (e.g. fingerprinting).

2.2. Beyond the intrinsic characteristics described above, cookies (and other tracking tools) may exhibit different characteristics in terms of duration (and may therefore be classified as ‘session’[2] or ‘persistent’ [3], depending on their duration), from a subjective perspective (depending on whether the publisher acts independently or on behalf of a “third party”) and, finally (but most importantly), based on the purpose of the processing, so that they can be divided into two distinct (macro) categories:

  • “technical” data, used solely for the purpose of “transmitting a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contracting party or user to provide that service” (Article 122(1) of the Data Protection Code).

In this regard, the Data Protection Authority highlighted, in Provision No. 231 of 10 June 2021 (in line with the previous Provision on the subject from 2014), that “analytics cookies” [4] may well be classified as ‘technical’ cookies (or other tracking tools) (and, therefore, may be used without the prior consent of the data subject), provided certain conditions are met, aimed at precluding the possibility that their use could lead to the direct identification of the data subject (single out) [5].

  • “profiling”/“marketing” (so-called non-technical) data, used to attribute specific actions or recurring behavioural patterns in the use of the features offered (patterns) to specific, identified or identifiable individuals, for the purpose of grouping different profiles into homogeneous clusters of varying sizes, so that the Data Controller may, among other things, tailor the provision of the service in an increasingly personalised manner beyond what is strictly necessary for the provision of the service, as well as send targeted advertising messages (i.e., in line with the preferences expressed by the user whilst browsing the internet).

3. Cookies used on the Website.

3.1. The following types of cookies have been installed (or may be installed, subject to the user’s specific consent) on the Website:

[INSERT COOKIE TABLE]

4. Browser settings.

4.1. MRR highlights that users have the option to delete and block the operation of the cookies described in Article 3 above at any time by using the relevant settings within their browser: in this regard, MRR adds that, should the user decide to disable the technical cookies referred to in Article 2.2(i), the quality and speed of the services and features offered and made available on the Website may be impaired.

You can find information on how to manage cookies in some of the most popular browsers by visiting the following web pages:

https://support.google.com/chrome/answer/95647?hl=it
https://support.mozilla.org/it/kb/Gestione%20dei%20cookie?redirectlocale=enUS&redirectslug=Cookies
https://support.microsoft.com/it-it/help/17442

5. Rights of the data subject.

5.1. With regard to the user’s personal data, MRR hereby informs the data subject, as defined in Article 4(1) of the GDPR, that they have the right to exercise the following rights, subject to any restrictions provided for in Articles 2-undecies and 2-duodecies of the Privacy Code: right of access pursuant to Article 15 of the GDPR: the right to obtain confirmation as to whether or not personal data concerning the data subject are being processed, as well as the information referred to in Article 15 of the GDPR (e.g. purposes of processing, retention period); right to rectification pursuant to Article 16 of the GDPR: the right to correct, update or supplement personal data; right to erasure pursuant to Article 17 of the GDPR: the right to obtain the erasure, destruction or anonymisation of personal data, provided that the conditions set out in that Article are met; right to restriction of processing pursuant to Article 18 of the GDPR: a right of a distinctly precautionary nature, aimed at obtaining the restriction of processing where the circumstances governed by Article 18 apply; right to data portability pursuant to Article 20 of the GDPR: the right to obtain personal data provided to MRR in a structured, commonly used and machine-readable format (and, where requested, to have it transmitted directly to another data controller), provided that the specific conditions set out in the same article are met (e.g. legal basis of consent and/or performance of a contract); right to object under Article 21 of the GDPR: the right to have the processing of specific personal data permanently ceased; right to lodge a complaint with the Supervisory Authority (i.e. the Italian Data Protection Authority) under Article 77 of the GDPR: the right to lodge a complaint where it is believed that the processing in question infringes national and EU data protection legislation.

5.2. In addition to the rights described in Article 6.1 above, MRR specifies that, in relation to the data subject’s personal data, where possible and appropriate, the data subject has the right to exercise, on the one hand, the (sub)right provided for in Article 19 of the GDPR (“The data controller shall inform each recipient to whom the personal data have been disclosed of any rectification, erasure or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of such recipients if the data subject so requests”), to be considered connected and linked to the exercise of one or more rights regulated by Articles 16, 17 and 18 of the GDPR; on the other hand, MRR specifies that, in relation to the data subject’s personal data, there is, where possible and relevant, the right to exercise the right provided for in Article 22(1) of the GDPR (“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”), subject to the exceptions provided for in paragraph 2 below.

5.3. In accordance with Article 12(1) of the GDPR, MRR undertakes to provide the user with the information referred to in Articles 15 to 22 and 34 of the GDPR in a concise, transparent, intelligible and easily accessible form, using clear and plain language: such information shall be provided in writing or by other means, including electronic means, or, at the user’s request, shall be provided orally provided that the user’s identity is verified by other means.

5.4. In accordance with Article 12(3) of the GDPR, MRR hereby informs you that it undertakes to provide you with information regarding the action taken in response to a request made pursuant to Articles 15 to 22 of the GDPR without undue delay and, in any event, no later than one month from receipt of the request; this period may be extended by two months if necessary, taking into account the complexity and number of requests (in which case, the Data Controller undertakes to inform the user of such an extension and the reasons for the delay within one month of receiving the request).

5.5. You may exercise the rights described above at any time (with the exception of the right under Article 77 of the GDPR) by using the contact details set out in Article 6.

6. Contact details

6.1. MRR can be contacted at the following address: info@mrrbullets.com

7. Social plug-in.

7.1. In accordance with EDPB Guidelines No. 7/2020, MRR also states that it acts as a joint controller pursuant to Articles 4(7) and 26 of the GDPR in relation to certain social media providers (e.g. LinkedIn; YouTube), due to the installation on the Website of the relevant social plug-ins, which are easily visible and accessible on the Website.

[1] See Recital no. 30) of the GDPR (“Natural persons may be associated with online identifiers produced by the devices, applications, tools and protocols used, such as IP addresses, temporary markers (cookies) or other types of identifiers, such as radio frequency identification tags. Such identifiers may leave traces which, in particular when combined with unique identifiers and other information received from servers, can be used to create profiles of natural persons and identify them”), and art. 122 paragraphs 1) and 2) of the Privacy Code (“1. The storage of information in the terminal equipment of a contractor or user or access to information already stored is permitted only on condition that the contractor or user has expressed his consent after being informed using simplified methods. This does not prohibit any technical storage or access to information already stored if aimed solely at carrying out the transmission of a communication on an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contractor or user to provide such service. For the purposes of determining the simplified methods referred to in the first period, the Guarantor also takes into account the proposals formulated by the most representative associations at national level of consumers and the economic categories involved, also with the aim of guaranteeing the use of methodologies that ensure the effective awareness of the contractor or user. 2. For the purposes of expressing the consent referred to in paragraph 1, specific configurations of computer programs or devices that are easy and clear to use for the contractor or the user may be used…”); see also page 15) of Provision no. 231 of 10.6.2021 signed by the Privacy Guarantor: “…to date, there is still no universally accepted system of semantic coding of cookies and other tracking tools that allows for an objective distinction, for example, between technical ones and analytics or profiling ones, unless based on the indications provided by the owner himself in the privacy policy […] the hope that a general coding will be achieved quickly”.

[2] Cookies designed to collect and store data while a user accesses a website, and disappear once the user has closed the relevant browsing session.

[3] Cookies designed to last for a predetermined period of time (e.g., minutes; months; years).

[4] Analytical cookies are typically used to evaluate the effectiveness of an information society service provided by a publisher, to design a website, or to help measure traffic (i.e., the number of visitors, possibly broken down by geographic area or time of day).

[5] See Provision no. 231 of 10 June 2021 signed by the Italian Data Protection Authority, page 11. 13/14: “The structure of the analytics cookie must therefore provide for the possibility that it can be traced not only to one, but to multiple devices, so as to create reasonable uncertainty about the IT identity of the recipient. This effect is usually achieved by masking appropriate portions of the IP address within the cookie. Given the 32-bit representation of IP version 4 (IPv4) addresses, which are usually represented and used as a sequence of four decimal numbers between 0 and 255 separated by a dot, one of the measures that can be implemented in order to benefit from the exemption consists in masking at least the fourth component of the address, an option that introduces an uncertainty in the attribution of the cookie to a specific data subject equal to 1/256 (approximately 0.4%). Similar procedures should be adopted with reference to IP version 6 (IPv6) addresses, which have a different structure and a vastly larger address space (being made up of binary numbers represented by 128 bits). The Guarantor also emphasizes: The use of analytics cookies must be limited solely to the production of aggregate statistics and must be used in relation to a single site or mobile application, so as not to allow the tracking of users who use different applications or browse different websites. It is therefore understood that third parties who provide the publisher with the web measurement service must not combine the data, even minimized, with other processes (customer files or statistics on visits to other sites, for example) or transmit them to other third parties, under penalty of an unacceptable increase in the risk of user identification; except where the statistics they generate with the minimized data concern multiple domains, websites, or apps attributable to the same publisher or business group. 
However, it is possible to consider it lawful, even in the absence of the adoption of the required minimization measures, to use statistical analyses relating to multiple domains, websites, or apps attributable to the same data controller, provided that the latter performs the statistical processing itself. In any case, such analyses must not result in an activity that, going beyond the confines of a mere statistical count, actually takes on the characteristics of an elaboration aimed at making commercial decisions”.