Policy
Privacy & Cookie Policy
Notice provided pursuant to articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR"), Italian Legislative Decree 196/2003 as amended by Decree 101/2018 ("Privacy Code"), and the Italian Data Protection Authority's Guidelines on cookies and other tracking technologies of 10 June 2021.
1. Data Controller
The data controller is Amedeo Greco, a freelance professional operating under the trade name Dharma Film (jointly, the "Controller").
- Contact email: amedeo@filmdharma.com
- Website: https://filmdharma.com
No Data Protection Officer (DPO) has been appointed as the conditions under article 37 GDPR do not apply.
2. Categories of personal data processed
The Controller processes the following categories of personal data:
- Contact data submitted via form, name, email address, optional organisation, free-text message. Submission is voluntary: data is only required if the user wishes to send a request.
- Browsing data, information whose transmission is implicit in the use of internet protocols (IP address, user agent, pages visited, timestamp). Processed in minimised form and for the time strictly necessary.
- Data collected via technical cookies, session preferences, cookie banner acceptance state, selected language. See section 9.
The site does not process special categories of personal data under article 9 GDPR nor data relating to criminal convictions under article 10 GDPR; users are invited not to include such data voluntarily in the free-text fields of the form.
3. Purposes of processing and legal bases
| Purpose | Legal basis (art. 6 GDPR) |
|---|---|
| Reply to requests submitted via contact form | Lett. b), pre-contractual measures |
| Comply with legal obligations (e.g. tax, accounting) connected to a possible contractual relationship | Lett. c), legal obligation |
| Ensure site security, prevent fraud and abuse (technical logs, anti-spam) | Lett. f), legitimate interest of the Controller |
| Install technical and functional cookies | Art. 122 Italian Privacy Code, no consent required |
The Controller does not carry out marketing, profiling or newsletter activities with data collected via the site. No profiling cookies or third-party tracking tools for advertising purposes are used.
4. Processing methods
Data is processed by electronic means with technical and organisational measures appropriate under articles 25 and 32 GDPR: TLS encryption in transit, access control, audit logs, periodic backups, data minimisation. Data is not subject to automated decision-making or profiling under article 22 GDPR.
5. Retention periods
- Contact form data: up to 24 months from the last useful contact, after which it is deleted or anonymised unless retention is required by law.
- Navigation logs: maximum 30 days, save for extended retention for the purpose of investigating IT offences (art. 132 Italian Privacy Code).
- Data linked to a contractual relationship: 10 years from termination, in line with civil and tax obligations (Italian Civil Code art. 2220 and Presidential Decree 600/1973 art. 22).
- Technical cookies and preferences: as specified in section 9.
6. Data recipients
Data may be disclosed, strictly as necessary, to the following categories of recipients, appointed as processors under article 28 GDPR where applicable:
- Hosting and cloud infrastructure providers located in the European Economic Area (EEA).
- Email and SMTP service providers.
- Appointed professionals (tax, legal consultants) limited to compliance purposes.
- Judicial and supervisory authorities, where required by law.
Data is not disseminated nor sold to third parties for commercial purposes.
7. Transfers outside the EEA
The site embeds third-party video players (YouTube, operated by Google Ireland Limited; Vimeo, operated by Vimeo Inc.). Such players are loaded only after the user's explicit click on the video preview: until that moment no data is transmitted to the providers. By clicking the player, the user accepts that their browsing data (IP address, device identifiers, provider cookies) may be processed by the aforementioned companies also outside the EEA (in particular in the United States), under their respective privacy policies. For transfers to the United States, providers have joined the EU-US Data Privacy Framework approved by the European Commission's adequacy decision of 10 July 2023 (C(2023) 4745).
- YouTube/Google privacy policy: https://policies.google.com/privacy
- Vimeo privacy policy: https://vimeo.com/privacy
8. Data subject rights
The data subject may at any time exercise the rights granted by articles 15-22 GDPR, in particular:
- Access (art. 15): obtain confirmation of processing and a copy of personal data.
- Rectification (art. 16): correct inaccurate data or complete incomplete data.
- Erasure (art. 17, "right to be forgotten").
- Restriction of processing (art. 18).
- Portability (art. 20): receive data in a structured, commonly used and machine-readable format.
- Objection to processing based on legitimate interest (art. 21).
- Withdrawal of consent at any time, without affecting the lawfulness of processing carried out before withdrawal (art. 7(3)).
Rights are exercised by sending a written request to amedeo@filmdharma.com. The Controller responds without undue delay and in any event within 30 days of receipt, extendable by a further 60 days in particularly complex cases (art. 12(3) GDPR).
The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (art. 77 GDPR; www.garanteprivacy.it) or to seek a judicial remedy (art. 79 GDPR).
9. Cookie policy
The site uses only cookies and similar technologies falling within the following categories, all qualifying as technical under article 122 Italian Privacy Code and the Italian Authority's Guidelines of 10 June 2021:
| Cookie | Purpose | Duration | Consent |
|---|---|---|---|
spark_privacy_accepted | Stores cookie banner acceptance state | 12 months | Not required |
NEXT_LOCALE | Stores user's selected language | Session | Not required |
| NextAuth session cookies | Restricted area only: authenticated user session | Session | Not required |
No profiling cookies, no third-party analytics, no marketing or advertising tracking is installed. Any cookies set by third-party video players are activated only after the explicit click on the player and are subject to the respective providers' notices (section 7).
Users may at any time manage or disable cookies via their browser settings; disabling technical cookies may impair the proper functioning of the site.
10. Data security
The Controller adopts technical and organisational security measures appropriate to the risk (art. 32 GDPR), including: end-to-end TLS 1.2+ transport, password hashing (bcrypt), rate limiting on public APIs, audit logging, encrypted periodic backups. In the event of a personal data breach, the Controller will provide the notifications required by articles 33-34 GDPR.
11. Changes to this notice
The Controller reserves the right to amend this notice to address regulatory, organisational or technological changes. Updated versions will be published on this page; substantial changes will be highlighted via an in-site banner.