Privacy Policy
Matomo opt-in or opt-out
If you have chosen “Allow tracking” we remind you that data will be collected anonymously and in aggregate form as stated in this policy.
You can change your choices at any time.
This privacy policy is provided pursuant to Regulation (EU) 2016/679 (“GDPR”), for those who consult the website https://nicfab.eu. This privacy policy applies only to this website and not to other websites that the user may access via links.
Data Controller
The data controller for the processing of data relating to identified or identifiable persons who access and browse this website is Nicola Fabiano (privacy [at] nicfab.eu).
Purpose and legal basis of processing
| Aspect | 1. Navigation data (web server logs) | 2. Web analytics statistics (Matomo cookie-less) | 3. Comment system (Comentario) | 4. Voluntary communications via email | 5. Newsletter (Listmonk) |
|---|---|---|---|---|---|
| Purpose | IT security and monitoring of correct website functioning | Collection of aggregate statistics to improve content | Allow users to post comments (anonymous or pseudonymous) and provide internal technical statistics server-side | Respond to requests voluntarily submitted by the user | Sending weekly newsletter with Privacy, GDPR, and AI Law updates |
| Legal basis | Art. 6(1)(f) (GDPR) | Art. 6(1)(f) (GDPR) | Anonymous comments: outside GDPR scope; pseudonymous/nominative comments and internal technical statistics: art. 6(1)(f) (GDPR) | Art. 6(1)(b) (GDPR) | Art. 6(1)(a) (GDPR) - explicit consent via double opt-in |
| Retention | Max 7 days (automatic deletion) | 12 months (in aggregate and anonymous form) | Session cookie: 14 days · Published comments: indefinite (publicly visible) · Any anti-spam IPs: 90 days · Internal technical statistics: only in aggregate form | Time strictly necessary, max 30 days from response | Until subscription cancellation by the user or data deletion request |
Data processed
Navigation data
Access to and browsing of this website occur through a web browser. The IT systems responsible for the operation of this website acquire, during their regular operation, some data whose transmission is implicit in the use of Internet communication protocols. Data necessary for Internet browsing, by their very nature, could allow users to be identified through processing and associations with data held by third parties. This refers in particular to IP addresses (anonymized) or domain names of computers used by users who connect to this website, addresses in URI notation of requested resources, request time, browser type, and operating system used, etc.
Such data are used solely to obtain anonymous statistical information on website use, to verify its proper functioning, and to ensure system security. Web server log data is kept for up to 7 days, after which it is automatically deleted. The data could be used to ascertain responsibility in the event of computer crimes against the website, upon request of the Judicial Authority.
Data voluntarily provided by the user
Comments
Users can leave comments using the Comentario system, an open-source self-hosted software on servers located in the European Union.
Anonymous comments
It is possible to comment completely anonymously, without providing any personal data. In this case:
- no name or email address is required;
- the comment appears as “Anonymous” or with a freely chosen pseudonym;
- no personal data is collected or stored in relation to the comment.
Therefore, for this mode the GDPR does not apply.
Pseudonymous or nominative comments (optional)
The user can choose to indicate an optional name or nickname/pseudonym. In this case, the name (nickname or pseudonym) is publicly visible together with the comment.
The legal basis for these processing operations is the legitimate interest of the controller (art. 6, para. 1, lett. f) GDPR) in allowing and moderating discussion, in compliance with the principles of minimization and proportionality.
Technical session cookie
The comentario_commenter_session cookie (duration 14 days) is necessary for managing the comment session and is a technical cookie exempt from consent.
Internal technical statistics of Comentario (privacy by design)
Comentario does not add tracking scripts or pixels and shows no advertising. However, the software may generate high-level statistics (e.g., visitor’s country, browser, language), calculated server-side and used in aggregate form for technical purposes (service quality/anti-abuse). These statistics do not identify the user; any technical processing of IP addresses for security/anti-spam purposes is limited and subject to a maximum retention of 90 days. Legal basis: legitimate interest of the controller (art. 6(1)(f) GDPR).
The optional, explicit, and voluntary sending of email to the addresses indicated on this website entails the acquisition of the sender’s address, necessary to respond, as well as any other personal data contained in the message. Such data are processed exclusively to respond to messages sent and to fulfill any related requests. Failure to provide personal data for communications or to send any requests prevents their fulfillment. Data are kept for the period strictly necessary for the purposes for which they are processed, no more than 30 days from the response.
Newsletter
This website offers the possibility to subscribe to a weekly newsletter to receive professional updates on Data Protection, Privacy, GDPR, and Artificial Intelligence Law.
Service used
The newsletter is managed through Listmonk, an open-source self-hosted software running on servers located in the European Union (domain: newsletter.nicfab.eu), which guarantees the Controller complete control over the data.
Data collected
- Email address (mandatory): necessary for sending the newsletter
- Name (optional): used to personalize communications
Legal basis
The processing of data for sending the newsletter is based on the explicit consent of the user (art. 6(1)(a) GDPR), acquired through a double opt-in procedure:
- The user fills out the subscription form at https://www.nicfab.eu/newsletter
- The system sends a confirmation email to the provided address
- The user clicks on the confirmation link contained in the email
- Only after confirmation, the subscription becomes active, and the user starts receiving newsletters
This process ensures that:
- Consent is freely given, specific, informed and unambiguous (art. 4, no. 11 GDPR)
- The email address actually belongs to the requester
- Fraudulent subscriptions cannot occur
Purpose of processing
The collected data are used exclusively for:
- Sending weekly newsletter with content related to Privacy, GDPR, AI Act, and Artificial Intelligence Law
- Aggregate statistical analysis (number of subscribers, open rate) to improve content quality
Frequency and content
- Frequency: weekly (every Monday)
- Content: professional legal analysis, regulatory updates, Data Protection Authority provisions, European court decisions, GDPR best practices
- Format: HTML email with professional text, without tracking pixels
Privacy by design
The newsletter configuration respects the principles of privacy by design and data minimization:
- ✓ European Union server (newsletter.nicfab.eu)
- ✓ Mandatory double opt-in (GDPR art. 7)
- ✓ No tracking pixels in emails
- ✓ No profiling of subscribers
- ✓ No sharing with third parties
- ✓ Unsubscribe link present in every email
- ✓ Secure SMTP via Proton Mail (privacy-oriented provider)
- ✓ Encrypted communication (TLS/SSL)
- ✓ Open-source software (Listmonk)
Separate lists by language
The service manages two separate lists:
- Newsletter EN: content in English
- Newsletter IT: content in Italian
A subscription is automatically added to the list corresponding to the language of the page from which the subscription is made.
Data retention
Subscriber data are retained until:
- Voluntary cancellation of subscription via the link present in every email
- Explicit deletion request sent to the Controller
- Prolonged inactivity: if no email is opened for more than 24 consecutive months, the Controller reserves the right to cancel the subscription with prior notice
Data subject rights
Newsletter subscribers can at any time:
- Unsubscribe by clicking on the “Unsubscribe” link present in every email
- Request access to their data (art. 15 GDPR)
- Request rectification of incorrect data (art. 16 GDPR)
- Request deletion (right to be forgotten, art. 17 GDPR)
- Request export of their data in structured format (portability, art. 20 GDPR)
- Withdraw consent at any time (art. 7, para. 3 GDPR)
To exercise these rights: privacy [at] nicfab.eu
Data recipients
Subscriber data are not communicated or transferred to third parties. The following have access to the data:
- The Controller (Nicola Fabiano)
- Any external data processors designated pursuant to art. 28 GDPR (e.g., EU server hosting provider)
Extra-EU data transfer
Newsletter subscriber data is not transferred outside the European Union. All servers used (hosting, PostgreSQL database, Listmonk system, Proton Mail SMTP) are located in the European Union.
Cookies
This website uses exclusively technical cookies strictly necessary for its functioning and to record the user’s privacy choices. No analytical, profiling, or advertising cookies are used.
Technical cookies used
| Cookie Name | Purpose | Duration | Type | Consent Required |
|---|---|---|---|---|
| mtm_consent_removed | Matomo Analytics: remember the user’s choice to disable statistical tracking | 1 year | Technical preference cookie | ❌ No |
| comentario_commenter_session | Comentario: manage the user’s comment session | 14 days | Technical session cookie | ❌ No |
These cookies are exempt from the obligation to obtain prior consent pursuant to Art. 122 of the Italian Privacy Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018) because:
- mtm_consent_removed: necessary to respect the user’s privacy choices (opt-out from tracking);
- comentario_commenter_session: necessary for the functioning of the comment service requested by the user.
Important
- The mtm_consent_removed cookie is created only if the user interacts with the opt-out widget present on the website pages.
- The comentario_commenter_session cookie is created only when the user publishes a comment (either anonymous or identified).
If the user does not use these features, no cookies are installed.
Important note about newsletter: Newsletter subscription does not use cookies. Data are collected through standard HTML forms and sent directly to the Listmonk server via secure HTTPS protocol.
Cookie management in browsers
Cookies from external platforms
In case of sharing the contents of this website on social platforms, the collection and use of information are governed by their respective privacy policies:
Matomo Web Analytics
This website uses Matomo to collect aggregate and anonymous browsing statistics (as specified in the purpose table).
Privacy-first configuration implemented
- ✓ No cookies installed on the user’s device
- ✓ IP address anonymization (last 2 bytes masked)
- ✓ Respect for the “Do Not Track” (DNT) browser signal
- ✓ Aggregate data not attributable to individual users
- ✓ No sharing with third parties
- ✓ Matomo server hosted in the European Union
How to opt out
Users can completely disable Matomo tracking at any time:
- through the banner on the website’s home page;
- through the control at the top of this page;
- by enabling the “Do Not Track” option in their browser settings.
Once tracking is disabled, Matomo will no longer collect any data relating to the user’s browsing on this website.
Comentario comment system
This website uses Comentario, an open-source self-hosted comment system, configured in privacy-friendly mode:
- ✓ No tracking scripts/pixels and no advertising
- ✓ EU-based server (full data control)
- ✓ Anonymous comments allowed (identifying data optional)
- ✓ No sharing with third parties
- ✓ Technical session cookie (exempt from consent)
- ✓ High-level technical statistics (country, browser, language) in aggregate server-side form
Comment modes
- Anonymous: users can comment without providing any identifying data. The comment appears as “Anonymous”.
- Pseudonymous or nominative (optional): the name/pseudonym is public.
Comment management
- Comments are moderated; the Controller reserves the right not to publish or to remove inappropriate, offensive, or spam content.
- Users can request deletion of their comments by contacting the Controller.
Privacy by Design: essential technical cookies
This website has adopted a privacy-first approach using exclusively technical cookies created only upon user request, ensuring:
- ✓ Maximum respect for privacy (only necessary cookies)
- ✓ No consent required (Art. 122 Italian Privacy Code)
- ✓ Cookies created only when the user uses the features (opt-out or comments)
- ✓ No invasive banners; no profiling/advertising
- ✓ Compliance with GDPR, ePrivacy Directive, and Italian Privacy Code
- ✓ Minimization principle
- ✓ Self-hosting of Matomo and Comentario on EU servers
- ✓ Self-hosting of Listmonk for newsletter on EU servers
Browsing statistics are collected through Matomo in cookie-less configuration with strong anonymization, in full compliance with the principle of personal data minimization (art. 5(1)(c) GDPR).
The newsletter does not use any cookies; it collects data exclusively through explicit double opt-in consent.
Recipients
Personal data collected from this website as a result of consultation are not disclosed to recipients or categories of recipients.
For the newsletter service, data are processed exclusively by the Controller and any designated data processors (e.g., a hosting provider), all of whom are located in the European Union.
Personal data retention period
- Web server logs: maximum 7 days, then automatic deletion
- Matomo analytics data: 12 months in aggregate and anonymous form
- Technical cookies: durations indicated in the cookie table (14 days for comment session, 1 year for opt-out)
- Published comments: indefinite (publicly visible until possible deletion request)
- IP addresses (Comentario anti-spam): maximum 90 days
- Email requests: time strictly necessary, no more than 30 days from response
- Newsletter subscribers: until subscription cancellation by the user or explicit deletion request; in case of prolonged inactivity (no email opening for more than 24 consecutive months), with prior notice
Retention periods comply with the principle of storage limitation (art. 5, para. 1, lett. e) GDPR).
Transfer of data to non-EU countries
This website does not share data with services located outside the European Economic Area (EEA).
All servers and services used (hosting, Matomo, Comentario, Listmonk, and Proton Mail SMTP) are located in the European Union.
Security measures
Visitors’/users’ data are processed lawfully and correctly, adopting appropriate measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of data, including:
- Communication encryption (SSL/TLS)
- Anonymization (IP address masking at source)
- Access limitation (access to logs and data only by authorized personnel)
- Regular backups
- Monitoring (detection of unauthorized access/attack attempts)
- Comment moderation (abuse prevention)
- Double opt-in for newsletter (subscriber identity verification)
- Encrypted communications (TLS/SSL for SMTP)
In addition to the Controller, external parties (e.g., hosting providers) may, in some cases, have access to data and be designated as data processors pursuant to Art. 28 GDPR.
Data subject rights
Data subjects can exercise the rights provided by Articles 15–22 GDPR:
- Access (art. 15): obtain confirmation of processing and a copy of the data
- Rectification (art. 16): correct inaccurate or incomplete data
- Erasure (art. 17): request data deletion (right to be forgotten) – including published comments and newsletter subscription
- Restriction (art. 18): restrict processing in specific circumstances
- Portability (art. 20): receive data in structured format (e.g., newsletter subscriber list export)
- Objection (art. 21): object to processing based on legitimate interest
- Withdrawal of consent (art. 7, para. 3): for newsletter, withdrawable at any time via unsubscribe link or by contacting the Controller
To exercise your rights: privacy [at] nicfab.eu.
The Controller will respond without undue delay and, in any case, within one month.
Quick newsletter unsubscribe
To unsubscribe from the newsletter:
- Click on the “Unsubscribe” link present in every email received, or
- Send a request to privacy [at] nicfab.eu
Cancellation will be immediate, and you will no longer receive newsletters.
Right to lodge a complaint
Data subjects who believe that the processing of their personal data carried out through this website violates the GDPR have the right, pursuant to Art. 77, to lodge a complaint with the Italian Data Protection Authority:
Piazza Venezia, 11 — 00187 Rome, Italy
Tel. +39 06.696771 — Fax +39 06.69677.3785
Email: garante@gpdp.it — PEC: protocollo@pec.gpdp.it
Website: https://www.garanteprivacy.it
Last updated: December 2025
