1. Identity and contact details of the Data Controller and Processors
The Data Controller is COMPANY NAME with headquarters at COMPANY ADDRESS, with V.A.T. ID COMPANY VAT I.D.
You are informed in the sense of Art. 13 EU Regulation No. 2016/679 (hereinafter, “GDPR”) that your data will be processed in the following ways and for the following purposes:
2. Subject of Processing
COMPANY NAME processes personal, identifying data (e.g. forename, surname, company name, address, telephone, email – hereinafter “personal data” or “data”) communicated by you when concluding contracts for services provided by COMPANY NAME or for the conclusion of supply contracts between the parties as well as in relation to the data communicated for the provision of services also in collaboration with other Bodies and Companies that act as Data Controllers as far as they are concerned.
3. Purpose of the processing and legitimate interests
Your personal data are processed without your express consent (Art. 6 lit. b), e) GDPR), for the following Service Purposes:
- the data are processed by COMPANY NAME as Data Controller because the processing is necessary for the execution of a contract to which the data subject is a party or for the execution of pre-contractual measures dictated at the request of the same (personal data relating to contracts or pre-contractual activities with customers and suppliers)
- to comply with obligations laid down by law, regulation, Community legislation or an order of the Authority (e.g. in the field of anti-money laundering);
- to exercise the rights of the Data Controller, for example the right of defence in legal proceedings
4. Recipients of personal data and communication of data
Your data may be made accessible for the purposes referred to in Art. 2
- to the Data Controller’s employees and collaborators, including external ones, in their capacity as data processors and/or system administrators
- to tax consultants, legal advisors, or banks for the provision of their services (accounting, contracts, etc.), operating as Data Controllers
- to other Companies in partnership with COMPANY NAME for the management of outsourced services that operate as Data Controllers
Personal data is stored on servers located within the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to move the servers even outside the EU. In this case, the Data Controller assures from now on that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, subject to the standard contractual clauses provided by the European Commission.
Without the need for express consent art. 6 lit. b) and c) GDPR), the Data Controller may communicate your data for the purposes referred to in art. 2 to Supervisory Bodies (such as IVASS), Judicial Authorities, as well as to those subjects to whom the communication is mandatory by law in order to fulfil the said purposes. These subjects will process the data in their capacity as independent data controllers.
5. Means of processing and storage period
The processing of your personal data is carried out through the operations indicated in Art. 4 no. 2) GDPR and, specifically: collection, recording, organisation, storage, consultation, processing, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data is manually processed both on paper and electronically. The Data Controller will process personal data for the time necessary to fulfil the above purposes and in any case for no longer than 10 years from the termination of the relationship for the Service Purposes.
6. Rights of the Data Subject
As Data Subject, you have the rights stipulated in Art. 15 GDPR, that is specifically the right to:
- obtain confirmation of the existence or not of personal data concerning you, even if not yet recorded, and their communication in an intelligible form;
- obtain indication of: a) the origin of the personal data; b) the purposes and methods of processing; c) the software used in case of processing carried out with the aid of electronic instruments; d) the identity of the Data Controller, Data Processors and the Data Protection Officer appointed under Art. 3, paragraph 1, GDPR; e) the subjects or categories of persons to whom the personal data may be communicated or who can learn about them as appointed Data Protection Officer in the State, processors or agents;
- obtain: a) updating, rectification or, when interested therein, integration of data; b) cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) certification to the effect that the operations as per lit. a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
- object to, in whole or in part: a) for legitimate reasons, the processing of personal data concerning you, even if pertinent to the purpose of collection; b) the processing of personal data concerning you for the purpose of sending advertising materials or direct selling or for carrying out market research or commercial communication, through the use of automated calling systems without the intervention of an operator by email and/or through traditional marketing methods by telephone and/or paper mail. It should be noted that the right of opposition of the data subject, set out in point b) above, for direct marketing purposes by automated means extends to traditional marketing methods and that in any case the data subject may exercise the right of opposition even only in part. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither.
- demand the rectification of your personal data if they are modified and do not correspond to those previously acquired or communicated (art. 16)
demand the deletion of the data (“right to be forgotten” Art. 17). COMPANY NAME, in one of the following cases, shall proceed to delete the data from all databases and archives where it is contained:
- the personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
- the data subject revokes previously granted consent, and there is no other legal basis for the processing;
- the data subject opposes processing within the meaning of Article 21(1) and there are no overriding legitimate grounds for processing, or opposes processing within the meaning of Article 21(2);
- the personal data have been processed unlawfully;
- the personal data must be erased in order to comply with a legal obligation under Union law or the law of the Member State to which the Data Controller is subject;
- the personal data have been collected in connection with the provision of information society services referred to in Article 8(1).
Right of limitation of processing (Art. 18). The data subject has the right to obtain from the data controller the limitation of the processing when one of the following cases occurs:
- the data subject contests the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such data;
- the processing is unlawful and the data subject opposes the deletion of personal data and asks instead that its use be restricted;
- although the data controller no longer needs them for the purposes of processing, the personal data are necessary for the data subject to ascertain, exercise or defend a right in court;
- the data subject has objected to the processing pursuant to Article 21(1), pending verification as to whether the legitimate reasons of the data controller take precedence over those of the data subject.
Right of opposition (Art. 21-22): The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Article 6, paragraph 1, lit. e) or f), including profiling on the basis of those provisions. COMPANY NAME shall not subject the data to decisions based solely on automated processing.
COMPANY NAME shall notify each data subject of any corrections, restrictions or deletion of data.
COMPANY NAME shall refrain from further processing of personal data unless there are compelling legitimate reasons for processing that prevail over the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of a right in court.
For the data that the COMPANY NAME processes for marketing purposes, the rights of the data subject are expressed in the specific Information on data processing for marketing purposes.
7. Methods of exercising rights
You may exercise your rights at any time by sending:
- an email addressed to COMPANY EMAIL
8. Nature of the provision of data and consequences of refusal to respond
The provision of data for the purposes set out in Art. 2. is mandatory. In their absence, we will not be able to guarantee you the services of Art. 3