Information for clients regarding the protection of personal data pursuant to art. 13 of the EU Regulation 2016/679
In compliance with the provisions of art. 13 of the EU Regulation 2016/679 (the “GDPR”) and by way of applying the principles set out in the GDPR itself, we are sending you this information to make you aware of the characteristics and processing methods (the “Treatment”) we use for any information you have given us about the relationships set up or established between us and/or that concern a natural person (the “Interested Party”) who is either expressly identified or identifiable from these data (“Personal Data”), including your employees and collaborators. In accordance with art. 4.1. of the GDPR, “an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
1. Data Controller (the “Data Controller”).
The Data Controller responsible for processing the personal data is Pelletterie Bianchi e Nardi S.p.A. (with Tax Code and VAT number 00385830484), having its registered office in Scandicci (FI), Via delle Fonti no. 2, and email email@example.com, in the person of its legal representative pro tempore, Mr Gabriele Bianchi (hereinafter referred to as the “Data Controller”).
Any communications about processing, also pursuant to the following articles, must be sent by you and/or by the data subject, by registered letter with a return receipt, registered PEC or e-mail to the addresses indicated above.
2. Purpose of the Treatment (the “Purposes”) and legal basis.
Personal Data, whether collected from the Data Subject (article 13 GDPR) or not (article 14 GDPR), will be used exclusively for the purposes of:
- fulfilling pre-contractual and contractual obligations relating to you;
- fulfilling and demanding the fulfilment of specific obligations deriving from laws and regulations;
- sending business offers for the purpose of selling products and/or services similar to those already purchased (soft-spam);
- to send the newsletter;
- to carry out the activities of marketing (by paper mail, calls with operators, calls without operators, e-mails, faxes, MMS, SMS) and market research;
- carry out profiling activities in accordance with art. 4.4. GDPR;
The legal basis for this Treatment arises:
- from the need for us to execute a contract, to which the interested party is a party, or for pre-contractual measures adopted at the request of that party;
- from our need to fulfil a legal obligation;
- from the legitimate interests of the Controller (Article 6 letter f) GDPR);
- only for points (iv) et seq., with the express consent that will be freely given by the interested party (article 7 of the GDPR), also by sending e-mails, compilations of an appropriate form and the affixing of the flag required.
With reference to point (v), the Data Controller specifies that in the context of the sale of a product or service, the e-mail details of the interested party may be used by the Data Controller, without prior consent from the Data Subject, for the purpose of offering and selling services similar to those that have already been sold (Article 130, 4 Legislative Decree 196/2003). The interested party may object to this treatment at any time, free of charge, by making a simple written request to the addresses indicated above.
With reference to point (vii), the Data Controller specifies that the interested party may at any time indicate a preferred mode of contact from those listed above, and may object to receiving promotional communications through all or only some of these communication channels.
3. Mandatory/voluntary provision of Personal Data
Communication of your personal data by you is optional, but necessary, because if you refuse to consent, as well as risking the data being communicated incorrectly, it could make it impossible for the Controller to establish the relationship, or to implement the various purposes for which personal data have been collected.
For the same reasons, as well as to properly manage the existing relationship, we also ask you to inform us about any changes to the Personal Data we have already collected, as soon as they arise.
4. Disclosure of Personal Data
Personal data are processed internally by people who are authorised to process the data (the “Authorised”), under the responsibility of the Data Controller, for the purposes indicated above.
Personal data may be disclosed to external personnel, who are responsible for the completion of instrumental and/or accessory functions in the performance of our business activities, who will process said data on our behalf. These people will be appointed by us as External Processing Managers (the “External Managers”), in accordance with the provisions of art. 28 GDPR. An updated list of External Processing Managers is available at the registered office of the Data Controller, and will be provided to the interested party on written request to the aforementioned addresses.
Apart from the aforementioned cases, Personal Data can also be disclosed to additional recipients and/or categories of recipients (the “Recipients” and the “Recipients Categories”), only for performing activities related to a pre-contractual and/or contractual relationship between us and/or to fulfil legal obligations and/or on the orders of the Authorities; this will always be in compliance with the assurances in the GDPR and Italian Authority guidelines, as well as the Commission guidelines established to comply with the aforementioned GDPR.
Without prejudice to the foregoing, Personal Data will never be disclosed and/or communicated to third parties, unless the interested party specifically agrees to it, and only when necessary for the fulfilment of the Purposes.
5. Processing of “particular categories of personal data” and “personal data related to criminal convictions and offences”.
If, as part of the processing, the Data Controller becomes aware of Personal Data relating:
(i) to “particular categories” pursuant to art. 9 GDPR (or those “that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, as well as treating genetic data, biometric data intended uniquely to identify a physical person, data related to health or sex life or to the sexual orientation of the person”), said data should only be processed exclusively for the purposes indicated above with the prior consent of the interested party or, in all cases, only as far as the processing is necessary to fulfil the obligations and exercise the specific rights of the Data Controller or the interested party work and social security and social protection, to the extent that it is authorised by law in the European Union or its Member States or by a collective agreement under the law of the Member States, in the presence of appropriate guarantees for the basic human rights and interests of the interested party;
(ii) to “criminal convictions and offences or related security measures”, pursuant to art. 10 GDPR, the Processing will only take place under the control of a Public Authority or, if the Processing is authorised by the laws of the European Union or those of the Member States which provide appropriate guarantees of the rights and freedoms of Data Subjects. Any comprehensive register of criminal convictions will only be kept under the control of the public authority.
6. Processing methods.
Processing is performed with the aid of electronic and/or paper tools and, in all cases, by adopting procedures, organisational and IT measures that are suitable to protect the security, confidentiality, relevance and non-excessiveness of the data.
7. Territorial scope.
Personal Data will be processed within the territories of the European Union.
If, for technical and/or operational reasons, it is necessary to use bodies that are located outside of this territory, they will be appointed as External Managers, and transfers of Personal Data to them, limited to performing specific processing activities, will be regulated in compliance with the provisions of the GDPR, with all the necessary precautions taken to ensure total protection of the personal data and by basing this transfer on an evaluation of appropriate guarantees (including, for example, decisions about the adequacy of third country recipients expressed by the European Commission, adequate guarantees expressed by the third party recipient pursuant to Article 46 of the GDPR, etc.).
In all cases, the Data Subject may request more details from the Data Controller if Personal Data have been processed outside the European Union, and ask for evidence of the specific guarantees adopted.
8. Retention period.
Personal Data will be retained by the Owner for the period strictly necessary for pursuing the Purposes, and in particular, until the pre-contractual and contractual relations between us are terminated, subject to any further retention period that may be imposed by law.
In relation to marketing purposes, the data will be stored, subject to revocation of consent, for the period needed to achieve the purposes and, in all cases, for a period not exceeding 24 months, or for a different maximum period indicated by the Authority for the protection of personal data.
Where consent is given with reference to profiling Purposes, the data will be stored, subject to revocation of consent, for the period needed to achieve those Purposes and, in any case, for a period not exceeding 12 months, or for a different maximum period indicated by the Authority for the protection of personal data.
To handle any disputes or contentions, and in any case for the assessment, exercise or defence of a legal case in a court, the Personal Data may be kept for a further period, equal to that of the statute of limitations.
9. Methods of issuing information.
In compliance with the principle of proportionality, in view of the evident difficulty, and the excessive burden for the Data Controller to deal with issuing this information directly to every interested party who collaborates or performs activities for your benefit, including your employees and collaborators, we invite you to send this information to the parties involved and, in any event, to inform them that it is available on our corporate website and can be sent by making a written request to the addresses indicated above.
10. Rights of the interested party and methods of operation.
The interested party can, at any time, exercise the rights recognised by the GDPR (the “Rights of the interested party”), and in particular:
- Art. 15 – Right of access of the interested party: the interested party has the right to access their data and related Processes. This right is substantiated by the possibility of obtaining confirmation of whether or not a Personal Data Processing is being performed, or the possibility of requesting and receiving a copy of the data being processed;
- Art. 16 – Right of rectification: the interested party has the right to have inaccurate personal data concerning him rectified by the Data Controller without undue delay. Taking into account the purposes of processing, the data subject will have the right to have incomplete personal data made complete, including by means of providing a supplementary statement.
- Art. 17 – Right to deletion (“right to be forgotten”): the Data Subject has the right to ask the Data Controller to delete Personal Data about him/her, and in some cases, where there is an end, to have it deleted without unjustified delay when the purpose of the Treatment has expired, or when consent has been revoked, opposition has been made to it being processed or where the processing of their personal data is not otherwise compliant with the GDPR;
- Art. 18 – Right to limit processing: the interested party has the right to limit the processing of his/her personal data where there are inaccuracies or disputes, or as an alternative measure to having it deleted;
- Art. 20 – Right to data portability: the interested party, with the exception of situations in which the data are archived by means of non-automated processing (e.g. in paper format), has the right to receive personal data in a structured format, that is commonly used and can be read using an automatic device, when the data refers to him/her, where reference is made to data supplied directly by the interested party, with express consent or on a contractual basis, and to request that these data be transmitted to another data controller, if technically feasible;
- Art. 21 – Right to object: the interested party has the right to object, at any time, for reasons related to his/her particular situation, to the processing of personal data about him/her.
If the interested party wishes to exercise one of the rights listed above, he/she must address the request directly to the Data Controller at the addresses indicated above, apart from the right to lodge a complaint, which should be sent to the Guarantor Authority or by filing an appeal before the competent Court Authority.
The period for replying to the Interested party by the Owner is, for all of the rights (including the right of access) and also in case of denial, 1 month, which can be extended by up to 3 months in particularly complex cases.
In any event, by applying art. 12 GDPR.
11. Withdrawal of consent.
In cases where processing should only take place after the consent of the interested party, and where the latter has provided it, he/she has the right to revoke the consent they have given at any time, by sending a written request to the Holder at the addresses indicated above.
Withdrawal of consent will not affect the lawfulness of any processing based on that consent before it was withdrawn.
12. Right to object.
The interested party has the right to object at any time to the processing of their personal data for the purpose of direct marketing including profiling, in so far as it is related to direct marketing, by sending a written request to the addresses indicated above.
Effective from 25/05/2018