Privacy Policy

PRIVACY INFORMATION FOR THE AUTHORIZATION OF THE TREATMENT OF PERSONAL DATA

 

Pursuant to the combined provisions of Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data" (Consolidated Act on Privacy)

and of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

relating to the protection of individuals with regard to the processing of personal data

as well as the free movement of such data henceforth also only “GDPR”

 

 

WHEREAS

 

1. that the GDPR, published in the Official Journal of the European Union (OJEU) L. 119 of 4 May 2016 and, pursuant to art. 99 of the GDPR, entered into force on 25 May 2016 and will be compulsorily applied in each Member State from 25 May 2018;

 

2. that, until the issuance of measures aimed at adapting the national regulatory framework to the provisions of EU Regulation no. 679/2016 (GDPR), the application of the Privacy Code (D.lgs.n.196/2003) is also necessary, even if, within the limits of what this will not be incompatible with the provisions contained in the GDPR itself;

 

3. which, therefore, without prejudice to what is already provided for and governed by Legislative Decree n.196/2003, the GDPR, with the exceptions provided for in article 2, applies to the wholly or partially automated processing of personal data and to non-automated processing of personal data contained in a file or intended to appear therein;

 

4. which, according to the provisions of theart. 5 GDPR (“Principles applicable to the processing of personal data"), the personal data of the interested party are processed according to the principles of

 

• of legitimacy that is, compliance with the rules; of correctness that is, compliance with non-codified ethical and deontological rules; and of transparency or guarantee of awareness of the interested party, traceability of the data e disclosure at any time at the request of the interested party (letter a);

• Of "purpose limitation” or collected for specific, explicit and legitimate purposes as well as subsequently processed in ways that are not incompatible with these purposes (letter b);

• Of "data minimization” or collected in an adequate, pertinent and limited way to what is necessary with respect to the purposes for which the same data are processed (letter c);

• Of "accuracy” or collected in an exact way and, if necessary, updated as well as canceled or corrected in the event of their ascertained inaccuracy (letter d);

• Of "limitation of conservation” or stored in a form that allows the identification of the interested parties for a period of time not exceeding that functional to the achievement of the purposes for which the same data are processed (letter e);

• Of "integrity and confidentiality” or processed in such a way as to guarantee adequate security of personal data, including their protection through adequate technical and organizational measures, from unauthorized or unlawful processing or from accidental loss, destruction or damage (letter f);

 

5. that, in particular, the treatment is “lawful” if, and to the extent that, cf. art. 6 GDPR (“Lawfulness of processingat least one of the following conditions is met:

 

• the interested party has given his consent to the processing of his personal data for one or more specific purposes (letter a);

• the processing is necessary for the execution of a contract of which the interested party is a part or for the execution of pre-contractual measures adopted at the request of the same (letter b);

• the processing is necessary to fulfill a legal obligation to which the data controller is subject (letter c);

• the processing is necessary to safeguard the vital interests of the data subject or of another natural person (letter d);

• the treatment is necessary for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller (letter e);

• the processing is necessary for the pursuit of the legitimate interest of the data controller or of third parties, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail, in particular if the data subject is a minor (letter f).

 

all of the above, in compliance with the regulatory provisions referred to inart. 13 (“Information to be provided if personal data is collected from the data subject”) – Section 2 (“Information and access to personal data") of the GDPR, and pursuant toart. 13 (“Disclosure”) of the Legislative Decree n.196/2003

 

Identification of the "Data Controller"

 

(see definition "Holder of the treatment" point 7 - art. 4 “Definitions” GDPR: “natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of processing personal data” and definition “Holder"letter f) - art. 4 "Definitions" Legislative Decree 196/2003: "the natural person, the legal person, the public administration and any other body, association or body, which are also responsible jointly with another owner, decisions regarding the purposes, methods of processing personal data and the tools used, including the security profile"):

 

Object and Methods of Treatment:

 

(see definition "Treatment” – art. 4 "Definitions" GDPR: “any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction” and definition “Treatment” – letter a) art. 4, Legislative Decree 196/2003: “any operation or set of operations, carried out even without the aid of electronic tools, concerning the collection, registration, organization, conservation, consultation, processing, modification, selection, extraction, comparison , the use, interconnection, blocking, communication, dissemination, cancellation and destruction of data, even if not registered in a database” see definition of "Personal Data” point 1 – art. 4 "Definitions" GDPR: “any information concerning an identified or identifiable person ("interested") considering "identifiable" the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data , an online identifier or one or more characteristic elements of its physical, physiological, generic, psychic, economic, cultural or social identity”); and definition "Personal Data” – letter b), art. 4, Legislative Decree 196/2003: “any information relating to a natural person, legal person, organization or association, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number”;

 

The owner processes the personal identification data provided by the interested party.

The processing of personal data is carried out on the basis of the operations indicated in article 4, n.2), GDPR and by art. 4, letter a), Legislative Decree n.196/2003 and precisely: collection, also, through the aid of electronic and automated tools; registration for specific, explicit and legitimate purposes and use in further processing operations, however, compatible with these purposes; organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.

The data will be processed in compliance with the necessary security and confidentiality and will be subjected to both paper and electronic and / or automated processing.

The Data Controller will process personal data for the time necessary to fulfill the aforementioned purposes, taking care to keep them, however, within the limits of what is specified below.

 

Purpose of the processing for which the personal data are intended:

 

The data is collected and processed here:

 

1. without express consent (see art. 24, Legislative Decree n.196/2003 and see art. 6 GDPR), for the following Service purposes:

 

• conclude the contracts for the services of the Owner

• fulfill the pre-contractual, contractual and tax obligations deriving from existing relationships with the interested party;

• fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority;

• prevent or detect fraudulent activity or abuse harmful to the website;

• exercise the rights of the owner, for example the right to defense in court.

 

2. only with specific and distinct consent (see art. 7 GDPR), for the following Marketing purposes:

 

• send via e-mail, post and/or sms and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and survey of the degree of satisfaction with the quality of the services offered, notifying that, where the If the interested party is already our customer, we will be able to send commercial communications relating to the Data Controller's services and products similar to those which the interested party has already used, unless opposed (see Article 21 of the GDPR);

• send by e-mail, post and / or text message and / or telephone contacts, commercial and / or promotional communications from third parties (for example: business partners, insurance companies, etc.);

 

Clarifications regarding the treatment for "Marketing purposes" and of "Profiling”

 

For the benefit of the interested party, the following is specified:

 

1. The personal data collected will also be processed to pursue commercial promotion purposes, advertising communication, solicitation of purchasing behavior, market research, surveys (also by telephone, online or using forms), statistical processing (in identification form), other research marketing samples in the broadest sense of products and/or services referable to the Company (hereinafter, collectively, "Processing for Marketing Purposes”) both through “generic” marketing and “profiled” i.e. consequent to "profiling activity”(see definition "Profiling"- art. 4 “Definitions”: “any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person [...]")

2. In any case, even where the interested party has given consent, he will in any case remain free to revoke it, modifying the consent settings in the area "Communication and Privacy” of the site. Following receipt of this request from opt-out, the Data Controller will promptly remove and cancel the data from the databases used for the "Processing for Marketing Purposes" and of "Profiling” and will inform any third parties to whom the data have been communicated for the same purposes of cancellation.

3. If - for the purposes illustrated above - the indication of the telephone number of the interested party is required and the latter has given the optional and specific consent (which also covers the processing of such personal data) for the purposes of commercial promotion, marketing and profiling profiles illustrated above, the Data Controller informs the interested party that he will be able to legally process the telephone user for marketing and profiling purposes even if it is registered in the Public Opposition Register, as it is taken from a source other than the public telephone directories and covered by specific consent, except for the right to object following treatment where consent is formally revoked.

4. We inform you specifically and separately, as required by art. 21 of the GDPR that the interested party has the right to object at any time to the processing of personal data concerning him carried out for these purposes and that if the interested party opposes the treatment for direct marketing and profiling purposes, the personal data will not be able to can no longer be processed for these purposes.

 

Rights of the interested party:

 

In compliance with the provisions of art. 7, D.lgs.n.196/2003 and GDPR the interested party can exercise the following rights

 

• ask the data controller foraccess to personal data in order to be able to confirm whether or not personal data concerning him is being processed and, in this case, to obtain all the necessary information according to what is better provided for and governed by thearticle 15 “Right of access of the interested party” GDPR, and article 7, paragraph 1, Legislative Decree n.196/2003;

• ask the data controller for the rectification of personal data inaccurate that concern him as well as the integration of incomplete ones according to what is better foreseen and governed by thearticle 16 “Right of rectification” GDPR and article 7, paragraph 3, letter a), Legislative Decree n.196/2003;

• ask the data controller for the deletion of personal data concerning him in the event that the data are no longer necessary with respect to the purposes for which they were collected or otherwise processed (letter a); the interested party has revoked the consent or there is no legal basis for the treatment (letter b); the interested party has opposed the processing pursuant to art. 21, paragraphs 1 or 2, and there are no prevailing reasons to proceed, in any case, with the treatment (letter c); the processing is unlawful (letter d); the deletion of data constitutes fulfillment of a legal obligation to which the data controller is subject (letter e); where the hypothesis provided for by article 8, paragraph 1 (letter f) exists, all - in any case - according to what is better provided for and governed byarticle 17 “Right to erasure (“right to be forgotten”) GDPR and article 7, paragraph 3, letter b), Legislative Decree 196/2003;

• obtain from the data controller the limitation of processing same when: the data subject disputes the accuracy of the personal data (in this case within the time limit necessary to verify the accuracy of such data - letter a); in the event of unlawful processing, the interested party opposes - however - the cancellation of the data by requesting, instead, that its use be limited (letter b); regardless of the fact that the data controller no longer needs it for the purposes of the treatment itself, the interested party needs to keep the data for purposes of assessment, exercise or defense in court (letter c); the interested party has opposed the processing pursuant to art. 21, paragraph 1, pending the verification of the possible prevalence of the legitimate reasons of the owner with respect to those of the interested party (letter d), all - in any case - according to what is better provided for and regulated in thearticle 18 “Right to limitation of treatment”;

• at any time, for reasons connected with your particular situation, oppose the treatment of personal data concerning him, pursuant to article 6, paragraph 1, letters e) of), including the profiling on the basis of these provisions, as well as in the case of data processing for marketing purposes including, also, in this case, profiling to the extent that it is connected to such direct marketing. All, in any case, according to what is better foreseen and regulated in thearticle 21 “Right to object” GDPR and article 7, paragraph 4, letters a) and b), Legislative Decree n.196/2003;

• get the data portability according to what is better foreseen and regulated in thearticle 20 “Right to data portability”;

• at any time, withdraw your consent to the processing of data without this affecting the legitimacy of the treatment based on the consent before the revocation. All, in any case, according to what is better provided for and governed by thearticle 7 “Conditions for consent”.

• propose a complaint to a Supervisory Authority with the task of supervising the application of the GDPR in order to protect the fundamental rights and freedoms of individuals with regard to the processing of personal data. All this, in any case, according to what is best provided for and governed by the articles 51 et seq. “Supervisory authority”;