PURSUANT TO ARTICLES 13 AND 14 OF THE (“GDPR”) 2016/679 (UE) REGULATIONS AND SUBSEQUENT NATIONAL ADJUSTMENT RULES
This document (“Policy”) provides you indications regarding the information processing, described as follows, regarding details provided by You or anyway the ones available at our company, processed by our company and/or other subsidiaries for the purposes listed below. The Policy, in particular, is issued pursuant to the (“GDPR”) UE Regulations No 679/2016 and subsequent national adjustment rules (together with the GDPR, hereinafter “Applicable Law”).
1. Identity and contact data of the data Controller
Pursuant to art. 4 and 24 of the UE 2016/679 Regulations, the Data Controller is Vichi srl–VICHI s.r.l., Viale Mutilati e Invalidi del Lavoro 102 63100 – Ascoli Piceno P.Iva: 02368650442, firstname.lastname@example.org, in the person of the pro-tempore legal representative (hereinafter “Controller”).
Site of data processing
The data processing related to the web services of this site is carried out at the Vichi srl above-mentioned offices and is only handled by the technical staff in charge of data processing. In case of necessity, the data connected to some services may be processed by persons belonging to societies which have in charge the maintenance of the site’s technological aspect (appointed responsible of the processing pursuant to the article 29 of the Code in terms of personal data protection), at their respective offices. An updated list of these responsibles is available at Vichi srl offices.
2. Contact data of the Data Protection Responsible (c.d. “RPD-DPO”)
The Data Controller does not carry out any activities which envisage the designation of the Personal Data Protection Responsible.
3. Processing purpose and legal basis
The collected Personal Data will be treated for the purposes and in accordance with the legal basis as follows:
Processing legal basis section 3, lett. a): for Your contractual relationship management that is pre-contractual provision executing (as, for example, the information or quotation request). In this case, You are free to communicate also particular Personal Data; however the lack of the personal detail provision will not allow You to establish the relationship described above and satisfy Your request. The processing is necessary for a contract execution where You take part
section 3, lett. b): upon Your specific consent, in order to send you (i) promotional communications related to the Controller and (ii) communications related to events organized by the Controller (hereinafter “marketing purposes”)
4. Processed personal data categories (pursuant to art. 14)
In the limits of the purposes and methods described in this Policy it will be possible to process information that can be considered “Personal Data”, which include Your personal details and contact information (as, for example, phone number, e-mail address, etc.).
5. Recipients and recipient categories
The personal data will not be spread, so will not be disclosed to any undetermined subject. They can be communicated to very defined subjects, in full compliance with legal requirements, for purposes which are closely related to the ones previously indicated. Any access to Your personal data is limited to the subjects authorized by the Controller. The communication to the identified recipients, only if involved and functional, is linked to the achievement of the purposes referred to in section 3 above, therefore the personal data collected and processed may be:
a) used anonymously for statistical purposes;
b) made available to the Data Controller’s collaborators, as Managers or persons authorized to process personal data;
c) disclosed to third parties, physical or legal, public administrations, professionals, law enforcement agencies, government agencies, regulatory bodies, courts or other public authorities authorized by law;
d) communicated to commercial partner, only in case of previous and expressed User’s consent;
e) if necessary, transferred to another Data Controller in accordance with the provisions of the GDPR, also with regard to the data portability right.
The information may also be communicated whenever the communication may be necessary to comply with requests from the Judicial Authority or Public Security. The collected data will in no case be disclosed.
The list of persons in charge of processing personal data is available at the headquarters of the Data Controller.
6. Data transfer abroad
The data will not be transferred outside the European Community.
7. Data retention period (determination criteria)
Below there is a table that contains the indications of the retention time (i.e. the determination criteria) of personal data:
section 3, lett. a): contract management
For the entire duration of the relationship and subsequently for 10 years (ordinary prescription).
section 3, lett. b): marketing purposes
2 years from collection, with the possibility for the interested party to modify and/ or revoke his/ her will at any time
8. Data processing methods
Personal Data will be processed using manual, computerized or telematic tools, suitable for guaranteeing security and confidentiality, and will be carried out by personnel properly trained in compliance with the Applicable Law. There is no automated decision making process.
In addition to cases in which it is necessary to contact you for needs related to the management of Your position, where You consent to the processing of Your data for the purposes referred to in section 3, lett. b), you can be contacted by e-mail, newsletter, text message, or through any equivalent electronic tool or by paper based mail or call via operator to all the contact details provided.
9. Rights of the Data Subject
We inform you that you will be able to exercise the rights recognized by the Applicable Law including, but not limited to, the right:
a) to access Your Personal Data and to know the origin and purposes of the processing, the data of the subjects to whom they are communicated, the retention period of the data or the criteria necessary to determine it (art.15);
b) to request the correction (art.16);
c) to the cancellation (“oblivion”), if no longer necessary, incomplete, erroneous or collected in violation of the law (art.17);
d) to request that the processing be limited to a part of the information concerning You (art.18);
e) to receive in a structured format or to transmit to You or to third parties indicated by You the information concerning you (so-called “portability”) or those that you have voluntarily provided (art. 20), as far as it is technically possible;
f) to oppose their processing based on legitimate interest (art. 21);
g) and to revoke Your consent at any time, if this constitutes the basis of the processing (the revocation of consent, however, does not affect the lawfulness of the processing based on the consent made before the revocation itself).
The aforementioned rights may be exercised by means of a written request addressed without formalities to the Contracting Parties [i.e. to the DPO/ DPOs] to the contacts indicated in sections 1 and 2.
The Controller must proceed in this direction without delay and, in any case, no later than one month after receipt of the request. The deadline may be extended by two months if necessary, taking into account the complexity and the number of requests received from the Data Controller. In such cases, the Data Controller within one month of receiving your request will inform you about the reasons of the extension.
The Controller reminds you that, if the response to Your requests was not satisfactory in Your opinion, You can contact and submit a complaint with the Authority for the Protection of Personal Data (http://www.garanteprivacy.it/) in the manner provided by the Applicable Regulations.
Revision: May, 2018