PRIVACY NOTICE PROVIDED PURSUANT TO ARTS. 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)
The data controller provides below the information required by Articles 12, 13 and, where applicable, 14 of the GDPR concerning the processing of personal data supplied by the Customer/data subject when completing and signing the Contract to purchase the products/services offered for sale by the data controller, when voluntarily submitting personal data to this website (in particular by filling in forms), or simply when browsing it.
1. Data controller and contact details
The data controller is MARCHESI SRL, with registered office at VIA CREMONESE 112A 43100 Parma (PR), VAT no. 00143510345, tel. +39 0521671853, e-mail firstname.lastname@example.org, web https://www.marchesi.co.it/ (hereinafter the Site).
2. Principles applicable to the processing
In accordance with the provisions of the GDPR, the data controller constantly strives to ensure that personal data are:
- processed lawfully, fairly and transparently;
- collected for specified, explicit and legitimate purposes, and not further processed in a way that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary for the purposes for which they are processed;
- processed, through appropriate technical and organizational measures, in order to guarantee their security;
- processed, where based on consent, by a decision freely taken by the Customer/data subject, on the basis of a request presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
The data controller adopts appropriate technical and organizational measures to ensure the protection of personal data by design and to ensure that, by default, only the personal data necessary for each specific processing purpose are processed.
The data controller collects and gives the utmost consideration to the suggestions, observations and opinions that the Customer/data subject sends to the addresses indicated above, in order to implement a dynamic privacy management system that ensures effective protection of individuals with regard to the processing of their data.
This notice may change in line with developments in the relevant legislation and the technical and organizational measures progressively adopted by the data controller; the Customer/data subject is therefore requested to visit this section of the Site periodically in order to view the updates and the version of the notice in force at any given time.
3. Methods of processing personal data
Personal data are processed both manually and by electronic means, using logic strictly related to the purposes indicated below and, in any case, so as to guarantee the security and confidentiality of the data.
4. Purpose of the processing of personal data
(4a) Purposes for which processing is necessary
The personal data provided by the Customer/data subject are processed mainly for the performance of the Contract and for credit management and, more generally, for the relationship arising from the Contract itself.
Provision of the data in the Contract, or subsequently during the contractual relationship, for these purposes is mandatory; failure to provide the data, or providing them only partially or incorrectly, therefore makes it impossible to conclude and/or perform the Contract and, for the Customer/data subject, to use the products/services offered by the data controller, and may expose the Customer/data subject to liability for breach of contract.
The personal data provided by the Customer/data subject may also be processed where necessary to comply with a legal obligation to which the data controller is subject, to protect the vital interests of the Customer/data subject or of another natural person, to perform a task carried out in the public interest or in the exercise of official authority vested in the data controller, or to pursue the legitimate interests of the data controller or of third parties, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the Customer/data subject. In these cases too, provision of the data is mandatory, and failure to communicate the data, or communicating them only partially or inaccurately, may expose the Customer/data subject to the liability and penalties provided for by law.
(4b) Additional purposes of processing subject to the specific and express consent of the Customer/data subject
In addition to the above purposes, the personal data provided/acquired may, subject to the consent of the Customer/data subject (expressed by ticking the <<Give consent>> box on the Contract or on the Site, or on other social or web applications of the data controller), also be processed for market research and for commercial and promotional communications, by telephone (including the mobile number provided) and by automated means of contact (e-mail, SMS, MMS, fax, etc.), concerning products/services of the data controller or of companies of the Group to which the data controller may belong.
Consent to the processing purposes referred to in this point (4b) is optional; if consent is refused, the data will be processed only for the purposes indicated in point (4a) above, save as specified below with regard to the legitimate interests of the data controller or of third parties.
5. Categories of personal data processed
The data controller mainly processes identification/contact data (name, surname, addresses, type and number of identity documents, telephone numbers, e-mail addresses, tax/invoicing details, among others) and, in the case of commercial transactions, financial data (of a banking nature, in particular current account identifiers and credit card numbers, among other data connected with those transactions).
The processing carried out by the data controller, both for the performance of the Contract and on the basis of the express consent of the Customer/data subject, does not generally concern special categories of personal data, known as sensitive data (data revealing racial or ethnic origin, political opinions, religious beliefs, health status or sexual orientation, etc.), nor genetic or biometric data, nor so-called judicial data (relating to criminal convictions and offences).
However, it cannot be excluded that the data controller, in order to fulfil the obligations arising from the Contract, may need to store and/or process sensitive, genetic, biometric or judicial data of the Customer/data subject or of third parties, which the Customer/data subject holds as data controller; in that case, the processing by the data controller takes place under the conditions and within the limits set out in the appointment of the data controller as data processor by the Customer/data subject.
The data controller also processes so-called navigation data, as data controller with reference to the Site and, potentially, as data processor appointed (in the terms indicated above) by the Customer/data subject. The computer systems and software procedures used to operate the website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of internet communication protocols. This information is not collected in order to be associated with identified individuals, but by its very nature it could allow the data subject to be identified. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and the addresses of the websites from which the user arrived or to which they left, information on the pages visited within the Site, access time, time spent on each page, analysis of the path followed within the Site and other parameters relating to the operating system and the user's IT environment. This is therefore information which, by its very nature, allows users to be identified through processing and cross-referencing with data held by third parties.
The Site may also use cookies, both session cookies (which are not stored on the user's computer and are deleted when the browser is closed) and persistent cookies, for the transmission of information of a personal nature, as well as other systems for tracking data subjects.
6. Source of personal data
The personal data processed by the data controller are collected directly by the data controller from the Customer/data subject while browsing the Site (or using other social or web applications of the data controller), or, also through its sales representatives, at the time of, or after, the signing of the Contract and during its performance, or from public sources.
As specified above, the data controller, as data processor appointed for that purpose, may, in order to fulfil the obligations arising from the Contract, store and/or process data of third parties, in particular navigation data and potentially sensitive, genetic, biometric or judicial data, which the Customer/data subject holds as data controller and which were acquired, with the prior consent of those third parties, while they were browsing the Site (or using other social or web applications attributable to the data controller).
7. Legitimate interests
The legitimate interests of the data controller or of third parties may constitute a valid legal basis for processing, provided that they are not overridden by the interests or fundamental rights and freedoms of the data subject. In general, such a legitimate interest may exist where there is a relevant and appropriate relationship between the controller and the data subject, for example where the data subject is a customer of the controller. In particular, the data controller has a legitimate interest in processing the personal data of the Customer/data subject: for fraud prevention purposes; for direct marketing purposes; to ensure the free circulation of the data within the business group to which the data controller may belong; and, as regards traffic data, to guarantee network and information security, i.e. the ability of a network or information system to withstand accidental events or unlawful acts that could compromise the availability, authenticity, integrity and confidentiality of the data.
8. Circulation of personal data
(8a) Disclosure of personal data – categories of recipients
In addition to the data controller's employees and collaborators in various capacities (who are authorized to process data by the data controller on the basis of adequate written operating instructions, so as to guarantee the confidentiality and security of the data), some processing operations may also be carried out by third parties to whom the data controller entrusts certain activities, or parts of them, functional to the purposes referred to in point (4a), i.e. in performance of contractual and legal obligations. Among these, by way of a necessarily non-exhaustive list: commercial and/or technical partners; companies providing banking and financial services; companies providing document archiving services; debt collection companies; auditing and financial statement certification firms; rating companies; persons providing professional assistance and consultancy to the data controller; companies carrying out customer care activities; factoring companies, credit securitization companies or other assignees of receivables; companies of the Group to which the data controller may belong; providers of commercial information; IT service companies. Persons in these categories process personal data either as independent data controllers or as data processors, with reference to the specific processing operations falling within the contractual services they perform on behalf of/in the interest of the data controller; the data controller issues adequate written operating instructions to its data processors, with particular reference to the adoption of minimum security measures, so as to guarantee the confidentiality and security of the data.
Some processing operations may also be carried out by third parties to whom the data controller entrusts certain activities, or parts of them, functional to the purposes referred to in point (4b). Among these, by way of a necessarily non-exhaustive list: commercial and/or technical partners; companies that provide marketing services as their core business; advertising agencies; persons providing assistance and advice in relation to contests and prize promotions. Persons in these categories process personal data either as independent data controllers or as data processors, with reference to the specific processing operations falling within the contractual services they perform on behalf of/in the interest of the data controller; the data controller issues adequate written operating instructions to its data processors, with particular reference to the adoption of minimum security measures, so as to guarantee the confidentiality and security of the data.
The list of data processors with whom the data controller has relations, updated periodically, is available upon written request sent to the registered office of the data controller.
Personal data may also be communicated, upon request, to the competent authorities, in fulfilment of obligations arising from mandatory provisions of law.
(8b) Transfer of personal data to third countries
The personal data of the Customer/data subject may also be transferred abroad, both to European Union countries and to countries outside the European Union. In the latter case, the transfer takes place either on the basis of an adequacy decision, or within the scope of and subject to the appropriate safeguards provided for by the GDPR (in particular, standard data protection clauses adopted by the European Commission), or, failing these, on the basis of one or more of the derogations provided for by the GDPR (in particular, the explicit consent of the Customer/data subject; the performance of the Contract concluded by the Customer/data subject; or the performance of a contract concluded between the data controller and another natural or legal person in the interest of the Customer/data subject, in particular for the performance of activities delegated by the data controller in connection with the Contract concluded with the Customer/data subject). In the case of transfers to countries outside the European Union, the Customer/data subject may, upon written request sent to the registered office of the data controller, obtain information on the appropriate safeguards, or the derogations, that legitimize the cross-border processing. In any event, where data are transferred to countries outside the European Union, the Customer/data subject may always validly address any request concerning the data, including for the exercise of the rights recognized by the GDPR, to the data controller.
9. Criteria for determining the retention period of personal data
For the purposes referred to in point (4a) above, the retention period of the personal data provided by the Customer/data subject, and their consequent potential processing, coincides with the limitation period of the rights/obligations (legal, fiscal, etc.) arising from the Contract: essentially 10 years, except where events interrupting the limitation period actually extend that period.
For the purposes referred to in point (4b) above, the retention period of the data provided by the Customer/data subject, and their consequent potential processing, ends upon withdrawal of the consent previously given by the Customer/data subject or, failing that, in any case one year after the termination of any relationship between the data controller and the Customer/data subject.
10. Rights of the Customer/Data Subject
The data controller recognizes, and facilitates the exercise by the Customer/data subject of, all the rights provided for by the GDPR, in particular the right to request access to their personal data and to obtain a copy (Art. 15 GDPR), rectification (Art. 16 GDPR) and erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR, where the conditions are met) and the right to object to processing (Arts. 21 and 22 GDPR, in the cases provided for therein and, in particular, to processing for marketing purposes or processing that results in an automated decision, including profiling, which produces legal effects concerning them, where the conditions are met).
The data controller also recognizes the right of the Customer/data subject, where processing is based on consent, to withdraw that consent at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal. To do so, the Customer/data subject may unsubscribe at any time on the Site (or on other social or web applications of the data controller), use the appropriate link at the bottom of each commercial communication received, or contact the data controller at the contact details given above.
The data controller also informs the Customer/data subject of the right to lodge a complaint with the Garante per la protezione dei dati personali (the Italian Data Protection Authority), as the supervisory authority in Italy, and to seek a judicial remedy against a decision of that Authority, as well as against the data controller and/or a data processor.
11. Security of systems and personal data
Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing and the risk, of varying likelihood and severity, to the rights and freedoms of natural persons, the data controller adopts technical and organizational measures deemed appropriate to ensure a level of security appropriate to the risk, in particular by ensuring, on an ongoing basis, the confidentiality, integrity, availability and resilience of processing systems and services (including through the encryption of personal data, where necessary) and the ability to restore the availability of data promptly in the event of a physical or technical incident, and by adopting internal procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures employed.
In assessing the appropriate level of security, account is taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The data controller takes steps to ensure that any person acting under its authority who has access to personal data does not process those data except on instructions from the data controller.
That said, the Customer/data subject acknowledges and accepts that no security system can guarantee absolute protection with certainty; the data controller is therefore not liable for the acts of third parties who, despite the adequate precautions taken, unlawfully gain access to its systems without authorization.
12. Automated decision-making processes, including profiling
The data controller may carry out automated processing, including profiling, for the purposes referred to in point (4b) above, in order to optimize navigation of the Site (or the usability of other social or web applications of the data controller) and to improve the shopping experience, without prejudice to what is specified above regarding the rights of the Customer/data subject to object and to withdraw consent.
Profiling means any form of automated processing of personal data aimed at evaluating certain aspects relating to a natural person, in particular to analyze or predict aspects concerning, for example, that person's personal preferences, interests or location, including in order to create profiles, i.e. groups of individuals that are homogeneous in terms of characteristics, interests or behaviour.
The data controller does not carry out any automated processing that produces legal effects concerning the Customer/data subject or similarly significantly affects them, unless this is necessary for entering into or performing the Contract, is authorized by law, or is based on the explicit consent of the Customer/data subject; in any case the Customer/data subject retains the right to obtain human intervention, to express their point of view and to contest the decision.