INFORMATION NOTICE IN ACCORDANCE WITH ART. 12, 13 AND, IF APPLICABLE, 14 OF THE GDPR – (EU) REGULATION 2016/679 RELATED TO THE PROTECTION OF NATURAL PERSONS, REGARDING THE PROCESSING OF PERSONAL DATA (HEREINAFTER REFERRED TO AS GDPR)
The data controller hereby reports the information notice, in accordance with art. 12, 13 and, if applicable, 14 of the GDPR, related to the protection of personal data provided by the Client/party concerned through the completion and signing of the Contract for the purchase of products/services offered for sale by the same data controller, by voluntarily uploading personal data on this website (specifically through the completion of the form) or by simply browsing the same.
1. Data Controller and Contact Info
The Data Controller is AL.GI.PA. S.R.L.S. SOLE-SHAREHOLDER COMPANY, with office in Castellanza, Via Buon Gesù, 3, Tax Code 03488470125, VAT 03488470125, tel. +39 3406498506, e-mail firstname.lastname@example.org, web http://www.formicamica.com/
2. Principles Applicable to Processing
In compliance with what is prescribed by the GDPR, the data controller shall constantly strive to ensure that the personal data is:
- processed legally, correctly and transparently;
- collected for the explicit and legitimate purposes established, and subsequently processed under the methods compatible with said purposes;
- appropriate, pertinent and limited to what is necessary for the purposes for which it is processed;
- accurate and, if necessary, updated;
- stored for a period of time not exceeding the achievement of the purposes for which it is processed;
- processed, through suitable technical and organizational measures, in such way so as to guarantee security;
- processed, by virtue of consent, under the voluntary decision of the Client/party concerned, based on a request presented in a manner clearly distinguishable from the rest, in a comprehensible and easily accessible format, using simple and clear language.
The Data Controller shall adopt the adequate technical and organizational measures to ensure the protection of the personal data from the time of its planning, and to guarantee that only the necessary data is processed for each specific processing purpose, by default.
The Data Controller shall collect and safeguard with the utmost consideration the indications, comments and opinions of the Client/party concerned sent to the aforementioned contacts, in order to implement a dynamic privacy management system that ensures effective protection of persons, with regards to the processing of their data.
This information notice may be modified, in coherence with the evolution of the reference regulations and the technical and organizational measures adopted along the way by the Data Controller; the Client/party concerned, therefore, is urged to periodically visit this section of the Website, in order to view updates and the Information Notice text updated from time to time.
3. Methods of Personal Data Processing
The processing of the personal data is performed manually and with electronic tools, through logics strictly correlated to the purposes indicated below and, in any case, in such a way so as to guarantee the security and confidentiality of said data.
4. Purposes of Personal Data Processing
(4a) The purposes for which the data processing is required
The data provided by the Client/party concerned is primarily processed for the fulfillment of the Contract and management of credit, and in general, the relationship deriving from the same Contract. The conferment of the data in the Contract or afterwards, during the contractual relationship, for the purposes of the processing in question is mandatory; therefore, the lack, partial or inaccurate conferment of said data shall render the stipulation and/or fulfillment of the Contract impossible, and prohibits the Client/party concerned from benefitting from the products/services offered by the Data Controller, potentially exposing the Client/party concerned to liability due to breach of contract. The personal data provided by the Client/party concerned may be processed if such is required to fulfill a legal obligation which the data controller is subject to, for safeguarding the vital interests of the Client/party concerned or another natural person, for implementing a task of public interest or connected to the exercising of public powers which the data controller possesses, or for pursuing the legitimate interest of the data controller or third parties, under the condition that the interests or rights and fundamental freedoms of the Client/party concerned do not prevail; even in these cases, the conferment of the data is mandatory and, therefore, the lack, partial or inaccurate communication of said data may expose the Client/party concerned to potential liability and sanctions foreseen by the Legal System.
indicated in the previous point (4a), notwithstanding what is indicated below concerning the legitimate interests of the data controller or third parties.
5. Categories of personal data processed
The data controller processes primarily identification/contact data (name, surname, addresses, identification document types and number, telephone numbers, e-mail addresses, of a fiscal/invoicing nature, and other) and, if there are business transactions involved, financial data (of a banking nature, specifically identification numbers of bank accounts, credit card numbers, and other, connected to the previously mentioned business transactions). The processing performed by the data controller, as well as the implementation of the Contract effective under the consent expressed by the Client/party concerned, does not generally concern specific categories of personal data known as sensitive (that reveal the race or ethnicity, political opinions, religious beliefs, state of health or sexual orientation, etc.), nor genetic and biometric data or data considered judicial (related to criminal convictions and offences).
However, the data controller cannot exclude having to store and/or requiring processing sensitive, genetic and biometric or judicial data of the Client/party concerned or third parties, which the Client/party concerned has while acting as the data controller, for the purposes of fulfilling the Contract obligations; in the event in question, processing by the data controller shall occur under the conditions and within the limits referred to in the appointment of the same data controller as processor, by the Client/party concerned.
The data controller shall also process, in the role of data controller of the Website, and potentially of processor assigned to said task (under the terms indicated above) by the Client/party concerned, the so-called browsing data. The computerized systems and software procedures responsible for the operation of the internet sites acquire, throughout their usual operation, some personal data, the transmission of which is implied in the use of internet communication protocols. This is information that is not collected to be associated with identified individuals, but rather, due to their nature, may allow for the identification of the party concerned. The following data falls under this category: geolocalization, IP addresses, browser type, operating system, domain name and website addresses from where the access or exit was performed, information on the pages visited by the user within the site, access time, duration of stay on a single page, internal path analysis and other parameters related to the operating system and the IT environment of the user. Therefore, it is information that allows for the identification of users, due to its nature, through elaborations and associations.
6. Source of the Personal Data
The personal data that the data controller processes is collected directly by the same data controller from the Client/party concerned at the time of, and during, the browsing of this Website (or by using other social or web applications of the data controller), as well as through business tools in the event of or the subsequent signing of the Contract, during its implementation phase, or from public sources.
As specified above, the data controller, acting as the appointed processor, may store and/or process data for the purposes of fulfilling the requirements deriving from the Contract, specifically browsing data, and potentially even sensitive, genetic and biometric or judicial data, or that of third parties which the Client/party concerned may have while acting as the data controller, acquires, upon prior consent by said third parties, at the time of, and during, the browsing of the Website by the same third parties (by using other social or web applications attributable to the data controller).
7. Legitimate Interests
The legitimate interests of the data controller or third parties may constitute valid legal grounds for the processing, under the condition that the interests or rights and the fundamental freedoms of the party concerned do not prevail. In general, these legitimate interests may exist when a pertinent and appropriate relationship exists between the data controller and the party concerned; for example when the party concerned is a client of the controller. More specifically, it is in the legitimate interest of the data controller to process personal data of the Client/party concerned in the following instances: for the purposes of preventing fraud, for the purpose of direct marketing, for ensuring the free movement of said data within the business Group which the data controller may belong to, or related to traffic, for the purpose of guaranteeing network and information security, meaning the ability of a network or a system to resist unexpected events or illicit acts that may compromise the availability, authenticity, integrity and confidentiality of data.
8. Movement of Personal Data
(8a) communication of personal data – categories of recipients
In addition to employees and collaborators of the data controller (who are authorized by the same data controller to process the data following adequate written operational instructions, in order to guarantee the confidentiality and security of the data), some processing operations may even be performed by third parties, which the data controller has entrusted with certain activities, or part of them, functional to the purposes referred to in point (4a), thus for the fulfillment of contractual obligations as well as legal. Among these third parties, inevitably but nevertheless not limited to, are: business partners and/or technicians; companies providing banking and financial services; companies performing document archiving services; credit collector companies; accounting revision and financial statements certification companies; rating companies; parties carrying out, on behalf of the data controller, professional consulting and assistance activities; companies that provide customer care; factoring, securitization of receivables or other transfers of receivables companies; companies of the Group which the data controller potentially belongs to; parties that provide business information; IT services companies. The parties belonging to the aforementioned categories shall process the personal data acting as independent data controllers, or as processors, with regards to specific processing operations that fall under the contractual services that the same parties provide for/in the interest of the data controller; the data controller shall impart to the processors adequate written operational instructions, with particular reference to the adoption of the minimum security measures, in order to guarantee the confidentiality and security of the data.
Some processing operations may be performed by third parties, which the data controller has entrusted with certain activities, or parts of them, even functional to the purposes referred to in point (4b). Among these third parties, inevitably but nevertheless not limited to, are: business partners and/or technicians; companies providing marketing services institutionally; advertising agencies; parties providing consulting and assistance with regards to contests or prize operations. The parties belonging to the aforementioned categories shall process the personal data acting as independent data controllers, or as processors, with regards to specific processing operations that fall under the contractual services that the same parties provide for/in the interest of the data controller; the data controller shall impart to the processors adequate written operational instructions, with particular reference to the adoption of the minimum security measures, in order to guarantee the confidentiality and security of the data.
A list of the processors that the data controller deals with is available, via written request forwarded to the offices of the data controller, subject to periodical updating.
Furthermore, the personal data may be communicated, if requested, to competent authorities for the fulfillment of requirements deriving from mandatory laws.
(8b) Transfer of Personal Data to Third-party Countries
The personal data of the Client/party concerned may also be sent abroad, both to European Union Countries as well as Countries outside of the European Union and, in the latter case, based on a decision of adequacy or under and with the adequate guarantees foreseen by the GDPR (in essence, specifically, in the presence of contractual clauses for the protection of data approved by the European Commission), or, outside of the aforementioned situations, using one or more of the derogations provided for by the GDPR (specifically, with the explicit consent of the Client/party concerned, or for the implementation of the Contract signed by the Client/party concerned, or for the implementation of a contract entered into between the data controller and another natural or juridical person on behalf of the Client/party concerned, particularly for the performance of activities demanded by the data controller for the fulfillment of the Contract signed by the Client/party concerned). For situations where the data is transferred to Countries outside of the European Union, the Client/party concerned is allowed, with a prior written request to be sent to the offices of the data controller, to know the adequate guarantees, or the derogations, that legitimize the processing across borders. It is understood that, in the event the data is transferred to Countries outside of the European Union, for each request inherent to the data, even for the exercising of the rights recognized to the Client/party concerned by the GDPR, the latter may always faithfully contact the controller.
9. Criteria for determining the period of time the personal data is stored
For the purposes referred to in the previous point (4a), the period of storage of the personal data released by the Client/party concerned, and the consequent potential processing thereof, coincides with the prescription period of the rights/duties (legal, fiscal, etc.) deriving from the Contract: basically 10 years, notwithstanding the occurrence of events interrupting the prescription which may prolong, in fact, this period.
For the purposes referred to in the previous point (4b), the period of storage of the personal data released by the Client/party concerned, and the consequent potential processing thereof, ends with the withdrawal of the consent previously given by the Client/party concerned or, in lack thereof, nevertheless one year after the termination of every relationship between the controller and the Client/party concerned.
10. Rights of the Client/party concerned
The data controller shall recognize and facilitate the Client’s/party’s exercising of all the rights foreseen by the GDPR, in particular the right to request access to its personal data and obtain a copy (art. 15 GDPR), rectify it (art. 16 GDPR), delete it (art. 17 GDPR), limit its processing (art. 18 GDPR), data portability (art. 20 GDPR, where the conditions are met) and to oppose its processing (art. 21 and 22 GDPR, under the circumstances mentioned therein and, in particular, to processing for the purposes of marketing or which translates into an automated decision-making process, including profiling, which produces legal effects affecting it, where the conditions are met). Moreover, the data controller also recognizes the Client/party’s right, should consent be given for the processing, to withdraw said consent at any time, without prejudice to the lawfulness of the processing under the consent given before the withdrawal. To do so the Client/party concerned may unsubscribe at any time on the website (or on other social or web applications of the data controller) or by using the appropriate link found at the bottom of every business communication received, or by contacting the data controller using the contact information reported above.
Furthermore, the data controller hereby informs the Client/party concerned of the right to submit a claim to the Personal Data Protection Authority, acting as the control authority operating in Italy, and to file a judicial appeal against a decision of the Protection Authority, as well as against the same data controller and/or processor.
11. Security of the Systems and the Personal Data
Taking into account the state of the art and the costs of implementation, as well as the nature, subject, context and purposes of the processing, as well as the risk in terms of probability and severity for the rights and freedoms of natural persons, the data controller shall adopt technical and organizational measures deemed appropriate for guaranteeing a level of security suitable to the risk, in particular, permanently ensuring the confidentiality, integrity, availability and resilience of the processing systems and services (even through the encryption of personal data, where necessary), and the skills to promptly reset the availability of data in the event of a physical or technical accident, by adopting internal procedures aimed at regularly testing, verifying and assessing the efficiency of the technical and organizational measures employed. In assessing the adequate level of security, the risks the processing presents shall be taken into account, which particularly derive from the destruction, loss, modification, unauthorized disclosure or access, whether accidental or illegal, of personal data transmitted, stored or in any case processed.
The data controller shall ensure that anyone acting under his/her authority and having access to personal data does not process such data if he/she is not instructed to do so by the data controller. Having said that, the Client/party concerned hereby acknowledges and accepts that no security system can guarantee, in terms of certainty, absolute protection; therefore, the data controller shall not be liable for the acts or actions of third parties that, despite the appropriate precautions taken, could access the systems without due authorization.
12. Automated decision-making processes, including profiling
The data controller may carry out automated processing, including profiling, related to the purposes previously referred to in point (4b), in order to optimize the navigability of the Site (or the usability of other social or web applications of the data controller) and to improve the purchase experience, notwithstanding what is specified above regarding the Client’s/Party’s rights to oppose and withdraw consent. Profiling means any form of automated processing of personal data aimed at evaluating specific aspects related to a natural person, especially to analyzing or predicting aspects concerning, for example, personal preferences, the interests or location of a person, even for the purpose of creating profiles or homogenous groups of individuals based on characteristics, interests or behaviour.
The data controller shall not carry out automated processing that produces legal effects for the Client/party concerned, or that may similarly significantly impact the person, notwithstanding what is required for the conclusion and fulfillment of the Contract, whether authorized by the law or based on the explicit consent of the Client/party concerned, in any case always recognizing the latter’s right to obtain human intervention, to express his/her own opinion and to dispute the decision.