PRIVACY POLICY


INFORMATION FOR THE PROCESSING OF PERSONAL DATA 

Dear User/Data Subject,
this Information Notice is provided pursuant to Legislative Decree no. 196 of 30 June 2003 and as amended (so-called Privacy Code), and pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016.
We would like to inform you that the personal data you provide when consulting the website www.sit-in.it enabling users to register on the aforementioned website and use the services offered by the company Radici Pietro Industries & Brands S.p.A., and to be able to subscribe to the newsletter through which users receive advantageous commercial offers and are kept updated on the company’s products and activities, will be processed by Radici Pietro Industries & Brands S.p.A. represented by its pro tempore legal representative as Data Controller (hereinafter also Data Controller), in compliance with the protection principles established by the Privacy Code as amended, and European and national legislative actions and/or Supervisory Authority provisions.

The following information is provided for the website www.sit-in.it only, not for other websites that may be consulted by the User via links. 

A. PROCESSING PURPOSE 

The various processing operations on data provided voluntarily by Users are carried out by the Data Controller:

  • to fulfil legal obligations for accounting and tax matters; 
  • to allow the User to contact the Data Controller in order to request information or make requests. This processing is needed to allow the User to contact the Data Controller;
  • to enable the User to create a personal account on the Data Controller's website and take advantage of the services provided. This processing is needed to enable the User to take advantage of the services provided by the Data Controller;
  • to allow users to receive special newsletters through which they can receive advantageous commercial offers and are kept up to date on the services provided by the data controller. This processing is optional and will only be carried out with the User's consent;
  • for marketing purposes; therefore also to profile Users to be able to send them suitable commercial offers. This processing is optional and will only be carried out with the User's consent.

B. TYPE OF DATA COLLECTED AND PROCESSED 

If the user requires information from the Data Controller, he/she must provide the following personal data:

  • Name;
  • Surname;
  • E-mail;
  • Telephone;
  • Type of collaboration.

 

Without prejudice to the personal autonomy of the Data Subject and without prejudice to provision of navigation data, providing the above data is essential and failure to provide even part of the data specifically indicated as essential will make it impossible for the user to contact the Data Controller.

If the user wishes to use the services provided by the Data Controller, he/she must provide the following personal data:

  • Name;
  • Surname;
  • E-mail;
  • Address;
  • Postal code;
  • City;
  • Province;
  • Telephone.

Without prejudice to the personal autonomy of the Data Subject and without prejudice to the provision of navigation data, providing the data described above is essential and failure to do so for even a part of the data specifically indicated as essential will make it impossible for the user to use the services provided by the Data Controller. 

Without prejudice to the personal autonomy of the Data Subject and without prejudice to the provision of navigation data, providing the above data is optional and is done with the user's consent, which may be revoked at any time.

C. DATA CONTROLLER, MANAGERS AND APPOINTEES 

The Data Controller is the company Radici Pietro Industries & Brands S.p.A. in the person of its pro tempore legal representative (VAT no. 00217360163), with registered office in Cazzano S. Andrea (BG). 
Please note that the Data provided may be processed by other subjects involved in the Data Controller’s organisation, all in their capacity as appointed processors and/or internal data processors, or external subjects (such as third party technical service providers, hosting providers, platforms for the provision of training courses), appointed as External Data Processors by the Controller. 

In any event, all those persons processing data in the name and on behalf of the Data Controller will be duly appointed and shall have the means and resources to process personal data in accordance with the GDPR.

D. PROCESSING METHODS 

The personal data provided will be processed at the Data Controller's headquarters or by External Data Processors appointed by the Controller (suppliers of IT and logistics services; suppliers of outsourcing and cloud computing services and of management services; external professionals and consultants; external software to manage mailing lists). Processing will be carried out through computerised and/or telematic procedures in the manner and within the limits needed to pursue the aforementioned purposes. In any case, the server where the data provided by users will be stored is located in territory belonging to the European Union.
The Data Controller avails itself of services provided by leading companies in the sector appointed to develop and maintain management software and technically maintain the website. 

E. TRANSFER OF DATA TO THIRD COUNTRIES 

The Data Controller declares that the data provided and processed, whether by professionals or company representatives, will not be transferred to third countries. 

F. RETENTION PERIOD

Please note that the Data provided will be processed and stored by the Data Controller for the purposes indicated above, and stored c/o the Data Controller in accordance with the timeframes set out below.

For invoicing following the purchase of the services and products offered, the purchasing data will be kept for 10 years from the date of invoicing, in accordance with provisions in the applicable tax/accounting law. 

If the user has simply contacted the Data Controller to request information on services rendered, the data will be stored for the time strictly needed to process the request and, in any case, for no longer than three months.

If the User has given his/her consent in order to receive the newsletter and/or interesting and advantageous economic offers for the products marketed by the Data Controller (Marketing and Profiling treatment), Processing will continue until the User revokes his/her consent. In every specific e-mail containing Newsletters or advantageous offers there will be a link through which Users may revoke their consent.

From when consent is revoked, the Data Controller must immediately stop sending newsletters and/or commercial offers and will have a period of thirty days to delete all personal data; this in order to allow a reasonable period of time for the technical/logistic deletion of data. 

Personal Data collected for purposes related to the legitimate interest of the Controller will be retained until that interest has been satisfied. 

G. RIGHTS OF THE DATA SUBJECT
The data subject may, at any time, exercise his or her rights vis-à-vis the Data Controller pursuant to Legislative Decree no. 196/2003 and Regulation (EU) 2016/679 as referred to in the following articles:

  1. RIGHT OF ACCESS BY THE DATA SUBJECT - Art. 15 Reg. (EU) 2016/679
  2. RIGHT OF RECTIFICATION - Art. 15 Reg. (EU) 2016/679
  3. RIGHT TO ERASURE ("RIGHT TO BE FORGOTTEN") - Art. 17 Reg. (EU) 2016/679
  4. RIGHT TO LIMIT PROCESSING - Art. 18 Reg. (EU) 2016/679
  5. RIGHT TO DATA PORTABILITY - Art. 20 Reg. (EU) 2016/679
  6. RIGHT TO OPPOSE - Art. 21 Reg. (EU) 2016/679

GENERAL RULES FOR EXERCISING RIGHTS 

Please note that the rights referred to in the above paragraphs may be exercised at any time by sending an email to info@sit-in.it together with a digital copy of a valid identity document.

We would like to remind you that if you ask us to stop all processing of your personal data, we will not be able to continue providing you with the services you have requested from us and, in the case of a generic request, we will stop all processing of your personal data, including by traditional means.

In any event, the Data Controller may retain some of your personal data if it is needed to defend or enforce a right.
If you would like one, an up-to-date list containing the names of the persons responsible for processing your data is available at the Data Controller's registered office. You can also request it by e-mail from info@sit-in.it.

Definitions 

ART. 5 GDPR 

For the purposes of this Information notice, the following definitions apply:
Personal data: any information relating to an identified or identifiable natural person, also referred to as "data subject"; an identifiable person is one who can be identified, directly or indirectly, by specific reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity;
Processing: any operation or group of operations which is performed upon personal data or groups of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction;
Limitation of processing: the marking of stored personal data with a view to limiting processing in the future;
Profiling: any form of automated processing of personal data consisting in the use of that personal data to assess certain personal aspects relating to a natural person, in particular to analyse or predict aspects of that person's professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
Pseudonymisation: the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information; provided that such additional information is kept separately, and is subject to technical and organisational measures to ensure that such personal data cannot be attributed to an identified or identifiable natural person;
Archives: any structured group of personal data accessible according to specified criteria, regardless of whether this group is centralised, decentralised or dispersed on a functional or geographical basis;
Controller: the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing the personal data; where the purposes and means of that processing are determined by Union or Member State law, the controller or the specific criteria applicable to its designation may be established by Union or Member State law;
Processor: the natural or legal person, public authority, service or other body which processes personal data on behalf of the controller; 

Recipient: the natural or legal person, public authority, service or other body that receives communication of personal data, whether or not it is of a third party. However, public authorities that may receive communication of personal data in the context of a specific investigation in accordance with Union or Member State law are not considered recipients; the processing of that data by those public authorities is in accordance with the applicable data protection regulations according to the processing purposes; 

Third party: any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons authorised to process personal data under the direct authority of the controller or processor;
Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes, whereby the data subject provides his/her agreement, by way of a statement or an unambiguous affirmative action, to personal data relating to him/her being processed; 

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed;
Genetic data: personal data relating to inherited or acquired genetic characteristics of a natural person which provide unambiguous information about the physiology or health of that natural person, and which result in particular from the analysis of a biological sample from that natural person; 

Biometric data: personal data obtained through specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which enable or confirm their unambiguous identification, such as facial image or dactyloscopic data;
Health data: personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his/her state of health; 

Main facility:
(a) in the case of a data controller with facilities in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken in another facility of the controller in the Union and the latter facility has the power to order implementation of those decisions, in which case the facility that has taken those decisions will be considered the main facility;
(b) with regard to a controller with facilities in more than one Member State, the place where its central administration in the Union is located or, where the controller does not have a central administration in the Union, the facility of the controller in the Union where the main processing activities are carried out in the context of the activities of a controller facility in so far as that controller is subject to specific obligations under this Regulation; 

Representative: a natural or legal person established in the Union who, designated by the controller or processor in writing in accordance with Article 27, represents them in relation to their respective obligations under this Regulation;
Enterprise: any natural or legal person, regardless of their legal form, engaged in an economic activity, including partnerships or associations regularly engaged in an economic activity; 

Enterprise group: a group consisting of a parent company and its subsidiaries;
Binding Corporate Rules: the personal data protection policies applied by a controller or processor established in the territory of a Member State to the transfer or grouped transfers of personal data to a controller or processor in one or more third countries, within the framework of a corporate group or a group of enterprises carrying out a joint economic activity; 

Supervisory authority: the independent public authority established by a Member State in accordance with Article 51;
Supervisory authority involved: a supervisory authority affected by the processing of personal data because: 

(a) the controller or processor is established in the territory of the Member State of that supervisory authority;
(b) data subjects residing in the Member State of the supervisory authority are or are likely to be substantially affected by the processing; or
(c) a complaint has been lodged with that supervisory authority;
Cross-border processing:
(a) processing of personal data which takes place in the course of the activities of facilities in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or 

(b) processing of personal data which takes place in the course of the activities of a single facility of a controller or processor in the Union, but which substantially affects or is likely to affect data subjects in more than one Member State;
Relevant and reasoned objection: an objection to the draft decision as to whether or not there is a breach of this Regulation, or whether the action envisaged in relation to the controller or processor complies with this Regulation, where the objection clearly demonstrates the relevance of the risks posed by the draft decision with regard to the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union;
Information company service: a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
International organisation: an organisation and bodies governed by public international law subordinate to it or any other body established by or on the basis of an agreement between two or more States.