INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA – CUSTOMERS
Information on the processing, communication and movement of data, in application of the European Data Protection Regulation – Reg. 679/2016 (GDPR)
Pursuant to articles 13 and 14 of EU Regulation 2016/679 (GDPR), laying down provisions for the protection of individuals with regard to the processing of personal data, the Data Controller is required to provide the subject with some information regarding the use of their personal data.
In particular, the undersigned SIDASTICO S.P.A. in carrying out its activities / functions needs to process information and personal data related to individuals operating on behalf of its organization, acting in the role of Data Controller in accordance with the GDPR.
The information and personal data provided by you, or acquired within the contractual relationship with the undersigned, are treated in compliance with the laws in force and the confidentiality obligations that have always inspired the activity of SIDASTICO S.P.A., as well as with respect for fundamental rights and freedoms, the dignity of the interested party, personal identity and the right to the protection of personal data, with particular reference (see Article 5 – Principles applicable to the processing of personal data) to the principles of lawfulness, correctness and transparency, limitation of purposes, minimization of data, accuracy, limitation of retention, integrity and confidentiality.
Data controller is: SIDASTICO S.P.A.
Via Astico, 44 36030 Fara Vic.no (VI) – ITALY Tel. +39 0445/869500 – +39 0445/1920895 Fax +39 0445/869569 – +39 0445/1920395 info@sidastico.com VAT: 02931940247
PURPOSE OF THE TREATMENT
The processing of data is aimed at the pre-contractual and contractual management of the activities carried out on behalf of the Customer by SIDASTICO S.P.A. In particular, we highlight the following purposes:
a) Commercial and pre-contractual management, with regard to all activities preceding the conclusion of the contract (e.g. activities for preparing estimates and processing related information);
b) Contractual, administrative and accounting management (e.g. issue of invoices, preparation of payments and relations with credit institutions, contractual management and protection of credit positions arising therefrom, etc.);
c) Management of the characteristic activities and services provided by the Company in favour of the customer (procurement, logistics and production management, etc.);
d) Commercial and post-sales management, customer service, marketing and CRM.
The processing will be carried out with the main support of electronic tools, and may cover data and information on computer or paper media, by authorized individuals.
In general, for the purposes mentioned above, as appropriate, the data will be stored at our company, at the customer’s IT infrastructure, at our datacentres, or at our suppliers’ datacentre and will be communicated exclusively to the competent subjects, internal or external to the organization, as described below, for the completion of the services necessary for a correct management of the contractual relationship and the underlying services with guarantee of protection of the rights of the interested party.
LAWFULNESS AND LEGAL BASIS OF TREATMENT
The processing of personal data by the controller is legitimized by the following conditions (art.6 of the GDPR):
- The interested party has given his/her consent to the processing of his/her personal data for one or more specific purposes.
- The processing is necessary for the execution of a contract to which the interested party is a party and for the possible execution of pre-contractual or post-contractual measures taken at the request of the same.
- Processing is necessary to fulfil a legal obligation to which the Data Controller is subject (in particular for administrative and accounting purposes).
- The processing is justified by a legitimate interest of the owner, such as sending commercial and / or promotional communications relating to products and services similar to those covered by the contractual relationship.
SCOPE AND CATEGORIES OF SUBJECTS TO WHICH DATA MAY BE COMMUNICATED AND POSSIBLE LIABILITIES
Personal data collected by SIDASTICO S.P.A. may be communicated, within the limits and in the forms strictly pertinent to the aforementioned purposes, also to the following subjects or categories of subjects:
i) Subjects to whom communication is required by law, by regulation or by national and community legislation as well as for the performance of contractual or pre-contractual obligations;
ii) Credit Institutions, Insurance Companies and other entities for the execution of contractual or pre-contractual obligations (making of payments, stipulation of compulsory insurance policies, etc.);
iii) External firms and professionals specialized in consulting for the management of accounting and tax aspects for the fulfilment of legal obligations (e.g. accountant, auditing company, etc.);
iv) Entities providing services for the management of the SIDASTICO S.P.A. information system and telecommunications networks (including e-mail), including the provision of cloud data centre services and related security profile management for data processing by SIDASTICO S.P.A.
For the types of communications to the parties referred to in points iii and iv above, SIDASTICO S.P.A. has a contract in place that assigns and regulates their role of responsibility for the processing (so-called Sub-Processors) pursuant to Art. 28 of Reg. 679/2016 (GDPR). The updated list is available at the offices of SIDASTICO S.P.A.
DATA TRANSFER
As a rule, the Data Controller does not transfer personal data to third countries or to international organizations.
The undersigned also reserves the right to use cloud services; in that case, the service providers will be selected among those who provide adequate guarantees, as required by art. 46 GDPR 679/16.
DATA CONSENT AND CONSEQUENCES OF MANDATORY/NOT MANDATORY CONSENT FAILURE
The data consent must be considered mandatory with regard to the processing that the organization must carry out to fulfil its obligations towards the data subject on the basis of the existing relationship (or contract), as well as legal obligations, rules and regulations (see the purposes paragraph, points b) and c)). Failure to provide such data may make it impossible for SIDASTICO S.P.A. to carry out the ongoing relationship.
The consent is not mandatory for all other purposes and, even if conferred, can be revoked at any time by the interested party. In the event of failure to provide consent, the consequences will be assessed from time to time, having regard to the specific case. For purpose d), communications will always be accompanied by an information notice on the processing of data, and the right to withdraw from communications of a commercial or promotional nature will always be given.
DATA RETENTION
The data are kept only for the period necessary for the purposes for which they are processed, or in accordance with the national and community laws and regulations with which the organization must comply (e.g. accounting and tax regulations, etc.). It is expected that a periodic check will be carried out annually on the data processed and on the possibility of deleting them if no longer necessary for the intended purposes.
THE RIGHTS OF DATA SUBJECTS
The Data Controller undertakes to provide the interested party with feedback on any requests in relation to the processing of data, within 30 days, and, in case of impossibility to comply with these times, to justify the possible extension of the terms provided. The response will be free of charge, except in cases of groundlessness or excessive requests for which a fee may be charged that is not higher than the costs actually incurred for the research carried out.
In particular, we recall the data subject's rights to access, rectify or erase data, and to restrict or object to processing, as shown in the tables below:
Access (art.15) |
|
Rectification (art.16) |
|
Erasure (art.17) |
In case:
|
Restriction (art.18) |
Temporary restriction of processing where one of the following applies:
The data Controller is required to retain the data and performs any other processing only |
Portability (art.20) | For treatments based on consent or on a contract, the data subject is entitled to receive from the Data Controller his or her personal data in an electronic format “in common use” in order to transmit them to another Data Controller (also directly from one Data Controller to the other). “Portable” personal data are those that the data subject has provided directly and explicitly to the controller, but also those collected during the provision of the service, such as, for example, traffic or navigation data (for network service providers). |
Opposition (art.21) |
Opposition to the processing of personal data based on the criteria of lawfulness of the exercise of public interest or of the legitimate interest of the Controller, including direct marketing or any profiling. The Data Controller shall no longer process the data, except where there are legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. The Data Controller shall no longer process the personal data for direct marketing purposes. |
Other rights reserved to the data subject are listed below.
Complaint (art.77) | Right to lodge a complaint with a supervisory authority (Guarantor of privacy), if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. |
Remedy (art.82) | Right to obtain from the Controller the full and effective remedy for any damage suffered, material or immaterial (financial loss, identity theft, discrimination, etc.), if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation and the Data Controller is not able to prove that the harmful event is not attributable to it. |
For processing legitimated by consent, the subject has the right to revoke it at any time, without prejudice to the lawfulness of the processing based on the consent given prior to the revocation.