PRIVACY NOTICE PURSUANT TO ARTICLES 13-14 OF THE GDPR (GENERAL DATA PROTECTION REGULATION) 2016/679
According to the indicated regulation, this processing will be guided by the principles of fairness, lawfulness, transparency, and the protection of your privacy and rights.
In accordance with Article 13 of GDPR 2016/679, we hereby provide you with the following information:
A – Personal data (name, surname, identity document details and a copy thereof, telephone number, email address, etc.) will be provided upon joining, depending on the type of membership requested. EVA FRANCESCHINI, as the data controller for your personal data, informs you about its use and your rights, so that you can knowingly give your consent, where required, and exercise the rights provided for by the General Data Protection Regulation (European Regulation 679/2016, hereinafter: the Regulation). Your personal data (provided by you, by third parties, or obtained, within legal limits, from public registers) may be processed for the following explicitly stated purposes:
– Proposing services or goods to the interested party (i.e. activities prior to the conclusion of a contract with third parties);
- Perform profiling in order to propose direct or indirect marketing;
– To carry out historical, scientific, and statistical profiling;
– Defence of one’s own rights or those of third parties in legal proceedings;
– In order to send periodic commercial, informative and educational communications, newsletters;
– To fulfil a legal or regulatory obligation, including those of a tax nature (invoices, tax returns, tax payments);
Below, we specifically explain the meaning of the types of purposes:
1. by law: meaning to fulfil obligations provided for by law, by a regulation, by European Union legislation, and by provisions issued by Authorities legitimately empowered by law or by competent supervisory or control Bodies (in such cases, your consent is not necessary as the processing of data is related to compliance with said obligations/provisions). Data processed by law include those relating to tax regulations or anti-money laundering registers.
2. contractual and, more generally, administrative-accounting matters, i.e. to fulfil obligations arising from contracts to which you are a party or to comply, before the conclusion of the contract, with your specific requests, including through remote communication techniques, such as a dedicated telephone call centre (in this case, your consent is not required, as the data processing is functional to the management of the relationship or the execution of the requests); such processing also includes the purpose arising from the protection of mutual interests in judicial proceedings and for tax purposes or for other legal obligations such as, for example, maintaining the anti-money laundering register if applicable.
3. Direct marketing: data processing activities aimed at providing you with information and sending you informational, commercial, and advertising material (including via remote communication techniques such as, but not limited to, postal mail, telephone calls (including through automated calling systems), fax, email, SMS or MMS messages, or other types) about the company's products, services, or initiatives, for promotional purposes, to carry out direct sales activities, for market research, and to verify the quality of products or services offered to you (including via telephone calls or by sending questionnaires). The processing of such data may occur with your optional consent or based on the company's legitimate interest where deemed not to conflict with your rights.
4. Profiling: data processing activity aimed at optimising commercial offers (including through focused and selected analysis), for making targeted commercial communications, for conducting statistical research, for applying one or more profiles to you (for the purpose of making appropriate commercial decisions or for analysing or predicting, for commercial purposes, your personal preferences, your behaviour and your attitudes). (In this case, your consent is optional and does not prejudice the continuation of your relationship with the company).
5. Indirect commercial purposes: that is, by communicating Your data to third parties so that they can carry out their own independent commercial activities as indicated in the previous number 3. (In this case, Your consent is optional and does not prejudice the continuation of the relationship with the company)
6. marketing communications: i.e. for the purpose of exploring, after the cessation or revocation of the relationship with the Company, the reasons for the termination of the relationship. (In this case, your consent is optional and does not affect the continuation of the relationship with the Company)
Special data cases
7. Particular‘ or ’sensitive‘ data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning the health or sex life or sexual orientation of the individual (Art. 9 of the regulation) or data concerning criminal convictions and offences or related security measures (Art. 10 of the regulation). Such data may only be processed with your express written consent if one of the reasons stated in Art. 9 para. 2 and Art. 10 of the regulation applies. Consent is free and optional, but refusal to consent could jeopardise the performance of one or more activities requested by you from the company that specifically concern facts for which it is essential to process this type of data.
8. Your data may be transferred to third parties for the purposes stated by the Controller. In particular, they may be transferred to third countries subject to an adequacy decision or, in its absence, subject to your explicit consent.
B – DATA PROCESSING METHODS.
Your data will be processed using manual tools and manual/paper-based storage, as well as electronic and automated tools, in a manner strictly related to the purposes indicated above. Where you have given your consent, processing may also take place through profiling or data matching. The Company has adopted technical and organisational measures to prevent and limit the risk of loss, deterioration, or theft of your data, and to ensure its restoration within a reasonable time in the event of a ‘data breach’. Processing will be carried out in a way that guarantees the security, protection, and confidentiality of your data.
Within the company, your personal data may be known, as data controllers or processors:
- employees, managers and directors or partners of the company who have or hold by law or company by-laws administrative, collaborative or commercial roles subject to self-employment contracts operating within the company structure. Such personnel have been provided with adequate training and instructions by the Company to protect the storage, maintenance, updating and security and confidentiality of your data. Consent to processing by such personnel is not required as it is inherent in the necessary modalities provided for by law.
Outside the company, your data may be processed by:
• self-employed workers operating away from the company premises
• Sales representatives on non-employment contracts operating outside the company's premises
• Consultants of any kind (lawyers, doctors, chartered accountants, engineers, architects, employment consultants, or other professionals, registered or not registered with professional registers), who carry out technical, support (in particular: legal services, IT services, shipping) and business control tasks on behalf of the company.
• Public bodies or public administrations for the fulfilment of legal obligations
For the pursuit of the aforementioned purposes, the company may communicate or otherwise transmit Your data to certain parties, including foreign ones, who will use the data received as independent joint controllers, unless they have been appointed by the company as “data processors” for their specific responsibilities. You have the right to request and obtain a list of the third parties to whom this data is transmitted. Your consent is required for the transmission of data to these third parties, but in case of refusal, the Company may not be able to provide the requested services or fulfil the obligations it has undertaken towards You.
It is possible for the data controller to delegate the processing of your data to other sub-processors, who in turn will be instructed on the correct ways to process the data. Your data may be subject to profiling, meaning the collection and aggregation of data concerning you for the purpose of making appropriate commercial decisions or to analyse or predict, again for commercial purposes, your personal preferences, behaviours, and attitudes. Profiling may take place a) with your prior consent or b) based on our company's legitimate interest. Failure to give consent for profiling purposes does not normally compromise the regular development of the relationship on which your data is processed.
Your data may be transferred to a foreign country. In such cases, should this occur within the European Union, your data will be treated in the same way as if it were processed in Italy. If transferred to countries outside the European Union, it will be processed in compliance with the rights provided in your favour by the European Regulation. Should your data be transferred to a country outside the EU, it may be processed by entities that guarantee compliance with the rights provided by the European Regulation through their voluntary adherence to general measures. In any event, data transfers will occur through tools that guarantee the protection of the data itself from third-party intrusions.
Your data has been collected directly from you and therefore we provide you with the following information in this form where applicable:
• Holder and representative details
• Data Protection Officer details
• purpose and legal basis of the processing
Data recipients
intention to transfer data abroad
• duration of the retention period or criteria for determining the duration
• right to access, rectification, erasure, objection to processing, portability
• right to revoke consent to processing if possible, subject to legal obligations
• possibility of submitting complaints to the authority (Garante)
• if the data is required for the performance of a contract, or by law, and the consequences if consent is not given
• if the data are or will be subject to profiling and, if so, the logic of the profiling
• the existence of automated decision-making processes and the data subject's right to human intervention in decision-making.
Our company has obtained data concerning you from third parties. We therefore provide you with the following information in this form, where applicable to you:
- owner and representative data
• Data Protection Officer (DPO) details, if applicable
• purpose and legal basis of the processing
• categories of data collected
Data recipients
intention to transfer data abroad
• retention period or criteria for determining the period
• rights of access, revocation, rectification, erasure, portability, withdrawal of consent to processing, restriction
• possibility of complaint to the guarantor
• the source from which your data originates, which is as follows:
________________________________________________
the existence of automated decision-making processes and the right of the data subject to human intervention in decision-making
Your data will be retained by the Data Controller, in compliance with the stipulated purposes, for the time necessary for the existing relationship with you and to guarantee the mutual protection of rights in legal proceedings, as well as to comply with legal obligations, including those of a tax nature. Data not necessary for the latter purposes will be deleted within the maximum period provided for by the right to be forgotten, as indicated further in this notice, or, at your request, even sooner if not in conflict with the rights of the Data Controller. The data of the data subject that does not need to be retained due to a specific legal obligation will be deleted within 20 years for accounting data.
Regarding profiling logic, the company declares the following:
monitoring of web pages visited through so-called ‘cookies’;
Profiling via services offered by Google, Facebook and other software.
C – RIGHTS OF THE DATA SUBJECT
She may, at any time, exercise the following rights expressly granted to her by the Regulation:
• You have the right at any time to lodge a complaint with the national supervisory authority (Garante per la protezione dei dati personali) if you believe your rights have been infringed.
She has the right to ensure that her data is always accurate and up-to-date, and therefore she can report or request its update at any time.
• She has the right to withdraw consent to the processing of her data where this is not prevented by a provision of law or by the need to protect the data controller's rights, including in legal proceedings. In any case, the request for withdrawal gives rise to the right to restrict processing.
• You have the right to access your data processed by the Data Controller by written request, including electronic format. It is essential that you can provide proof of your identity, potentially by accessing our databases via credentials uniquely attributable to you. You are entitled to free access once, while a contribution to expenses may be requested for subsequent requests. You have the right to receive a response within thirty days of your request. You have the right to have your data in
Printable formats.
• She is entitled to have her data rectified and updated, and can at any time request its update and correction should she ascertain that the data in our possession is outdated or incorrect. In order to ensure data is kept up-to-date, we invite you to notify us of any relevant changes.
She has the right to erasure of her personal data, provided that this does not concern data which the Controller is legally obliged to retain, such as, for example, obligations arising from tax regulations, anti-money laundering regulations, or for protecting the data controller's rights in legal disputes.
• Should you dispute the accuracy of your data, the lawfulness of the processing, or the Data Controller's right to erase your data, or should you object to the processing of your data and the Data Controller disputes your objection, you have the right to have your data stored but not processed, except to the extent necessary for resolving the dispute concerning the data itself.
Should the Data Controller modify or delete your data, in whole or in part, you have the right to be informed and to object to the modification and deletion.
• You are entitled to transfer your data – stored and processed electronically – to another service provider, within the limits indicated by the Regulation, and provided it is technically feasible, in a way that allows for easy reading and acquisition by third parties. Data derived from the automatic monitoring of your activity carried out through the Data Controller's IT services, such as searches and the history of activities performed, also fall within the scope of data you are entitled to transfer (portability).
• She has the right to object to the processing of Her data, profiling, the use of data for direct marketing, profiling for public interest or for scientific, historical or statistical purposes.
• The company may, in certain circumstances, adopt automated procedures in order to make decisions concerning it, and in particular to decide whether and on what terms to conclude contracts directly or through third parties with you. In such cases, you have the right to request that, before a binding decision is made, your position be in any case reviewed by a human operator who will carry out an assessment on merits.
• The company may, in certain circumstances, process your data in order to communicate with you regarding commercial, informational, or educational initiatives (so-called newsletters). In such cases, your consent, if necessary, must be explicit and separate from other forms of consent, and you may withdraw your consent granted for this purpose at any time.
She has the right to be consulted when assessing the procedures for the processing and protection of her data.
D – INDICATION OF THE PARTIES INVOLVED IN THE PROCESSING
Your data may be processed by the following parties:
1. [holder] Eva Franceschini Via Cesare Battisti 29 22070 Solbiate (Como) VAT No: 04727470280 Fiscal Code: FRNVEA82P58G224U
2. [Joint data controllers] None
[representative] Not applicable
4. [Responsible Parties] External professionals appointed as responsible parties:
GIANLUCA NOSEDA, Chartered Accountant.;
DOMENICO BISCEGLIA, marketing consultancy;
ITALIX SAS of Andrea Sivieri and Partners, IT development.
5. [RDP/DPO] No appointment is necessary.
E – HOW TO EXERCISE YOUR RIGHTS
Your requests may be exercised by written communications to the Company's address at via Cesare Battisti 29, Solbiate con Cagno (CO) or to the e-mail address eva.franceschini@gmail.com, or, if provided for, independently within your personal area made available to you electronically via a unique identifier.