DISCLOSURE PURSUANT TO ART. 13 EUROPEAN REGULATION 2016/679
Pursuant to the current policy on the protection of natural persons and other subjects, and, in particular, pursuant to art. 13 of the 2016/679 European Regulation (later GDPR) e. 13 D. Lgs. 196/2003 (Privacy Code), as applicable, and ss. mm. and ii, in relation to the personal data of the holder, we inform you of the following:
1. HOLDER OF THE PROCESSING OF PERSONAL DATA AND DATA PROTECTION OFFICER
The data controller is Exept S.r.l. (c.f./p.va 01721020095), with the registered office in Via Felice Casati, 20 Milan, email contact: firstname.lastname@example.org.
Contact details of the Data Protection Manager are: email@example.com
2. TREATMENT OF PERSONAL DATA
For the purposes of the establishment and professional relationship, personal data will be used as per art. 4, n. 1), GDPR and particular categories of personal data pursuant to art. 9, paragraph 1, GDPR. The personal data collected may be, as example, and not an exhaustive list: name, surname, place and date of birth, tax code, address, residence and residence, telephone contacts, e-mail, details of identity documents, details of current accounts, data relating to the physical and anthropometric characteristics of a person, such as height, weight, measure of the forearm, etc. The sources of personal data may originate from the said individual, third parties, or public records.
3. PURPOSE AND LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
The data processing can be utilized
a) for the establishment of a contractual relationship with the holder, which includes the pre-contractual details, as well as to the correct and complete execution of the same contract, concerning:
The exchange of details and correspondence in the form of telematica across any distance, import and the export, the deposit and the representation of:
- cycles and motorcycles of any type and quality;
- equipment, clothing, sporting and fitness items of any type and quality;
- parts, components and spare parts of the forementioned products;
b) for the purposes connected to the obligations established by laws, regulations and community legislation, as well as by provisions issued by legitimate legal authorities or by supervisory or control authorities (for example, against money laundering, tax matters, etc.) ;
c) direct marketing, or promotion and sale of products and services of the data controller, performed directly by the owner himself, via advertising material, telephone contact and any other form of communication through automated processes (such as, but not limited to), e-mails, sms, mms, advertising via social networks, etc.) or non-automated (paper correspondence, promotional telephone calls with operator …).
d) communication and/or transfer of data to third parties for the purposes of promotion and or sale of products and/or services, whether automated or not;
e) sending electronic newsletters and using IT tools.
The purpose of the outcome set out in items a) and b) identify the basis of legal obligation, of regulation or other lawful act and in the obligations deriving from the conferment and from the execution of the contract of which the interested party is involved, including any pre-contractual measures. The treatment referred to items c), d) and e) are legally based in the agreed free, and the informed and explicit consent of the interested party.
4. DATA PROCESSING METHODS
The processing of data will be carried out by the data controller and/or his representatives, in strict compliance with the principles set out in Articles. 5 and ss. GDPR (in particular, the principles of lawfulness, correctness, transparency, accuracy, limited to the agreed upon purposes of, limiting data), by means of the operations or set of operations indicated by current legislation and, in particular, by art . 4 GDPR, concerning the collection, registration, organization, structuring, preserving, use, adaptation or modification, consultation, processing, selection, extraction, comparison or connecting, blocking, communication in general and specifically communication by transmission, dissemination or any other form of provision, limitation, deletion or destruction of data. The aforesaid operations may be carried out with or without electronic processes and the data may be stored in both paper, electronic, centralized and decentralized archives. The systems used for data processing are originally configured, so as to minimize the use of the said data. Following periodic checks, the data controller will verify the accuracy, relevance, adequacy and the essence of the data collected with respect to the obligations and purpose for which they were collected. The data will be processed in such a way as to ensure its adequate security, including protection, using appropriate technical and/organizational measures against unauthorized or illicit processing or loss, destruction, modification, unauthorized disclosure, accidental damage, as well as from unauthorized access, of personal data transmitted, stored or otherwise processed, even in the case of processing through communication by distance.
5. DATA CONSERVATION
The processing of data will take place, in the cases provided by the current provisions of the law or the GDPR, with the free, specific and explicit consent of the party concerned, and in particular, with regard to the particular data required by art. 9 GDPR (which may be processed only after the free, explicit and written consent of the interested party), for the time strictly necessary and not after the achievement of the goals for which the data were collected and processed, except for the fulfillment of obligations by laws (for example, in the matter of anti-money laundering), regulations and by community legislation, as well as by provisions issued by legitimate legal authorities or by supervisory or control bodies, or for statistical purposes, provided that, in such cases, appropriate technical and/organizational security measures will be implemented to protect the rights and freedoms of the subject and data. Personal data which does not need to be kept, in relation to the purposes indicated, will be erased or irreversibly transformed into an anonymous form.
6. DATA STORAGE TIME
The retention time of personal data varies according to the purpose of the use of the data. In relation to the purpose set out in item a) of point 3, the data are kept only for the strictly necessary period of time and not exceeding the achievement of the purposes for which the data were collected and processed. In relation to the purpose set out in item b) of point 3, data retention times are set at ten years and, in any case, only for the period of time strictly necessary for the purposes and fulfillment of the obligations established by laws, regulations and by community legislation, as well as by provisions issued by legitimate legal authorities or by supervisory or control bodies. In relation to the purposes set out in items c) d) and e), the interested party has the right to revoke their consent at any time and in a manner similar to that which was provided for its conferment, without consequences, other than not processing data for these purposes. Personal data of a fiscal or accounting nature will be kept for the ten years following the end of the fiscal year after the year in which the tax is incurred, in order to justify any tax assessment and/or dispute. In the event that the holder must act or defend himself by judicial or extrajudicial means, personal data necessary for this purpose will be retained until the final judicial or extrajudicial outcome of the dispute.
7. EXISTENCE OF AN AUTOMATED DECISION-MAKING PROCESS, INCLUDING PROFILING
The owner will not adopt any automated decision-making process, including profiling, as per current legislation and, in particular, as per art. 22, paragraphs 1 and 4 of the GDPR.
8. DATA CONFERMENT, REFUSAL OF DATA CONFERENCE AND REFUSAL OR WITHDRAWAL OF CONSENT
In relation to the purposes expressed in point 3, items a) and b), the provision of data and consent to the processing are mandatory, being a legal or contractual obligation or a necessary requirement for the conclusion and/or execution of the contract; a possible refusal, will not allow the owner to complete or execute the contract of which the interested party is involved. In the case of legal obligations, a possible refusal would make it impossible for the Data Controller to establish relationships with the data subject and may have the obligation to report the refusal. In relation to the purposes set out in items c), d), and e) the provision of data and consent of the processing are optional, therefore the refusal does not imply the impossibility on the part of the Owner to fulfill the services which are the purpose of the relationship, and thus the concerned has the right to withdraw his consent at any time, and without consequences, other than the failure to process personal data for these purposes. In any case, the interested party has the right to withdraw consent to the processing of personal data in relation to the purposes set out above, or for any other, without prejudice to the legality of the treatment which was based on consent given before the said revocation.
9. COMMUNICATION OF DATA AND ADDRESSING THE SHARING OF PERSONAL DATA
Personal data will not be shared (meaning to give it to one or more other specific subjects) without explicit consent of the interested party, unless the communication is necessary for the fulfillment of a legal obligation. In such cases, personal data may be communicated for the purposes referred to in point 3 to all those subjects, public or private, to whom communication is necessary due to the law and or necessary and functional for the proper fulfillment of the purposes indicated in point 3 and/or in any case strictly connected and pertaining to the assignment conferred (for example, employees of the owner, accountant, webmaster, IT services manager, retailers, couriers, banks, insurance companies, etc.). The interested party, at any time, upon written reques addressed to the data controller, at the registered office indicated in point 1, may have an updated and complete list of the recipients of the communication of their personal data. All the subjects listed above, recipients of the communication of personal data pursuant to art. 4, paragraph 9 GDPR, with the exception of employees, will process personal data as autonomous data controllers.
10. DIFFUSION OF DATA
Personal data will not be disseminated, with this term being intended to give knowledge to indeterminate subjects in any way, including by making it available or for consultation.
11. TRANSFER OF DATA ABROAD
Personal data will not be transferred as part of the purposes referred to in point 3, to European Union countries and to third countries with respect to the European Union. If, for technical and/or operational reasons, it is necessary to make use of subjects located outside the European Union, or it is necessary to transfer some of the data collected to electronic systems and services managed in the cloud and located outside the European Union, the data will be regulated in accordance with the provisions of Articles 44 and following of EU Regulation 679/2016 and authorized on the basis of specific EU decisions. All necessary precautions will be taken to ensure the widest possible protection of the data subject’s personal data.
12. RIGHTS OF THE INTERESTED PARTY
The current provisions of the law, and in particular the articles from 15 to 23 of the GDPR, confer to the interested parties the exercise of specific rights. Therefore, within the limits and under the conditions established by the forementioned legislation, the data controller acknowledges and guarantees to the interested party the exercise of the following rights:
- to request confirmation of the existence or trace of personal data in the archives of the holder;
- to access personal data in the owner’s archives with all the information relating to the law and the GDPR;
- to request the correction, updating, integration and deletion of personal data, if incomplete or erroneous, as well as to oppose their processing for legitimate and specific reasons;
- to obtain the correction of incorrect personal data without unjustified delay;
- to obtain the cancellation of personal data without unjustified delay, if one of the reasons is that specified in art. 17, paragraph 1, GDPR (c.d. “right to be forgotten”);
- to limit of the processing of personal data if one of the reasons is set out in art. 18, paragraph 1, GDPR;
- to obtain the transfer of personal data, ie receive it / them from the owner in a structured format, commonly used and readable by automatic device and/or transmit them to another holder without impediments, to obtain direct transmission of data or data personal data from the data controller to another data controller, within the limits and in the ways provided for by art. 20 GDPR;
- to withdraw the consent to the processing of personal data, in particular where provided pursuant to art. 6, paragraph 1, item a) or art. 9, paragraph 2, letter a), GDPR, in relation to the forementioned purposes or other, at any time and in a manner similar to those envisioned for its conferment, without prejudice to the lawfulness of the treatment based on consent, given before the revocation;
- to oppose, at any time, the processing of personal data for purposes of direct marketing, including profiling related to direct marketing;
- to oppose an automated decision-making process concerning individuals, including profiling, and obtain the personal interaction by the owner, allowing him to express his opinion and contest the decision;
- to oppose the processing of personal data for the purposes of scientific or historical research or for statistical purposes, unless the processing is necessary for the performance of a task carried out for public interest;
- to receive information regarding action taken concerning the exercise of one or more of the rights listed above, or the effects arising from the exercise of one or more of the forementioned rights, without undue delay and, in any case, no later than one month from receipt of the request (this deadline, if necessary, possibly extendable to two months in the cases provided for by law and by Article 12, paragraph 3, GDPR);
- to propose a complaint to a supervisory authority;
- to propose a judicial appeal;
Except in cases where the processing is unlawful or violates the principles established by current legislation, the exercise of the rights listed above, by the interested party, must be relevant and motivated, and may not imply the revocation of consent given or deletion of data provided for the conclusion or execution of the contract or for the fulfillment of a legal obligation referred to in point 3, to the extent that and as long as personal data are necessary for such purposes. The European Union or the Italian State may limit the scope of the obligations and rights of the owner and the interested party, as mentioned above, pursuant to and by effect of art. 23 GDPR. The rights in question, with the exception of the right to lodge a complaint or appeal, may be exercised by means of a written request addressed to the Data Controller at the addresses and contacts indicated in point 1. For everything not expressly mentioned in this statement, a request should be expressed to the GDPR for enforced legal provisions.