EXTENDED NOTICE PURSUANT TO ARTICLES 12, 13 AND, WHERE REQUIRED, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)
The data controller sets out below the Notice under Articles 12, 13 and, where necessary, 14 of the GDPR relating to the processing of personal data provided by the Customer/interested party by filling in and signing the Agreement to purchase the products/services offered for sale by the data controller itself, by spontaneously uploading personal data (particularly by filling out forms) to this website, or simply by browsing it.
1. Data controller and contact details
The data controller is ARCONHE S.R.L., with its registered office in CORSO ITALIA 69 95129 Catania (CT), VAT number 05611940874, tel. 3929525507, e-mail firstname.lastname@example.org, web https://www.noname-group.com (hereinafter the Site).
2. Principles applicable to processing
In accordance with the GDPR, the data controller works constantly to ensure that personal data is:
- processed lawfully, fairly and transparently;
- collected for specific, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with those purposes;
- adequate, relevant and limited to what is needed in relation to the purposes for which it is processed;
- accurate and, if necessary, kept up to date;
- retained for no longer than is needed to achieve the purposes for which it is processed;
- processed with appropriate technical and organizational measures to ensure its security;
- processed, where the processing is based on consent, following a decision freely taken by the Customer/interested party, based on a request presented in a clearly distinguishable way, in a comprehensible and easily accessible form, using simple and clear language.
The data controller takes appropriate technical and organizational measures to ensure the protection of personal data by design and to ensure that, by default, only the data needed for each specific purpose of processing is processed.
The data controller collects and takes into account the indications, observations and opinions that the Customer/interested party sends to the contact details above, in order to implement a dynamic privacy management system that ensures effective protection of people with regard to the processing of their data.
This Notice may be subject to changes, in line with the evolution of the reference legislation and the technical and organizational measures gradually adopted by the data controller; the Customer/interested party is therefore asked to visit this section of the Site periodically, to view the updates and the text of the Notice as amended from time to time.
3. How personal data is processed
The processing of personal data is carried out manually and with electronic tools, with logic closely related to the purposes below and, in any case, in order to ensure the security and confidentiality of the data itself.
4. Purpose of the processing of personal data
(4a) Purposes of processing for which the provision of data is required
The personal data provided by the Customer/interested party is mainly processed for the execution of the Agreement and the management of the credit and, more generally, of the relationship arising from the Contract itself.
The provision of data in the Contract or later, during the contractual relationship, is mandatory for the purposes of this processing; therefore, failure to provide such data, or providing it partially or inaccurately, makes it impossible to enter into and/or execute the Agreement and, for the Customer/interested party, to take advantage of the products/services offered by the data controller, potentially exposing the Customer/interested party to liability for contractual non-compliance.
The personal data provided by the Customer/interested party may also be processed if this is necessary to fulfill a legal obligation to which the data controller is subject, to safeguard the vital interests of the Customer/interested party or of another individual, to perform a task of public interest or related to the exercise of public powers vested in the data controller, or for the pursuit of the legitimate interest of the data controller or of third parties, provided that the interests or fundamental rights and freedoms of the Customer/interested party do not prevail; even in these cases, the provision of data is mandatory and, therefore, failure to communicate the data, or communicating it partially or inaccurately, may expose the Customer/interested party to any liability and penalties provided by the legal system.
(4b) Additional purposes of processing based on the specific and express consent of the Customer/interested party
In addition to the above processing purposes, the personal data provided/acquired can be processed, with the consent of the Customer/interested party, to be expressed by checking the box <<Give consent>> on the Contract or on the Site (or using other social or web applications of the data controller), also to conduct market research and to send commercial and promotional communications, by telephone (also using the mobile number provided) and by automated contact systems (e-mails, sms, mms, faxes, etc.), on products/services of the data controller or of companies of the Group to which the data controller may belong.
Consent for the processing purposes mentioned in this paragraph (4b) is optional; therefore, if consent is denied, the data will be processed only for the purposes specified in the previous point (4a), except as specified below with reference to the legitimate interests of the data controller or of third parties.
5. Categories of personal data processed
The data controller mainly processes identification/contact data (first name, surname, addresses, type and number of identification documents, telephone numbers, e-mail addresses, tax/billing data, among others) and, if there are any commercial transactions, financial data (banking data, in particular bank account identifiers, credit card numbers, and other data related to those commercial transactions).
The processing that the data controller performs, both for the execution of the Contract and on the basis of the express consent of the Customer/interested party, does not generally concern particular categories of personal data, known as sensitive data (revealing racial or ethnic origin, political opinions, religious beliefs, health status or sexual orientation, etc.), nor genetic and biometric data or so-called judicial data (relating to criminal convictions and crimes).
However, it cannot be excluded that the data controller, in order to carry out the obligations arising from the Agreement, must retain and/or needs to process sensitive, genetic and biometric or judicial data of the Customer/interested party or of a third party, for which the Customer/interested party is the data controller; in this case, the processing takes place under the terms, conditions and limits under which the data controller is appointed by the Customer/interested party as the party responsible for the processing.
The data controller also processes so-called navigation data, as data controller with reference to the Site and, potentially, as the party responsible for the processing where so appointed (in the above terms) by the Customer/interested party. Computer systems and software procedures for the operation of websites acquire, in the course of their normal operation, some personal data, the transmission of which is implicit in the use of internet communication protocols. This information is not collected to be associated with identified persons but, by its very nature, could allow the person concerned to be identified. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name, addresses of the websites from which the Site was accessed or exited, information about pages visited by users within the site, access time, time spent on each page, internal path analysis and other parameters related to the user’s operating system and computer environment. It is, therefore, information that, by its very nature, allows users to be identified through processing and association, even with data held by third parties.
6. Source of personal data
The personal data that the data controller processes is collected directly by the data controller from the Customer/interested party at the time of, and during, the latter's navigation of the Site (or use of other social or web applications of the data controller), or, also through its own sales staff, at the time of or after the signing of the Contract, during its execution, or from public sources.
As stated above, the data controller, as the party responsible for the processing, in order to carry out the obligations arising from the Agreement, may retain and/or process data, in particular navigation data, and potentially also sensitive, genetic and biometric or judicial data, of third parties, for which the Customer/interested party is the data controller, acquired, with the consent of those third parties, at the time of, and during, the navigation of those third parties on the Site (or on social or web applications related to the data controller).
7. Legitimate interests
The legitimate interests of the data controller or of third parties may constitute a valid legal basis for the processing, provided that the interests or fundamental rights and freedoms of the person concerned do not prevail. In general, such legitimate interests may exist when there is a relevant and appropriate relationship between the data controller and the interested party, for example when that person is a customer of the data controller. In particular, it is the legitimate interest of the data controller to process personal data of the Customer/interested party: for the purposes of fraud prevention; for direct marketing purposes; to ensure the free movement of the same data within the Business Group to which the data controller may belong; or, for data related to traffic, in order to ensure the security of networks and information, i.e. the ability of a network or system to withstand unexpected events or traffic compromising the availability, authenticity, integrity and confidentiality of the data.
8. Circulation of personal data
(8a) Communication of personal data – categories of recipients
In addition to the employees, in various capacities, of the data controller (who are authorized by the data controller itself to carry out processing under appropriate written operational instructions, in order to ensure the confidentiality and security of the data), some processing operations can also be carried out by third parties, to whom the data controller entrusts certain activities, or part of them, functional to the purposes referred to in point (4a), and therefore in the execution of both contractual and legal obligations. These include, by way of a necessarily non-exhaustive list: commercial and/or technical partners; banking and financial services; companies that carry out document storage services; debt collection companies; auditing and balance sheet certification companies; rating companies; parties carrying out assistance and consulting activities; customer care companies; factoring, discretization of receivables or other disclaimers; companies of the Group to which the data controller may belong; entities that provide business information; IT services companies. Those belonging to these categories process the personal data as independent data controllers, or as those responsible for the processing, with reference to specific processing operations that fall within the contractual services that the same parties perform in favor of/in the interests of the data controller; the data controller gives those responsible for the processing appropriate written operational instructions, with particular reference to the adoption of minimum security measures, in order to ensure the confidentiality and security of the data.
Some processing operations may be carried out by third parties, to whom the data controller entrusts certain activities, or part of them, that are also functional to the purposes referred to in point (4b). These include, by way of a necessarily non-exhaustive list: commercial and/or technical partners; companies that provide institutional marketing services; advertising agencies; parties providing assistance and consultancy with reference to competitions and prize operations. The subjects belonging to the aforementioned categories treat the personal data as autonomous data controllers, or as controllers, with reference to specific processing operations that fall within the contractual services that the subjects perform in favor of/in the interest of the data controller; data controllers are given adequate written operating instructions by the data controller, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of data.
The list, subject to periodic updating, of the data controllers with whom the data controller himself has relations is available, upon written request to be sent to the data controller’s offices.
Personal data may also be communicated, in the event of a request, to the competent authorities, in fulfillment of obligations deriving from mandatory laws.
(8b) Transfer of personal data to third countries
The personal data of the Customer/interested party may also be transferred abroad, both to European Union countries and to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, or in the context and with the adequate guarantees provided for by the GDPR (therefore, in particular, in the presence of contractual clauses for the protection of data approved by the European Commission), or, outside the cases mentioned above, by resorting to one or more of the exceptions provided for by the GDPR (in particular, by virtue of the explicit consent of the Customer/interested party, or for the execution of the Contract concluded by the Customer/interested party, or for the execution of a contract stipulated between the data controller and another natural or legal person in favor of the Customer/interested party, in particular for the execution of activities entrusted to it by the data controller for the execution of the Contract concluded with the Customer/interested party). Where data is transferred to countries outside the European Union, the Customer/interested party may, upon written request sent to the office of the data controller, learn the appropriate guarantees, or the exceptions, which legitimize the cross-border processing. It is understood that, in the event of transfer of data to countries outside the European Union, for every request concerning the data, including for the exercise of the rights that the GDPR grants to the Customer/interested party, the latter can always validly apply to the data controller.
9. Criteria for determining the retention period of personal data
For the purposes referred to in point (4a) above, the retention period of the personal data provided by the Customer/interested party, and of its consequent potential processing, coincides with the limitation period of the rights/duties (legal, fiscal, etc.) arising from the Contract: generally 10 years, therefore, except where events occur that interrupt the limitation period and could in fact prolong it.
For the purposes referred to in point (4b) above, the period of retention of data released by the Client / interested party, and the consequent potential treatment thereof, ends with the revocation of the consent previously released by the Customer / interested party or, in the absence of this, however, one year after the termination of any relationship between the data controller and the Customer / interested party.
10. Rights of the Customer / interested party
The data controller recognizes, and facilitates the exercise by the Customer/interested party of, all the rights provided by the GDPR, in particular the right to request access to their personal data and to obtain a copy (art. 15 GDPR), the right to rectification (art. 16 GDPR) and to erasure of the same (art. 17 GDPR), to restriction of the processing that concerns them (art. 18 GDPR), to data portability (art. 20 GDPR, where the conditions are met) and to object to the processing that concerns them (articles 21 and 22 GDPR, for the cases mentioned therein and, in particular, to processing for marketing purposes or processing that results in an automated decision-making process, including profiling, which produces legal effects concerning them, if the conditions exist).
The data controller also recognizes the right of the Customer/interested party, if the processing is based on consent, to withdraw that consent at any time, without prejudice to the lawfulness of the processing based on consent given before its withdrawal. To do this, the Customer/interested party can unsubscribe at any time on the Site (or on other social applications or the data controller’s website), or by using the appropriate link at the bottom of every commercial communication received, or by contacting the data controller at the contact details above.
The data controller also informs the Customer/interested party of the right to lodge a complaint with the Italian Data Protection Authority, as the supervisory authority operating in Italy, and to appeal to the courts, both against a decision of the Authority and against the data controller and/or a data controller.
11. Security of systems and personal data
Taking into account the state of the art and the implementation costs, as well as the nature, object, context and purpose of the processing, as well as the risk, in terms of probability and seriousness, for the rights and freedoms of individuals, the data controller adopts the technical and organizational measures deemed appropriate to guarantee a level of security adequate to the risk, in particular ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of the processing systems and services (also through the encryption of personal data, where necessary) and the ability to promptly restore the availability of data in the event of a physical or technical incident, and by adopting internal procedures aimed at regularly testing, verifying and assessing the effectiveness of the technical and organizational measures employed.
In assessing the adequate level of security, the risks presented by the treatment are taken into account, deriving, in particular, from destruction, loss, modification, unauthorized disclosure or accidental or illegal access to personal data transmitted, stored or otherwise processed.
The data controller shall do his best to ensure that anyone acting under his authority and having access to personal data does not process such data unless he is instructed to do so by the data controller.
Having said this, the Customer/interested party acknowledges and accepts that no security system guarantees absolute protection; therefore, the data controller is not liable for the acts of third parties who, despite the appropriate precautions taken, illegally access the systems without the necessary authorizations.
12. Automated decision-making processes, including profiling
The data controller can perform automated processing, including profiling, in relation to the purposes referred to in point (4b) above, to optimize the navigability of the Site (or the usability of other social or web applications of the data controller) and to improve the shopping experience, except as specified above with regard to the rights of the Customer/interested party to object and to withdraw consent.
Profiling means any form of automated processing of personal data aimed at assessing certain aspects relating to a natural person, in particular to analyze or foresee aspects concerning, for example, personal preferences, interests or location of said person, also in order to create profiles, or homogeneous groups of subjects by characteristics, interests or behavior.
The data controller does not carry out any automated processing that produces legal effects that concern the Customer / interested party or that significantly affect his person, unless this is necessary for the conclusion or execution of the Contract, is authorized by law or is based on the explicit consent of the Client / interested party, in any case always acknowledging the right to obtain human intervention, to express his / her opinion and to challenge the decision.