Privacy Notice GDPR N.679/2016
Information pursuant to Articles 13 and 14 of the General Data Protection Regulation 2016/679 (hereinafter referred to as “GDPR”)
Given that we will process some of your personal data in order to carry out the contractual or pre-contractual measures you requested, or in order to process certain personal data you have provided us with for commercial or marketing purposes, or in order to fulfil a legal obligation, in accordance with the provisions of Articles 13 and 14 of the GDPR, we wish to provide you with the information of which data subjects must be aware in relation to the operations we shall carry out to process your personal data.
The data controller is Tenute S.r.l. (Tax Code and VAT No. 02893320156), with registered office in 20122 Milan (MI), Viale A. Filippetti 39 and operational headquarters in 20040 Cambiago (MI), Via Leonardo Da Vinci 5 (the “Controller”), acting through its pro tempore legal representative; the contact details are as follows: email address firstname.lastname@example.org; certified email (PEC) email@example.com; fax no. 02/9506603; tel. no.: 02/9506523.
Type of personal data processed and origin of personal data
The Controller shall process general personal data, not belonging to the categories of special personal data included in the list of Article 9 of the GDPR, such as name, surname, residence and domicile, telephone number, email address, any bank and payment references, role and/or position in the company, tax data (hereinafter, the “Personal Data”).
Personal Data shall be collected by the Controller:
when concluding contracts or when pre-contractual measures are requested;
on the occasion of events or fairs, visits and meetings at the operational headquarters of the Controller or of the data subject;
through online channels such as, for example, the Controller’s website; and
through the Controller’s sales agents, business finders or other business partners.
Purposes and legal basis of data processing
The Personal Data collected shall be processed by the Controller for the performance of the latter’s activities, for the purposes and by virtue of the legal bases set out below.
Personal Data shall be processed primarily for purposes related to the fulfilment of obligations relating to commercial and/or contractual relationships to which your employer or principal is, or you personally are, a party, or in order to implement pre-contractual measures required of the Controller or to fulfil a legal obligation (hereinafter, “Commercial Purposes”). In particular, Personal Data for Commercial Purposes shall be processed in paper or computerized form:
to conclude and perform contracts concerning the products and services of the Controller, including the performance of all activities related or ancillary to the performance of contracts, including, but not limited to, the provision of sale and after-sale services and returns management;
to carry out the pre-contractual measures requested, relating to the products or services of the Controller;
to meet any request regarding products or services purchased by the Controller;
for the management of money collection and payments;
to comply with the legal obligations provided for by law, by the GDPR, by national or community regulations or by an order of the authority to which the Controller is subject, such as, by way of example, civil, fiscal or accounting laws or regulations;
to carry out management activities relating to administrative, accounting or tax obligations; and
to possibly exercise the rights of the Controller, such as, for example, the right to assert a right in court.
Legal bases for the use of Personal Data for Commercial Purposes and legitimate interests pursued: Personal Data for Commercial Purposes shall be processed legitimately, without your express consent, in accordance with the provisions of Art. 6(b, c, f) of the GDPR, concomitantly to each other, therefore, to fulfil commercial or legal obligations and also on the basis of the legitimate interest of the Controller represented by the need to be able to develop business relationships with customers and with those working for them.
The Personal Data collected from all sources, or on the occasion of any other type of commercial contact with the Controller, may be processed, subject to your prior consent, also for marketing purposes (hereinafter, “Marketing Purposes”), in paper and computerized or automated form, for the following purposes:
to send by email, post, text message, or facsimile, advertising material, communications for commercial, marketing, promotional or advertising purposes, relating to the products and services of the Controller;
to carry out direct activities for the sale or placement of the products and services of the Controller;
to send by email, post, text message, facsimile, telephone contacts, newsletters, invitations to events, meetings or fairs organized by the Controller or of which it is part; and
to carry out sample marketing searches.
You may in any case express your wish to receive communications for Marketing Purposes exclusively through traditional means such as telephone or post by sending an email to the Controller’s address.
Legal basis for the use of Personal Data for Marketing Purposes and legitimate interests pursued: Personal Data for Marketing Purposes shall be processed in accordance with Art. 7 and Art. 6(1)(a) of the GDPR, and therefore on the basis of your consent or, if preconditions are met, without your consent, in accordance with Art. 6(f) of the GDPR, i.e., on the basis of a legitimate interest of the Controller represented by the latter’s interest in promoting the sale of its products or services to persons with whom the Controller had a commercial relationship in the past, which thus qualifies as a relevant and appropriate relationship. In the event that the processing is carried out without your consent, on the basis of the legitimate interest of the Controller, the direct marketing activity for the purpose of sending commercial communications shall be limited to services and products of the Controller analogous or similar to those previously sold to you or to the person for whom you work, and shall be carried out in a manner that does not prejudice your rights and fundamental freedoms.
Recipients of Personal Data
The Personal Data processed for Commercial Purposes may be disclosed to the following categories of recipients:
public entities or entities providing services in the public interest, which may have access to Personal Data by virtue of legal provisions or under the GDPR, within the limits provided for by such provisions or regulations (for example: judicial authorities, inland revenue offices, police or law enforcement authorities or, in any case, entities or persons having public powers);
other parties to whom Personal Data must be necessarily disclosed in relation to the performance of contracts to which the Controller is a party, such as, by way of example, credit institutions, forwarding agents, carriers and any other third party that may be involved in the performance of contracts to which the data subject or the entity for which the data subject works is a party; and
agents, distributors of the Controller or third party professionals working with the Controller.
Your Personal Data may also be made accessible to persons who have taken on the role of external processors or persons in charge of the processing, such as:
subordinate employees or consultants of the Controller;
external parties who carry out consultancy activities in the administrative, accounting, legal, fiscal or commercial fields or otherwise connected to the activity of the Controller;
website providers, cloud providers, IT support technicians; and
The Personal Data provided both for Commercial Purposes and for Marketing Purposes shall not be disclosed.
In the event of extraordinary or corporate transactions (e.g., mergers or acquisitions), Personal Data are likely to be transferred and may be shared with legal successors, to the extent permitted by law and the GDPR, on the basis of a legitimate interest of the Controller.
Modalities to process Personal Data
The processing of Personal Data shall consist of the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication, limitation, erasure, or destruction.
Personal Data shall be processed both on paper and with the assistance of computerized or automated means through the use of hardware and software owned by the Controller or third parties.
In any case, the logical and physical security of Personal Data and, in general, the confidentiality of the Personal Data processed shall be guaranteed by taking all necessary technical and organizational measures to ensure the security of Personal Data.
Personal Data Storage Period
The Personal Data collected for Commercial Purposes shall be processed and stored:
- throughout the contractual relationship between you and the Controller, or between the Controller and the person on whose behalf you work or otherwise cooperate in any capacity; and
- for the following period, until the expiration of the limitation period, for the actions taken in contractual and non-contractual contexts, during which it is necessary to store the information that also includes your Personal Data in order to be able to prove the exact performance by the Controller of the contracts to which it is party.
The Personal Data collected for Marketing Purposes shall be processed and stored for 24 months, except in the case of renewal of your consent to the processing for Marketing Purposes.
Nature of the disclosure of Personal Data
The provision of Personal Data for Commercial Purposes is optional; however, failure to provide the data may make it impossible to enter into or perform the contract or business relationship, or to adopt the pre-contractual measures requested.
Conversely, the provision of Personal Data for Marketing Purposes only is always optional. The only consequence of the failure to provide Personal Data for these purposes shall be that you will not be contacted to be informed about commercial initiatives or about the products and services marketed by the Controller, unless you specifically request so, and unless the marketing activity can be carried out on the basis of a legitimate interest in accordance with Art. 6(f) of the GDPR. You may deny your consent to the use of Personal Data for Marketing Purposes even when you have provided Personal Data for Commercial Purposes. The consent for Marketing Purposes may also be revoked at any time by simply sending a communication to the following email address firstname.lastname@example.org.
Transfer of Personal Data outside the EU
Pursuant to Art. 13(1)(f) of the GDPR, we inform you that the Personal Data collected shall not be transferred to third countries located outside the European Union.
The products and services of the Controller are not intended for children under 18. Therefore, the Controller shall not intentionally collect Personal Data or, in general, personal information relating to minors. In the event that information on minors is unintentionally recorded, the Controller shall delete it in a timely manner, at the request of users.
Rights of the data subject
In accordance with the provisions of Chapter III, Section I, of the GDPR, the data subject may exercise the rights set forth therein, including, in particular:
Right of access – right to obtain from the Controller confirmation as to whether or not Personal Data are being processed, and, where that is the case, have access to the information related, in particular, to: purposes of the processing, categories of Personal Data processed and storage period, recipients to whom Personal Data may be communicated (Art. 15 of the GDPR);
Right of rectification – right to obtain, without undue delay, the rectification of inaccurate Personal Data and that any incomplete Personal Data be completed (Art. 16 of the GDPR);
Right to erasure – right to obtain, without undue delay, the erasure of Personal Data, in the cases provided for by the GDPR (Art. 17 of the GDPR);
Right to restriction of processing – right to obtain restriction of processing in the cases provided for by the GDPR (Art. 18 of the GDPR);
Right to data portability – right to receive the Personal Data disclosed in a structured, commonly used and machine-readable format and the right to cause them to be transferred to another controller without hindrance, in the cases provided for by the GDPR (Art. 20 of the GDPR); and
Right to lodge a complaint with the supervisory authority – right to lodge a complaint with the competent data protection authority in the EU Member State of the data subject’s habitual residence or place of work, or place of alleged infringement of the GDPR (Art. 77 of the GDPR). In particular, with reference to Italy, the relevant supervisory authority is the Garante per la protezione dei Dati Personali, Piazza Venezia 11, 00187 Rome (RM).
Additional rights of the data subject: right to object and right of revocation
In accordance with the provisions of Chapter III, Section I, of the GDPR, the data subject may exercise, in particular, the following additional rights:
Right to object – right to object to the processing of Personal Data, unless there are legitimate grounds to continue the processing (Art. 21 of the Regulation); and
Right of revocation – if the data subject has given his or her consent for the processing of his or her Personal Data for the purposes for which the same is required, the latter shall in any case remain free to revoke it at any time by sending an informal notice to that effect to the following email address: email@example.com. Following receipt of this request, Personal Data shall no longer be processed for the purposes for which consent is required.
Exercise of the rights of the Data Subject
You may exercise all the rights set forth in this information simply by sending a request by email to the following email address: firstname.lastname@example.org. The exercise of the rights is not subject to formal rules and is free of charge.
Absence of automated decision-making processes
The Controller shall not carry out any profiling activity with your Personal Data, nor shall the Controller make decisions on the basis of automated processes.
Cambiago, May 25th, 2018