INFORMATION NOTE ON THE PROCESSING OF PERSONAL DATA
This information note is provided pursuant to article 13 of Italian Legislative Decree (Lgs.D.) 30.06.2003, no. 196 (“Codice in materia di protezione dei dati personali” [Data Protection Act]) and article 13 of Regulation EU no. 2016/679 (“General Data Protection Regulation”).
The company ECSA Italia s.r.l., single member company, with registered office in Via Lavoratori Autobianchi, 1 - 20832 - Desio (MB), T.C./V.A.T. Reg. No. 00222470130, here represented by Emanuele Centonze, as Data Controller (hereinafter, “Data Controller”), informs, pursuant to art. 13, Lgs.D. 30.06.2003, no. 196 (hereinafter “Privacy Code”) and art. 13, EU Regulation no. 2016/679 (hereinafter “GDPR”) that data will be processed in the manner and for the purposes described below.
- Subject of the processing
ECSA Italia s.r.l., a single-Member company, is committed to safeguarding your personal data and complies with the applicable data protection legislation (Privacy Code and GDPR 2016/679). Your personal data are processed with respect for their confidential nature and are transferred to third parties solely in the manner envisaged by this Policy, or with your Consent. We process personal data passed on to us when you use the website and/or after registering.
In particular, we process:
- personal, non-sensitive identification data (more precisely, first name, surname, tax code, VAT registration number, e-mail address, telephone number - hereinafter referred to as “personal data” or also “data”), which are supplied directly when you register on the site;
- data that you did not directly supply – but were nevertheless obtained within the scope laid down in art. 14, paragraph 5, GDPR – whose transmission is connected with the use of Internet communications protocols (for example, access to pages, quantity of data transferred, status message upon earlier access, session ID numbers, IP addresses, URL addresses, etc.). These data allow your earlier visits to the site to be reconstructed.
- Purposes of data processing
Your personal data are processed:
A) without your express Consent (art. 24, lett. a), b), c), Privacy Code and art. 6, lett. b), e), GDPR), for the following Service Purposes:
- to process a contract request;
- to complete precontractual measures taken at your request;
- to process internal statistics;
- to perform pre-contractual, contractual or tax obligations stemming from current business relations;
- comply with the law, regulations, EU laws or an order from authorities;
- protect vital interests of the data subject or another physical person;
- carry out duties in the public interest or connected to the exercise of public authority granted to the Data Controller;
- to prevent or detect fraudulent activities or misuse that is detrimental to the website;
- pursue a legitimate interest of the Data Controller or of third parties, in the limits and at the conditions set forth in article 6, point f), GDPR;
- exercise the rights of the Data Controller (including, but not limited to, the right to a defence in court);
B) only with your specific and unequivocal consent (articles 23 and 130 of the Privacy Code and article 7 of the GDPR), for marketing purposes, specifically to:
- send e-mail newsletters, marketing communications and/or advertising materials regarding products and/or services, different and/or unlike the ones already bought, offered by the Data Controller.
- Provision of the personal data
The conferment of your Data for the purposes described under point 2, lett. A), nos. i) and ii) is mandatory. Without these data, we cannot guarantee that you will be able to register on the site, nor will we be able to satisfy your requests.
The conferment of Data for the purposes described under point 2, lett. b), is, on the other hand, optional. You may therefore choose not to confer data or to withdraw consent to processing on our part given in the past. In this case, you will no longer receive our newsletters, but will continue to receive our services and to be entitled to register on the site.
- Processing methods
Your personal data are processed through the operations listed in article 4, Privacy Code, and article 4, no. 2), GDPR, which are: collection, recording, organisation, storage, consultation, processing, alteration or adaptation, selection, retrieval, comparison, use, alignment or combination, blocking, disclosure by transmission, dissemination or otherwise making available, erasure and destruction of data. Your data will be processed in compliance with the principles of fairness, lawfulness and transparency. Your data may be processed through automated methods that can store, manage and transmit them, using tools that, as reasonable and depending on the state of the art, can ensure data security and confidentiality through the application of suitable procedures that avoid the loss, unauthorised access, unlawful use and dissemination of data.
- Data storage period
The Data Controller will store the personal data for the time required to fulfil the purposes listed above and, in all cases, for no more than 10 years from the end of the relationship for service purposes and for no longer than 2 years from data collection for marketing purposes. When the above storage period ends, the data will be erased or made anonymous.
- Access to data
The personal data processed by the Data Controller will not be disseminated, i.e. will not be disclosed to unknown subjects in any form whatsoever, including making data available or simply allowing the consulting of such data. The data may be disclosed to employees of the Data Controller and to some external subjects they work with. Specifically, your data may be made accessible to:
- the Data Controller’s employees and working associates, consultants authorised to manage the site and to provide the related services (for example: customer services, IT department, etc.), acting as in-house data processors and/or subjects authorised to process personal data and/or system administrators;
- third party companies or other subjects (e.g. banks, professional firms, consultants, insurance companies, etc.) that carry out outsourced activities on behalf of the Data Controller, as external Processors and/or Persons in charge of the processing of personal data.
Your data may also be transferred, in so far as is strictly necessary, to subjects authorised by legislation, regulations or community laws to have access to them.
- Data disclosure
Without your explicit consent (ex art. 24 points a), b), d), Privacy Code and art. 6, point b), c), GDPR), the Data Controller may disclose your data for the purposes listed above to surveillance bodies, judicial authorities and to all the subjects the data must be disclosed to by law for carrying out those purposes.
- Transfer of data
Data will be managed and stored on the servers of the Data Controller and/or of third-party companies put in charge and formally appointed as Processors, based in the European Union, in compliance with the provisions set forth in articles 45 and following of the GDPR. The servers are currently based in Balerna (Switzerland). The data will not be transferred outside the European Union. It is in all cases understood that, should the servers have to be moved to Italy and/or to the EU and/or non-EU states, the transfer will always comply with articles 45 and following of the GDPR. In the case above, the Data Controller guarantees from the very beginning that the transfer of data to non-EU states will be in compliance with the applicable laws. If necessary, the Data Controller will enter agreements that guarantee suitable levels of protection and/or include the standard contractual clauses required by the European Commission.
- Navigation data
The data processing systems and software procedures responsible for running this Website may obtain, during normal operations, certain personal data whose transmission is implied when Internet communications protocols are used. This information is not collected so that it can be associated with the subjects concerned, but, by its very nature, may, through processing and association with data kept by third parties, allow the Users to be identified (i.e. parameters relating to the user’s operating system and computer environment). These data are used by the Data Controller solely for the purpose of obtaining anonymous statistical information on the use of the Website and of ensuring that the site functions correctly and they are deleted immediately after processing. These data may also be used to establish liability whenever hypothetical computer crimes are committed to the detriment of the Website.
- Rights of the data subject
As the data subject, you have the rights acknowledged by article 7, Privacy Code, and article 15, GDPR, and specifically, the right to:
- obtain confirmation about whether data regarding you exist or not, even if not recorded yet, and to receive such data in comprehensible form;
- obtain information on: a) the origin of the personal data; b) the purposes for which the data are processed and the processing methods; c) the logic applied if data are processed using electronic tools; d) the identity and contacts of the data controller, processors and representatives designated for personal data processing pursuant to article 5, paragraph 2, Privacy Code, and article 3, paragraph 1, GDPR; e) the subjects and categories of subjects to whom the data may be disclosed or who may have access to them in their capacity of designated representative(s) in the State's territory, of data processors or persons in charge of the processing;
- obtain: a) updating, amendment, or, where it is to your benefit, the integration of data; b) the erasure, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which they were collected or subsequently processed; c) the certification to the effect that the above-mentioned operations have been notified, also related to their content, to those to whom data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
- object, in whole or in part: a) on legitimate grounds, to the processing of personal information concerning you, even though they are relevant to the purpose of the collection; b) to the processing of your personal information, where it is carried out for the purpose of sending advertising materials or direct selling or for market surveys or commercial communications, using automated systems without an operator via e-mail and/or via traditional marketing means (over the phone and/or via paper mail). It is specified that the right of the data subject (described in paragraph “b” above), to object to processing for direct marketing purposes using automatic systems also extends to all traditional methods, without prejudice to the fact that the data subject may exercise the right to object partially. Therefore, the data subject may decide to receive communications only via traditional methods or only automatic communications or neither type.
Where applicable, you also have the rights listed in articles 16-21 of the GDPR (right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object) and the right to complain to the Data Protection Authority.
- How to exercise your rights
You have the right to ask the Data Controller to access the data concerning you, to ask for data rectification or erasure, the integration of incomplete data, the restriction of processing; to receive such data in a structured, commonly used and machine-readable format; to withdraw the consent (where given) to the processing of personal details and to object, totally or partially, to the use of the data; to complain to the Authority and to exercise all the other rights acknowledged by the applicable laws.
You may exercise your rights at any time by sending:
- a registered letter with advice of receipt to: ECSA Italia s.r.l., a single-Member company, with registered office at Via Lavoratori Autobianchi, 1 - 20832 - Desio (MB);
- an e-mail to the address: email@example.com
If the subject providing the data is aged under 16 years, the processing of that data is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. The identification data and a copy of identity documents of that adult must be provided.
- Data Controller, processors and persons in charge
The Data Controller is ECSA Italia s.r.l. single member company, registered office in Via Lavoratori Autobianchi, 1 - 20832 - Desio (MB), T.C. 00222470130, in the person of Emanuele Centonze, e-mail: firstname.lastname@example.org
The System Administrator is Fabio Rigamonti, e-mail: email@example.com
- Modifications to this privacy statement
This privacy statement may be modified. We therefore advise you to check the statement on a regular basis and refer to the most up-to-date version.