Information on the processing of personal data of customers and suppliers
Arbi Arredobagno Srl, with registered office in Viale Lino Zanussi 34/A, 33070 Maron di Brugnera (PN), Italy, Tax Code and VAT number 01250700935 (hereinafter the “Data Controller”), in its capacity as Data Controller, hereby informs you, pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter the “GDPR”), that your personal data shall be processed in the manner and for the purposes set out below:
1. Scope of the data processing
The Data Controller processes personal identification data (e.g. first name, surname, telephone number and email; hereinafter referred to as “personal data” or “data”) communicated by you when entering into agreements for the provision of Services offered by or with the Data Controller, or as part of your request for information through the web portal or at trade fairs or in relation to business contacts.
2. Purpose of the data processing
Your personal data is processed:
A) without your express consent (pursuant to Article 6(b)(e) of the GDPR), for the following Service-related Purposes:
• to enter into agreements for the services furnished by the Data Controller;
• to enter into agreements with the Data Controller;
• to fulfil pre-contractual, contractual and tax obligations deriving from relationships in existence with you;
• to fulfil obligations established by law, by a regulation, by community legislation or by an order of the Authorities (such as with regard to money laundering);
• to exercise the Data Controller’s rights (for example the right to representation in court);
B) only after your specific and clear consent (pursuant to Article 7 of the GDPR), for the following purposes:
• to send you newsletters containing commercial information and/or advertising material about products or services offered by the Data Controller via email.
Please note that if you are already one of our customers, we may send you commercial information about the products and services offered by the Data Controller similar to those you have already used, except in case of your expressed disagreement (Article 130(4) of the Privacy Code).
3. Data processing methods
Your personal data shall be processed by means of the operations set out in Article 4(2) of the GDPR, specifically: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of the data. Your personal data shall be subjected to both paper and electronic and/or automated processing. The Data Controller shall process your personal data for the time strictly necessary to fulfil the aforementioned purposes and, in any case, no later than the legal limits for the mandatory retention of data and no later than 2 years for sending newsletters.
4. Access to personal data
For the purposes referred to in Article 2, your data may be made accessible to:
• employees and collaborators of the Data Controller or of Group companies, in their capacity as Persons in charge of the data processing and/or system administrators;
• third-party companies or other subjects performing outsourcing on behalf of the Data Controller, in their capacity as Data Processors: Mailup platform (www.mailup.com), operating as a Data Processor.
The updated list of Data Processors and Persons in charge of processing personal data is maintained at the Data Controller’s registered office.
5. Disclosure of personal data
The Data Controller may disclose your data, without the need for express consent (pursuant to Article 6(b)(c) of the GDPR), for the purposes referred to in Article 2, to supervisory bodies, judicial authorities, as well as subjects to whom disclosure is mandatory by law for the aforementioned purposes. Said subjects shall process the data in their capacity as independent Data Controllers.
6. Transfer of personal data
Personal data shall be stored on the Data Controller’s servers and on Cloud services, located within the European Union. It is, in any case, understood that the Data Controller, where necessary, shall have the right to move its servers outside the EU. In this case, the Data Controller shall ensure that the transfer of data outside the EU takes place in accordance with the applicable legal provisions, subject to the stipulation of standard contractual clauses provided for by the European Commission.
7. Provision of data and consequences of refusal
The provision of data for the purposes referred to in Article 2-A is mandatory and, in its absence, we shall not be able to guarantee the requested Services. The provision of personal data for the purposes referred to in Article 2-B is optional. You may, therefore, decide not to provide any data or to subsequently deny the processing of data already provided. In such cases, you shall not be able to receive newsletters, commercial information or advertising material relating to the Services offered by the Data Controller. You shall, however, continue to be entitled to the Services referred to in Article 2-A.
8. Rights of the Data Subject
As the Data Subject, you may exercise the rights referred to in Article 15 of the GDPR and, specifically, you are entitled to:
I. obtain confirmation regarding the existence or otherwise of personal data concerning you, even if not yet registered, and its communication in intelligible form;
II. obtain information relating to:
a. where the personal data comes from;
b. the processing purposes and methods used;
c. the logic applied if it is processed using electronic tools;
d. the identity of the Data Controller, the Data Processors and the representative appointed under Article 3(1) of the GDPR;
e. the subjects and subject categories to which the personal data may be communicated or who may gain knowledge of it as representatives appointed in the State, Data Processors or Persons in charge of data processing;
a. the updating, the correction or, where interested, the integration of the data;
b. the deletion, the transformation into anonymous form or the blocking of unlawfully processed data, including any data which has no need to be kept in relation to the purposes for which it was collected or subsequently processed;
c. the confirmation that operations as per letters a) and b) have been notified, including as regard to their contents, to those to whom the data was communicated or disclosed, except where this should prove impossible or should involve the use of means manifestly disproportionate to the protected right;
IV. oppose, in whole or in part:
a. on legitimate grounds, the processing of your personal data, even if said data may be relevant to the purpose for which it was collected;
b. the processing of personal data for sending advertising material or for direct selling or for carrying out market research or commercial communications, through the use of automated calling systems without the intervention of an operator, by e-mail and/or through traditional marketing methods by telephone and/or paper mail. Please note that the Data Subject’s right to object to the processing of personal data for direct marketing purposes using automated means also extends to traditional means and, therefore, the Data Subject shall be entitled to exercise their right to object, even in part. The Data Subject may therefore choose to only receive communications through traditional means or only automated communications or neither of these types of communication.
As applicable, you shall also be entitled to the rights set out in Articles 16-21 of the GDPR (right to rectification, right to be forgotten, right to restrict data processing, right to data portability, right to object), as well as the right to file a complaint with the Italian Supervisory Authority.
9. Exercising consent
Consent relating to the purposes referred to in Article 2-B shall be managed through a check box on the website or via an e-mail.
10. How to exercise your rights
You may, at any time, exercise the above rights by sending:
• a registered letter with return receipt to Arbi Arredobagno Srl Viale Lino Zanussi 34/A, 33070 Maron di Brugnera (PN), Italy;
• an e-mail to email@example.com.
Any reasons for dissatisfaction or complaints may be reported to the Italian Personal Data Protection Supervisory Authority: Piazza Venezia, 11 – 00187 Rome, Italy, (+39) 06696771, firstname.lastname@example.org (certified e-mail), email@example.com (www.garanteprivacy.it).
Pordenone, 5 October 2020