on personal data processing
Articles 12 et seq. of the Regulation (EU) 2016/679 (GDPR)
Subject: informative note on personal data processing pursuant to articles 12 et seq. of the Regulation (EU) 2016/679
Introduction – The Regulation (EU) 2016/679 (“General Data Protection Regulation”, hereinafter referred to as GDPR) provides for the protection of natural persons with reference to the personal data processing. According to this regulation, the processing of the personal data referring to a subject, specifically to be defined as “person concerned”, is governed by the principles of correctness, lawfulness and transparency, as well as the protection of the privacy and the rights of the person concerned.
We hereby inform you, in compliance with the above mentioned regulation, that regarding the relationship or connection that you have with our company, as Customer, our company possesses certain data related to you, which were directly, even verbally acquired or by means of third parties that perform operations related to you or that, in order to meet your request, acquire and provide information.
Pursuant to GDPR, such information, related to you, is qualified as “personal data”, and they should however benefit from the protection provided by the mentioned provisions. More specifically, pursuant to the regulation, you are the person concerned benefiting from the rights designed to protect your personal data.
Pursuant to articles 12 et seq. of the GDPR, our company, as Data Controller, will process the personal data provided by you in compliance with the regulation, with the utmost care, implementing efficient management procedures and processes in order to guarantee the protection of your personal data processing. To this end, the undersigned, using material and management procedures to safeguard the collected data, undertakes to protect the communicated information, so as to prevent unauthorised accesses or disclosures and also to maintain the data accuracy and to ensure their adequate use.
In accordance with this introduction, the following information is provided:
Collected personal data – The undersigned, as Data Controller, uses his/her personal data in order to best perform his/her activity.
The following data might be, even partially, requested from you:
– personal data, tax code, VAT number, name, registered office, residence and domicile and contact data;
– data related to the contractual relation describing the type of contract and also the information related to its execution and necessary for fulfilling that contract;
– accounting data related to the economic relationship, to the due amounts and payments, to their periodic status, to the summary of the accounting status of the relationship;
– data in order to make clearer the relationship with our company, and more effective our collaboration and operational efficiency;
– data related to: your employees and/or collaborators, information on the performed profession or about your company.
Storage period of your data – The collected data will be stored for the entire duration of the relationship or collaboration with our company and for 10 years as of the termination date of the relationship. If, during the contractual relationship, data unrelated to the administrative and accounting obligations connected to it are processed, such data will be stored for the time necessary to achieve the purpose for which they were collected and then deleted. The storage period of such data will be communicated to you by means of informative notes, when they will be collected.
Mandatory or optional nature of the data provision and the consequences of a possible refusal – Essential data should be submitted to the undersigned for the execution of the contractual relationship, as well as data necessary to fulfil the obligations provided by laws, regulations, community regulations, or by provisions of the Authority legitimated by the law in that respect and by supervisory and control bodies.
The non-essential data for the execution of the contractual relationship must be qualified and considered as additional information and their provision, if required, is optional. Your possible refusal to provide such data will decrease however the efficiency of our company in carrying out the relationships with third parties.
In case of essential “sensitive data or the processing of which presents specific risks” for the execution of the relationship or for the fulfilment of specific services and of legal obligations as well, the provision of such data will be mandatory and because their processing is allowed only by prior written consent of the person concerned (pursuant to articles 9 and 10 of GDPR), you must also give consent for their processing.
Processing method – Pursuant to articles 12 et seq. of GDPR, we wish to inform you that the personal data communicated by you will be registered, processed and stored in our archives, on hardcopy and electronic means, in compliance with the adequate technical and organisational measures according to art. 32 of GDPR. The processing of your personal data can consist of any operation or several operations from those indicated at art. 4, paragraph 1, point 2 of GDPR.
The processing of personal data will be performed by means of adequate tools and procedures so as to guarantee their security and confidentiality and it can be carried out, directly and/or through delegated third parties, either manually by means of hardcopy support or by using electronic means or tools. The data, for the proper management of the relationship and for the fulfilment of legal obligations, may be included in the internal documentation of the Data Controller and, if necessary, also in the records and registers required by law.
Possible outsourced activities – The Data Controller, when carrying out his/her activities, may occasionally request other operators to perform certain services on his/her behalf, such as processing services or other services, activities necessary for the execution of the requested operations or services, shipments and deliveries, accounting records and administrative activities. If the operator, delegated by the Data Controller to carry out certain activities, is a company that provides payment, tax collection and treasury services, banking and financial intermediation, may perform the following services: massive operations related to payments, bills, cheques and other bonds; transmission, enveloping, transport and sorting of communications, documentation archiving, identification of financial risks, fraud control, credit recovery. The above mentioned operators will be provided only with the information necessary for the provision of the commissioned services and they will be bound to observe the confidentiality, prohibiting the use of the provided data for other purposes than the agreed one. The operators who are not in charge with personal data processing will be appointed as Data Processors (pursuant to Article 28 of GDPR) and will process data within the limits strictly necessary to provide the commissioned service and exclusively for this purpose and they will ensure that their appointees have signed a confidentiality agreement. For all that is not stated here, these subjects will have to provide a specific informative note on personal data processing.
Transfer of personal data abroad – The data provided by you will be processed only in Italy. If, during the contractual relationship, your data is processed in a non-EU state, the rights attributed to you by the Community legislation will be guaranteed and you will be promptly notified.
The purposes of the processing for which the personal data is intended – The main purpose of your personal data processing, which the undersigned intends to perform, is to allow a regular establishment and/or evolution, as well as a proper management of the relationship specified in the introduction.
Particularly, the purposes of the processing are the following:
- Administrative and accounting, specifically:
- Fulfilment of tax or accounting obligations;
- Management of the clientele (management of the clientele; management of contracts, orders, shipments and invoices; reliability and solvency control);
- Management of litigation (contractual breaches, warnings, transactions, debt collection, arbitrations, legal disputes);
- Internal control services (of the security, productivity, service quality and asset integrity);
- Management of marketing activities (market analyses and surveys);
- Promotional activities;
- Identification of the degree of customers’ satisfaction.
The personal data will be processed for the fulfilment of legal obligations, as well as to fulfil administrative, insurance and tax obligations provided by the legislation in force and also to meet accounting and commercial purposes or to be able to regularly fulfil contractual and legal obligations arising from the legal relationship with the person concerned. Furthermore, the provided data may also be used to contact the person concerned for market research regarding the products or services or for offers or commercial campaigns. In any case, the person concerned may freely choose not to give his/her consent for these purposes and may also indicate how to be contacted or to receive commercial information.
Scope of disclosure of your data – The following categories of persons responsible or appointed by the undersigned for the processing may come to know of your data:
- Subordinate workers or collaborators generally employed at
- internal protocol and administrative offices;
- persons in charge with the identification and supply of services and with the maintenance and support provided to you;
- Accounting and invoicing employees;
- Employees in charge with the marketing of services;
- Persons in charge with the identification of customers’ satisfaction; employees for fraud and corruption prevention;
- Employees of the marketing offices;
- Offices, services and regional offices;
- External employees for enveloping the correspondence;
- Consultants in charge of consultancies, assistance or services of our company;
- Executives and administrators;
- Members of the regulatory bodies;
- Our agents, representatives and distributors;
The personal data can also be known by subjects agreed upon with the undersigned, indicated in the paragraph entitled “Processing method“. The undersigned can delegate to these subjects the execution of certain fulfilments or the performance of particular actions for the execution of the legal relationship with the person concerned.
Communication and dissemination – Your data may be communicated, with the term meaning to give knowledge to one or several subjects outside the company, to implement all the necessary legal and/or contractual obligations. Particularly, your data may be communicated to:
- other companies of Zucchetti Group, including parent companies, subsidiaries and associated companies;
- Institutions or public offices or control authorities depending on the legal and/or contractual obligations;
- banking institutions and/or credit institutions for the management of payments deriving from the contractual relationship;
Your data may be communicated by the undersigned:
- to subjects who can access the data by virtue of the regulation, rule or community legislation within the limits provided by these regulations;
- to subjects who must access your data for purposes auxiliary to the relationship existing between you and us, within the limits strictly necessary for developing additional assignments (by way of example, the credit institutions and the carriers);
- to our subjects, consultants and/or professionals, within the limits necessary for performing their work at our or their organisation, upon nomination as person in charge who undertakes the duty of confidentiality and security.
In any case, your data will not be communicated, except to the operators for the execution of acts related to the fulfilment of relationships occurring with the persons concerned to whom this data refers.
Dissemination – The undersigned will not disseminate indiscriminately your data or, in other words, inform unspecified subjects, neither by making available nor by consultation.
Trust and confidentiality – The undersigned considers invaluable the trust shown by the persons concerned who have given their consent for their personal data processing and therefore, undertakes not to sell, rent or entrust the personal information to others.
Rights pursuant to articles 15 et seq. of GDPR – Pursuant to art. 15 of GDPR, you have the right to obtain the confirmation regarding the existence or not of a processing related to your personal data, even if they are not yet registered. The exercise of the rights is subject to checking the concerned person’s identity, through the presentation of the identity document, which will not be kept by the undersigned, but only consulted in order to perform the verification of the legitimacy of the request.
You have the right to access the personal data and the following information:
- the purposes of the processing;
- the categories of personal data subject to the processing;
- the recipients and the categories of recipients to whom the personal data were or will be communicated, particularly, in case of recipients of third countries or international organisations;
- when possible, the provided storage period of the personal data or, if not possible, the criteria used to determine this period;
- if the data is not collected from the person concerned, all the pieces of information available about their origin;
- the existence of an automated decision process, including the profiling pursuant to art. 22, par. 1 and 4 and, at least in such cases, significant information on the used logic and the importance and the consequences provided by this processing for the person concerned as well
In case the data is transferred to a third country or to an international organisation, you have the right to be informed on the existence of adequate guarantees pursuant to art. 46 of GDPR.
You have the right to ask the Data Controller the correction or the deletion, even partially, of the personal data or the limitation of his/her personal data processing or to object, in whole or in part, to their processing.
In accordance to art. 2 of the Legislative Decree no. 196/2003 the exercise of your rights may be delayed, restricted or excluded, by reasoned notice given without delay, unless such notice would jeopardise the purpose of the restriction, for such time and to the extent that this constitutes a necessary and proportionate measure, having regard to the fundamental rights and legitimate interests of the person concerned, in order to safeguard the interests referred to in paragraph 1(a) (protected money laundering interests), (e) (the conduct of defensive investigations or the exercise of a right in court) and (f) (the confidentiality of the identity of an employee who reports offences of which s/he has become aware by virtue of his/her office). In such cases, your rights may also be exercised through the Data Protection Authority in the manner set out in Article 160 of the same Decree. In this case, the Data Protection Authority will inform you that it has carried out all the necessary checks or has carried out a review and that you have the right to appeal.
In order to exercises these rights, you can turn to our company, “Data Controller”, to the following address firstname.lastname@example.org or call 0371/594.3191 or send a letter to Zucchetti Privacy Office, via Dante n. 17 – 26900 Lodi.
The Data Controller will answer within 30 (thirty) days as of the receipt of your formal request.
Please bear in mind that in the event of a breach of your personal data, you may lodge a complaint with the competent authority: “Personal Data Protection Authority”.
Identification data of the Data Controller and, if appointed, of the Representative on the State territory and of the Data Protection Officer.
Data Controller – The Data Controller is the undersigned: ZUCCHETTI AXESS SPA, with registered office in via Solferino n.1 – 26900 Lodi; Tel: 0371/594.7000; fax: 0371/594.7170; certified e-mail address: email@example.com; e-mail: firstname.lastname@example.org.
Data Protection Officer – The Data Protection Officer is Mario Brocca whose contact information is: 0371/5943191 – email@example.com
Data Processors – The role of Data Processors is performed by foreign companies with which a contractual relationship was established and that in order to fulfil these agreements have to receive your personal data
In order to know the Data Processors in case they were nominated and to know the persons who will be nominated in the future for the mentioned role, each person concerned will be able to send a request letter to the Data Controller of the personal data, to the above mentioned address
Please note that the above mentioned Data Processors do not handle the right exercise requests of the persons concerned pursuant to articles 15 et seq. of GDPR. This activity is exclusively performed by the undersigned as Data Controller.
Representative established on the State territory – Please note that, our organisation, pursuant to art. 4, par. 1, point 17 of GDPR, given the inexistence of any situation provided by the above mentioned Regulation, which would require such nomination, has not designated any representative established on the State territory for the purposes of the application of the personal data processing provisions.
Processings without the need for the concerned person’s consent – Please note that the undersigned, even without your consent, will be entitled to process your personal data, in case it is necessary in order to:
- fulfil an obligation provided by law, by a rule or by the community regulation;
- perform obligations arising from a contract in which you are part or to fulfil, before the conclusion
- of the contract, as specifically requested by you.
Furthermore, your explicit consent is not required when the processing:
1) concerns data coming from public registers, lists, records or documents available to anyone, considering the limits and methods of the laws, rules or community regulation determine for the data knowability and publicity, i.e. data related to the performance of economic activities, processed in respect to the regulation in force regarding industrial and business secrecy;
2) is necessary for the protection of life or the physical integrity of a third party (in this case, the Data Controller has to inform the processing of the personal data to the subject concerned by informative note even subsequently to the processing, but without delay. Therefore, in such case, the consent is expressed subsequent to the presentation of the informative note);
3) excluding the dissemination, it becomes necessary for carrying out the defensive investigations referred to in the Law no. 397 of 7th December 2000, or, in any case, to enforce or defend a right in judicial court, provided that the data is exclusively processed for these purposes and for the time strictly necessary for their pursuit, in compliance with the regulation in force regarding the industrial and business secrecy;
4) excluding the dissemination, it is necessary, in the cases identified by the Data Protection Authority on the basis of the principles set by law, to pursue a legitimate interest of the Data Controller or of a third recipient of the data, also with reference to the activity of banking groups and controlled or associated companies, in case the fundamental rights and freedoms do not prevail, the dignity or a legitimate interest of the person concerned.
of the personal data processing
Zucchetti Axess Spa