1. Data controller
Via Mancini n. 2/C
47841, Cattolica (RN)
E-mail: [email protected]
2. Categories of data subject to processing
The data processed by the Data Controller is exclusively “personal data” (pursuant to Art. 4.1 of the GDPR).
In particular, the possible categories of personal data subject to processing include but are not limited to:
3. Purposes and lawfulness of the processing of personal data
3.1 Purposes connected with the fulfilment of a legal obligation (art. 6 paragraph 1 (c) of EU Regulation 2016/679, hereinafter known as the “GDPR”)
a. fulfilment of legal, regulatory and Union law obligations, i.e. provisions issued by authorities or control and supervisory authorities in relation to or connected with the current and/or future legal relationship (e.g. relative to protection of the consumer as per Legislative Decree no. 206 as amended of 6 September 2005 and the anti-money laundering law as established by Legislative Decree no. 231 as amended of 21 November 2007).
The retention period of the personal data relative to the purposes outlined in this section is: For purpose a, 10 years from the termination of the eventual working contract or the eventual legal relationship established. This retention period, notwithstanding the deactivation of your account, following your request or “deregistration” or the verification of any of the causes outlined in the aforementioned “Terms and Conditions” or in any other instructions communicated by the Data Controller, also refers to the data contained in the relative reserved area of the website. In fact, this Data will be stored in order to fulfil the anti-money laundering obligations for the above-reported period.
3.2 Purposes connected with the performance of a contract or steps prior to entering into a contract (art. 6 paragraph 1 (b) of the GDPR)
a. The conclusion and execution of contracts for the purchase of products and services offered on the Website, including the supply of said products and services, the delivery of same and the management of returns;
b. Management of administrative, accounting, tax and financial processes connected with products and services purchased by the customer, including invoicing;
c. Protection of contractual rights or rights deriving from legal relationships established;
d. Management of requests by our Customer Services team, which uses the personal data provided to fulfil requests for information and assistance;
e. Creation and management of accounts for the reserved area of the Website.
The retention period of personal data, relative to the purposes outlined in this section is: For purposes: a, b, c, d, 10 years from the termination of the working contract or eventual legal relationship established (except in the case of controversies or different legal provisions); For purposes: e, until the data subject requests to cancel their account. If the data subject's account is inactive for over 10 years, the account will be deleted by the Data Controller.
3.3 Purposes of pursuing legitimate interests (art. 6 (1f) of the GDPR)
a. Sending of newsletters and information material, requests for brochures, organisation of events, and other marketing activities, using automated forms of contact (e.g.: automated calls, email, text messaging and various messaging systems, also instant and via internet, also to mobile phones) and non-automated forms of contact (post and calls from operators), regarding products or services similar to those subject to legal relationships in place, as well as the sending of email notifications about products left in your cart;
b. Performance of anti-fraud activities and controls and therefore measures to prevent and pursue any fraudulent activities;
c. Monitoring the correct functioning, as well as the security, of the Website, and anonymous statistical processing regarding the use of the site.
The personal data retention period relative to the purposes outlined in this section is: For purpose: a, for the duration of the legal relationship and up to 24 months from the termination of the relationship, for other marketing purposes, different from the above purpose a, it does equate to the objection to same and will not lead to the termination of this purpose and connected activities, as well as for any incomplete purchases, for up to 48 hours from when the cart was filled;
For purpose: b, until the transfer of the payments connected with the purchases made and the conclusion of all associated and subsequent administrative and accounting formalities, as well as the expiry of the right of withdrawal and the terms applied for the contestation of the payment, and in any case no more than two years from the purchase itself, except in the case of additional requirements connected with controversies, established or in the process of being established.
For purpose: c, for the duration of the browsing session and until the processing of data, for statistical purposes, in aggregate form, unless it is necessary to store the data for an additional period of time to protect the rights and interests of the Data Controller (e.g. in the event of security incidents).
3.4 Purposes covered by the consent of the data subject (Art. 6, paragraph 1 (a) of the GDPR)
Personal data may also be processed for specific purposes for which the Data Subject has given their consent.
a. To respond to requests or questions presented and submitted to the contacts indicated on this website, to receive information also on our products and services, as well as the submission of quotes and requests for assistance;
b. Advertising, marketing or promotional activities, including the sending of newsletters and other connected information materials, using automated forms of contact (e.g.: automated calls, email, text messaging and various messaging systems, also instant and via internet, also to mobile phones) and non-automated forms of contact (post and calls from operators);
The retention period of personal data, relative to the purposes outlined in this section, is: For purpose: a, until the request is processed, subject to any legal relationships connected with the request and established between the data subject and the Data Controller (in this case the retention period will correspond to the period envisaged or established for the processing of data connected with said legal relationships);
For purpose: b, 24 months from the provision of consent.
4. Recipients or categories of recipients of the personal data (art. 13 paragraph 1 (e) of the GDPR) *
With regard to the aforementioned purposes, the Data Controller may communicate your data to:
● Offices and internal functions of the Data Controller;
● Control and supervisory bodies of the Data Controller;
● Companies and professional operators that provide IT services, including electronic data processing, software and cloud management services, website management services and IT consultancy (including but not limited to: order management software, software for the management of promotional communications and invoicing software);
● Advertising and communications companies and agencies;
● Consultants, professionals and service companies that provide administration and corporate management services on behalf of the Data Controller;
● Mailing and hosting provider companies, couriers and companies that provide services for the mailing and delivery of the abovementioned materials and communications, and companies that provide documentation storage services;
● Banks and/or payment companies, as well as insurance companies;
● Public bodies, public and legal authorities, as part of their institutional function.
* More information on the Recipients (art. 4.9 of the GDPR) is available from the Data Controller using the abovementioned contact details.
5. Recipients or categories of recipients of the personal data (art. 13 paragraph 1 (f) of the GDPR) and transfer of data to non-EU countries
The Data Controller communicates that it has no intention of transferring your data to countries outside the EU and the EEA for the abovementioned purposes.
6. Rights of the Data Subject
In relation to the personal data that is the subject of this policy, the data subject may exercise the following rights established by the EU Regulation:
• right of access by the data subject [art. 15 of the EU Regulation] (the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and to receive a copy of the data);
• the right to rectification of their personal data [art. 16 of the EU Regulation] (the data subject has the right to the rectification of inaccurate personal data concerning him or her);
• right to erasure of their personal data without undue delay (“right to be forgotten”) [art. 17 of the EU Regulation] (the data subject shall have the right to obtain the erasure of their personal data);
• right to restriction of processing of their personal data in the cases outlined in art. 18 of the EU Regulation, including in the event of unlawful processing or if the accuracy of the personal data is contested by the data subject [art. 18 of the EU Regulation];
• right to data portability [art. 20 of the EU Regulation], (the data subject may request to receive their personal data in a structured format and transmit them to another data controller, in the cases outlined in the article);
• right to object to the processing of their personal data [art. 21 of the EU Regulation] (the data subject shall have the right to object to the processing of their personal data in the cases established and regulated by art. 21 of the EU Regulation);
• the right not to be subject to automated decision-making processes [art. 22 of the EU Regulation] (the data subject shall have the right not to be subject to a decision based solely on automated processing).
The above description is not a substitute for the text of the articles cited herein which are referenced in full and may be read in their entirety in the final section of this policy. With regard to the purposes, for which consent is required, the Data Subject may withdraw their consent at any time with immediate effect, subject to all legal constraints. In general, the withdrawal of consent only has effect in the future. The above rights may be exercised in accordance with the EU Regulation by sending an email to [email protected] or using the other contact details indicated in point 1. Pursuant to art. 19 of the EU Regulation, where possible Gaudenzi S.r.l. shall inform recipients of the personal data of any requested rectification or erasure of personal data or restriction of processing.
7. Right to lodge a complaint (art. 13 paragraph 2 (d) of the GDPR)
If the data subject believes that their rights have been compromised, they have the right to lodge a complaint with the Data Protection Authority. For further information on your rights and how to exercise them see http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 or write to the Data Protection Authority.
8. Possible consequences of failing to communicate the data and the nature of the processing of the data (art. 13 paragraph 2 (e) of the GDPR)
8.1 In the event of legal or contractual obligations
If the legal basis for the processing is a legal or contractual (also pre-contractual) obligation, the data subject must provide the requested data. Otherwise, it will be impossible for the Data Controller to proceed with the specific purposes of processing.
8.2 In the event of the pursuit of legitimate interests
Likewise, with regard to purposes based on legitimate interests that do not require consent, the opposition of the data subject will make it impossible to fulfil the respective purposes and perform any associated services, to which the data subject respectively opposed, except in the case of the overriding compelling legitimate interests of the Data Controller or reasons connected with the protection of legal rights.
8.3 In the event of the consent of the data subject
The legal basis for the aforementioned purposes is consent and, relative to these purposes, the Data Subject may withdraw their consent at any time with immediate effect, subject to all legal constraints. In general, the withdrawal of consent only has effect in the future. As such, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The failure or partial failure to provide your consent (or the withdrawal of your consent) may make it impossible to fully provide the services or activities related to the purposes for which consent is denied, but will not compromise or prevent other purposes (and connected activities) not involved or expressly connected with the denial of consent or not founded on this legal basis.
With regards to requests for information, though consenting to the processing of one’s personal data is a free and voluntary choice, said consent is in any case necessary for the processing of such requests. As such, the submission of requests or equivalent demonstrations of interest shall be considered as evidence of consent which can always be withdrawn with the above-illustrated consequences.
When personal data is no longer required it is regularly deleted; if the deletion of said data is impossible or would involve a disproportionate effort because of a particular storage method, the data may not be processed and must be stored in inaccessible areas.
9. The existence of automated decision-making (including profiling)
As detailed in article 22 of the GDPR, decisions based solely on automated processing are not permitted. If these processes are introduced for individual cases in the future, the data subject will be informed under separate cover if this is envisaged by law or the updating of this policy.
10. Processing methods
Personal data will be processed in paper, digital and electronic form and stored in the appropriate database which may be accessed by, and therefore come to the knowledge of, workers expressly appointed by the Data Controller, such as Supervisors and Processors authorised to process personal data, who may carry out consultation, usage, processing, comparative and any other appropriate operations, also automated and with respect for all relevant legislation, necessary to guarantee the confidentiality and security of the data, and the accuracy, updating and relevance of the data with regard to the declared purposes.
Processing of data for browsing purposes
The computer systems and software used for the functioning of this website acquire some personal data during normal operations, the transmission of which is implicit in Internet communication protocols. This information is not collected to be associated with identified data subjects but, due to its nature, could be used to identify users following processing and associations with data held by third parties. The types of information that may be collected include IP addresses, type of browser or operating system used, URI (uniform resource identifier) addresses, domain names and the web addresses from which accesses or exits are made (referring/exit pages), the time in which the request was made to the server, the method used and information on the response received, additional information on how the user browses the website (see also the section on cookies) and other parameters connected with the user’s operating system and computing environment. This same data may also be used to identify and assess responsibility in the event of cybercrimes against the website.
Regulatory references on the rights of the data subject
Right of access by data subject
1. The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her is being processed and, if so, to obtain access to this personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data in question;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged retention period of the personal data or, if not possible, the criteria used to determine that period;
e) the existence of the right of the data subject to request from the controller the rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing;
f) the right to lodge a complaint with a supervisory authority;
g) where personal data have not been collected from the data subject, all available information on its origin;
h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (“right to be forgotten”)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
Right to restriction of processing
1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification of whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to object
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
c) is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.