SECTION 1- THE FIMER GROUP AND REGULATION (EU) 2016/679
The FIMER Group, a corporate group formed of a set of companies directly or indirectly controlled by the parent company FIMER S.p.a. (hereinafter the " FIMER Group "), considers the protection of the personal data of its current and/or potential customers, suppliers, users and other internal and external interested parties (i.e. stockholders) to be of fundamental importance, ensuring that the processing of personal data, by any means, whether automated or manual, is performed in full compliance with the safeguards of the rights recognized by Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data (hereinafter the "Regulation") and any additional applicable rules on the protection of personal data.
The term personal data refers to the definition contained in article 4 in point 1) of the Regulation, meaning, “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (hereinafter the "Personal Data"). In particular, the FIMER Group, in pursuing its purposes, may acquire knowledge or request your Personal Data such as: your name and surname; email address; telephone number and postal address; Tax Code or VAT number; date of birth and other data that could make you identifiable.
The Regulation provides that, before proceeding with the processing of Personal Data (with this term should be understood, according to the definition contained in article 4 in point 2) of the Regulation, "any operation or set of operations, which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction", (hereinafter referred to as the "Processing"), it is necessary that the person to whom such Personal Data belongs be informed of the purposes of the Processing, the manner in which the data will be processed as well as of any additional information required by law.
In the aforementioned context, the contents of this webpage of the site www.fimer.com/privacy-policy are therefore intended to provide you, in a transparent manner, with as much additional information as possible in addition to that included in the specific privacy policies to be provided pursuant to article 13 of the Regulation when collecting your Personal Data.
This privacy policy has therefore been prepared on the basis of the principle of transparency in order to cover all the elements required by articles 13 and 14 of the Regulation and is divided into single sections (hereinafter "Sections" and, individually, "Section"), each of them dealing with a specific topic, to make your reading faster, easier and more intuitive (hereinafter for simplicity, the contents of this webpage will be collectively referred with the term "Information").
SECTION 2 – THE FIMER GROUP COMPANIES – CONTROLLER AND JOINT CONTROLLERS OF THE PROCESSING
The companies of the FIMER Group that individually or jointly will process your Personal Data for one or more purposes,as provided in the specific privacy policy statement that will be given to you during the collection of Personal Data, shall be the following:
The aforementioned companies may each act individually as controller according to the definition provided in article 4 paragraph 7) of the Regulation, that is: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of such processing of personal data", or, in some specific cases, to act as joint controllers, meaning "two or more controllers jointly determine the purposes and means of processing", as provided by article 26 of the Regulation. Accordingly, for the purpose of this privacy policy, each company of the FIMER Group will be defined individually as "Controller" or, jointly with other Group companies as "Joint Controllers".
You can contact the Controller and/or the Joint Controllers through the following means:
- by writing to the FIMER Group Privacy Office at the parent company FIMER S.p.a. with operating office in , Via J.F. Kennedy, 20871 Vimercate (MB)( CF 00813050150 - VAT 00695140962 );
- by sending an e-mail to the inbox GDPR@fimer.com to the kind attention of the Privacy Office of the FIMER Group ;
- by calling the following phone number: +39 039 98 981 and asking for the FIMER Group Privacy Office.
SECTION 3 - PURPOSE OF THE PROCESSING AND THE RELEVANT LEGAL BASIS
Each Controller, except for those specific cases of joint controllership listed below, may process your Personal Data for the following purposes:
- website registration: the Controller, in order to process your request for registration to one or more of our websites, must collect some of your Personal Data, as further specified within the data collection form. The Controller will process your Personal Data to allow you to access to your profile, participate in the initiatives promoted in the website, as well as take advantage of any other services offered from time to time.
Contractual legal basis and lawfulness for this specific processing (article 6 letter b) of the Regulation): the legal basis for the processing of your Personal Data shall be based on the contractual relationship established between you and the Controller at the time you accept the terms and conditions of the specific website;
- purchase of products and/or services: the Controller, in order to allow the purchase of its products and/or services, must collect some of your Personal Data, as better specified in the privacy policy statement provided by the Controller pursuant article 13 of the Regulation.
Contractual legal basis and lawfulness for this specific processing (article 6 letter b) of the Regulation): the Processing of your Personal Data will be conducted by the Controller to allow you to receive what has been ordered and purchased and therefore will be legally based on the contractual relationship entered into between you and the latter;
- request for information: the Controller, in order to follow up after a request for information received through one of the means present on its website, must process some of your Personal Data as required within the data collection form and/or as spontaneously provided by you.
Pre-contractual legal basis and lawfulness for this specific processing (article 6 letter b) of the Regulation): the Processing of your Personal Data will be conducted by the Controller to provide feedback relating to your request for information and will be legally based on the contractual relationship entered into between you and the latter;
- execution of the contractual relationship: the Controller, in order to give effect to the contractual relationship entered with you, as well as to fulfill its terms, must collect and process some of your Personal Data as requested within the specific contractual document;
Pre-contractual legal basis and lawfulness for this specific processing (article 6 letter b) of the Regulation): the Processing of your Personal Data will be carried out by the Controller to follow up after the execution of the specific contractual document and will be legally based on the contractual relationship entered into between you and the latter;
- fulfillment of legal obligations: the Controller, in order to fulfill any legal obligations, must collect and process some of your Personal Data as required, from time to time, by specific laws;
Legal basis and lawfulness for this specific processing (article 6 letter c) of the Regulation): The processing of your Personal Data will be carry out by the Controller to comply with legal obligations and will be based on the applicable law;
- direct marketing activities: the processing is necessary for the Controller to perform its promotional and/or marketing activities directed to you. Within this category are all activities directed to promote products, services, sold and/or offered by the Controller.
Legal basis and lawfulness for this specific processing (article 6 letter a) of the Regulation): the processing of your Personal Data will be carried out by the Controller and will be based on your free, express and unequivocal consent;
- promotional activities: the processing is necessary for the Controller to perform promotional activities through the use of the e-mail coordinates already provided by you during previous purchases or contractual relationships. This category includes those activities directed to promote products, services, sold and/or offered by the Controller that are in line with those you have already purchased.
Pre- contractual legal basis for this specific processing (article 6 letter f ) of the Regulation): The processing of your Personal Data will be conducted by the Controller and will be based on its legitimate interest to promote its products and services, even without requesting your consent and in any case up to such time when you object to this Processing as better explained in Recital 47 of the Regulation in which it is "considered legitimate interest the processing of personal data for direct marketing purposes". This will be possible following the Controller’s assessment that its legitimate interest to send direct marketing communications is not overridden by your fundamental interests, rights and freedoms that require the protection of Personal Data.
The purposes for processing your data described above are listed by way of example and are not exhaustive. The FIMER Group, based on the principle of transparency towards the data subject provided for by the Regulation, has adopted the approach in which your Personal Data will be processed for the specific purposes that will be illustrated to you in the in the extended and/or short format privacy policy that will be provided to you before the collection of Personal Data or at such time as provided in article 14, paragraph 3, of the Regulation.
The methods of contact aimed at direct marketing activities, upon your previous explicit consent, may be both automated (by way of example e – mail, instant messages, WhatsApp, cellphone, Applications) and traditional (by way of example telephone calls with operator, postal items). In any case, and as further detailed in Section 7, you can withdraw your consent at any time, even partially, for example by consenting only to traditional contact methods.
SECTION 4- PROCESSING UNDER JOINT CONTROLLERSHIP
In order to make specific processing activities more efficient for its customers/users while realizing their objectives, the companies of the FIMER Group identified in Section 2 of this Policy Statement have entered into a co-controllership arrangement pursuant to article 26 of the Regulation to jointly carry out the following purposes:
(i) direct marketing activities,
(ii) promotion activities,
(iii) management of the online platforms referred to the websites
For these purposes , the Joint Controllers have jointly determined the processing methods and, in a clear and transparent manner, the procedures to provide you with timely feedback when exercising your rights pursuant to articles 15, 16 , 17, 18 and 21 of the Regulation, as well as in those cases of portability of Personal Data covered by article 20 of the Regulation as better described in Section 1 of this Privacy Policy.
In order to ensure the proper administration and execution of the joint controllership arrangements, the Joint Controllers have identified the parent company FIMER S.p.A. as the entity to which assign specific processing activities and, with the execution of a separate written agreement, have appointed it processor in accordance with the provisions of article 28 of the Regulation.
SECTION 5 – SUBJECTS TO WHOM PERSONAL DATA MAY BE DISCLOSED
Your Personal Data may be disclosed to specific subjects considered recipients of such Personal Data, being understood as such those natural or legal persons, public authority, agency or another body, whether or not a third party, which receive personal data communications.
Accordingly, in order to correctly carry out all the Processing activities necessary to pursue the purposes referred to in this Privacy Policy, the following Recipients may be in a position to process your Personal Data:
- third parties that on behalf of the Controller or the Joint Controllers carry out part of the Processing and/or related activities instrumental to such processing. These subjects have been appointed as processors, i.e. natural or legal persons, public authority, agency or another body that processes Personal Data on behalf of the Controller;
- individuals, employees and/or consultants of the Controller or the Joint Controllers, to whom have been entrusted specific and/or additional Processing activities of your Personal Data. Specific instructions have been given to these individuals regarding the security and correct use of the Personal Data and are identified as persons authorized to process Personal Data under the direct authority of the Controller or the Processor;
- third parties carrying out processing activities and/or activities connected and instrumental to it as independent controllers, including but not limited to consultancy companies, freelancers, credit institutions, insurance companies, third-party corporations and/or part of the FIMER Group;
- when it is required by law or to prevent or repress the commission of an offense, your Personal Data may be disclosed to Public Entities or to the judicial Authority without the need that such be considered Recipients. The Regulation establishes, in fact, that public authorities that receive information of Personal Data as part of a specific investigation conducted in accordance with the law of the European Union or of the Member States are not considered Recipients .
SECTION 6 - PERSONAL DATA STORAGE PERIOD
One of the principles applicable to the processing of your Personal Data concerns the limitation of the retention period, governed by article 5, paragraph 1, point e) of the Regulation which provides that "Personal Data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with article 89, paragraph 1, subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject".
In light of this principle, your Personal Data will be processed by the Controller only for the period necessary to pursue the purposes referred to in Section 3 of this Privacy Policy. In particular, we will keep your Personal Data for a period of time equal to the minimum necessary, as indicated by Recital 39 of the Regulation, for example, if the legal basis of the processing is a contract entered into between you and the Controller, we will keep your data up to ten years from the termination of the contractual relationships between you and the Controller, subject to a further retention period which may be imposed or permitted by law as also provided for in Recital 65 of the Regulation.
With regard to the processing for the realization of the purposes referred to in this Privacy Policy and for which consent has been requested, the Joint Controllers may lawfully process your Personal Data until you communicate, in one of the ways provided for in this Privacy Policy, your willingness to withdraw your consent to one or all the purposes for which your consent has been requested. Any withdrawal of consent will de facto require the Joint Controllers to cease the processing of your Personal Data for these purposes.
SECTION 7 - OBJECTION TO THE PROCESSING AND WITHDRAWAL OF THE CONSENT PROVIDED
As required by the Regulation, if you have given your consent to the processing of your Personal Data for one or more purposes for which it has been requested, you can, at any time, withdraw it totally and/or partially without affecting the lawfulness of the processing based on the consent given before the withdrawal.
Furthermore, you can object, at any time, to the processing of your personal data for the following cases:
a) where processed for direct marketing purposes ;
or
b) for reasons related to your particular situation in those cases where your Personal Data are processed on the basis of a legitimate interest of the Controller, the Joint Controllers or third parties, unless subsist mandatory legitimate interests to proceed with the Processing that prevail over your interests, rights and freedoms or when the processing is necessary for the assessment, exercise or defense of a right in court.
The methods to withdraw your consent and to exercise the right to object are very simple and intuitive: just contact the Controller and/or the companies that are Joint Controllers and/or use the contact means listed in Section 2 of this Privacy Policy.
In addition to the above and for simplicity, if you receive advertising e-mail messages from the Joint Controllers that are no longer of your interest, simply click on the unsubscribe button located at the bottom of the message to avoid receiving any additional communications or, if such bottom is not present, use the additional contact channels made available by the Controller or by the Joint Controllers.
SECTION 8 - THE RIGHTS OF THE INTERESTED PARTIES
As required by the Regulation, you can exercise the following rights at any time with respect to the Controller and or the Joint Controllers:
- Right of access: pursuant to article 15 of the Regulation, you will have the right to obtain from the Controller and/or from the Joint Controllers confirmation as to whether or not your Personal Data is being processed, the access to such Personal Data and to the following information: a) the purposes of the Processing; b) the categories of Personal Data concerned; c) the Recipients or categories of Recipients to whom your Personal Data have been or will be disclosed, in particular if Recipients of third countries or international organizations ; d) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right of the Data Subject to request the Controller and/or the Joint Controllers the rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing; f) the right to lodge a complaint with a supervisory authority; g) where the Personal Data are not collected from the Data Subject, any available information as to their source; h) the existence of an automated decision-making process, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such Processing for the Data Subject. All of this information can be found in this Privacy Policy which will always be available to you in the Privacy section of each of the Websites.
- Right of rectification: you can obtain, in accordance with article 16 of the Regulation, the rectification of inaccurate Personal Data that concerns you. Taking into account the purposes of the Processing, moreover, you will be able to update and/or supplement your Personal Data that is incomplete, also by providing a supplementary statement.
- Right to erasure: pursuant to article 17 of the Regulation, you can obtain the erasure of your Personal Data without undue delay and the Controller and/or Joint Controllers shall have the obligation to erase your Personal Data, when one of the following grounds apply: a) the Personal Data are no longer necessary in relation to the purposes for which there were collected or otherwise processed; b) you have withdrawn the consent on which the processing of your personal data is based and where there is no other legal ground for the processing; c) you objected to the processing pursuant to article 21, paragraph 1 or 2 of the Regulation and there is no longer any legitimate overriding grounds for the processing of your Personal Data; d) your Personal Data have been unlawfully processed; e) it is necessary to erase your Personal Data to comply with a legal obligation in Union or Member State law. In some cases, as provided for by article 17, paragraph 3 of the Regulation, the Controller and/or the Joint Controllers may not delete your Personal Data if the processing is necessary, for example, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, for archiving purposes in the public interest, scientific or historical research or statistical purposes, or for establishment, exercise or defence of legal claims.
- Right to restriction of processing: you can obtain restriction of the processing, in accordance with article 18 of the Regulation, if one of the following applies: a) you have contested the accuracy of your Personal Data (the restriction will continue for the period necessary for the Controller and/or Joint Controllers to verify the accuracy of such Personal Data); b) the processing is unlawful but you have opposed the erasure of your Personal Data having, instead, requested the restriction of its use; c) even if the Controller and/or the Joint Controllers no longer need your Personal Data for the purposes of the Processing, your Personal Data are required for the establishment, exercise or defence of legal claims; d) you have objected to the processing pursuant to Article 21, paragraph 1, of the Regulation pending the verification whether the legitimate grounds of the Controller and/or Joint Controllers override yours. When processing has been restricted, your Personal Data will only be processed, with the exception of storage, with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you, in any case, before the restriction is lifted.
- Right to data portability: you can, at any time, request and receive, in accordance with article 20, paragraph 1 of the Regulation, all your Personal Data processed by the Controller and/or by the Joint Controllers in a structured, commonly used and machine-readable format and to request its transmission to another controller without hindrance. In this case, it will be your responsibility to provide us with all the exact details of the new controller to which you intend to transfer your Personal Data by providing us with written instructions and authorization.
- Right to object: pursuant to article 21 of the Regulation, you can object, at any time, to the processing of your personal data a) for direct marketing purposes, including profiling to the extent that it is related to this direct marketing, or b) for reasons related to your particular situation, if your Personal Data are processed on the basis of the legitimate grounds of the Controller, of the Joint-Controllers or of third parties, unless there are binding legitimate grounds to proceed with the Processing which override your interests, rights and freedoms or that the Processing is necessary for the assessment, exercise or defense of a right in court.
To exercise all your rights as identified above, simply contact the Controller and/or the Joint Controllers in the manner indicated in Section 2 of this Privacy Policy.
Furthermore, you have the right to lodge a complaint with the supervisory authority: subject to your right to appeal to any other administrative or jurisdictional venue, if you believe that the processing of your Personal Data carried out by the Controller and/or by Joint Controllers infringes the Regulation and/or the applicable norms, you can lodge a complaint with the Supervisory Authority for the Protection of Personal Data or with any other competent supervisory Authority.
SECTION 9- PLACES OF PERSONAL DATA PROCESSING AND GUARANTEES ADOPTED IN THE EVENT OF TRANSFER ABROAD.
Your Personal Data will be processed by the Controller and/or by the Joint Controllers within the territory of the European Union.
If for reasons of a technical an/or operational nature it is necessary to make use of subjects located outside the European Union, we inform you right now that these subjects, when processing Personal Data on behalf of the Controller and/or the Joint Controllers, will be appointed Processors pursuant to and for the purposes of article 28 of the Regulation and that the transfer of your Personal Data to these subjects, limited to the performance of specific Processing activities, will be regulated in accordance with the provisions of the chapter V of the Regulation. Therefore, all necessary precautions will be taken in order to guarantee the most complete protection of your Personal Data basing
this transfer:
a) on adequate decisions regarding the recipient third countries expressed by the European Commission;
b) on standard data protection clauses adopted by the European Commission;
c) on the adoption of binding corporate rules.
In any case, you can request more details from the Controller and/or from the Joint Controllers if your Personal Data have been processed outside the European Union, requesting evidence of the specific safeguards adopted.