Regulation (EU) 2016/679 (hereinafter also "GDPR" or "Regulation") provides for the protection of natural persons in relation to the processing of personal data. According to this legislation, the processing of personal data referring to a subject, in particular to the data subject (hereinafter also the "Data Subject"), is based on principles of correctness, lawfulness and transparency, as well as of the protection of the privacy and rights of the Data Subject him/herself.
This is to inform you that pursuant to art. 13 et seq. of the GDPR, Fimer S.p.A., in its capacity as data controller (hereinafter also referred to as "Fimer S.p.A.", "Controller" or the "Company"), will carry out the processing of your personal data provided by you in compliance with the aforementioned legislation, with the utmost care, implementing effective management procedures and processes to ensure the protection of the processing. To this end, Fimer S.p.A., by using substantial and management procedures to safeguard the data collected, undertakes to protect the information provided, so as to prevent unauthorized access or disclosure and to ensure appropriate use of such information. In compliance with this premises, the following information is provided:
1) Personal data collected
Fimer S.p.A., as Controller, uses your personal data to operate at its best in exercising its activity. Therefore, you may be requested, even if only in part, to provide the following data (hereinafter also referred to as "Personal Data"):
a) personal biographical data, VAT number, business name, registered office, residence and domicile;
b) contact details (in particular mobile phone number and e-mail address), for technical assistance activities;
c) data to better define the relationship with our structure and to make our collaboration, operational efficiency and technical assistance more effective.
2) Personal Data storage periods
One of the principles applicable to the processing of your Personal Data concerns the limitation of the storage period, regulated by article 5, paragraph 1, point e) of the Regulation, which provides that "Personal Data is kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed; Personal Data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, for scientific or historical research or statistical purposes, in accordance with article 89(1), subject to implementation of appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject".
In light of this principle, your Personal Data will be stored for the entire duration of the relationship with our Company but, in any case, no longer than 2 years from the expiry of the warranty period of the products produced by the Controller, or, if the processing is aimed at commercial or promotional activities (as better specified in clause no. 3 below), for 60 months after it is collected.
If, during the course of the contractual relationship, we process data that do not concern administrative and/or accounting formalities, such data will be stored for the time necessary to achieve the purpose for which they were collected and will then be cancelled.
3) Processing purposes for which the Personal Data are intended
The main purpose of the processing of your Personal Data is to allow a regular establishment and/or development, as well as a proper administration, of the relationship specified in the premises. In particular, the processing has the following purposes:
A. customer management;
B. management of technical and commercial assistance to customers;
C. internal control services (safety and productivity of the products and services provided by Fimer S.p.A.);
D. participation in event/meeting/conference/webinar organized by Controller;
E. fulfilment of legal obligations, as well as to fulfil the administrative, insurance and fiscal obligations provided for by the current legislation and, also, to meet accounting and commercial purposes or, again, to regularly fulfil contractual and legal obligations arising from the legal relationship with the Data Subject;
F. management of direct marketing commercial activities, to be understood, by this term, as the performance of marketing activities aimed at promoting products, services, sold and/or provided by the Controller;
G. promotional activities, to be understood, with this term, the performance, through the use of the e-mail details provided by you in the context of previous purchases or contractual relationships, of promotional activities by the Controller. This category includes activities carried out to promote products, services, sold and/or provided by the Controller that are in line with those you have already purchased.
H. assessing the level of customer satisfaction.
The methods of contact aimed at direct marketing activities, as provided in point F. above, may be either automated (email, sms, mms, whatsapp, telegram) or traditional (telephone calls with operator, postal items). In any case, and as better specified below in clause n. 8, you may withdraw your consent, even partially, for example by consenting only to traditional contact methods.
4) Mandatory or optional nature of the provision of Personal Data and consequences of a possible refusal to provide such data
The provision of your data for the purposes referred to under paragraphs A., B., C., D. and E. of the above clause is mandatory, since it is necessary in order to carry out the activities indicated therein. Any refusal to provide the data in question will make it impossible for the Data Controller to fulfil its obligations or to provide the services requested, including those relating to technical assistance.
The consent to the processing of personal data for the purposes described in the subsequent paragraphs F. and H. is, however, optional and it will be carried out only with your prior consent, which must necessarily comply with the conditions set out in Article 7 of the Regulation, thus determining the lawfulness of the processing of your Personal Data.
With regard to the purpose referred to in point G. of clause no. 3 above, it should be specified that, pursuant to Article 6, paragraph 1, point f) of the Regulation, the Data Controller may carry out this activity based on its legitimate interest, regardless of your consent and, in any case, until your opposition to such processing as better explained in Recital 47 of the Regulation in which it is "considered a legitimate interest to process personal data for direct marketing purposes". This will be possible as a result of the assessments made by the Data Controller regarding the possible and possible prevalence of your interests, rights and fundamental freedoms over your legitimate interest.
5) Processing Methods
Pursuant to and in accordance with articles 13 et seq. of the GDPR, we hereby inform you that the Personal Data you provide will be recorded, processed and stored in our archives, both paper and electronic means, in compliance with the appropriate technical and organizational measures provided by art. 32 of the GDPR. These measures, however, due to the nature of the online means of transmission, cannot limit or totally exclude any risk of unauthorized access or dispersion of data. To this end, it is recommended that you periodically check that your computer is equipped with software devices adequate to protect network data transmission, both incoming and outgoing (such as updated antivirus systems) and that your Internet service provider has adopted adequate measures for the security of network data transmission (such as firewalls and antispam filters).
The processing of your Personal Data may consist of any operation or set of operations among those ones indicated in art. 4, first paragraph, sub-paragraph 2 of the GDPR.
The processing of Personal Data will be carried out, in any case, through the use of tools and procedures suitable to ensure their protection and confidentiality and may be carried out, directly and/or through delegated third parties, either manually by means of paper supports, or with the use of automated means or electronic means.
6) Communication and disclosure
Your Personal Data may be disclosed to specific subjects considered recipients of such Personal Data. In fact, Article 4, point 9) of the Regulation, defines the recipient of Personal Data as "the natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not" (hereinafter the "Recipients").
Accordingly, in order to correctly carry out all processing activities necessary to pursue the purposes referred to in this Informational Statement, the following Recipients may find themselves in a position to process your Personal Data:
- third parties that carry out part of the processing activities and/or activities connected and instrumental to such processing on behalf of the Controller. These subjects have been appointed as data processors, which, pursuant to article 4, point 8) of the Regulation, shall be understood as "the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (hereinafter the "Processor");
- individuals, employees and/or consultants of the Controller, who have been entrusted with specific and/or multiple processing activities of your Personal Data. Such third-party individuals have been given specific instructions on the security and correct use of Personal Data and are identified, pursuant to Article 4, point 10) of the Regulation, as "persons who under the direct authority of the controller or processor, are authorised to process personal data" (hereinafter the "Authorised Persons").
The above-mentioned operators will be provided only with the information necessary to provide the services commissioned and will be required to observe the confidentiality, prohibiting the use of the data provided for purposes other than those agreed upon.
- Where required by law or to prevent or repress the commission of a crime or offense, your Personal Data may be disclosed to public entities or judicial authorities without the need that such be considered Recipients. In fact, according to article 4, point 9) of the Regulation, "public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients".
7) Transfer of Personal Data abroad
Your Personal Data will be processed by the Controller within the territory of the European Union.
If, for technical and/or operational reasons, it is necessary to make use of third-parties located outside the European Union, we hereby inform you that such third-parties will be appointed as Processors pursuant to and for the purposes of article 28 of the Regulation and that the transfer of your Personal Data to such third-parties, limited to the performance of specific processing activities, will be regulated in accordance with the provisions of Chapter V of the Regulation. Therefore, all necessary precautions will be taken in order to guarantee the fullest protection of your Personal Data, basing such transfer on: (a) adequate decisions regarding the recipient third countries expressed by the European Commission; (b) adequate guarantees expressed by the recipient third party pursuant to Article 46 of the Regulation; (c) the adoption of binding corporate rules.
8) Withdrawal of consent given by you
As provided for in the Regulation, if you have given your consent to the processing of your Personal Data for one or more purposes for which it has been requested, you may, at any time, withdraw it totally and/or partially without prejudice to the lawfulness of the processing based on the consent given before the withdrawal.
The procedures to withdraw your consent are very simple and intuitive, you only need to contact the Controller using the contact channels listed in this Information Statement and respectively in clause no. 11 below.
In addition to the above and for the sake of simplicity, if you were to receive e-mail messages that are no longer of interest to you, simply click on the unsubscribe button located at the bottom of the message to no longer receive any communications even through the additional contact channels for which your consent had been obtained (SMS, MMS, paper mail, telephone calls).
9) Rights referred to in Articles 15 et seq. GDPR
As provided for in Article 15 et seq. of the Regulation, you may access your Personal Data, request its rectification and updating, if incomplete or incorrect, request its erasure if it has been collected in violation of a law or regulation, and object to its processing for legitimate and specific reasons. In particular, here below you will find all your rights that you may exercise, at any time, against the Controller:
- Right of access: you will have the right, in accordance with article 15 of the Regulation, to obtain confirmation from the Controller as to whether or not your Personal Data is being processed and, if so, to obtain access to such Personal Data and the following information: a) the purposes of the processing; b) the categories of Personal Data concerned by the processing; c) the Recipients or categories of Recipients to whom your Personal Data has been or will be disclosed, in particular in case of Recipients from third countries or international organisations; d) where possible, the envisaged period for which the Personal Data will be stored or, if this is not possible, the criteria used to determine that period; e) the existence of the right of the Data Subject to request the Controller the rectification or erasure of Personal Data or to restrict the processing of Personal Data concerning you or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where Personal Data are not collected from the Data Subject, any available information as to their source; h) the existence of an automated decision-making process, including profiling and, at least in such cases, meaningful information on the logic involved, as well as the significance and envisaged consequences of such processing for the Data Subject.
- Right of rectification: in accordance with article 16 of the Regulation, you may obtain the rectification of your Personal Data that is inaccurate. Considering the purposes of the processing, you may also update and/or integrate your Personal Data that is incomplete, also by providing a supplementary statement.
- Right to erasure: in accordance with article 17 of the Regulations, you may obtain the erasure of your Personal Data without undue delay and the Controller shall have the obligation to erase your Personal Data, if one of the following grounds apply: a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) you have withdrawn the consent on which the processing of your Personal Data is based and where there is no other legal ground for their processing; c) you have objected to the processing pursuant to Article 21, paragraph 1 or 2 of the Regulation and there is no longer any compelling legitimate ground to process your Personal Data; d) your Personal Data has been processed unlawfully; e) it is necessary to erase your Personal Data in order to comply with a legal obligation by a Union or Member State law. In some cases, as provided for by article 17, paragraph 3 of the Regulation, the Controller is entitled not to delete your Personal Data if the processing is necessary, for example, for the exercise of the right to freedom of expression and information, for the fulfilment of a legal obligation, for reasons of public interest, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
- Right to restriction of processing: you can obtain the restriction of the processing, in accordance with Article 18 of the Regulation, if one of the following applies: a) you have contested the accuracy of your Personal Data (the restriction will continue for the period necessary for the Controller to verify the accuracy of such Personal Data); b) the processing is unlawful but you have opposed to the erasure of your Personal Data requesting, instead, that its use be restricted; c) although the Controller no longer needs your Personal Data for the purposes of processing, your Personal Data are required to establish, exercise or defend a legal claim; d) you have objected to the processing pursuant to article 21, paragraph 1, of the Regulation pending the verification of whether the legitimate grounds of the Controller override yours. When processing has been restricted, your Personal Data will be processed, except for storage, only with your consent for the establishment, exercise or defence a legal claim or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you, in any event, before the restriction is lifted.
- Right to data portability: you can, at any time, request and receive, in accordance with Article 20, paragraph 1 of the Regulation, all your Personal Data processed by the Controller in a structured, commonly used and machine-readable format and/or request its transmission to another controller without hindrance. In this case, it will be your responsibility to provide us with all the exact details of the new controller to which you intend to transfer your Personal Data by providing us with written instructions and authorisation.
- Right to object: in accordance with article 21 of the Regulation, you can object, at any time, to the processing of your Personal Data a) if it is processed for direct marketing purposes or b) for reasons related to your particular situation, if your Personal Data is processed on the grounds of the legitimate interest of the Controller, unless there are compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing is necessary to establish, exercise or defend a legal claim.
10) Identification details of the Holder
The company that will process your Personal Data for the purposes specified in clause no. 3 of this Information Statement and that, therefore, will act as data controller according to the relevant definition contained in Article 4 at point 7) of the Regulation, "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" is Fimer S.p.A. with operational headquarters in Via San Giorgio, 642, Terranuova Bracciolini, 52028 Arezzo.
11) Exercise of rights
To exercise all your rights as identified above in clause no. 9 above, simply contact the Controller in one of the following ways:
- by writing to the Privacy Office of Fimer S.p.A., at its operational headquarters in Via San Giorgio, 642, Terranuova Bracciolini, 52028 Arezzo;
- by sending an e-mail to the mailbox email@example.com to the kind attention of the Privacy Office of Fimer S.p.A..