1. Data Controller
Giesse SpA, VAT number 00581811205 with registered office at Via Tubertini 1 – 40054 Budrio (BO).
2. Categories of data processed
2.1 Data processed during the contractual relationship
The personal data provided by the contractual counterparty (“Data subject”) at the signing of the agreement with the Company and/or in the framework of the supplier homologation questionnaire (“supplier homologation questionnaire”) and/or in the framework of audits (“supplier meeting report”), such as by way of example the personal information, place of birth, residence, fiscal code and/or VAT number, telephone number/e-mail address, banking details and their subsequent variations as well as further data that will be provided by the Data subject or collected by the Company during the contractual relationship (“Personal Data” or ”Data”) are processed by the Company. All such information shall be deemed Personal Data pursuant to the applicable legislation as far as it directly or indirectly refer to identified or identifiable natural persons (for example, directors, employees, managers, collaborators, consultants of the contractual counterparty). For example the VAT number of a legal person does not fall within the definition of Personal Data.
2.2 Data processed during marketing activities
The personal data (“Personal Data” or “Data”) provided by the user (“Data subject”) or that the Company collects during his or her browsing on the Website, are processed by the Company.
Data provided by the Data subject: this mainly relates to the Data collected during the interactions with the Company through the forms in the Website or when subscribing to the Newsletter. This Data includes name, surname, e-mail address and telephone number.
Other Data processed: this mainly relates to the Data collected when browsing on the Website, such as IP address, the operating system of the browser used, the contents clicked and the webpages visited.
3. Purpose of the Processing, legal base and consequences for failing to provide the Data
3.1 Data processed during the contractual relationship
The Data are processed by the Company for the following purposes:
to fulfil legal and administrative obligations to which the Company is subject. A possible failure to provide the Personal Data for the fulfilment of the specified purposes will make impossible for the Company to start or continue the contractual relationship with us;
to sign and manage the contractual relationship with the Company. For this purpose, the Personal Data will be processed also in the context of the activities of: administration, accounting, contract management, services, billing/payments, auditing and certification of the mandatory/voluntary balance sheet, assignment or anticipation of credits, as well as to fulfil other obligations arising from the Agreement with the Company. The provision of Personal Data is necessary for the conclusion and the performance of the Agreement. A possible failure to provide the Personal Data for the fulfilment of the specified purposes, will make impossible for the Company to start or continue the contractual relationship with us.
The processing of the Personal Data may also take place to manage possible disputes or in the context of possible corporate events (sale of company or going concern) and in the execution of the due diligence exercise. Such possible processing could be carried out on the basis of a legitimate interest of the Company, which intends to safeguard its interest and rights as acknowledged by the applicable laws as well as carry out the most suitable business operations in order to improve the offered products and services.
Always on the basis of the legitimate interest of the Company, persons authorized by the Company may contact the interested persons in the context of the contractual counterparty, for purposes relating to the Agreement and to assess further possibilities of commercial collaboration, also in relation to specific characteristics of the contractual counterparty and of its staff.
3.2 Data processed during marketing activities
The Data are processed by the Company for the following purposes;
to allow Data subjects to be updated on our products, through (i) direct marketing of goods and services, (ii) the newsletter, (iii) the distribution of information material, (iv) the organization and promotion of events and (v) the sending of questionnaires relating to the degree of customer satisfaction;
to allow Data subjects to receive personalized information, and therefore tailored for their profile and interests;
to allow Data subjects to receive commercial communications referred to in letters a) and/or b) also from other companies of SchlegelGiesse group.
The processing of Data for the purposes set out under points a), b) and c) is optional, and is subject to consent by the Data subject. The possible failure to provide such Data will result in the impossibility to communicate any commercial initiative and offer from the Company and/or from the companies of SchlegelGiesse group to the Data subject, as well as to receive commercial information deemed relevant for his or her profile.
The processing of the Personal Data may also take place to manage possible disputes. Such possible processing could be carried out on the basis of a legitimate interest of the Company, which intends to safeguard its interest and rights as acknowledged by the applicable laws.
4. Processing modalities and Data retention period
4.1 Data processed during the contractual relationship
The data are processed mainly at the Company by electronic and manual means suitable to guarantee the security and confidentiality. In particular, they may be processed with the following modalities:
collection of data from the Data subject;
collection of data from registers, list of documents or public documents;
record and processing through traditional means (paper);
record and processing through IT means;
automated and non-automated organisation of the archives.
The Personal Data will be retained in accordance with applicable legal provisions, for as long as necessary to fulfil the purposes for which they are processed. The criteria to determine the retention period of the Data take into account the allowed processing period and the applicable tax laws, statute of limitations period and the nature of the legitimate interests where they constitute the legal basis of the process.
Pursuant to the applicable legislation, the Personal Data could be retained for a longer period than that originally provided, in case of eventual disputes or requests of the relevant Authorities.
4.2 Data processed during marketing activities
The communications for the purposes set out under paragraph 3.2 may be carried out by means of e-mail, sms, mms, mail as well as any other current and future communication mean, provided that the Data subject may object to the processing through one or all such means of communication.
Data are processed mainly at the Company by electronic and manual means suitable to guarantee security and confidentiality. In particular, they may be processed with the following modalities:
collection of data from the data subject;
record and processing on paper support;
record and processing on information technology support;
automated and non-automated organisation of the archives.
Data will be retained in accordance with currently applicable legal provisions, for as long as necessary to fulfil the purposes for which they are processed. Lacking specific rules which regulate the retention period for the purposes listed in this Policy, the Company will use Personal Data for the abovementioned marketing purposes for an appropriate period of time in accordance with the interests that the Data subject has shown in the promotional initiatives, such period being 5 years. In any case the Company will adopt any arrangement in order to avoid a use of the Data for an indefinite period of time, and from time to time will verify, in an appropriate manner, the existence of the Data subject interest in relation to the processing for marketing purposes, as specified above.
5. Data communication and transfer
The Personal Data will be made available to those authorized to process them within the Company only where necessary and for the purposes for which the processing is allowed.
5.1 Data processed during the contractual relationship
Solely for the purposes indicated, the Personal Data may be communicated by the Company to the competent Judicial Authorities, where necessary, and to the following categories of subjects:
bank and credit institutions;
tax advisors, auditors and accountants;
credit recovery companies;
companies that detect financial risks and that perform fraud prevention activities;
public administrations and supervisory and control Authorities;
car rental companies;
companies that provide IT services;
companies that provide security and surveillance services;
controlling companies and/or connected to the Company.
With reference to the Personal Data communicated to them, entities belonging to the categories listed above may operate, depending on the cases, as data processors (and in this case they will receive appropriate instructions from the Company) or as separate data controller. In the latter case, the Personal Data will be communicated only with the express consent of the Data subjects, except where the communication is mandatory or necessary pursuant to law or for the pursue of purposes for which the consent from the Data subject is not required.
Where this is instrumental for the pursue of the purposes set out under paragraph 3.1, the Data may be transferred abroad to companies having their headquarters both inside and outside the European Union. Some of this jurisdictions may not provide the same level of Data protection as provided by the laws of the country where the Data subject is resident. In this case, the Company undertakes to process the Date with the highest confidentiality entering into agreements, where necessary, that guarantee an appropriate level of protection and/or using standard contractual clauses approved by the European Commission.
5.2 Data processed during marketing activities
Solely for the purposes here indicated, the Data may be communicated by the Company to the competent Judicial Authorities, where necessary, and to the following categories of subjects:
companies that supply IT services;
marketing services suppliers;
controlling companies and/or associated companies.
Where this is necessary to pursue the purposes set out under paragraph 3.2, the Data may be transferred abroad to companies having their headquarters both inside and outside the European Union. Some of these jurisdictions may not provide the same level of Data protection as provided by the laws of the country where the data subject is resident. In this case, the Company undertakes to process the Data with the highest confidentiality entering into agreements, where necessary, that guarantee an appropriate level of protection and/or using standard contractual clauses approved by the European Commission.
6. Existence of an Automated Decision Process
There is no automated decision process in place relating with the Data.
7. Data subject’s rights
In any moment, the Data subject will be entitled to:
obtain from the Company the confirmation that a processing of his/her Personal Data is or is not in place and, in such case, obtain the access to the information referred to in article 15 of the GDPR;
obtain the rectification of the inaccurate Data about you, or, taking into account the purposes of the processing, the integration of the incomplete Data;
obtain the erasure of his/her Data, in presence of one of the grounds referred to in article 17 of the GDPR, where applicable.
withdraw in any moment the consent in the event such consent has been previously granted. The withdrawal of the consent does not affect the lawfulness of the processing based on the consent previously given;
obtain a limitation on the processing of his/her Data in the event one of the cases referred to in article 18 of the GDPR occurs;
refuse the processing of his/her Data, on grounds relating to his/her particular position, where applicable;
receive in a structured format, of common useand legible from an automatic device the Data previously provided that relate to him/her, as well as transmit such Data to another data controller, in the cases and limits referred to in article 20 of the GDPR.
The Company may request additional information before processing requests if it needs to verify the identity of the individual submitting them.
Pursuant to the GDPR, the Company is not authorized to charge costs for fulfilling one of the requests listed in this paragraph, unless they are manifestly unfounded or excessive, and in particular they are repetitive. In cases where an Interested Party requires more than one copy of their personal data or in cases of excessive or unreasonable requests, the Company may (i) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested; or (ii) refuse to act on the request. In these cases the Company will inform the Data subject of costs before processing the request.
Such rights may be exercised sending:
- a communication via e-mail to info.GDPR@SchlegelGiesse.com.
Without prejudice to any other administrative or jurisdictional action, the Data subject has also the right to lodge a complaint with a Data Protection Authority, where he/she deems that the processing of his/her data is carried out in violation of the GDPR. Further information are available on the website http://www.garanteprivacy.it.