General informative notice on the processing of customer and supplier data
pursuant to articles 13 and 14 of the EU Regulation 679/2016
El.En. s.p.a., with registered office at Via Baldanzese, No. 17 – 50041 Calenzano (FI) – Italy, TAX and VAT No. 03137680488, Tel. 055 8826807, e-mail firstname.lastname@example.org (herein after referred to as the “Data Controller”) intends to inform all customers and suppliers (hereinafter referred to as “Data Subject”), on the processing of their personal data, pursuant to the combined provisions of art. 13 of the Legislative Decree no. 196/2003 (“Privacy Code”) and of article 13 of European Regulation No. 679 of 2016 (“Privacy Regulation”).
Please note that, according to the Privacy Regulation, such processing shall be based on principles of correctness, lawfulness, transparency and the protection of your privacy and your rights.
- Purposes of processing
A) Without express consent (art. 6 b) and e) Privacy Regulation) for the following purposes:
- to provide information requested;
- to fulfil obligations required by law, rules, European regulations or authorities;
- to fulfil pre-contractual, contractual and fiscal obligations deriving from the business relationships entered into;
- to exercise the data controller’s rights (e.g. the right to legal defence in the event of non-fulfilment of contractual obligations);
- to facilitate the administrative/accounting management of the company;
- to facilitate the management of activities relating to the purchase of goods and services for business purposes;
- to facilitate the sale/hire/invoicing of products and/or the provision of services;
- to manage any complaints or disputes.
The processing has a legal basis related to the fulfilment of the contract between the parties, to compliance with the law and to the satisfaction of a request by the Data Subject concerned. Thus, the provision of data is mandatory for the purposes of initiating and managing contracts, and is necessary in order to satisfy any requests of the Data Subject. Refuse to provide such data may result in failed or partial performance of the contract, and/or failure to continue the contractual relationship.
B) Only with declared consent (art. 7 Privacy Regulation):
- to allow subscription to the data controller’s newsletter and any other services required;
- to carry out marketing activities such as the sending of promotional and advertising material about products and services offered by the Data Controller also by email, mms and text message;
- to carry out marketing activities such as the sending of promotional and advertising material about products and services offered by third parties (e.g. business partners; insurance companies; etc.).
Please note that providing data for the purposes describe in clause B) is optional and failure to provide them or to authorise their processing will preclude sending newsletters, commercial communications and/or advertising materials. In any case and at any time, you may revoke your consent.
Please be notified that if you are already one of our customer we may send commercial communications relating to the data controller’s services and products similar to those you have already used, subject to your dissenting (art. 130, clause 4 Italian Legislative Decree No. 196/2003).
- Processing methods and security measures
The processing of personal data will be based on correctness, lawfulness and transparency, protecting your privacy and your rights and will be done by appropriate means and procedures that guarantee security and confidentiality.
The processing methods of your personal data involve the use of manual and telematics tools, with logics that are appropriate to ensure an adequate level of security.
In particular, your personal data may be processed in the following ways:
- Outsourcing of processing operations;
- Creating profiles for customers and suppliers;
- Data collection during events and/or exhibitions;
- Processing with electronic calculators;
- Processing with paper files.
All processing takes place in accordance with the modalities laid down in articles 6 and 32 of the Privacy Regulation and through appropriate security measures.
- Policy on the retention of personal data
Data Controller, in accordance with the principles of legality, purpose limitation and data minimisation, pursuant to art. 5 of Privacy Regulation, saves and processes personal data for as long as necessary to fulfil the stated purposes. As a general principle, therefore, the personal information will be retained for the entire period of validity of the contractual relationship with the Data Subject. Brought down the contractual relationship and, with it, its processing purposes, the Data Controller shall be entitled to maintain further personal data, in whole or in part, for certain purposes, as specifically requested by explicit law provisions (for example the obligation to keep accounting records for a period of 10 years, provided for in art. 2220 c.c.) or to establish or defend a legal claim.
For the purposes of marketing personal data may be kept for a period of 24 months from 25 may 2018, unless renewal thereof (expect the opposition to receive further communications). The Data Controller shall, every two years from the data of publication of this notice, to request the renewal of consent.
- Optional or mandatory nature of consent
Providing data is necessary for the establishment, implementation and proper management of the contractual relationship and is also required for the fulfilment of legal obligations.
Therefore, the failure of personal data makes impossible to establish and execute the contract.
The provision of personal data for the purposes of art. 1.B) is optional. The Data Subject can decide not to give any information or to deny then the possibility to treat data already provided: in this case, he/she won’t get newsletters, marketing communications and advertising materials, relating to the services offered by the Data Controller. He/she will still have the right to get the services under art. 1.A).
- Access to personal data and to whom these can be communicated
Personal data may be brought to the attention of:
- Data Controller’s employees or collaborators, that are formally appointed and authorized to process and their receive opportune operational instructions in this regard;
- External companies and third parties which Data Controller may make use of in relation to the managements of the contractual relationship with customers and suppliers or for its own organisational needs and its activities (e.g. IT service suppliers, consultants, agents, etc.);
- Other companies of the El.En. Group.
Pursuant to art. 6 of the Privacy Regulation, without the express consent of the Data Subjects the Data Controller can disclose the personal data to the supervisory bodies, judicial authorities and all other persons to whom that kind of communication is required by law and to the accomplishment of the purposes of art. 3. These subjects will process personal data as autonomous Data Controllers.
Personal data will not be disseminated.
- Data transfer
Appropriate El.En. S.p.a. could transfer personal data collected through the Site to other companies of the El.En. Group or to third parties located in other countries, even outside the European Union, which does not offer the same level of protection of personal data. The European Commission puts the countries deemed “adequate”, namely those that preparing an adequate protection, in a separate list, which can be viewed at: https://www.garanteprivacy.it/home/provvedimenti-normativa/normativa/normativa-comunitaria-e-intenazionale/trasferimento-dei-dati-verso-paesi-terzi#1.
Transfers of personal data outside the European Union and to countries not belonging to the above list, will be carried out exclusively under specific agreements between El.En. S.p.a. and the companies involved, through the use of tools accepted by the European Commission.
- Rights of the Data Subject
Pursuant to articles 15-22 of Privacy Regulation, the data subject is entitled:
- To be inform of:
- The source of the personal data;
- The processing purposes and methods;
- The logic applied when data are processed using electronic equipment;
- The identity of the data controller, data processors and designated representative pursuant to article 5;
- The parties or categories of parties to whom the personal data may be communicated;
- To obtain:
- The updating, rectification or, where he/she wishes, the integration of the data;
- The cancellation, anonymization, or blocking of data processed unlawfully, including data that does not need to be retained for the purposes for which it was collected or subsequently processed;
- Certification that the activities mentioned above, including their content, have been notified to those to whom the data was disclosed, unless this requirement proves impossible or implies manifestly disproportionate measures with respect to the protected right;
- Data portability: the right to receive personal data in a structured, commonly used and automatically readable format, and to transmit such data to another data controller, only for cases where the processing is based on consent and for only data processed by electronic means;
- To oppose, in whole or in part:
- For legitimate reasons, to the processing of his/her personal data, even if it is pertinent for collection purposes;
- To the processing of his/her personal data for the purpose of sending advertising materials or for carrying out market researches or promotional communications.
To exercise your rights, simply contact the Data Controller by sending:
- To be inform of:
Your data will not be subjected to any form of automated processing.
- Data Controller, Data Processors and Data Protection Officer
The Data Controller is El.En. s.p.a., registered office in Via Baldanzese no. 17, 50041 Calenzano (FI), TAX e VAT No.03137680488, Tel. 055 8826807, e-mail email@example.com
The Data Protection Officer can be contacted at the following e-mail address: firstname.lastname@example.org.
The updated list of designated Data processors can be provided on request by the interested parties and/or users.
Last amendment 12 July 2018