PRIVACY NOTICE PURSUANT TO ART. 13 AND 14 OF THE EUROPEAN REGULATION FOR THE PROTECTION OF PERSONAL DATA NO. 2016/679/EU (GDPR)
1. RESPECT FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA, AS WELL AS THE UNRESTRICTED CIRCULATION OF SUCH DATA
Fedrigoni S.p.A., the data controller (hereinafter referred to as "Fedrigoni") gives great value to respecting the privacy of its interlocutors and is committed to safeguarding it by applying the provisions that European and Italian law establish in this regard. By means of this document, Fedrigoni intends to disclose the procedures for the collection and use of personal data released by the interested party, as well as the procedures and rules that regulate its application.
2. SCOPE OF THE PRIVACY NOTICE
This notice applies to all personal data that Fedrigoni acquires through the Web Order and E.Commerce channels, and owns and uses for the performance of its activities. In some cases, Fedrigoni may suggest links to third-party websites to complete its business information. This Notice does not, however, extend to such websites; this is why visitors are invited to read the rules on the processing of data applied by these companies, especially before entering personal data.
3. DATA SOURCE
Fedrigoni acquires personal data from the interested party or from third parties (e.g. from the managers of social network sites). The types of information may include personal data, in the case of an individual, company name, name (when it is an integral part of the business name of the interlocutor), address, telephone number, e-mail address, billing information and all data necessary for the good performance of the usual commercial transactions. Fedrigoni allows visitors of its websites to include information about other individuals or companies (e.g. recipients of goods) in their orders, if it deems it necessary. Fedrigoni applies the same treatment adopted for direct users to the data of such third parties, as indicated in the following paragraphs.
4. CONSENT TO THE PROCESSING OF PERSONAL DATA
Fedrigoni processes the data in accordance with the principles set out in art. 5 of the GDPR: 1. on the basis of the consent (art. 6, first paragraph, letter a); 2. for the execution of a contract in which the interested party is a party or the execution of pre-contractual conditions adopted at the request of the same interested party (art. 6, first paragraph, letter b). After giving consent, the interested party can revoke it at any time by sending an email to: firstname.lastname@example.org. Withdrawal of consent does not affect the lawfulness of the treatment based on consent before revocation (art. 7, paragraph 3).
Fedrigoni does not accept the consent of children under 16, unless collected from the parents or those who exercise parental authority.
5. DATA COLLECTION
The data collected can be differentiated on the basis of the methods of acquisition and their use.
Data collected automatically
While browsing, the following information that qualifies the visitor can be collected and stored in the site log files:
- Internet protocol (IP) address;
- Type of browser;
- Parameters of the device used to connect to the website;
- Name of the Internet service provider (ISP);
- Date and time of visit;
- Web page of origin and exit of the visitor (referral);
- Possibly, the number of clicks.
These data are also used to analyse user trends and collect data in aggregate form for managing and ensuring site security.
Data provided voluntarily
The website can collect data in case of voluntary request of a service by users, such as consulting, communication and purchasing services, as follows:
- name and surname;
- email address;
- address of residence;
- GST number and/or tax code;
- company and head office;
- geographical location.
These data, provided voluntarily by the User at the time of requesting the service or inserting the request, will be used exclusively for the provision of the service requested and processed only for the time necessary for the provision of the service or execution of the contractual relationship.
6. COMMUNICATION AND DISCLOSURE OF PERSONAL DATA
Fedrigoni undertakes not to disclose personal information in its possession. Companies, individuals and/or professionals who provide services to Fedrigoni (e.g. commercial services, management services, information systems management, insurance, banking or non-banking intermediation, factoring, shipment management, enveloping and sending correspondence, credit management and protection) and who, for this reason, are aware of the data acquired by Fedrigoni, have the obligation to maintain confidentiality on all this information and are not authorised to use them outside the scope for which they were communicated to them.
7. PURPOSE OF COLLECTION
The data obtained by Fedrigoni are used to perform its business in a correct manner, including, although not in an exhaustive form:
- promotional activities, collection for statistical purposes, sending correspondence, publications, catalogues and invitations; promotional initiatives on products and/or services; market surveys;
- contacts and negotiations prior to the conclusion of a contract; execution of a plurality of deeds or set of operations necessary for the fulfilment of contractual obligations;
- execution in public or private bodies of the obligations connected or related to the contract; execution of legal obligations.
8. DATA STORAGE PERIOD
The data storage period is that strictly necessary to perform the purposes of the processing indicated in the previous paragraph, and in any case to meet the legal obligations deriving from the activities themselves.
9. RIGHTS OF THE INTERESTED PARTY
With regard to the data provided, the interested party may exercise, with the data controller, the rights provided for in articles from 15 to 21 of the GDPR, reported below:
Art. 15 - Right of access of the interested party
The interested party has the right to obtain from the data controller confirmation that personal data concerning them is or is not being processed and if it is, to obtain access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data in question;
- the recipients or categories of recipients to whom personal data have been or will be communicated, in particular if recipients of third countries or international organisations;
- whenever possible, the storage period of the personal data provided or, if not possible, the criteria used to determine this period;
- the existence of the right of the interested party to ask the data controller to modify or delete personal data or limit the processing of personal data concerning them or to oppose their processing;
- the right to make a complaint to a supervisory authority;
- if the data were not collected from the interested party, all information available on their origin;
- the existence of an automated decision-making process, including profiling, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party;
- if personal data are transferred to a third country or to an international organisation, the existence of adequate guarantees pursuant to article 46 relating to the transfer (see below).
After doing so, the data controller must provide a copy of the personal data being processed without this damaging the rights and freedoms of others. In the event of further copies being requested by the interested party, the data controller can charge a reasonable fee based on the administrative costs. If the request is made through IT systems, and unless otherwise specified by the interested party, the information must be provided in a commonly used electronic format.
Art. 16 - Right of rectification
The interested party has the right to obtain from the data controller the correction of inaccurate personal data concerning them without undue delay. Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete personal data, also by providing an additional declaration.
Art. 17 - Right to cancellation (right to be forgotten)
The interested party has the right to obtain from the data controller the cancellation of personal data concerning them without undue delay and the latter has the obligation to cancel such data without undue delay if one of the following reasons exists:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the interested party revokes the consent on which the processing is based and there is no other legal basis for the processing;
- the interested party opposes the processing and there is no legitimate overriding reason to continue with the processing, or the interested party opposes processing for marketing purposes;
- personal data have been processed unlawfully;
- personal data must be deleted to fulfil a legal obligation under EU or Member Country law to which the data controller is subject;
If then the data controller disclosed personal data and is obliged to delete them, taking into account the available technology and implementation costs, the data controller must take reasonable measures, including technical ones, to inform other data controllers who are processing the data in question to delete any link, copy or reproduction of the interested party's personal data.
All of this does not apply to the extent that processing is necessary:
- for the exercise of the right to freedom of expression and information;
- for the fulfilment of a legal obligation that requires the processing envisaged or for the performance of a task performed in the public interest or in the exercise of public powers with which the data controller has been invested;
- for reasons of public interest in the public health sector;
- for storage purposes in the public interest, for scientific or historical research or for statistical purposes.
Art. 18 - Right of limitation of processing
The interested party has the right to obtain from the data controller to limit processing when one of the following situations exists:
- the interested party disputes the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
- the processing is illegal and the interested party opposes the cancellation of personal data and asks instead that their use be limited;
- although the data controller no longer needs it for processing purposes, personal data are necessary for the interested party to ascertain, exercise or defend a right in court;
- the interested party has opposed the processing pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party.
Once the processing is limited, personal data are processed, except for storage, only with the consent of the interested party or for the assessment, exercise or defence of a right in court or to protect the rights of another natural or legal person or for reasons of significant public interest of the EU or of a Member Country. The interested party who has obtained a limitation of processing has to be informed by the data controller before the limitation is revoked.
Art. 19 - Obligation to notify in case of rectification or cancellation of personal data or limitation of processing
The data controller is committed to communicate to each of the recipients to whom personal data have been transmitted any corrections or cancellations or limitations on the processing performed, unless this proves impossible or involves a disproportionate effort. The data controller must also inform the interested party of those recipients if requested.
Art. 20 - Right to data portability
The interested party has the right, without prejudice to the rights and freedoms of others, to receive, in a structured format, in common and readable form on an automatic device, the personal data concerning him supplied to a data controller and has the right to transmit such data to another data controller without hindrance by the data controller who previously provided them, in the event that:
- the processing is based on consent or on a contract;
- the processing is carried out by automated means.
In exercising this right, the interested party has the right to obtain direct transmission of personal data from one data controller to another, if technically feasible.
Art. 21 - Right of opposition
The interested party has the right to oppose at any time, for reasons connected with his particular situation, to the processing of personal data concerning them, including profiling The data controller must then refrain from further processing personal data unless the data controller can demonstrate the existence of binding legitimate reasons for proceeding with the processing, which prevail over the interests, rights and freedoms of the interested party or for the assessment, the exercise or the defence of a right in court.
If personal data are processed for direct marketing purposes, the interested party has the right to oppose at any time to the processing of personal data concerning them for such purposes, including profiling in so far as it is related to such direct marketing. Where personal data are processed for the purposes of scientific or historical research or for statistical purposes in accordance with article 89, paragraph 1, the interested party shall have the right to oppose to the processing of their personal data, unless the processing is necessary for the performance of a task in the public interest.
10. AUTOMATED DECISION-MAKING PROCESSES (ART. 22)
The interested party is not subjected to decisions based solely on automated processing, including profiling, which produce legal effects affecting them or which have a significant impact on them.
11. METHOD OF EXERCISING THE RIGHTS OF THE INTERESTED PARTY
To exercise the rights set out in the previous paragraph 7, the interested party can send a written communication to the Data Controller by ordinary mail or by e-mail.
The Data Controller will reply to the interested party in accordance with the provisions of art. 12 of the GDPR (Information, communications and transparent procedures for exercising the rights of the interested party). In particular, the data controller shall provide the interested party with regard to the action taken regarding a request pursuant to articles 15 to 22 without undue delay and, in any case, no later than one month after receipt of the request. This deadline can be extended by two months if necessary, taking into account the complexity and the number of requests. The data controller informs the interested party of this extension, and of the reasons for the delay, within one month of receiving the request.