Customer Privacy Policy

1. SUBJECT OF PRIVICY NOTICE

This information is provided pursuant to and for the purposes of Article 13 of the GDPR. Its purpose is to inform our clients about the processing of personal data collected during the course of commercial relationships established with our clients.

2. PRINCIPLES APPLICABLE TO PROCESSING ACTIVITIES

The processing of personal data is carried out in accordance with the principles set out in Article 5 of Regulation (EU) 2016/679, which are briefly summarized below:

• Lawfulness, fairness, and transparency of processing must be lawful, fair, and transparent to the data subject;
• limitation of the purpose of processing, including the obligation to ensure that any subsequent processing is not incompatible with the purposes for which the data was collected;
• data minimization personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
• accuracy and updating of data, including that data must be accurate and, where necessary, kept up to date, including timely correction or deletion of inaccurate data in relation to the processing purposes;
• storage limitation, personal data must be kept no longer than necessary for the purposes for which they are processed;
• integrity and confidentiality, appropriate security measures must be in place to ensure the protection of personal data.Fine modulo

3. DATA CONTROLLER

The Data Controller is:

Tesori del Matese S.r.l., con sede legale in Via Canonica, 99 – 86027 San Massimo (CB).

4. PURPOSE AND LEGAL BASIS OF THE PROCESSING.

Personal data are processed:

a. without the need of consent [Art. 6 letter B) GDPR], for the following purposes:

• to fulfil pre-contractual obligations;
• for contractual and tax services deriving from existing relationships;
• to comply with legal obligations, regulations, EU legislation, or orders issued by public authorities;
• to exercise the rights of the Data Controller, such as the right of defence in legal proceedings;

b. only with specific and explicit consent (art. 7 GDPR), for marketing purposes, including the sending of emails, mail and/or SMS and/or phone contacts, newsletters, commercial communications and/or advertising material relating to products or services offered by our company.

5. DATA RECIPIENTS

The personal data may be processed by:

• company employees and collaborators, acting in their capacity as persons authorized to process data (so-called “data processing appointees”), as well as by consultants appointed by the Data Controller who need to process Personal Data in order to perform their duties;
• external entities, operating as independent data controllers such as, by way of example, supervisory and control authorities and bodies and in general public or private entities entitled to request data;
• – external entities, appointed as data processors pursuant to art. 28 of the GDPR, to which adequate operating instructions are given: tax consultants, business consultants, companies supplying applications and web applications, software and applications for accounting and administration.

The complete list of Data Processors is available at the company headquarters listed in p.to 3.

6. PERIOD OF DATA RETENTION

Tesori del Matese will process personal data for the time necessary to fulfil the purposes described above and to comply with legal and/or tax obligations, and in any case:

• no longer than 10 years from the termination of the relationship for administrative purposes, as required by tax regulations;
• no longer than 2 years from the collection of data for marketing purposes.

7. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR TO AN INTERNATIONAL ORGANIZATION

Personal data are stored, both in paper and electronic form, in the premises specifically used for the processing whitin our organization, and by the aforementioned external entities. All such locations are currently within the EU area, which is subject to the protections established by the GDPR.

8. PROFILING ACTIVITIES

The personal data collected are not subject to automated decision-making processes, including “profiling.”

9. 1. RIGHTS OF DATA SUBJECTS AND HOW TO EXERCISE THEM

Data subjects, in addition to the right to lodge a complaint with a supervisory authority, may exercise the following rights:

Art. 15 Right of access – The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her is being processed and, if so, to obtain access to the personal data and information regarding the processing.

Art. 16 Right to rectification – The data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the completion of incomplete personal data, including by providing a supplementary statement.

Art. 17 Right to Erasure (Right to Be Forgotten) – The data subject has the right to obtain from the Data Controller the deletion of personal data concerning them without undue delay, and the Data Controller is obliged to erase personal data without undue delay.

Art. 18 Right to Restriction of Processing – The data subject has the right to obtain from the Data Controller the restriction of processing when one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for the period necessary for the Data Controller to verify the accuracy of such data;

b) the processing is unlawful and the data subject opposes the deletion of the personal data and requests restriction of its use instead;

c) although the Data Controller no longer needs the data for the purposes of processing, the personal data are necessary to the data subject for the establishment, exercise, or defense of a legal claim;

d) the data subject has objected to processing pursuant to Article 21(1) of the Regulation, pending verification of whether the legitimate grounds of the Data Controller prevail over those of the data subject.

Art. 20 Right to Data Portability – The data subject has the right to receive the personal data concerning them, which they have provided to a Data Controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another Data Controller without hindrance from the Data Controller to whom the personal data were provided.

When exercising their right to data portability, the data subject also has the right to have the personal data transmitted directly from one Data Controller to another, if technically feasible.

Art. 21 Right to Object – The data subject has the right to object at any time, for reasons related to their particular situation, to the processing of personal data concerning them, including profiling based on these provisions.

Art. 22 Right Not to Be Subject to Automated Decision-Making, Including Profiling – The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

Rights may be exercised by submitting a request directly to the Data Controller, contactable at the addresses indicated in Section 3. The data subject may also lodge a complaint with the ITALIAN DATA PROTECTION AUTHORITY (Garante per la Protezione dei Dati Personali, www.garanteprivacy.it) or the EUROPEAN DATA PROTECTION SUPERVISOR (www.edps.europa.eu).

10. LEGAL/CONTRACTUAL OBLIGATIONS OR REQUIREMENTS NECESSARY FOR THE CONCLUSION OF A CONTRACT

The provision of data for the purposes referred to in Section 4_a is mandatory. In the absence of such data, the processing activities described cannot be carried out, thereby making it impossible to perform the services envisaged under the commercial relationship or to comply with the legal obligations. For marketing purposes as specified in Section 4_b, the provision of data is optional and is subject to specific consents, which may be withdrawn at any time.