EXTENDED INFORMATION PURSUANT TO ARTICLES 12, 13 AND WHERE NECESSARY 14 OF GDPR - REGULATION (EU) 2016/679 REGARDING THE PROTECTION OF PHYSICAL PERSONS, WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER GDPR)
The data controller provides, below, the information pursuant to articles 12, 13 and, where necessary, 14 of the GDPR regarding the processing of personal data supplied by the customer/interested party by completing and signing the contract to purchase products/services offered for sale by the data controller, spontaneously uploading personal data to this website (in particular by filling out forms) or by simply browsing it.
1. Data controller and contact data
The Data Controller is MAC3 SNC, with registered office in San Giusto Canavese (TO), Via STRADA SAN GIORGIO CIGLIANO 5, P.I. 04419010014, tel. +39 3401728446, e-mail email@example.com, web http://www.mac3snc.com
2. Principles applicable to the processing
In accordance with the provisions of the GDPR, the data controller constantly endeavours to ensure that personal data is:
- handled lawfully, correctly and transparently;
- collected for specified, explicit and legitimate purposes, and subsequently processed in ways that are not incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, if necessary, updated;
- kept for a period of time not exceeding the purposes for which it has been processed;
- processed, by means of appropriate technical and organisational measures, so as to ensure its security;
- processed, if based on consent, by a decision freely made by the customer/interested party, on the basis of a request presented in a manner that is clearly distinguishable from the rest, in an understandable and easily accessible form, using clear and simple language.
The data controller shall take appropriate technical and organisational measures in order to ensure the protection of personal data from the design stage and to ensure that, by default, only the data necessary for each specific processing purpose is processed.
The data controller collects and holds in the utmost consideration indications, observations and opinions of the Customer/interested party transmitted to the above addresses, in order to implement a dynamic privacy management system that ensures effective protection of people, with regard to the processing of their data.
This policy is subject to change, in line with the evolution of regulations and technical and organisational measures successively adopted by the data controller; it is therefore recommended the customer/interested party periodically visit this section of the site, to view the updates and information in the text from time to time.
3. Methods of processing of personal data
The processing of personal data is done manually and electronically, with logic strictly related to the purposes set forth below and in any case, to ensure the security and confidentiality of the data.
4. Purposes of processing personal data
(4a) Purpose for which data processing is necessary
The personal data provided by the Customer/interested party is mainly processed for the execution of the Contract and credit management and, more generally, of the relationship arising from the Contract itself.
The provision of data in the contract or later, during the contractual relationship, for the purposes of processing is required; therefore, any failure, partial or incorrect provision of such data makes it impossible to enter into and/or perform the contract and for the Customer/interested party to take advantage of the products/services offered by the data controller, potentially exposing the Customer/interested party to liability for breach of contract.
The personal data provided by the Customer/interested party may also be processed if this is necessary to fulfil a legal obligation to which the data controller is subject, to safeguard the vital interests of the Customer/interested party or another physical person, for the performance of a task carried out in the public interest or in connection with the exercise of official authority vested in the controller, or for the pursuit of the legitimate interests of the data controller or by third parties, provided that they do not outweigh the interests or fundamental rights and freedoms of the Customer/interested party; even in these cases, the provision of data is compulsory and therefore, any failure, partial or inexact data communication may expose the customer/interested party to any liability and penalties provided for by the legal system.
(4b) Additional purposes of processing as a result of specific and express consent of the customer / interested party
In addition to the processing purposes mentioned above, the personal data provided/acquired may be processed, subject to the consent of the Customer/interested party, to be expressed by selecting the "Grant consent" box on the Contract or on the Site (or using other social or web applications of the data controller), even for conducting market research and for commercial and promotional communications, via phone (even using the mobile phone number provided) and automated systems of contact (email, SMS, MMS, fax, etc.), regarding the products/services of the Data Controller or Company Group to which the Data Controller possibly belongs.
The consent for the processing purposes referred to in this point (4b) is optional; therefore, as a result of any refusal, the data will be processed only for the purposes indicated in the previous point (4a), except as specified below with reference to the legitimate interests of the data controller or third parties.
5. Categories of personal data processed
The data controller mainly deals with identification/contact data (name, surname, addresses, type and number of identification documents, telephone numbers, e-mail addresses, of a fiscal / billing nature, except for others) and, where provided commercial transactions, financial data (of a banking nature, in particular identifying current accounts, credit card numbers, except for others connected to the aforementioned commercial transactions).
The processing that the Data Controller performs, both for the execution of the Contract and for the express consent of the Client/interested party, does not generally regard particular categories of personal data known as sensitive (revealing racial or ethnic origin, political opinions, religious beliefs, state of health or sexual orientation, etc.), genetic and biometric data or so-called judicial data (relating to criminal convictions and crimes).
However, it cannot be excluded that the Data Controller, in order to perform the obligations deriving from the Contract, must retain and/or need to process the sensitive, genetic and biometric or judicial data of the Customer/interested party or third parties, of which the Customer/interested party has the right, as owner of the data processing; in the case in question, the processing by the Data Controller is carried out under the conditions and within the limits set out by the appointment of the same Data Controller or the representative of the Data Controller, by the Customer/interested party.
The Data Controller processes, as the Data Controller with respect to the site and, potentially, as a Data Controller to this representative (as mentioned above) by the Customer/interested party, also the so-called navigation data. The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified subjects, but, by its very nature, may allow the identification of the person concerned. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and web site addresses from which you are logged in or out, information about the pages visited by users within the site, time of access, stay on the single page analysis of internal path and other parameters relating to the user's operating system and computer environment. It is, therefore, information that, by its very nature, allows users to be identified through processing and associations with data held by third parties.
6. Source of personal data
The personal information that the Data Controller handles is collected directly by the Data Controller themselves from the Customer/interested party at the time of, and during, navigation of this website (or using other social or web applications run by the Data Controller), or even during their business, at the time of or subsequent to the signing of the contract, the execution of the same, or from public sources.
As specified above, the Data Controller, as the person in charge of this processing, in order to execute the obligations deriving from the Contract can store and/or process data, in particular navigation, potentially sensitive, genetic and biometric, judicial or third party data of the Customer/interested party which has been obtained by the Data Controller, with the prior consent of said third parties, at the time and during the navigation of the same third parties on the site (or other social or web applications related to the Data Controller).
7. Legitimate interests
The legitimate interests of the Data Controller or third parties may constitute a valid legal basis for processing, provided that they do not outweigh the interests or fundamental rights and freedoms of the Data Subject. In general, such legitimate interests may exist when there is a relevant and appropriate relationship between the Data Controller and the Data Subject in question, for example, when the Data Subject is a customer of the Data Controller. In particular, the legitimate interests of the Data Controller for the processing of the personal data of the Customer/interested party is established for the purposes of fraud prevention, direct marketing, to ensure the free movement of such data within the business group to which the Data Controller possibly belongs, or relating to traffic, in order to ensure the security of networks and information, namely the ability of a network or system to withstand unforeseen events or illegal acts that could compromise the availability, authenticity, integrity and confidentiality of data.
8. Circulation of personal data
(8a) Communication of personal data - categories of recipients
In addition to the employees and collaborators in various capacities of the Data Controller (who are authorised by the Data Controller to process the data under adequate written operating instructions, in order to ensure the privacy and security of data), some processing operations may also be carried out by third parties, to which the Data Controller entrusts certain activities, or parts thereof, functional to the purposes specified in point (4a), both in terms of contractual and legal obligations, among which deserve mention, in any case, inevitably, not limited to commercial and/or technical partners; companies providing banking and financial services; companies providing document storage services; debt collection companies; accounting auditing and certification companies; rating agencies; subjects that perform professional assistance and advice for the Data Controller; companies that carry out customer care operations; factoring companies, credit securitisation or otherwise transfer of debts; Group companies to which the Data Controller may belong; entities providing commercial information; IT services companies. The subjects belonging to the aforementioned categories process personal data as autonomous data controllers, or as data controllers, with reference to specific processing operations that are part of the contractual services that the same subjects perform for/in the interest of the Data Controller; to the controllers, the Data Controller provides adequate written operating instructions, with particular reference to the adoption of the minimum security measures, in order to guarantee the confidentiality and security of the data.
Some processing operations may be carried out by third parties, to whom the Data Controller entrusts certain activities, or part of them, also functionally to the purposes referred to in point (4b), among which deserve mention, in any case, inevitably, non-exhaustive commercial and/or technical partners; companies that provide institutional marketing services; advertising agencies; persons who provide assistance and advice with reference to competitions and prizes. The subjects belonging to the aforementioned categories process personal data as autonomous data controllers, or as data controllers, with reference to specific processing operations that are part of the contractual services that the same subjects perform for/in the interest of the Data Controller; to the controllers, the Data Controller provides adequate written operating instructions, with particular reference to the adoption of the minimum security measures, in order to guarantee the confidentiality and security of the data.
The list, subject to periodic updating, of the data processors with whom the Data Controller has relations is available upon written request to be sent to the headquarters of the Data Controller.
Personal data may also be communicated, upon request, to the competent authorities, in fulfilment of obligations deriving from mandatory laws.
(8b) Transfer of personal data to third countries
The personal data of the Customer/interested party may also be transferred abroad, both within European Union countries and to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, or within the framework and with the guarantees provided by the GDPR (therefore, in particular, in the presence of standard contractual clauses of data protection approved by the European Commission), or, outside of the aforementioned hypotheses, using one or more of the exceptions provided for by the GDPR (in particular by virtue of the explicit consent of the Customer/interested party, or for the execution of the Contract concluded by the Customer/interested party, or for the execution of a contract between the Data Controller and another natural or legal person on behalf of the Customer/interested party, in particular for the execution of activities requested by the Data Controller for the execution of the Contract concluded with the Customer/interested party). In the event of transfers of data to countries outside the European Union, the Customer/interested party is permitted, upon written request to be sent to the headquarters of the Data Controller, to ascertain the appropriate guarantees, which are the exceptions, which legitimise cross-border processing. It is understood, in the event of transfer of data to countries outside the European Union, that for every request concerning the data, even for the exercise of the rights recognised by the GDPR to the Customer/interested party, this will always be able to validly apply to the Data Controller.
9. Criteria for determining the retention period of personal data
For the purposes referred to in paragraph (4a) above, the retention period of personal data issued by the Customer/interested party, and their consequent potential treatment, coincides with the period of prescription of the rights/duties (legal, fiscal, etc.) deriving from the Contract: therefore 10 years, except for the occurrence of interruptive events of the prescription that could, in fact, prolong this period.
For the purposes referred to in paragraph (4b) above, the retention period of the data released by the Customer/interested party, and their consequent potential treatment, ends with the withdrawal of the consent previously issued by the Customer/interested party or, failing that, however, after one year from the termination of any relationship between the data controller and the Customer/interested party.
10. Rights of the Customer/interested party
The Data Controller acknowledges – and facilitates the exercise by the Customer/interested party – all rights provided by the GDPR, in particular the right to request access to your personal data and extract copies (Article 15 GDPR), rectification (Article 16 GDPR) and deletion of the same (Article 17 GDPR), the limitation of the processing that concerns them (Article 18 GDPR), to the portability of data (Article 20 GDPR, where the conditions are met) and to object to the processing that concerns it (Articles 21 and 22 GDPR, for the hypotheses mentioned therein and, in particular, to the processing for marketing purposes or that will result in an automated decision-making process, including profiling, which produces legal effects concerning them, where the conditions are met).
The Data Controller also recognises, likewise, to the Customer/interested party, if the processing is based on consent, the right to revoke such consent at any time, without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal. To do so, the Customer/interested party may unsubscribe at any time on the Website (or other social or web applications of the Data Controller), or by using the unsubscribe link at the bottom of any commercial communication received, or by contacting the Data Controller at the contact details listed above.
The Data Controller shall, in addition, inform the Customer/interested party of their right to lodge a complaint with the Data Protection Authority, as a supervisory authority operating in Italy, and to propose a judicial appeal against a decision of the Guarantor Authority, as against the Data Controller themselves and/or a representative of the Data Controller.
11. Security of systems and personal data
Taking into account the state of the art and implementation costs, as well as the nature, subject, context and purpose of the processing, as well as the risk in terms of likelihood and severity, to the rights and freedoms of individuals, the Data Controller shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in particular by ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of the processing systems and services (including through the encryption of personal data, where necessary) and the ability to promptly restore the availability of data in the event of a physical or technical accident, and by adopting internal procedures aimed at testing, verifying and regularly assessing the effectiveness of the technical and organisational measures used.
In assessing the appropriate level of security, account shall be taken of the risks presented by the processing that derive, in particular, from the destruction, loss, modification, unauthorized disclosure or access, in an accidental or illegal way, to personal data, transmitted, stored or otherwise processed.
The Data Controller shall ensure that anyone acting under his/her authority and having access to personal data does not process such data if he/she is not instructed to do so by the Data Controller.
That said, the Customer/interested person acknowledges and accepts that no security system guarantees, in terms of certainty, absolute protection; therefore, the Data Controller is not liable for acts or facts of third parties that, despite the appropriate precautions taken, should have access to the systems without proper authorization.
12. Automated decision-making processes, including profiling
The Data Controller may perform automated processing, including profiling, in relation to the purposes referred to in paragraph (4b) above, to optimize the navigability of the Site (or the usability of other social or web applications of the data controller) and to improve the purchasing experience, except as specified above with respect to the rights of opposition and withdrawal of consent by the Customer/interested party.
Profiling is intended to mean any form of automated processing of personal data aimed at evaluating certain aspects relating to an individual, in particular to analyse or predict aspects concerning, for example, the personal preferences, interests or location of that person, in order to create profiles, i.e. homogeneous groups of subjects by characteristics, interests or behaviours.
The Data Controller does not carry out any automated processing which produces legal effects concerning the Customer/interested party or that significantly affect his person, unless this is necessary for the conclusion or performance of the Contract, authorised by law or based on the explicit consent of the Customer/interested party, in any case always recognising the latter the right to obtain human intervention, to express their opinions and challenge the decision.
DISCLOSURE UNDER ITALIAN LAW NO. 196/03 ON THE PROTECTION OF PERSONAL DATA
In accordance with articles 13 and 21 of Legislative Decree no. 196/2003 containing provisions for the protection of persons and other subjects regarding the processing of personal data, we confirm that your personal details, personal and identification data will be entered and recorded in our Company's archives.
We hereby inform you that your data will be handled according to the current regulations for administrative purposes, concerning the management of relations with you and/or for the fulfilment of legal obligations, with the possibility of eventual transfer abroad (even outside the European Union) where necessary.
Release of the data is compulsory to enable the aforementioned requested services to be provided. Any refusal to provide such data will make it impossible to provide the service.
In any case, your data, once collected, may be subject to cataloguing, processing, comparison, interconnection, communication, diffusion, deletion and distribution, in compliance with the provisions of the law.
Data handling will be carried out using electronic or computerised tools and instruments or in paper form.
In any case, processing will be carried out in a lawful, legitimate and proper manner, in compliance with the rules on security and confidentiality.
As per the commercial needs of our Company, your data may eventually be communicated within Italy or abroad, to our commercial employees (e.g. our branches, agents, representatives, etc.) or used to send you commercial offers and informative materials, or carry out interactive commercial communications.
The Data Controller is: MAC 3 snc of Dorma Antonello e C. Strada San Giorgio Cigliano 5, San Giusto Canavese (TO).
Rights of Data Subjects
Art. 7 of Legislative Decree 196/03.
1. The data subject has the right to obtain confirmation of the existence or not of any personal data concerning themselves, even if not yet recorded, and their communication in intelligible form.
2. The data subject has the right to obtain information:
a) data source;
b) purpose of the processing;
c) processing logic;
d) identification details of the Owner and of the Managers;
e) of the subjects to whom the data can be communicated.
3. The data subject has the right to obtain:
a) the updating, correction or integration of the collected data;
b) the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data was collected or subsequently processed;
c) the certification that the operations in the previous points have been notified to those to whom the data was communicated or disclosed, except where such compliance is impossible or involves a manifestly disproportionate use of the methods with respect to the protected right.
4. The data subject has the right to object, in whole or in part:
a) for legitimate reasons, to the processing of personal data, pertinent for collection purposes;
b) to the processing of their personal data for the purpose of sending advertising material.