DATA PROTECTION POLICY
pursuant to and for the purposes of art. 13 of the EU Regulation 2016/679 (hereafter 'GDPR') concerning the protection of natural persons with regard to the processing of personal data.
Sodalis S.r.l., established in Milano, Via Solferino, n. 7, ZIP CODE 20121, P.IVA 04927660961, (hereafter “The Holder”), as the data controller, informs you that the personal data acquired, with reference to the established relationships, shall be processed in compliance with the aforementioned law.
In relation to the aforementioned treatments, the following information is also provided:
Brandcare EST 2014 SA, established in Alameda Fernão Lopes n. 16A 10º Andar 1495-190, Miraflores - e-mail: firstname.lastname@example.org - Tel. 00351 210 310 170.
DATA PROTECTION OFFICER
Mr. Stefano Modena, as Data Protection Officer on behalf of the company Brandcare EST 2014 SA - e-mail: email@example.com - Tel. 0371-758.1.
1. Object of the processing.
The Owner processes personal identification data (in particular, name, surname, tax code, VAT number, email address, telephone number - hereafter, 'personal data' or even 'data') that you have provided during the signing of this information.
2. Purpose of the processing
Your personal data are processed:
A. without your express consent pursuant to art. 6 letters b), e) GDPR 2016/679, for the following purposes:
- to fulfil the obligations established by law, by community legislation, by a regulation or by an order of the Authority;
- execution of the contract you have signed.
B. only with specific consent ex art. 7 GDPR 2016/679, for the following purposes:
- management, verification and deepening of reports, complaints and disputes;
- to give feedback to any request for information or to any complaints concerning the quality of the products (defects and faults);
- to implement any inherent, connected and/or instrumental activity aimed at implementing supervisory and / or information and / or quality profiles.
3. Nature of the data
The provision of your personal data referred to in point 2 lett. A is mandatory; therefore, any refusal could result in a failure and / or in a partial execution of the contract and / or continuation of the relationship. The provision of your personal data referred to in point 2 lett. B is optional; therefore, failure to provide them may affect the correct examination and verification of your requests. Furthermore, you may at any time exercise the rights referred to in point 9 lett. a), b), c), d), e), f), g), h), i).
4. Modalities of the processing
The processing of your personal data is carried out by the operations indicated in art. 4, n. 2 GDPR 2016/679 and more precisely: collection and registration, organization, conservation, consultation, cancellation and destruction of data. The processing of your data will be based on the principles of correctness, lawfulness and transparency. It can also be carried out through automated procedures designed to store, manage and transmit the data, and will take place through appropriate tools, as far as reasonable and according to the state of the art, to ensure safety and confidentiality through the use of appropriate procedures that avoid the risk of loss, unauthorized access, illicit use and dissemination. Your personal data are subjected to both paper and electronic processing.
5. Data retention period
The Data Controller will process personal data for the time necessary to fulfil the aforementioned purposes and in any case for no longer than the maximum period of 10 (ten) years. After this deadline, the data will be destroyed or made anonymous.
6. Data access
The personal data processed by the Data Controller will not be disseminated, or disclosed to indeterminate subjects, in any possible form, including that of their availability or simple consultation. Instead, they may be communicated to workers working for the Data Controller and to some individuals who work with them. Finally, they may be communicated to the persons entitled to access them by virtue of legal requirements, regulations and community regulations.
In particular, based on the roles and tasks performed, some workers have been entitled to process personal data, within the limits of their competences and in accordance with the instructions given to them by the Owner. The access to the data and / or the portability request will be fulfilled within the maximum term of 30 days, except for impediments and / or complexity in the execution. For the release of further copies of the personal data being processed, a fee will be charged based on the administrative costs incurred.
7. Recipients of the data
Even without your express consent, pursuant to art. 6 lett. b) - c) and art. 13 lett. e) GDPR 679/2016, the Data Controller may communicate your data for the purposes indicated to Supervisory Bodies, Judicial Authorities, as well as to all other subjects to whom communication is mandatory by law. Your data may also be transmitted, by way of example, to:
- Agents or external figures who collaborate with the company;
- Subsidiary and associated companies;
- Service providers (IT system providers, cloud service providers, database vendors and consultants).
8. Data transfer
The management and storage of personal data will be carried out on servers located within the European Union belonging to the Owner and / or to third-party companies commissioned and duly appointed as Data Processors. Currently the servers are located in Italy. The data will not be transferred outside the European Union. In any case, it is understood that the Data Controller, where necessary, will have the right to move the server location to Italy and / or the European Union and / or non-EU countries. In this case, the Data Controller hereby ensures that the transfer of data outside the EU will take place in accordance with the applicable legal provisions.
9. Rights of the interested party
As an interested party, you hold the rights referred to in art. 15 and ss. of the GDPR 2016/679 and precisely the right:
- a) to request from the data controller access to personal data (article 15), i.e. confirmation of whether or not your personal data is being processed and, in this case, access to the data;
- b) to demand from the data controller a correction (article 16), that is, to obtain the correction and / or integration of the incorrect personal data concerning you;
- c) to ask the data controller to delete them (art. 17) or to obtain the cancellation of data concerning you without undue delay;
- d) to ask the data controller to limit the processing that concerns you (Article 18), i.e. to obtain a confirmation that the processing of your personal data is limited to what is necessary for the storage purpose;
- e) to have the data portability (article 20), that is, to obtain, in a structured, common and legible format, your personal data;
- f) to object to their processing (article 21) or, at any time, to oppose, for any reason connected with your particular situation, the processing of your data;
- g) rights concerning the automated decision-making processes (article 22), i.e. the right not to be subjected to a decision based solely on automated data processing without your explicit consent;
- h) to cancel (Article 17), i.e. the right to obtain, in the cases provided for by the Regulations, the cancellation of your personal data; furthermore, at any time, you may revoke the consent on which the treatment carried out is based, on the achievement of the consent to the processing;
- i) to lodge a complaint with the Supervisory Authority (Article 77), i.e. the right to appeal to the Authority in the event that you consider that the treatment concerning you is infringing the Regulation.
10. Data breach and notification to the Privacy Guarantor and / or communication of the violation to the interested party
In case of violation of personal data - to be understood as a breach of security that involves accidentally or in an unlawful manner the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed - in which the risk for the rights and freedoms of persons is to be considered probable and / or high, the Data Controller will notify the Privacy Guarantor without delay and in any case no later than 72 hours, giving a description of the nature of the data breach, including the number of data subjects and the categories of data concerned. The name and address of the DPO will also be indicated.
Procedure for the exercise of any right
You may exercise, at any time, the above rights by sending:
- a registered letter to: Sodalis S.r.l., Viale Europa, n. 12, ZIP CODE 26855 – Lodi Vecchio (LO).
- e-mail: firstname.lastname@example.org