Pursuant to Articles 12 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, “Regulation” or “GDPR”), and in general in compliance with the principle of transparency set out in the Regulation itself, the following information is provided on the processing of Personal Data (i.e. any information relating to an identified or identifiable natural person: “Data Subject”) carried out in connection with the use of the website www.maddalena.it (“Site”).
Therefore, this information concerns the processing of personal data carried out both during browsing and during any interaction of the user with Maddalena S.p.A., with communications or with the use of services, including through the restricted area.
In the event that the User uses links on the Site to interact with third parties (e.g. social media), the latter will act as Data Controllers of the User’s data processed by them, and the User is therefore invited to read the relative privacy policies that they are required to provide.
SUMMARY TABLE OF KEY INFORMATION
|Purposes (point 2)||Data categories (point 3)||Legal basis (point 4)||Duration (point 5)||Communications to parties other than employees or Data Processors (point 6)|
|Site operation and security (Cookies Policy)||Browsing data||Owner’s legitimate interest in business and security||No more than 24 hours||No|
|Contractual (contact and use of services on the Site)||General data such as personal details, contact details, reference company, login credentials, etc.||Need to implement pre-contractual measures at the request of the Data subject or to perform contracts to which the Data subject is a party. Legitimate interest in legal protection.||Limitations; If the request is not followed by the signing of a contract, personal data will be deleted within 24 months||No|
|Direct marketing||General data such as name, telephone number, email address||Consent||No later than 48 months after consent or its renewal||No|
For the processing of personal data carried out via cookies, please refer to the specific statement. [link]
- DATA CONTROLLER The data controller (i.e. the subject who determines the purposes and means for personal data processing) is Maddalena S.p.A. (hereinafter also the Data Controller) with registered office in via G.B. Maddalena, 2/4 33040 Povoletto (UD) Tax code no. 80008170302 and VAT no. IT00617140306. For contacts specifically related to the protection of personal data, including the exercise of the rights set out in point 8 below, we indicate in particular the email address: firstname.lastname@example.org to which we kindly ask you to address any requests you may have.
- PURPOSE OF THE PROCESSING Personal data may be processed for the following purposes:
- the proper operation and security of the Site (purposes of Site operation);
- name, surname, contact details, company details; products purchased/used or of interest; as well as, of course, the data relating to the credentials for the restricted area, access to it and the related services used.
- COMPULSORY OR NON-COMPULSORY PROVISION AND LEGAL BASIS FOR PROCESSING As mentioned above, the transmission of Browsing Data is incident to the use of the Site and the legal basis for Personal Data processing for the purpose of the Site’s operation is the relevant legitimate interest of the Data Controller in the carrying out of its business activity, also with reference to security and protection from abuse. The provision of the requested data in relation to the services of the Site and the information provided in contact communications by the User is optional and failure to provide such data will only result in the impossibility for the User to benefit from the services or for the Controller to provide the requested answers. The legal basis for the processing of such data is, pursuant to letter b) of Art. 6 GDPR, the need to follow up on User requests of a pre-contractual or contractual nature (e.g. requests for product information or estimates; configuration of purchased products). With regard to direct marketing purposes, the provision of personal data is optional and failure to provide it will have no consequences in relation to the contractual relationship or the possibility of using the services of the Site. Such processing is only carried out with the consent of the recipient (consent is also required for legal entities in this context), which is always revocable (see point 8 “Rights of the Data Subject” below) and forms the legal basis. It is specified that the withdrawal of consent or opposition to processing by automated contact methods (automated call or communication systems and with electronic communications by email, telefax, Mms or Sms-type messages or other) extends to traditional contact methods (paper mail, operator call), but the possibility of exercising this right only in part, by opposing, for instance, only the sending of promotional communications by automated systems, remains unaffected.
- DATA PROCESSING METHODS AND RETENTION PERIODS The processing will be carried out:
- through the use of manual and automated systems;
- by personnel specifically authorised and trained to carry out the relevant tasks;
- with the use of appropriate measures to guarantee data confidentiality and prevent access to the data by unauthorised third parties.
With a special reference to marketing purposes, note in particular that Personal Data will also be processed through:
- the use of automated call or communication systems;
- electronic communications by means of email, sms (Short Message Service) type messages, WhatsApp and instant messaging in general, push or other;
- the use of the telephone with operator and paper mail.
Browsing data is deleted – unless in case of unlawful activity – no later than 24 hours after its collection. For marketing purposes, data will be processed for a period not exceeding 48 months after consent has been given or renewed. Data relating to the services of the Site will be retained for the time necessary for the provision of the service and for checking that it has been carried out; therefore, normally data will not be retained beyond 6 months after the use of the service.
Data related to a contractual relationship will be retained for the duration of the contractual relationship and at the end – limited to the data necessary at that point – for the fulfilment of all possible legal obligations and for the protection requirements, including contractual ones, connected with or arising from it; therefore, normally data will not be retained beyond 10 years after the termination of the contractual relationship.
- DATA COMMUNICATION The data collected and processed may be communicated, exclusively for the purposes specified above, to:
- all persons to whom the right of access to such data is recognised by virtue of regulatory provisions;
- collaborators, suppliers of the Data Controller, as part of their duties and/or contractual obligations relating to the performance of the contractual relationship with the Data Subjects; Suppliers of the Controller include, by way of example, banking and credit institutions, insurance companies, legal advisers; shipping managers; software suppliers and related support; in particular, our software structure for the operation of the Site and related customer relations is also managed through Interlaced Srl, Active 121 srl and 2Aerp Srl, who act as our Data Processors. You may in any case request a complete and updated list of the persons appointed as Data Processors by contacting one of the persons listed below. The data is not subject to dissemination.
- PLACE OF DATA PROCESSING Personal Data will be processed within the European Union, and there is no intention to transfer it outside this territory.
- RIGHTS OF THE DATA SUBJECT The GDPR grants the Data Subject the exercise of the following rights with regard to personal data concerning him or her (the summary description is meant to be a guide; for the full enunciation of the rights, including their restrictions, please refer to the Regulation, and in particular Articles 15-22):
- access to personal data (the data subject has the right to obtain, free of charge, information about the personal data concerning him/her held by the Controller and the processing thereof, as well as to obtain a copy of such data in accessible format);
- rectification of personal data (upon indication by the data subject, correction or integration of personal data – not the expression of estimative elements – that are incorrect or inaccurate, even if they have become so because they have not been updated);
- erasure of personal data (right to be forgotten) (e.g. the data is no longer necessary in relation to the purposes for which it was collected or processed; it has been processed unlawfully; it must be erased in order to comply with a legal obligation; the data subject has withdrawn consent and there is no other legal basis for the processing; the data subject objects, if the conditions are met, to the processing);
- restriction of processing (in certain cases – contesting data accuracy in the time required for checking; contesting the lawfulness of the processing and opposing its deletion; need to be used for the data subject’s rights of defence, while they are no longer useful for the purposes of processing; if there is an objection to the processing, while the necessary checks are carried out – the data will be retained in such a way that it can be restored if necessary, but, in the meantime, it cannot be accessed by the Data Controller except in connection with the checking of the validity of the request for restriction made by the Data Subject, or with the consent of the Data Subject or for the establishment, exercise or defence of legal claims in court or to protect the rights of another natural person or legal entity or for reasons of substantial public interest of the Union or of a Member State);
- opposition in whole or in part, on grounds relating to the particular situation of the data subject, to processing carried out on the basis of legitimate interest; to object to processing for marketing or profiling purposes, you will not even need to justify your decision;
- data portability (where the processing is based on consent or on a contract and is carried out by automated means, the Data Subject shall, at his or her request, be provided with the personal data concerning him or her in a structured, commonly used and machine-readable format and may transmit such data to another Data Controller, without hindrance from the Data Controller to whom he or she has provided the data and, if technically feasible, may have such transmission carried out directly by the latter).
Moreover, where processing is carried out on the basis of consent (see point 4 above), it will be possible to revoke consent at any time, without this affecting the lawfulness of the processing carried out prior to revocation (as indicated in point 4 above, with reference to the processing of data for marketing purposes, consent may be revoked even for only one of the traditional or automatic methods of communication). The easiest way to express revocation of consent will be via the link at the bottom of our communications or the personal panel in the restricted area of the Site.
Moreover, the data subject has the right to lodge a complaint with the Italian Data Protection Authority if he/she considers that the processing concerning him/her violates the requirements of the data protection regulations; the Italian Data Protection Authority can be contacted via the contact details indicated on the Authority’s website “www.garanteprivacy.it”. In any event, we would like to have the opportunity to address any concerns of Data Subjects in advance. Data Subjects may use the email address email@example.com or the other contact details of the Data Controller indicated above for any clarification regarding the processing of their personal data and for the exercise of their rights, including the revocation of their consent.