Articles 13 and 14 of REGULATION (EU) no. 679/2016,
Legislative Decree no. 196/2003 amended by Legislative Decree no. 101/2018.
Dear Data Subject,
the undersigned KIOENE S.p.A., with registered office in Via Caltana, 55 – 35010 Villanova di Camposampiero (PD), Tax Code and VAT number 01359600283, as the “Data Controller” hereby informs you, in accordance with Articles 13 and 14 of Regulation (EU) no. 679/2016 (hereinafter referred to as “EU Regulation”), that your data will be processed as indicated below:
Subject of Processing
The Data Controller hereby informs you that your personal, identifying data (e.g. name, surname, company name, address, telephone number, e-mail address, bank and/or payment references, etc.) hereinafter referred to as “personal data” or simply as “data”, provided by you, also verbally, directly or via third parties, in connection with entering into a contractual relationship, may be processed in full compliance with the EU Regulation. The term “data processing” means any operation or set of operations concerning the collection, recording, organisation, storage, consultation, processing, amendment, selection, retrieval, comparison, use, inter-connection, blocking, communication, dissemination and destruction of data.
Nature of the data processed, Legal basis and Purpose of processing
Nature of the data processed. In connection with the contractual relationship or in connection with all preliminary stages prior to the completion of the contract, only “personal data” will be processed, such as:
- personal details (name, surname, etc.) address of residence and/or domicile and contact details (telephone, mobile phone, e-mail);
- data related to your professional qualification and role in the company;
- bank details and/or data for payment purposes.
Legal basis and purpose. Regulation (EU) no. 679/2016, Legislative Decree no. 196/2003 amended by Legislative Decree no. 101/2018.
The processing of your personal data, requested and/or provided, even verbally, is based on the provisions of Article 6 of Regulation (EU) no. 679/2016, upon your consent or in the legitimate interest of the Data Controller, also in order to defend his/her rights in any eventual disputes, as well as the execution of a contract to which you are a party or for the execution of pre-contractual measures (e.g. preparation of an offer, etc.) requested by you, and is necessary:
A) without your explicit consent (Article 6 of the EU Regulation) – primary purposes:
- for the execution of a contract to which the data subject is a party or for the execution of pre-contractual, contractual and fiscal measures, undertaken at the request of the data subject (Article 6, section 1, letter b);
- in order to comply with obligations prescribed by the Law, by a regulation, by EU legislation or by an order of the Supervisory Authority (e.g. regarding anti-money laundering) to which the Data Controller is subject (Article 6, section 1, letter c);
- for compliance with civil, accounting, fiscal and public safety regulations, in addition to the administrative management of the contractual relationship (invoicing, eventual document management, etc.) and for obligations, in any case, concerning the execution of the contract with appointed Professionals;
- to provide the data subject with the information he/she has requested about events, functions, courses and/or equipment;
- for sending notices of events, functions, courses, etc., for which the data subject is registered;
- to exercise the rights of the Data Controller, such as the right to be defended in court proceedings;
- to pursue the legitimate interests of the Data Controller;
- for credit management;
- for statistical analysis, market research and quality control;
- for insurance management;
- for organising and holding events and meetings, also of a promotional nature;
- for technical assistance.
B) Only with your specific and distinct consent (Article 7 of the EU Regulation) – Secondary purposes – Promotional, advertising and marketing purposes.
The personal data collected for primary purposes may also be processed (along with other additional and optional contact information, such as e-mail addresses, mobile phone numbers, geographical addresses, which may be additionally requested of the data subject on registration forms) using automated/computerised methods, for the following purposes, which are specified below pursuant to the General Provision of the Guarantor of 4 July 2013 on Guidelines against spam: commercial promotion, advertising communication and marketing in the broadest sense.
By consenting to Processing for Marketing Purposes, the data subject specifically acknowledges the promotional, commercial and marketing purposes in the broadest sense of the term (including the consequent management and administrative activities) and explicitly authorises, once consent has been given in accordance with the procedures provided for, such processing, since the Data Controller may use means for Processing for Marketing Purposes, such as a telephone with operator intervention or other non-electronic means, not telematic or not supported by automatic, electronic or telematic systems and/or procedures, including manual contact methods and printed mail. The Data Controller may also use means for Processing for Marketing Purposes such as e-mail, fax, SMS, MMS, WhatsApp messages, social media (Facebook, etc.), automatic systems without operator intervention (e.g., e-mail, telephone, fax, SMS, MMS, etc.) and similar, including electronic platforms and other telematic means.
In order to proceed with Processing for Marketing Purposes, it is mandatory to acquire specific, separate, explicit, documented, prior, informed, free and entirely optional consent.
Consequently, where the data subject decides to give specific consent, he/she must be informed in advance and be aware that the purposes of processing being pursued are of a specific commercial, advertising, promotional and marketing nature in the broadest sense. With a view to absolute transparency, we therefore inform you that the data will be collected and subsequently processed subject to specific consent:
- to send advertising and informative material (e.g. newsletters) of a promotional nature;
- to send commercial information; to carry out interactive commercial communications by printed, automated or electronic means and, in particular, by ordinary mail or e-mail, telephone (e.g. calls, WhatsApp messages, SMS, MMS), fax and any other computer channel (e.g. websites, mobile apps);
- to forward invitations to events, functions and meetings of an informative and promotional nature;
- to send updates on promotional initiatives or technical news about equipment, services, training or assistance and/or quality satisfaction surveys;
- to send commercial and/or promotional communications from third parties (e.g. associates, business partners, companies and/or physical or legal entities that collaborate with the Undersigned) by printed, automated or electronic means and, in particular, by ordinary mail or e-mail, telephone (e.g. calls, WhatsApp messages, SMS, MMS), fax and any other computer channel (e.g. websites, mobile apps).
By giving optional consent, the data subject specifically acknowledges and authorises such further possible secondary processing.
Processing methods – Existence of an automated decision making process, including profiling
The processing of your personal data is carried out by means of the operations specified in Article 4, section 2) of the EU Regulation and more precisely: the collection, recording, organisation, structuring, storage, adaptation or amendment, retrieval, consultation, use, communication by transmission, dissemination or any other form of making them available, comparison or inter-connection, restriction, deletion, destruction or blocking. Data processing will be based on the principles of fairness, lawfulness and transparency and may be carried out by manual, computerised and telematic means, on printed and/or digital media. Processing will be carried out in such a way as to guarantee the security and confidentiality of the data.
In the event of your explicit consent, your personal data (collected for the purposes specified in the previous points) will be processed for profiling purposes, in particular for creating your profile and/or for analysing your preferences, also by cross-referencing such personal data with other information collected via the profiling cookies you have accepted. Data thus processed may be used to send you specific commercial information and customised promotional initiatives.
The processing of your personal data for profiling purposes will take place using the means and in the manner specified above.
Data retention periods and other information
Processing will be carried out by automated and/or manual methods, in compliance with the provisions of Article 32 of the EU Regulation on security measures, by specifically appointed persons and in compliance with the provisions of Article 29 of the EU Regulation, as well as in accordance with the provisions of Article 130 of Legislative Decree no. 196/2003 amended by Legislative Decree no. 101/2018.
We hereby inform you that, in accordance with the principles of lawfulness, limitation of purposes and minimisation of data, pursuant to Article 5 of the EU Regulation, subject to your free and explicit consent, your personal data will be kept for the period of time required to achieve the purposes for which they were collected and processed or until the specific consent of the data subject is withdrawn and, therefore:
- with reference to the primary purposes, the data will be kept for no longer than is strictly necessary for the fulfilment of legal and contractual obligations;
- with reference to the secondary purposes, the data processed for Marketing and Profiling purposes will be retained by us from the time the data subject has given his/her consent until that consent is withdrawn. If consent is withdrawn, the Data may no longer be processed for the aforementioned Marketing and Profiling purposes, but may still be retained for the purpose of handling any disputes and/or litigation. The Data retention period for Marketing and Profiling purposes provided by the Undersigned complies with local regulations, as well as with the provisions of the Italian Data Protection Authority.
The specifications of the retention periods for each category of data can be consulted at the company at the data subject’s request. The personal data provided are collected and subsequently processed for the needs connected with fulfilling the purposes for which they are provided and for meeting the legal and contractual obligations arising from them. Processing is carried out exclusively by the Data Controller or by the persons in charge of processing pursuant to Articles 28 and 29 of the EU Regulation, who operate using computer and telematic means with logic strictly related to the expressed purposes, and, however, in such a way as to ensure the security and confidentiality of the data. In accordance with the provisions of Article 5 of the EU Regulation, the data for processing are:
- processed lawfully, fairly and transparently with regard to the data subject (“lawfulness, fairness and transparency”);
- collected for specific, explicit and legitimate purposes and further processed in a way that is not incompatible with such purposes. Further processing of personal data for the purposes of archiving in the public interest, for scientific or historical research or statistical purposes is not, in accordance with Article 89, section 1, considered incompatible with the original purposes (“limitation of purpose”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“minimisation of data”);
- accurate and, where necessary, updated. Every reasonable step must be taken to ensure that any inaccurate data, as regards the purposes for which they are processed, are deleted or amended without delay (“accuracy”);
- stored in a format that permits the identification of data subjects for no longer than is necessary for the purposes for which the data are processed. Personal data may be retained for longer periods provided that such data are processed solely for archiving in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89, section 1, without prejudice to the implementation of appropriate technical and organisational measures required by the EU Regulation to safeguard the rights and freedoms of the data subject (“limitation of retention”);
- processed in such a way as to ensure appropriate security of personal data, including protection, by adequate technical and organisational measures, against unauthorised or unlawful processing and accidental loss, destruction or damage (“integrity and confidentiality”).
Your personal data will be processed “lawfully, fairly and transparently”, protecting your privacy and your rights.
Please note that in the absence of significant contacts for a period of ten years, or in the event of exercising the rights of the data subject provided for by the EU Regulation (e.g. the right to deletion/removal, limitation), personal data will be transferred to a special encrypted digital and/or printed format archive (protected archive). They will therefore be accessible only to the Data Controller or destroyed without leaving any copies, unless otherwise provided for by applicable law. A regular annual check will be carried out on the data processed and on the option of deleting them if they are no longer required for the envisaged purposes.
Access to data (categories of recipients to whom the data may be communicated)
We also inform you that the data collected will never be disseminated and will not be disclosed without your explicit consent, except for necessary communications that may involve the transfer of data to public bodies, consultants or other entities in order to fulfil fiscal and legal obligations or fulfil primary and secondary purposes (where authorised), subject to our letter of instruction imposing on them the obligation of confidentiality and security of personal data processing.
With reference to Article 13, section 1, letter (e) of the EU Regulation on personal data protection, we hereby indicate the data subjects or categories of subjects (duly identified and instructed) who may become aware of the user’s personal data in their capacity as data processors or persons in charge of processing, and we provide a list according to the categories below:
- Partners, employees and collaborators of the Data Controller in Italy and abroad, in their capacity as appointees and/or in-company data processors (e.g. commercial, technical, administrative, legal, press offices) and/or system administrators;
Your personal data may also be communicated to external subjects who are recipients of documents concerning you, in order to carry out the activities described above, and to external subjects who interact with the Undersigned, always and exclusively for activities related to the aforementioned purposes. These categories are:
A. Consultants (e.g. accountants and/or tax consultants and/or labour consultants) for aspects that may concern you and in accordance with the Law;
B. Companies operating in the IT sector (Data Centres, Cloud Providers, companies that provide IT services, including back-up and/or maintenance of equipment and software, including applications, etc.), including those based abroad, but, in any case, those always established and/or using equipment located in the European Union, for the purposes of data security and confidentiality;
C. Professionals and/or Companies operating in the field of occupational safety;
D. Consultants and Law firms for any eventual disputes;
E. Public administration bodies for carrying out institutional duties, within the limits established by the Law and regulations;
F. Social security and welfare institutions, and certifying bodies;
G. Insurance companies, as well as liquidators, consultants and experts appointed by them;
H. Company consultants;
I. Partner companies, and/or providers of services essential to the purposes specified in point 2 above;
L. Public authorities and administration bodies for purposes related to fulfilling legal obligations or to persons entitled to access them in accordance with legal provisions, regulations and EU legislation;
M. Banks, financial institutions or other entities to which the transfer of the aforementioned data is required for carrying out our operations in order to fulfil our contractual obligations towards you.
For the sake of brevity, a detailed list of such parties is available for you to view at our registered office.
Disclosure and transfer of data
Without the need for explicit consent (Article 6, letters b) and c) of the EU Regulation), the Data Controller may disclose your personal data for the purposes mentioned in the previous point 2.A) to supervisory bodies, judicial authorities, as well as to any parties to whom disclosure is required by Law to fulfil the aforementioned purposes. Such parties will process the data in their capacity as independent data controllers. During and after browsing, your data may be disclosed to third parties, in particular to:
Your data will not be disseminated.
Personal data are stored on devices located at the Data Controller’s registered office or at providers within the European Union. Data provided by you may be transferred to countries outside the EU, as we use external Data Processors who, in carrying out their services (such as the provision of e-mail boxes, other types of cloud services, or other kinds of services), may undertake such a transfer, also via their sub-processors.
Data may also be transferred to parties who provide the following services on behalf of the Undersigned or independently:
- the management and/or maintenance of websites and electronic and/or telematic tools used by the Company;
- the processing of statistical research and market research;
- the organisation and holding of events and meetings, also of a promotional nature;
- legal, tax, social security, accounting, organisational and commercial assistance;
- auditing operations.
In order to ensure the security of such transfers, we only use parties that offer the necessary guarantees to put in place appropriate technical and organisational measures so that the processing carried out complies with the provisions of Regulation (EU) no. 679/2016 (e.g., by assessing the presence of adequacy decisions or regulating the contractual relationship by using standard contractual clauses).
In any case, it remains clearly understood that, if necessary, the Data Controller reserves the right to transfer data, also to countries outside the EU. In this case, the Data Controller hereby guarantees that the transfer of data outside the EU will take place in compliance with the applicable provisions of Law, subject to the stipulation of standard contractual clauses (standard contractual clauses are available at the following link: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm) and to standard verifications foreseen by the European Commission (more specifically, the conditions set out in CHAPTER V of the EU Regulation will be respected).
Transfer to countries outside the EU will, in any case, be carried out in such a way as to provide appropriate and adequate guarantees pursuant to Articles 46 or 47 or 49 of Regulation (EU) no. 679/2016.
For data kept on the Data Controller’s own devices, and any data kept by providers, the Data Controller has put adequate technical and organisational measures in place to guarantee an appropriate level of security, in full compliance with the provisions of the EU Regulation.
Browsing: your browsing data may also be transferred, solely for the above-mentioned purposes, to the following countries:
Cookie Management: if you have any doubts or concerns about using cookies, you can always take action to prevent them from being set up and read, for example, by changing your privacy settings in your browser to block certain types of cookies.
If you prefer to act independently through your web browser’s preferences, you can find detailed information on the required procedure in your browser guide, as web browsers differ significantly from one another, and differences are often found even among different versions of the same browser.
Nature of data provision and the consequences of a refusal to reply
In such a case, failure to provide data will make it impossible to establish or continue the contractual relationship, to the extent that such data are necessary for us to properly perform the tasks related to the management of the contract.
The provision of data for the purposes mentioned in the previous “Point 2.B) – Secondary purposes” is, instead, optional. You may therefore decide not to provide any data or, subsequently, refuse, at any time, to allow the processing of data already provided.
Providing the Data Controller with personal data and granting consent to Processing for Marketing Purposes and consent to disclosure to third parties for Processing for Marketing Purposes for the purposes and in the manner set out above are entirely voluntary and optional (and, in any case, revocable without formality even after the service has been provided by sending an e-mail to the Undersigned (see point 10)). Failure to provide such data will not result in any consequences other than not allowing the Data Controller or any third party to proceed with the aforementioned marketing processing or informing you directly about new products and technical services.
If you refuse to give your consent for marketing purposes, there will be no interference and/or consequence to your being able to access the Promotional Initiatives organised from time to time, but they will not be communicated directly.
Some information fields on the website may be marked with an (*) asterisk. Filling in these fields is mandatory when entering your personal data. If you fail to provide this information, you will not be able to use the service for which the information is requested.
Following receipt of a request to withdraw the consent given (opt-out), the Data Controller will promptly remove and delete the data from the databases used for Processing for Marketing Purposes and inform any third parties, to whom the data have been communicated, of the same purposes of deletion. The receipt of the request for cancellation will automatically be considered as confirmation that the data have been cancelled.
Rights of the data subject
In your capacity as a data subject, you have rights pursuant to Articles 15-22 of the EU Regulation, as listed below and more specifically the data subject has the right to:
- obtain confirmation of the existence and processing of his/her personal data, as well as a written (electronic) copy of such data in a clear and comprehensible form (the so-called “right of access”);
- obtain information about the purpose of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed and, where possible, the retention period;
- obtain the right to amend his/her data (the so-called “right to amendment”);
- obtain the deletion of his/her data (the so-called “right to be forgotten”);
- obtain restrictions on the processing of data (the so-called “right to restriction of processing”);
- obtain all available information on their origin if data are not collected from the data subject;
- obtain the portability of data, i.e. receive them from a data controller in a structured, commonly used and machine-readable format and transmit them to another data controller without hindrance (the so-called “right to data portability”);
- object to the processing of personal data at any time, also in the case of processing for direct marketing purposes (the so-called “right to object”). We specifically and separately inform the data subject, as required by Article 21 of the EU Regulation, that if personal data are processed for direct marketing purposes, the data subject has the right to object, at any time, to the processing of his/her personal data for such purposes. If the data subject objects to such processing for direct marketing purposes, his/her personal data may no longer be processed for such purposes;
- object to an automated decision-making process concerning natural persons, including profiling;
- withdraw consent at any time without prejudice to the lawfulness of processing based on the consent given before withdrawal;
- lodge a complaint with a supervisory authority (Italian Data Protection Authority).
There may be conditions or limitations on the data subject’s rights. It is therefore not certain that the data subject has the right to data portability in all cases. This depends on the specific circumstances of the processing operations.
Procedure for exercising rights
You may exercise your rights at any time by sending, without any formality, clear communication to that effect:
- a recorded delivery letter to the Undersigned (see the address in the letterhead);
- an e-mail to the address: email@example.com
Anything provided by the Data Controller that forms the basis of our contractual relationship with you does not include the intentional collection of personal information referring to minors. In the event that information about minors is inadvertently recorded, the Data Controller will delete it in a timely manner at the request of the data subject.
Personal data not obtained from the data subject
It may occur that the Undersigned is not the Data Controller to whom you have given your personal data but is the co-controller of the data or in charge of externally processing data, and has therefore subsequently received your data due to a contract between the parties. In this case, please note that the Undersigned will make every effort to ensure that you are informed and have given consent to processing. At any time, you may ask the Undersigned to provide the source of your data.
Data Controller and Data Processors
Below we provide information that needs to be brought to your attention, not only to comply with legal obligations, but also because transparency and fairness towards our customers is an essential part of our business.
Data Controller. The Data Controller for your personal data is KIOENE S.p.A., which is responsible for the lawful and correct use of your personal data. You may contact KIOENE for any information or request by telephone on +39 049 922 2311, or by e-mail to: firstname.lastname@example.org
D.P.O. (Data Protection Officer) You may also contact the Data Protection Officer to obtain information and forward requests concerning your data or report any inefficiencies or problems that you may encounter.
The Data Controller has appointed Mr Nicola Ghinello as the Data Protection Officer, who can be contacted as follows: Tel. +39 348 3165267, e-mail: email@example.com
Data Processors. An updated list of data processors is kept at the registered office of the Data Controller.
To contact us
KIOENE S.p.A. welcomes any comments regarding this privacy notice.
We suggest you contact us at the following address: firstname.lastname@example.org.