In compliance with the current personal data protection regulations, namely EU Regulation 2016/679 (also called “GDPR”) and, where applicable, the complementary national legislation, we wish to inform you about the processing of your personal data by the organization of each Joint Controller that will be based on the principles of correctness, lawfulness and transparency, as well as the protection of your privacy and the protection of your rights. This information notice is supplied in relation to the personal data provided by you, i.e. the person reading the notice.
a) Who are the Co-Owners of the treatment? How to contact them?
The co-owners of the treatment are:
- FontanaArte S.p.a. tax code 09632850963, who can be contacted at the address: firstname.lastname@example.org
- Driade S.r.l. , tax code 09712410969, who can be contacted at the address: email@example.com
- Italian Creation Group S.p.a. , tax code 08210880962, who can be contacted at the address: firstname.lastname@example.org
all with registered office in Alzaia Trieste, 49 20094 Corsico (MI)
- Valcucine S.p.a tax code 00407160936, contactable at the address:
email@example.com with registered office in via Luciano Savio ,11 33170 Pordenone (PN) below together the "Co-owners" and each individually the "Co-owner".
The “Co-owners” have agreed as better indicated in the rest of the text on the management of shared data for the purposes indicated below.
b) What are the purposes of data processing? What is the legal basis? How long is the data retention period? Below please find the purposes of data processing, the legal basis that legitimizes data processing and the retention period of your personal data:
|1. Customer management: to manage online registration, as well as for the management of contracts or requests for information, services, assistance, and related contractual and/or pre-contractual relationships, for the management of complaints and reports as well as for managing orders and purchases.||Execution of pre-contractual and contractual obligations||The data will be stored for the ordinary limitation period of the rights for accounting and/or tax reasons except for the further retention period according to legal provisions or, in the event of litigation, until its conclusion.|
|2. Sending of newsletters: only in case of your specific subscription request. You may unsubscribe at any time.||Execution of contractual obligations|
|3. Compliance with legal obligations: to comply with current legal obligations, which include company bookkeeping for both accounting and tax purposes, acts and obligations directed to the drafting of financial statements, as well as with provisions issued by legally empowered authorities.||Legal obligation compliance|
|4. Administrative/accounting management: to carry out administrative, financial, statistical and accounting operations connected to internal organizational needs, debt recovery and in general the protection of rights.||Legitimate interest in optimizing flows and internal organization and the protection of rights
|5. Statistical and commercial analysis: to carry out the collection and aggregate analysis activity of website usage data and purchase data to assess the performance of the company, define commercial strategies and improve the services and products offered, using aggregate statistics that do not concern the individual customer, also using business intelligence tools.||Legitimate interest to analyze the performance of the company with aggregate data|
|6. Promotion of similar Products or services: to allow each Joint Controller to promote and directly sell products or services similar to those you already purchased, using the email details you provided in the context of a previous purchase, provided that you do not exercise the right to object as detailed in the paragraph “What are your rights as a data subject?” below. You may exercise your right to object from the beginning or subsequently via the designated link at the bottom of any email with promotional content that will be sent to you.||Legitimate interest, in accordance with Article 13, paragraph 2 of Directive 2009/136/EC.||Personal data may be stored at most until you object, which may happen at any time.|
|7. Direct Marketing activities: to allow each Joint Controller to carry out on its own initiative, without your specific request, Marketing and promotional activities such as: advertising and promotional information, direct sales, market research, surveys aimed at evaluating the degree of customer satisfaction, commercial communications, newsletters and periodic publications, carried out on the initiative of the Joint Controller, through the use of all available means of communication, automated or not (such as: paper mail, telephone, your e-mail address, fax, sms, mms, chat, social networks and the like) for products and/or services provided by each Joint Controller and by Third Parties.||Consent||Personal data may be stored at most until the moment of your consent withdrawal or objection, which may happen at any time.|
|8. Profiling: to allow each Joint Data Controller to carry out automated processing aimed at analyzing certain personal aspects such as your preferences, your consumption habits, your purchases and online behavior, also in order to evaluate which offers may interest you and send you information material and customized offers selected on your interests, relating to the products and services offered by the Joint Data Controllers and third parties, through the use of all available means of communication, automated or not (such as: paper mail, telephone, e-mail, SMS, chat and notifications).||Consent||Personal data may be stored at most for 2 years, or until the moment of your consent withdrawal or objection, which may happen at any time.|
c)What is the legitimate interest that allows processing?
With regard to the legitimate interest for administrative/accounting Management purposes, it is related to the Joint Controller's need to carry out administrative and management operations, to correctly and efficiently manage operations, as well as to exercise rights recognized by law; instead, with regard to statistical and commercial Analysis, the legitimate interest is linked to the need of the Joint Controllers to organize their commercial activities, manage the supply of resources, and define commercial strategies; neither of the two interests affects the freedoms and fundamental rights of the data subject. In the case of Product Promotion or similar services, the legitimate interest is due to the desire of the Joint Controller to continue commercial relations with you and to improve your service and keep you updated on the developments of the offer.
d) Is it mandatory to provide data? What happens if you don't provide them?
The provision of your personal data for the purposes of (1) Customer Management and (2) Newsletters is a requirement for the conclusion of the contract and the provision of the requested services. The provision for the purpose of (3) Compliance with legal obligations is mandatory to comply with the legislation. Failure to provide data for these purposes makes it impossible to conclude the contract or to provide the services you requested. For the purposes of (4) Internal administrative management and (5) Commercial analysis, the provision is not mandatory but is strictly linked to the internal needs dictated by the legitimate interests of the Joint Controllers, which do not adversely affect the fundamental rights and freedoms of the data subjects, and in the event of failure to provide data, you may not be able to fully use the online services of the Joint Controllers. For the purpose of (6) Sending commercial communications similar to those of the purchased services or products, the provision is not necessary and in the lack of provision you simply will not receive such communications. For the purposes of (7) Direct Marketing and (8) Profiling, the provision is optional and not providing data for these purposes will mean that we will not be able to send you generalized and customized commercial communications.
e) Are the data transferred outside the EU?
Some of your personal data may be transferred abroad to locations outside the European Union. This transfer will in any case be carried out in compliance with the guarantees prescribed by the GDPR for this type of activity (articles 45 to 49). In particular, for example: towards companies located in Countries with recognized data protection guarantees comparable to those of the GDPR (Countries in the White List), or to companies with which specific contractual clauses for the protection of personal data or binding company rules approved by the Data Protection Authority have been signed. For further information, you may contact one of the Joint Data Controllers.
f) Who can access your data? Who do we disclose them to?
The personal data relating to the processing at issue, for the aforementioned purposes, may be communicated or disclosed:
to those within the organization of each Joint Controller who need them due to their duties or hierarchical position. These subjects are the persons authorized to process data under the direct authority of the Joint Controller;
to Public Administrations, security and inspecting authorities and, more generally, to subjects who have the right to access data according to specific legal provisions or measures issued by legally empowered authorities. to subjects whose activity is necessary for the execution of contracts to which you are a party or to fulfill requests before the conclusion of the contract (e.g.: goods delivery companies transporters, law firms, etc.) who act as independent controllers;
to third parties who carry out processing on behalf of the Joint Controller, related to the processing and the purposes described above, such as administrative, accounting, tax, information system management services. These subjects are authorized to process them as Data Processors in accordance with the provisions of Article 28 of the GDPR.
g) What are your rights as data subject?
The GDPR grants you the following rights in relation to your personal data; you may exercise these rights within the limits and in compliance with legal provisions:
- Right to access to your personal data (Article 15);
- Right to rectification (art. 16);
- Right to erasure (right to be forgotten) (Article 17);
- Right to restriction of processing (Article 18);
- Right to data portability (Article 20);
- Right to object (Article 21); the data subject has the right to object at any time, for reasons related to his/her particular situation, to the processing of personal data concerning him/her on the basis of legitimate interest, including profiling based on it. The Joint Controllers shall refrain from processing unless they prove the existence of compelling legitimate grounds for processing that prevail over the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of a right in court;
- Right to object to a decision based solely on automated processing (Article 22);
- Right to withdraw, at any time, the consent given, without prejudice to the lawfulness of processing based on consent before its withdrawal.
You may exercise these rights by sending a written request addressed to one of the Joint Data Controllers at the postal address or by e-mail, as detailed in point a) above. You also have the right to lodge a complaint with the Data Protection Authority(www.garanteprivacy.it), in case you deem the processing of your personal data to infringe the existing legislation (Article 77 GDPR) or wish to engage in legal proceedings (Article 79 GDPR).
h) How are personal data protected? Personal data shall be processed both with electronic tools and without the aid of electronic tools, using technical and organizational security measures appropriate to the nature of the data to ensure their integrity and confidentiality and protect them against the risks of unlawful intrusion, loss, alteration, or disclosure to third parties not authorized to process them.