in accordance with EU Regulation 2016/679 FERMOR SRL with offices in Viale del Lavoro, 2– 24050 Spirano (BG), VAT no. 04264100167, as data controller (“Data Controller”), would like to inform you, in accordance with EU Regulation no. 2016/679 (“GDPR”) that your data will be used in the following ways and for the following purposes: A. Data to be processed The Data Controller will process identifying personal data (e.g. name and surname, telephone number, e-mail address, payment details) – “Personal Data” or “Data” – provided by you when concluding each contract for the Data Controller’s services. B. Purposes of data processing Your Personal Data will be used: 1. Without your express consent, as indicated by Article 6, letters b) and e), GDPR, for the following Service Purposes:
·To conclude contracts for services provided by the Data Controller;
·To fulfil pre-contractual, contractual and tax obligations arising from relationships with you;
·To fulfil obligations set out by legislation, regulations, EU legislation or an order from the Supervisory Authority (e.g. with regard to anti-money laundering);
·To exercise the Data Controller’s rights (e.g. to defend legal action);
2. Only with your specific and clear consent (Article 7, GDPR) for the following Marketing Purposes:
·To send you, via e-mail, post and/or SMS and/or telephone, newsletters, commercial communications and/or advertising materials regarding products or services offered by the Data Controller, and customer satisfaction surveys regarding the quality of services;
·To send you, via e-mail, post and/or SMS and/or telephone, commercial and/or promotional communications from third parties.
C. Method of processing Your Personal Data will be processed using the operations set out in Article 4, paragraph 2, GDPR, and precisely: collection, recording, organisation, storage, consultation, processing or alteration, selection, retrieval, alignment, use, combination, restriction, disclosure, erasure or destruction of Data. Your Personal Data will be processed on both paper and electronic and/or automated form. The Data Controller will process the Personal Data for the time necessary to fulfil the purposes indicated above and in any case for no longer than 10 years from the termination of the relationship for Service Purposes and for no longer than 2 years from the collection of Data for Marketing Purposes. D. Access to data Your Data may be accessed, for the purposes set out in point C., by the Data Controller’s employees and contract workers, in their role as persons authorised to process data and/or internal processing managers and/or system administrators. E. Disclosure of data Without requiring express consent, see Article 6, paragraph 1, letters b) and c), GDPR, the Data Controller may communicate your Data for the purposes referred to in point B.1 to Supervisory Authorities, Law Enforcement Agencies, insurance companies for the provision of insurance services, and to all entities to which communication is legally necessary to fulfil the above purposes. These entities will process data in their role as independent Data Controllers. Your Data will not be publicly disclosed. F. Transfer of data Personal Data are held on servers located at the Data Controller’s operating premises, within the European Union. However, the Data Controller has the right to move these servers outside the European Union, where necessary. In this case, the Data Controller guarantees as of now that the transfer of Data outside the European Union will occur in compliance with applicable legal provisions, following stipulation of standard contractual clauses required by the European Commission. G. Nature of providing data and consequences of refusing to provide them Provision of Data for the purposes referred to in point B.1 is obligatory. If these Data are not provided, we cannot guarantee to provide you with the Services referred to in point B.1. Provision of Data for the purposes referred to in point B.2 is voluntary. You may therefore decide to not provide any Data, or to later revoke consent to process previously provided Data: in this case, you will not receive newsletters, commercial communications or advertising materials regarding the Services offered by the Data Controller. You will in any case continue to be entitled to receive the Services referred to in point B.1. H. Rights of data subjects As a Data Subject, you have the rights of access referred to in Articles 15-21, GDPR, that is, the right of access, the right to rectification, the right to erasure (“right to be forgotten”), the right to restriction of processing, the right to Data portability, the right to object, and the right to lodge a complaint with Garante [Italian Data Protection Authority]. Precisely, these rights are:
To obtain confirmation as to whether or not Personal Data concerning you exist, regardless of their being already recorded, and communication of these Data in intelligible form;
oThe origin of the Personal Data;
oThe purposes and methods of processing;
oThe logic applied where processing is carried out with the use of electronic means;
oDetails of the identity of the Data Controller, Data Processors and designated representatives, in accordance with Article 3, paragraph 1, GDPR;
oThe entities or categories of entity to which Personal Data may be communicated or who may become aware of the Personal Data in their role as designated representative within national territory, as Data Processors or persons authorised to process Data.
oData updated, rectified or, where necessary, supplemented;
oData erased, transformed into anonymous form or to have processing of data blocked where this is in violation of the law, including data for which conservation is no longer necessary for the purposes for which they were collected or subsequently processed;
oCertification that notification regarding the operations carried out, including their contents, have been sent to the entities to whom or which the Data were communicated or disclosed, unless this requirement is impossible to fulfil or involves a manifestly disproportionate effort compared with the right to be protected.
To oppose, totally or partially:
oThe processing of Personal Data concerning you, for legitimate reasons, even if they are pertinent to the purpose of collection;
oThe processing of your Personal Data for the purposes of sending advertising or direct sales material or to carry out market research or send communications of a commercial nature, through the use of automated calling systems without the intervention of an operator, as well as via e-mail and/or traditional marketing methods via telephone and/or post. It is noted that a Data Subject’s right to object as indicated in the previous paragraphs, for the purposes of direct marketing through the use of automated systems, also applies to traditional methods of communication, and that a Data Subject may also exercise the right to oppose only in part. Therefore, a Data Subject may decide to receive communications solely through traditional methods or rather solely through automated communications or neither of the two types of communication.