With this privacy information, which has been drawn up in accordance with articles 12 and 13 of European Regulation of 27 April 2016, no. 679 (hereinafter “GDPR”), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the Data Controller GE.FI S.p.A wishes to provide its visitors – hereinafter the Data Subject/s – (in concise, transparent, intelligible and easily accessible format, using clear and simple language) all the information necessary to allow them to understand how their personal data will be processed following its entry on the website www.artigianoinfiera.it (hereinafter the “Website”).
1. Identification and contact details of the Data Controller
GE.FI S.P.A. based in Milan, Via Achille Papa n. 30, 02-31.911.901 – fax 02.31.911.920 – email: firstname.lastname@example.org
2. Contact details of the Data Protection Officer
In accordance with Rule 37 of Privacy Procedure, the Society have nominated a Data Protection Officer – “DPO”, reachable at email@example.com; by mail: Ge.Fi. Spa Viale Achille Papa, 30 20149 Milano
3. Purposes and legal basis of the processing.
The data provided by the Data Subject via operations carried out on the Website or provided by the same Data Subject to the website’s Data Controller, are processed as provided for by the GDPR for inclusion in the list of users/visitors who wish to receive the “L’Artigiano in Fiera” or Artimondo Magazine newsletters, in order to establish the Data Subject’s needs and to offer and manage any services requested, for administrative activities and to comply with specific obligations or duties provided for by law. The data may also be used for statistical extrapolations and for commercial and promotional communications, including in relation to Artimondo, without prejudice to the visitor/website user’s right to communicate at any time their wish to no longer receive such communications.
The legal basis for the above processing is to execute the relationship to which the data subject is a party and to comply with legal obligations. The Data Controller will also request consent for promotional and marketing purposes.
4. Recipients or categories of recipients to whom personal data may be disclosed.
Data will not be disclosed except in accordance with contractual and legal obligations, and may be communicated to third parties who operate on behalf of and for the Data Controller or to other group companies or commercial partners, solely to execute and manage the relationship and the activities and purposes described above, including promotional activities, for administrative operations, legal and contractual consultancy or in relation to legal obligations. Secretarial, accountancy and invoicing personnel, as well as staff responsible for the management and maintenance of processing systems may become aware of your personal data. Communication of your data to the above-mentioned individuals will nevertheless take place in compliance with the Data Subject protection rights provided for by the GDPR. Your name may be included in the Data Controller‘s telephone, fax and email directories and you may receive regular electronic or paper communications reserved for visitors/users. A list of potential data processors is available from the Data Controller.
5. Transfers of personal data to a third country or an international organisation with specification of any privacy guarantees.
The transfer of data outside the EU or to international organisations is not provided for. Should the need arise, the Data Controller will verify whether or not a European Commission adequacy decision exists that guarantees an adequate level of data protection.
6. Storage period of personal data or criteria used to determine such a period
Data will be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed, in so far as this is compatible with legal obligations. The Data Controller has adopted a procedure for the storage of data: the minimum storage period is currently 10 years, also due to ordinary time barring periods.
7. Data Subject’s rights
The Data Controller wishes to inform you of the following rights:
- rights of access, rectification, erasure, restriction of processing, right to object;
Data Subjects may access their data at any time, request rectification where data are incorrect, request erasure of excessive data but not of data the Data Controller must keep by law, and may restrict access to data to certain individuals;
- right to data portability;
the Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly-used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided exclusively in cases provided for by art. 20 of GDPR;
- right to withdrawal of consent at any time:
the Data Subject shall have the right to withdraw his or her consent at any time, assuming responsibility for the impact of this (including suspension of delivery of the newsletter), without prejudice to the obligation for the Data Controller to continue to keep the personal data covered by this document where necessary to comply with a legal obligation or to perform a task carried out in the public interest or in connection with the exercising of official authority vested in the Controller.
- right to lodge a complaint with a personal data protection authority.
8. Obligatory or voluntary nature of providing requested data.
The provision of data is obligatory due to the nature of the contractual relationship established between the Data Subject and the Data Controller, with the exception of promotional activities and marketing (including direct), web marketing and telemarketing, using both traditional and electronic systems, which is voluntary.
9. Consequences of a refusal to reply.
If the Data Subject refuses to provide the obligatory data requested, the Data Controller reserves the right to evaluate the consequences of such a refusal, which do not necessarily fully preclude the stipulation or execution of the contract with the Data Subject, as long as the obligation to provide the data requested is not a legal requirement or is not absolutely essential for the proper functioning of the contractual relationship. In the latter case, if the Data Subject refuses to provide the data requested, the contract cannot be stipulated, whereas if this happens during the contract the relationship must be terminated. There are no consequences if data of a voluntary nature are not provided.
10. The existence of profiling activities or automated decision-making processes, the logic involved and the consequences for the Data Subject.
Where profiling activities are carried out on the Data Subject that are linked to marketing activities, these activities shall be carried out in accordance with the GDPR and the Data Subject may object at any time.