Information notice on personal data protection pursuant to articles 13 and 14 of Regulation (EU) 2016/679 concerning personal data protection (“Regulation”)
L’ITALIANA AROMI SRL, with its principal office in Via Lombardia 24, 20841 – Carate Brianza, Tax Code 00839040151 and VAT No. IT00696900968, in the person of its legal representative, Mr. Pietro Bruno Tirelli, phone number +39(0)362990053 – fax number +39(0)362991526, and in his capacity as DATA CONTROLLER of personal, sensitive or judicial data (“Data Processor”) pursuant to articles 13 and 14 of Regulation 679/2016, hereby provides the following information (“Privacy Information Notice”).
Personal data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal data shall be processed according to the following principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality, in compliance with the rights, fundamental freedoms and dignity of data subjects.
Types of data, purposes and legal basis for processing data
Such personal data as provided in different manners, including customized forms, will be processed to fulfil any and all obligations relating to the request for information, products and services, and thus to manage the established business relationship and to pursue the purposes and goals under the request for a contract or professional relationship.
The data thus provided shall also be processed for the following purposes:
- managing payments and defaults of payment, if any (credit collection and litigation);
- determining, exercising or upholding any right of ours in legal claims;
- fulfilling legal obligations and complying with tax or accounting regulations (e.g. invoicing);
- subject to a prior specific and separate consent, carrying out commercial and marketing activities.
The data thus provided may be processed for the following reasons:
- this is necessary to perform the contract executed with our company, of which the data subject is an integral part;
- this is necessary to fulfil our legal and/or regulatory responsibilities – for example, in case of notification to authorities, government and/or regulatory agencies;
- this is necessary to start, carry on, or defend ourselves, in legal proceedings;
- this is necessary to take several different measures as provided for by the contract;
- when required, this is based on an explicit consent.
Mandatory or optional nature of data provision and consequences of refusal to provide data
Although provision of data is optional, it is necessary for the above purposes. If data processing is based on consent, such consent shall be deemed as necessary. Total or partial refusal to provide data or give one’s consent where necessary will make it impossible to pursue the relevant purposes.
Methods of data processing
Personal data will be processed with or without the aid of electronic, automated, computerized or telematic tools, in accordance with criteria strictly related to the above purposes. Personal data shall be processed lawfully, fairly and in compliance with the above regulation, through such means as to ensure security and confidentiality; personal data may also be processed through automated means for storing, managing and transmitting data.
Our company will store the data as long as required to fulfil legal, contractual and/or regulatory obligations. The storage period for information depends on the purpose for which the data are processed and the tools with which such information are processed. The criteria used to determine the storage period are the amount of time that is necessary to achieve the purpose of the processing, the amount of time necessary for the contractual relationship, the amount of time provided for by relevant applicable laws.
At the end of the storage period, the data will be erased or destroyed safely, if possible, or rendered anonymous.
Disclosure and dissemination of data
Data shall not be disseminated to any unknown parties. Whereas, if disclosure is necessary and/or useful four our business, data may be disclosed, in such manners and for such purposes as stated above, to external parties which process data in their capacity as independent data controllers or data processors belonging to any of the following categories:
- companies connected with us for technical reasons, laboratories, administrative, labour, tax, law and notary consulting firms, to fulfil legal obligations or ascertain, exercise or safeguard a right of ours in legal claims;
- suppliers of IT services;
- public and private bodies, following, for example, inspections, audits, management procedures, to fulfil legal obligations and/or comply with provisions established by public bodies (e.g. financial administration, policy bodies, judicial authorities).
The third-party subjects that process data on behalf of the DATA CONTROLLER are accurately selected and assessed, are properly and objectively experienced, skilled and reliable, and provide suitable guarantees in full compliance with current provisions concerning data processing, including the safety profile of the data. Under the regulation, these are formally appointed, through a specific agreement or a legal transaction in accordance with national laws, as data processors pursuant to article 28 of Regulation (EU) 679/2016, and are subject to contractual and regulatory obligations to maintain and ensure data confidentiality. Our company periodically checks that the DATA PROCESSORS have accurately performed the tasks assigned to them and keep providing suitable guarantees in full compliance with current provisions concerning the protection of personal, sensitive or judicial data. Furthermore, they will have access only to such information as required to perform their tasks.
The data may be disclosed to outside companies, formally appointed as DATA PROCESSORS, which are in charge of the supply of supporting services which involve processing the data, including professional IT and legal and credit collection services as well as services relating to the management and maintenance of IT systems and databases, including customers’ data, administrative and accounting services, and assistance services.
To obtain a list of such data processors, you can contact our organization by sending an email to email@example.com.
Furthermore, you can obtain and process the data of the data controller’s duly authorised employees and consultants, each within the limits of his or her functions and tasks and in accordance with such instructions as contained in the deed of appointment.
Specifically, the European Regulation provides that data subjects shall have the following rights:
Right of access by the data subject (Article 15)
Right of access to the data and to obtain a copy thereof: the data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed. Under some circumstances, the data subject may request an electronic copy of the data.
Right to rectification (Article 16)
In the event that the data provided to us should be incorrect, the data subject shall have the right to obtain, without undue delay, the updating or rectification of inaccurate data concerning him or her.
Right to erasure, right to restriction of processing and right to be forgotten (Articles 17 and 18)
In some cases, the data subject shall have the right to obtain restriction of processing and/or erasure of the data. The data subject may submit the request at any time if such right is subject to legal rights or obligations; therefore, it may be necessary to store the data in question for a suitable period. If the request for erasure of data proves correct under the law, we will erase such data without undue delay.
Right to data portability (Article 20)
Based on certain assumptions, the data subject shall have the right to receive the personal data concerning him or her, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another data controller. Such common extension types as identified by competent authorities are allowed.
Right to object (Article 21)
The data subject shall have the right to object on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her. In such case, we shall no longer process the personal data unless compelling legitimate grounds for the processing override the personal, sensitive, judicial data or the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The data subject shall have the right to object, at any time, to processing of personal data concerning him or her for marketing purposes.
Right to lodge a complaint with a supervisory authority (Article 77)
Every data subject shall have the right to lodge a complaint with an Italian supervisory authority – for example, to request information concerning the exercise of their rights.
Withdrawal of consent
The data subject shall have the right to withdraw his or her consent at any time. The data subject may withdraw his or her consent for the purposes of processing his or her personal data, at any time, for commercial or marketing purposes as established or directly by sending an email to firstname.lastname@example.org. Any withdrawal shall be without prejudice to the lawfulness of processing as based on the consent given before the withdrawal thereof.
Exercise of rights
The data subject may exercise his or her rights at any time, by sending an email to: email@example.com.
In the event that any rights should be exercised, we may ask you to identify yourself before proceeding with your request.
For any request or information, or, in case of doubt, please contact us at: firstname.lastname@example.org.
We reserve the right to revise, modify and/or simply update, in full and/or in part, in any manner and/or at any time, without notice, this Privacy Notice – for example, following the modification of law provisions and/or regulations concerning the protection of personal, sensitive or judicial data. If that is the case, we will publish any significant change made to this Privacy Notice by sending up-to-date information to such addresses as contained in our database or getting in touch through the alternative communication channels available.
The required consent concerns the specific type of data and purposes for:
- processing data to submit offers and commercial messages, send advertising and/or promotional information material, marketing activities).
Specifically, data shall be processed for commercial and marketing activities through conventional methods (including paper mail, direct contacts), or through “automated” contact systems (for example, text messages, phone calls without operators, e-mail, social networks, other interactive applications).
The consent given for marketing activities through automated tools shall also apply to conventional contact methods. Although consent is optional, the lack of consent will prevent the Data Controller from processing the data for such purposes as stated therein, without prejudice to the main purpose.