Alltrad sas di Daniela Panero & C., with registered office in Torino (To) Corso Regina Margherita 95 (hereinafter, Alltrad), as Data Controller, hereby informs you, pursuant to and by effect of Arts 13 and 14 of EU Regulation No. 2016/679 (hereinafter, in short, “GDPR”) that your data will be processed with the following methods and for the following purposes.
1. Data Controller
The Data Controller is Alltrad.
The updated list of data processors is kept at the registered office of the Data Controller.
2. Scope of processing
The Controller processes personal identification data (for example, name, surname, company name, address, telephone number, e-mail address, bank and payment details, hereinafter “personal data” or “data“) communicated by you on concluding contracts for the services of the Controller.
3. Processing purposes
Your personal data is processed:
A) without your express consent (Art. 6 (b) and (e) of the GDPR), for the following Service Purposes:
– to conclude contracts for the services of the Controller;
– to fulfil pre-contractual, contractual and fiscal obligations deriving from agreements in place with you;
– to fulfil obligations laid down by legislation, regulations, EU regulations or by order of an Authority (such as on anti-money laundering);
– to exercise the rights of the Controller, for example the right to defence in court;
B) only subject to your specific and separate consent (Art. 7 of the GDPR), for the following Marketing Purposes:
– to send you, by e-mail, post and/or text message and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Controller and to survey the degree of satisfaction on service quality.
Please note that, if you are a customer of ours, we may send you communications and information relating to the services of the Controller and regulatory changes concerning you similar to those you have already used, unless you withdraw your consent.
4. Processing methods
Your personal data is processed by means of the operations indicated in Art. 4 (2) of the GDPR, i.e.: collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, restriction, disclosure, erasure or destruction of personal data. Your personal data is subjected to both paper and electronic and/or automated processing.
5. Retention period
The Controller will process personal data for the time necessary to fulfil the aforementioned purposes and in any case for no more than 10 years from termination of the relationship.
6. Access to data
Your data may be made accessible:
– to employees and collaborators of the Controller;
– to third parties (professional firms, consultants, banks, insurance companies, etc.) that carry out outsourcing activities on behalf of the Controller, in their capacity as external data processors.
7. Data communication
Your data may be communicated without the need for express consent to judicial authorities, as well as to those parties to which communication is mandatory by law for the accomplishment of the intended purposes. These parties will process the data in their capacity as independent data controllers.
Your data will not be disseminated.
8. Data transfer
The personal data is stored on servers located in Italy, inside the European Union. It is nevertheless understood that the Data Controller, if necessary, shall have the right to move the servers also outside the EU. In this case, the Controller hereby ensures that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, subject to conclusion of the standard contractual clauses provided for by the European Commission.
9. Nature of provision of data and consequences of refusal to respond
The provision of data for the purposes referred to in Art. 6 (b) of the GDPR (performance of the contract) is mandatory. In its absence, we will not be able to guarantee the conclusion of the contract and the services rendered by the Controller.
The provision of data for the purposes referred to in Art. 6 (a) of the GDPR is, on the other hand, optional. You can therefore decide not to provide any data or to subsequently deny the possibility of processing data already provided.
10. Further information
In your capacity as data subject, pursuant to Art. 13 (2) of the GDPR, the Controller hereby informs you of the following rights:
a) right to request access to the data;
b) right to request the rectification, deletion and restriction of processing of data concerning you and to object to processing;
c) right to data portability;
d) right to lodge a complaint at any time with a supervisory authority;
e) right to know the possible consequences of failure to communicate personal data if communication of the same is a legal or contractual obligation or a necessary requirement for the conclusion of a contract;
f) right to know of the existence of an automated decision-making process or of profiling and to know significant information on the rationale used and the expected consequences of the processing.
11. Rights of the data subject
In your capacity as data subject, you have the rights referred to in Arts. 15 et seq. of the GDPR, and specifically the rights to:
a) obtain confirmation of the existence of personal data concerning you, even if not yet recorded, and communication of the same in an intelligible form (right of access of the data subject – Art. 15 of the GDPR);
b) obtain the rectification of inaccurate personal data concerning you without justified delay (right of rectification – Art. 16 of the GDPR);
c) obtain the erasure of personal data concerning you without justified delay (right to be forgotten – Art. 17 of the GDPR);
d) obtain restriction of processing (right to restriction of processing – Art. 18 of the GDPR) if:
- the data is inaccurate for the period necessary for the Controller to verify the accuracy of the data;
- the processing is unlawful and the data subject objects to erasure of the personal data and requests the restriction of its use;
- the personal data is required by the data subject for the establishment, exercise or defence of legal claims even though the controller no longer needs it;
- the data subject has objected to processing pursuant to Article 21 of the GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.
e) receive the personal data concerning you provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit such data to another controller without hindrance from the controller to which the personal data was provided (right to data portability – Art. 20 of the GDPR);
f) object at any time to the processing of data concerning the particular situation of the data subject if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority or for the legitimate interests of a data controller or third parties. If personal data is processed for direct marketing purposes, the data subject must have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge (right to object –Art. 21 of the GDPR);
g) the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (profiling – Art. 22 of the GDPR).
12. How to exercise the rights
You can exercise your rights at any time by sending:
– a registered letter to Alltrad sas di D.Panero & C. – Corso Regina Margherita 95 – 10124 Torino (To);
– an email to: firstname.lastname@example.org.
Furthermore, you can at any time lodge a complaint with the Personal Data Protection Authority, which can be contacted at email@example.com or via the website http://www.gpdp.it
This policy was last updated on 25/05/2018.