PERSONAL DATA PROTECTION NOTICE PURSUANT TO
EU REGULATION No. 679/2016 (the so-called 'GDPR')
- Data Controller
Esseti S.r.l., with registered office in via del Lavoro, 90, 40050 Argelato (BO), CF and VAT no. 00526061205 (hereinafter, "Data Controller" or "Esseti"), in its capacity as Data Processor, informs you pursuant to Articles 13 and 14 of EU Regulation no. 2016/679 (hereinafter, "GDPR") that the Data of natural persons residing in the European Union (hereinafter, "Customer" or "Data Subject"), of which the company came into possession during the performance of its activities, will be processed in the following manner and for the following purposes.
- Object of Treatment
The Controller processes personal data (e.g. first name, last name, tax code, email, telephone number, etc., hereinafter referred to as "personal data" or "data") acquired, even verbally, or communicated by the Data Subject when registering on the website and/or when subscribing to the Controller's newsletter service or when executing a contract to which the Data Subject is a party.
- Legal basis and Purpose of Processing
Personal data are processed:
- without the express consent of the Data Subject (Art. 6 lett. B of the GDPR), in order to achieve the corporate purpose of the Data Controller, in particular:
- fulfil pre-contractual, contractual and tax obligations arising from existing relations with the Customer;
- comply with obligations laid down by law, regulation, EU legislation or an order of the Authority;
- allow subscription to the newsletter service provided by the Controller and any further Services requested;
- exercise the rights of the Controller.
- subject to the specific consent of the Data Subject (Art. 6 lett. A of the GDPR), by means of specific and separate information, for the purposes indicated therein.
It should be noted that Esseti's customers may be sent commercial communications relating to the Controller's services and products similar to those from which the customer has already benefited, unless the data subject expressly objects.
- Modalities of Treatment
The processing of the Customer's personal data is carried out by means of the operations indicated in Article 4 no. 2 of the GDPR, namely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data. Personal data are subject to both paper and electronic processing.
The Controller shall process personal data for the time necessary to fulfil the purposes set out in Art. 3 of this notice and in any case for no longer than 10 years from the termination of the relationship with the Customer. Data collected and not subject to storage determined by law will be kept for no longer than 2 years from the termination of the relationship with the Data Subject.
The data will also be processed in compliance with the principle of confidentiality and security; in particular, all technical, IT, organisational and procedural security measures will be taken so that the adequate level of data protection indicated in Article 32 of the GDPR is guaranteed.
- Data Access
The Customer's data may be made accessible for the purposes set out in Articles 3.A) and 3.B) of this notice:
- to employees and collaborators of the Controller, in their capacity as persons in charge and/or internal data processors and/or system administrators;
- to third parties (e.g. providers for the management and maintenance of the website, suppliers, credit institutions, professional firms, etc.) who carry out activities in outsourcing on behalf of the Controller, in their capacity as external data processors.
- Data Communication
Without the Customer's express consent (Art. 6 lett. b) and c) of the GDPR), the Data Controller may communicate the data for the purposes set out in Art. 3.A) of this information notice to Supervisory Bodies, Judicial Authorities as well as to all other subjects to whom the communication is compulsory by law or necessary for the fulfilment of the aforementioned purposes.
- Data Transfer
The management and storage of personal data will take place on the Data Controller's servers located within the European Union and/or third-party companies duly appointed as Data Processors. The servers are currently located in Italy. The data will not be transferred outside the European Union. It is in any case understood that the Data Controller, should it become necessary, shall have the right to move the location of the servers to Italy and/or the European Union and/or non-EU countries. In this case, the Data Controller assures as of now that the transfer of data outside the EU will take place in compliance with the applicable legal provisions by entering into, if necessary, agreements that guarantee an adequate level of protection and/or by adopting the standard contractual clauses provided for by the European Commission.
- Nature of Data Provision and Consequences of Refusal to Respond
The provision of data for the purposes set out in art. 3.A) of this information notice is compulsory. Failure to provide it will make it impossible for Esseti to continue its relationship with the Data Subject.
- Rights of the data subject
As a data subject, you have the rights set out in Articles 15 - 21 of the GDPR, namely the rights to:
- obtain confirmation of the existence or non-existence of personal data concerning him/her, even if not yet recorded, and their communication in intelligible form;
- obtain an indication of:
- the origin of personal data;
- the purposes and methods of processing;
- the logic applied in the event of processing carried out with the aid of electronic instruments;
- the identification details of the owner, the managers and the designated representative;
- the entities or categories of entity to whom or which the personal data may be communicated or who or which may become aware of them in their capacity as designated representative(s) in the territory of the State, data processor(s) or person(s) in charge of processing;
- updating, rectification or, when interested, integration of the data;
- the cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose storage is not necessary in relation to the purposes for which the data were collected or subsequently processed;
- certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
- object in whole or in part:
- for legitimate reasons to the processing of personal data concerning him/her, even if pertinent to the purpose of collection;
- to the processing of personal data concerning him/her for the purposes of sending advertising or direct sales material or for the performance of market research or commercial communications, through the use of automated calling systems without the intervention of an operator, by email and/or through traditional marketing methods by telephone and/or paper mail. It should be noted that the data subject's right to object, as set out in point b) above, for direct marketing purposes by automated means extends to traditional marketing methods and that, in any case, the data subject's right to object may also be exercised in part. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither type of communication.
Where applicable, the Customer therefore has the rights set out in Articles 15-21 of the GDPR, namely the right of access, the right to rectification, the right to be forgotten, the right to restriction of processing, the right to data portability, the right to object, as well as the right to complain to a Supervisory Authority.
- Methods of exercising rights
The customer may exercise his rights at any time by sending:
- a registered letter with return receipt to Esseti S.r.l., via del Lavoro 90, 40050 Argelato (BO);
- an e-mail to firstname.lastname@example.org;
- a PEC to the address email@example.com.
The Owner's Services are not intended for minors under the age of 18 and the Owner does not knowingly collect personal information about minors. In the event that information about minors is unintentionally recorded, the Owner will delete it in a timely manner upon request of the person concerned.
- Owner, manager and appointees
The data controller is Esseti S.r.l. in the name of its legal representative.
The up-to-date list of data processors and persons in charge of processing is kept at the Data Controller's head office.
- Amendments to this Policy
This Policy is subject to change. We therefore recommend that you also regularly check this Policy on our website and refer to the most up-to-date version.