INFORMATION PURSUANT TO THE U.E. REGULATION. No. 2016/679 (so-called GDPR)
Dear data subject, i.e. the one to whom the personal data (including common, sensitive, judicial or cd. special data, henceforth for convenience referred to generically as personal data) refer, who will be in contact and will have negotiating relations with the undersigned data controller I inform you, that in accordance with the provisions of Articles 13 et seq. of EU Regulation no. 2016/679 (hereinafter also just “GDPR”), the personal data you provide to MONETTI SRL as a rule from the time of booking and request for services and until the termination of the same, will be processed in accordance with the above-mentioned legislation. To this end, I am providing you with the following information.
*
1.- THE IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
OWNER of the TREATMENT, that is, in the meaning of Art. 4 GDPR i.e. the one who decides on the purposes and means of the processing of personal data, is MONETTI SRL, c.f.-p.iva 01319680532, Strada dell’Airone 11C/11D, 58010 Albinia GR (Italy) tel. 0564 860877 email of the Data Controller: info@monetti.net – henceforth also referred to as just “the controller”.
*
2.- CONTACT DETAILS OF THE DATA PROTECTION RESPONSIBLE (DPO or DPO).
Since there is no legal obligation, the owner has NOT appointed a data protection officer (DPO)
*
3.- PERSONAL DATA PROCESSED, THE PURPOSES OF THE PROCESSING FOR WHICH THEY ARE INTENDED, METHODS OF PROCESSING AS WELL AS THE LEGAL BASIS OF PROCESSING
PERSONAL DATA PROCESSED and HOW WE COLLECT PERSONAL DATA.
The undersigned data controller has, as indicated in the visura, as its business object a business activity of:
manufacture, design, assembly, wholesale and retail trade of products related to security and emergency system components, automation and remote control units, pyrotechnic products, explosives and ancillary products, referring for the rest to the Chamber of Commerce’s visura.
WHEREAS, the clientele is mostly business enterprises in corporate form and therefore outside the scope of the GDPR, nevertheless, the undersigned owner wanted to make the data protection regulations his own.
The data we process is mostly obtained directly from you e.g. if you contact us directly by coming to our office or through our website, by e-mail or by phone through our hotline, in order to request information about our services or goods, if you buy one of our goods or services, e.g. through our website or our social media (Face book etc.); If you participate in an event organized by us; there are also data collected through Social where we also handle reviews. Newsletters, online questionnaires, website, remote the possibility of Wifi registration by asking to enter data are possible. Data about you may also be collected through the video surveillance system once it is installed.
If you are providing personal information on behalf of someone else, it is your responsibility to make sure, before even doing so, that the Data Subject has read this Privacy Policy. If you are under the age of 18, please do not provide us with any personal information except through the person who exercises parental authority over you.
WHAT DATA CATEGORIES WE COLLECT
Personal data are processed in a lawful and correct manner, inspired by the principles of necessity, correctness, lawfulness, transparency, protection of confidentiality, relevance and non-excessiveness or minimization of data with respect to the purposes of processing, without prejudice to the obligations of the data controller regarding confidentiality and professional secrecy, and their dissemination or communication is limited to the cases prescribed by current laws, regulations or EU legislation.
We process the data of the following individuals although not all of them qualify as data subjects according to the GDPR: Customers, Users, Suppliers, Employees, Collaborators.
In general, we process first name, last name, email address, residential address, domicile, telephone number, city, country, region, VAT number, tax code, bank data e.g. IBAN code in case of activation of payment methods e.g. ri.ba. etc.), payroll, data for billing including electronic billing, household, identity card, data of candidates who send their resume. No biometric, genetic or judicial data (in the meaning as defined in the GDPR) are processed.
USERS: Those who access the WEB services we offer (website and Facebook and other social if active); first name, last name, email address, phone number including cell phone, residential address.
SUPPLIERS: Business name, VAT number, iBan code, Address of the head office, Email address, phone number including cell phone number, Country,Region.
CUSTOMERS: First name, last name, e-mail address, residential address, phone number, city, country, region, VAT number, tax code, purchase history.
– EMPLOYEES and co-workers: office workers the owner processes their data e.g. recruitment/training/residency/medical certificates and they process the company’s data e.g. of coworkers and customers on documents and management; warehouse and direct counter sales employees have access to management and master records – accounting records of customers themselves so the owner processes their data and they process the company’s data; other employees only handle merchandise (we process their data but they don’t process company and customer data) – as for production employees, the owner processes their data e.g. hiring/training courses/residency/medical certificates, but they don’t come in contact with company data.
technicians for interventions: the owner processes their data and they come into contact with the basic data of our customers e.g.: residence, domicile and address.
In addition, at the time of purchase and entering into any financing, the following are further required: Iban code, pay stub, household, ID card, health card, driver’s license, tax documentation, etc.
User data on the web at the moment are collected di nomra for ecommerce, soft marketing and service improvement purposes, and retained due to legal obligation; customer data, such as payroll, ID, household, bank details, etc. are collected for the execution of sales contracts or (if required) financing. All other customer data are collected for legal obligation and service improvement; Supplier data are collected for legal obligation and internal functions necessary for the business.
With regard to the so-called sensitive or special data processed, apart from those of employees or collaborators to fulfill legal obligations, the undersigned owner may occasionally process health-related data concerning you and/or your children under 18 years of age, necessary to obtain, if provided for, facilities or discounts due to the presence of disability or incapacity also referred to in the known “Law 104” or in case of any claim for damages.
Trying to define what is now explained, here are the following categories of personal data that relate to you and/or your children under the age of 18 and may be collected through the various services and contact channels described in this Privacy Policy:
a) Contact details. – information pertaining to name, address, telephone number, data useful for issuing/shipping documents (invoices – ddt etc.), organizing interventions also at their homes, shipping of goods, email address, to contact them in order to organize interventions and for possible communications – reminders; internal notes to list communications made and answers/information provided by the customer himself; IP address (e.g. data for registration on the site and, if present, in case of using WIFI service).
(b) Payment data – Information related to your chosen payment systems, e.g., credit card number, ATM card number, IBAN identifier, etc., bank details for issuing orders or payment requests, ri.ba, including for outstanding balances to be settled.
(c) Complete Identification Data – information related to your identity, including social security number, residence, derived from identity documents by law provided for example Identity Card, Passport, Driving License, etc.
(d) Interests and preferences – information you provide to us about your interests, for our business purpose or ancillary services, if and when activated.
(e) Other personal data – optional information that you provide to us for the sole purpose of personalizing the service.
f) Site Use information about how you use our site, open or forward our communications, including information collected through cookies and other tracking technologies.
(g) Your account information – information to your account on our site.
h) Images – images depicting your person collected through photos and/or videos taken at events organized at us with your consent or through the video surveillance system that may have been installed.
i) Data related to your health status or other data belonging to special categories – information that you provide to us regarding some of your physical conditions (e.g., if you have a disability or if you have difficulty walking or if you are entitled to benefits under Law 104 provided for specific cases of disability/invalidity, etc.).
Therefore, within the limits of the purposes and modalities described in this Notice, information may be processed that can be considered as “Simple or common personal data,” in which your personal details, your bank details, your contact information (such as, for example, cell phone number; e-mail address, hereinafter, jointly, “Personal Data”) and as “Special Data” as they are characterized, according to the GDPR, by a particular nature; they refer, in fact, to your physical health and, more generally, are able to provide information about your health status.
For convenience of reference, within this Notice, the term “Personal Data” shall be understood to refer to all of your personal data, unless otherwise specified.
WHAT ARE THE PURPOSES AND LEGAL PREREQUISITES FOR PROCESSING YOUR PERSONAL DATA (PURPOSE AND LEGAL BASIS FOR PROCESSING)
Personal Data collected will be processed for the purposes and under the legal bases below:
| Purpose | Legal basis for processing |
| Categories a), b) (when relevant): for the management of your contractual relationship or to execute pre-contractual measures (such as, for example, request for information or request for quotation, provision of service). In this case, you are free to confer your Personal Data, including particular ones; however, failure to confer them (when essential to the performance of the contractual relationship) will not allow you to establish the aforementioned relationship and fulfill your request or obtain facilities | processing is necessary in connection with the performance of a contract to which you are a party – Art. 6 GDPR lett.b) |
| Category (c): for communications required by public security regulations or tax fulfillment. Failure to provide the data will result in the inability to provide the service on your behalf | processing is necessary for a legal obligation – art. 6 GDPR lett.c) |
| Categories d), e), f), g), (h) and i) in some cases with your specific consent, for personalization and improvement of the service with specific reference to your specific needs. Failure to provide data does not prevent the service but does prevent its customization and improvement. | Your consent and legitimate interest of the owner (ecommerce, marketing, satisfaction evaluation, service personalization, etc.) ART. 6, 7, 9 GDPR |
| Categories d), e), f), g), (h) and i) subject to your specific consent the fulfillment (and subsequent use) of surveys and to contact you, at the contact details provided, in order to verify the quality of the service rendered to you and your degree of satisfaction; these activities will, however, be contained and limited, in the spirit of discretion of our structure and the lack of consent prevents us from letting you know your degree of satisfaction. | Your consent and legitimate interest of the owner (as specified above) ARTICLES. 6,7, 9 GDPR |
| Categories (a), d), (e), (i) subject to your specific consent, to send you reminders and promotional communications; communications related to events organized by the owner or business partners (together, “marketing purposes”) these activities will, however, be contained and limited, in the spirit of discretion of our facility. Failure to consent or withdrawal of previously provided consent prevents us from contacting you in connection with our initiatives. | Your consent and legitimate interest of the owner (as specified above) ARTICLES. 6,7, 9 GDPR |
| Category a) to send you communications related to services for which, if you are already our customer, you have already shown interest and without prejudice to the possibility for you to object to these communications. However, this activity will be restrained and limited, in the spirit of discretion of our facility. Failure to consent prevents us from contacting you in connection with our initiatives. | Legitimate interest of the owner (as specified above) ARTICLES. 6 (also lett.f), 7, 9 GDPR |
HOW YOUR PERSONAL DATA IS PROCESSED
The processing of Personal Data will be carried out by manual, computerized or telematic means, suitable to guarantee their security and confidentiality and will be performed by personnel duly trained in compliance with the Applicable Regulations.
In addition to those cases where it is necessary to contact you for needs related to our business, where you consent to the processing of your data for other purposes indicated herein, you may be contacted by e-mail, text message, cell phone messaging or through any equivalent electronic means or by paper mail or operator call to any of the contact details provided. If you prefer to be contacted at only one or some of these contact details, you may make an express request by sending a request to the owner’s email address
If you give your consent, your Personal Data may be processed and stored beyond the legal deadline in a computerized customer relationship management archive as well as possibly stored in one or more special archives or databases of the company.
So the processing is aimed solely at the fulfillment of contractual and regulatory obligations, for the proper and complete performance of the service requested, received and related to activities or other services requested by you, including the administrative management of the various contractual obligations (e.g. preparation, enveloping, sending of correspondence and communications also in electronic format or via telephone including via cell phone and its messaging, etc.).
I remind you that under Art. 4 n. 2 GDPR data processing is any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction. Reference is also made to the regulations governing the owner’s business and governing related activities
*
4.- THE POSSIBLE RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA – therefore TO WHOM WE COMMUNICATE YOUR DATA.
Processing, in compliance with the provisions of GDPR 2016/679, may be carried out by:
– Owner’s personnel (e.g., employees or collaborators, etc.) specially appointed by the owner, who are also periodically trained in personal data protection; the appointed personnel will normally process only personal identification data and data related to payment for the service.
In any case, personal data may also be processed by
Customer and supplier data can be accessed by the accountant and the auditor (if appointed) for proper management of the company’s accounts. In the case of an electronic invoice, the data pass through an Interchange system (SdI), managed by the Revenue Agency that is also directly visible to the State Accounting Department, User data is communicated, through automated systems, to GOOGLE, which follows its own retention and privacy policy for processed data;
– third parties as specially identified external data processors such as third parties or companies that provide support services to the company’s activities, or to professionals with whom specific agreements have been signed pursuant to the Regulations or for support in the management of activities;
– there is also the trusted computer technician and of our management who can come in contact with your data in the operations of maintenance and revision of the computer system hardware and software and arrangement control of the back up copy; then there is the manager of the website who can view all the personal data left on the web by the person concerned; I remain at your disposal, upon your express request, to provide you with the name of the trusted computer technician, web agency as well as any additional external manager or processor indicated in this policy.
– We currently do not have a cloud manager but if there is an intention to do so in the future, we will choose one that is reliable and has servers in EU countries and complies with the privacy regulations under the GDPR.
– Your personal data will also be processed by external responsible third parties, e.g., the accountant, labor consultant, labor doctor, also in order to fulfill the obligations provided for in the tax and accounting field and in this case only common personal data will be provided; in addition, if requested, we will provide your data to those who will make the checks required by law.
– to Istat if required by law;
Your personal data may also be communicated by way of example to the following entities or categories of entities indicated below: Banking institutions for payment management; Financial administrations, private companies, professional firms (lawyers in the presence of litigation, etc.) or public or private entities in each case to fulfill regulatory obligations; lawyers, service companies, law firms for the protection of contractual rights. With regard to the payment of the holder’s fees, except in the case of cash (within the limits of the law), whether you use at your choice the bank transfer or bank check or credit card or ATM card, I inform you that in the case of using the pay pal service or booking and payment via the website or through the pos and in that case the data are processed exclusively and directly by the bank, and/or paypal; in any case it is possible that by providing your bank data, even just the Iban, it may emerge where you have your bank account, in which Agency etc., since the system of bank payments is so set up on the basis of laws and regulations without the holder having any decision-making power in this regard. In general, your personal data, which are processed for the above-mentioned purposes, may not be disclosed to third parties except when necessary or provided for by law, such as to Public Security or Judicial Authorities or when the prerequisites of the law exist; in other cases upon your express and free consent. Under no circumstances will personal data be disseminated (we usually refer to social etc.) without your consent.
– from browsing our site may emerge the history of services used, online browsing history, images of expenses incurred, acts pertaining to the person; in these cases your data such as first name, last name, address, date and place of birth, landline or cell phone number, credit card, email address, reason for stay, data to register for Wifi if activated by the owner, bank data of customers or agencies in case of return of deposits or erroneous charges are provided. The browsing history if not deleted by you as an internet user, remains with all your data if e.g. you use the Pc station.
5.- TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION
The data controller does not transfer personal data to a third country outside the European Union (moreover, not even to European Union member states) or to an international organization. In addition, your data will not be transferred either to European Union member states or to non-EU countries. If there is ever an intention to do so in the future, the owner will provide you with appropriate information and everything you need to be in line with current privacy regulations.
6.- RETENTION PERIOD OF PERSONAL DATA OR THE CRITERIA USED TO DETERMINE THIS PERIOD
Below is a table containing indications of the retention times (i.e., criteria for determining) of Personal Data, after which your data will be deleted; in general, personal data of customers and suppliers are retained for up to 10 years for the purpose of conducting the company’s business; personal data of the USER category are retained for 180 days for statistical and service improvement purposes and for possible commercial communications, but a longer period is allowed below, which is better indicated:
| Purpose |
Storage times |
|
Categories a), (b) (contract) |
For the duration of the relationship and 10 years thereafter also for tax and anti-money laundering purposes |
|
Category (c) |
The time prescribed by law |
|
Category d), e), f), g), h), (i), service improvement |
24 months after the end of the contract or service |
|
Category d), e), f), g), h), (i), check satisfaction |
24 months after collection, due to the possibility, frequent in practice, of further dealings with you, without prejudice to the possibility for the person concerned to change and/or revoke their wishes at any time regarding consent |
|
Category d), e), f), g), h), (i), marketing |
24 months from the end of your last relationship with us, due to the possibility, frequent in practice, of further relationships with you, without prejudice to the possibility for the person concerned to change and/or revoke their will at any time regarding consent |
Your personal data, subject to processing for the purposes indicated above, will be kept for the entire duration of the contractual relationship and, in compliance with civil and tax regulations, for the following ten years starting from the termination of the relationship.
With your express consent, including in your best interest, this owner is willing to keep your personal data for a period beyond the ordinary period, even more than ten years.
In any case, where applicable, data are retained for the time prescribed by current regulations.
7.- CONSEQUENCES OF NON-DISCLOSURE OF PERSONAL DATA OR REFUSAL TO PROCESS THEM
With regard to personal data whose processing is necessary and functional for the performance and fulfillment of the service and the contract to which you are a party or for the fulfillment of a regulatory obligation (e.g., those related to the keeping of accounting and tax records as well as e.g., for the proper application of security measures also for the electronic instruments of the owner), the failure to provide personal data or your refusal to process them makes it impossible to perfect or continue the contractual relationship itself. In cases, on the other hand, in which you decide not to provide consent for the so-called optional processing of your personal data, i.e. in cases in which the performance of the service and the contractual relationship is still allowed (e.g. processing by third party external managers, when “optional”, recalled above or sending advertising material, etc.), your data will be processed as you requested and therefore only the data necessary for the “basic” service and the performance of the contract will be processed. Therefore, in these cases you will not be able to take advantage of further services of our facility since, by not allowing information to be sent, you will not be aware of it. In cases where processing is based on consent, you have the right to revoke consent at any time, without, of course, affecting the lawfulness of the processing that took place (and was based on the consent given) before the revocation.
8.- RIGHTS OF THE DATA SUBJECT
You, as a data subject, may exercise, with reference to your personal data, the rights provided for in Articles 15 to 22 of the GDPR and which are handed over to you separately for further study and in general you have the right: – to see your data processed transparently (Articles 5 and 12 GDPR); – to receive information; – right to access your personal data; – right to obtain rectification or restriction of processing concerning you; – right to obtain deletion of your data (so-called right to be forgotten, under certain circumstances);
– Right to object to processing (by stopping the processing of your personal information); – Right to data portability (right applicable to data in electronic format), as governed by Art. 20 GDPR which allows, upon your request, to transfer your data from the undersigned to another controller designated by you in an electronic format readable by the new controller; data portability rights apply only to personal information that we have obtained directly from you and only where our processing is carried out in an automated manner, based on consent or the performance of a contract; – right to revoke consent at any time without affecting the lawfulness of the processing based on the consent prior to revocation; – right to lodge a complaint with the supervisory authority by addressing the competent Guarantor Authority ; for more details or templates you can consult the institutional website of the Privacy Guarantor www.garanteprivacy.it – right to request any information related to the processing of your data, including through the data processors at the headquarters of the owner. You can always ask us to : confirm whether we are processing your personal information, receive information about how we process your data, obtain a copy of your personal information, update or correct your personal information. Specifically on the right to object to processing, you have the right to request that we stop processing your personal information: -for marketing activities, -for statistical purposes, -where such processing is based on our legitimate business interests, unless we are able to demonstrate a legitimate ground for such processing or where the processing of your personal information is necessary to establish, exercise or defend a right in court.
Right to restrict processing; you have the right to request that we restrict the processing of your personal information: -when we are considering or are in the process of responding to a request from you to update or correct your personal information, -when it is no longer required or needed by us, but you wish us to retain the data to establish, exercise or defend a right in court, -when you have sent an objection to processing on the basis of our legitimate business interests and are awaiting our response to that request. Should we restrict the processing of your personal information pursuant to your request, we will notify you before involving you again in such processing.
SENDING REQUESTS RELATED TO THEIR RIGHTS:
your requests may be sent to the above email address; we will respond to all such requests within 30 days of receipt of the request, unless extenuating circumstances exist, in which case it may take up to 60 days for a response. We will notify you if we anticipate that our response may take longer than 30 days. However, some personal information may be excluded from these rights under applicable data protection laws. In addition, we will not respond to any request unless we are able to adequately verify the identity of the requester. We may charge you, when required by regulations, a reasonable fee for subsequent copies of the data you request. Right to withdraw consent: you have the right to withdraw your consent to any processing we conduct solely on the basis of your consent (such as sending direct marketing materials to your personal e-mail address). You may revoke your consent by contacting the above email address-Withdrawal of consent however does not affect the lawfulness of processing based on consent made prior to revocation.Our services do not target minors under the age of 18 and we do not knowingly collect data about them.
9.- EXISTENCE OF AUTOMATED DECISION MAKING, INCLUDING PROFILING
We do not use automated decision-making systems and do not resort to profiling i.e., that directed at using your personal data to analyze or predict aspects of your professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements, etc. (art.22 par. 1 and 4 GDPR).
GROSSETO, 05/24/2018 THE DATA CONTROLLER
MONETTI SRL
