EXTENDED INFORMATION ACCORDING TO ARTICLES 12, 13 AND, IF NECESSARY, 14 OF THE GDPR – REGULATION (EU) 2016/679 REGARDING THE PROTECTION OF NATURAL PERSONS, WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER GDPR)
The data controller discloses the information below pursuant to arts. 12, 13 and, if necessary, 14 of the GDPR relating to the processing of personal data provided by the Customer/data subject by completing and signing the Contract for the purchase of products/services offered for sale by the data controller, spontaneously uploading personal data on this website (especially by filling in forms) or by simply browsing it.
1. Data Controller and contact details
The data controller is Gea Luce s.r.l., with registered office in San Severo (FG) postcode 71016, Via Tardio, s.n. [no house number], VAT no. 01913370712, Ph. 0882 374954, email info@gealuce.com, web www.gealuce.com (hereinafter the Website).
2. Principles applicable to processing
In accordance with the provisions of the GDPR, the data controller constantly strives to ensure that personal data are:
(a) processed in a lawful, fair and transparent manner;
(b) collected for specified, explicit and legitimate purposes, and subsequently processed in a way that is compatible with such purposes;
(c) adequate, relevant and limited to that which is strictly necessary with regard to the purposes for which they are processed;
(d) accurate and updated where necessary;
(e) kept for a period of time not exceeding the achievement of the purposes for which they are processed;
(f) processed, by appropriate technical and organisational measures, in such a way as to ensure their safety;
(g) processed, if by virtue of consent, by a decision freely taken by the Customer/data subject, on the basis of a request submitted in a way that is clearly distinguishable from the rest, in an understandable and easily accessible form, using simple and clear language.
The data controller shall take appropriate technical and organisational measures in order to ensure the protection of personal data from the design stage and to ensure that, by default, only the data necessary for each specific processing purpose are processed.
The Data Processor collects, and gives as much consideration as possible to, the indications, observations and opinions that the Customer/data subject sends to the above-mentioned contact details, in order to implement a dynamic privacy management system that ensures effective protection of people with regard to the processing of their data.
This privacy policy may be modified, in line with the evolution of the reference legislation and of the technical and organisational measures that are gradually adopted by the data controller; the Customer/data subject is, therefore, requested to periodically visit this section of the Website, to view updates and the policy text from time to time.
3. Methods of personal data processing
The processing of personal data is carried out manually and with electronic tools, with logic strictly related to the purposes indicated below and, in any case, in order to guarantee the security and confidentiality of the data themselves.
4. Purposes for processing the Personal Data
(4a) Purposes for which data processing is necessary
The personal data provided by the Customer/data subject are mainly processed for the execution of the Contract and the management of the credit and, more generally, of the relationship arising from the Contract itself.
The provision of data in the Contract or later, during the contractual relationship, for the processing purposes in question is mandatory; therefore, failing to provide such data, or providing them only partially or incorrectly, makes it impossible to conclude and/or execute the Contract and, for the Customer/data subject, to take advantage of the products/services offered by the data controller, potentially exposing the Customer/data subject to liability for breach of contract.
The personal data provided by the Customer/data subject may also be processed, if this is necessary, to fulfil a legal obligation to which the data controller is subject, to safeguard the vital interests of the Customer/data subject or another natural person, for the execution of a task of public interest or connected to the exercise of public authority vested in the data controller, or for the pursuit of the legitimate interest of the data controller or of third parties, provided that they do not take precedence over the interests or rights and fundamental freedoms of the Customer/data subject; even in these cases, the provision of data is mandatory and, therefore, the failed, partial or incorrect communication of the data may expose the customer/data subject to any liability and penalties provided for by the legal order.
(4b) Further purposes of the processing following specific and express consent of the Customer/data subject
In addition to the aforementioned processing purposes, the personal data provided/acquired may be processed, with the prior consent of the Customer/data subject, to be expressed by selecting the <<GIVE CONSENT>> option on the Contract or on the Website (or using other social or web applications of the data controller), including for carrying out market research and for sending commercial and promotional communications, by telephone (including using the mobile number provided) and automated contact systems (email, SMS, MMS, fax, etc.), on products/services of the data controller or of companies of the Group to which the data controller may belong.
Consent for the purposes of processing referred to in this point (4b) is optional; therefore, following any refusal, the data will be processed only for the purposes indicated in the previous point (4a), except as specified below with reference to the legitimate interests of the data controller or third parties.
5. Categories of Personal Data processed
The data controller mainly processes identification/contact data (name, surname, addresses, type and number of identification documents, telephone numbers, email addresses, tax/billing details, among others) and, where commercial transactions are concerned, financial data (bank details, in particular current account identifiers and credit card numbers, among other data related to the aforementioned commercial transactions).
The processing that the data controller performs, both for the execution of the Contract and after the express consent of the Customer/data subject, does not generally cover particular categories of personal data, known as sensitive (revealing the racial or ethnic origin, political opinions, religious beliefs, state of health or sexual orientation, etc.), genetic and biometric data or the so-called judicial data (relating to criminal convictions and crimes).
However, it cannot be excluded that the data controller, in order to perform the obligations deriving from the Contract, must store and/or process sensitive, genetic, biometric or judicial data of the Customer/data subject or of third parties, which belong to the Customer/data subject in his/her capacity as data controller; in that case, the processing by the data controller is carried out under the conditions in force and within the limits set by the Customer/data subject, as the data controller responsible for that processing.
The data controller also processes so-called navigation data, as data controller with reference to the Website and, potentially, as Data processor entrusted with it (in the terms referred to above) by the Customer/data subject. During their normal operation, the computer systems and software procedures implemented for the operation of this Website acquire certain personal data whose transmission is implicit in the use of internet communication protocols. This information is not collected to be associated with identified persons but, by its very nature, might allow the data subject to be identified. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and website addresses accessed or exited, information on pages visited by users within the Website, access time, time spent on each page, internal path analysis and other parameters related to the operating system and the user’s computer environment. This information, by its very nature, might lead to the identification of users through processing and association with data held by third parties.
Both session cookies (which are not stored on the data subject’s computer and disappear when closing the browser) and persistent cookies, for the transmission of personal information, or in any case systems for the tracking of the data subjects may be used on the website.
6. Sources of personal data
The personal data that the data controller processes are collected directly by the data controller from the Customer/data subject at the time of, and during, browsing the Website (or using other social media or web applications of the data controller), or, even by means of its own commercial activities, on the occasion of, or after, the signing of the Contract, during the execution of the same, or from public sources.
As specified above, the Data Processor, as the data controller appointed for this purpose, in order to perform the obligations arising from the Contract, may store and/or process third parties’ data (in particular navigation data and, potentially, sensitive, genetic, biometric or judicial data) which the Customer/data subject possesses as data controller, having acquired them, with the consent of said third parties, at the time of, and during, the navigation of those third parties on the Website (or using other social or web applications related to the data controller).
7. Legitimate interests
The legitimate interests of the data controller or third parties may constitute a valid legal basis for processing, provided that the interests or rights and fundamental freedoms of the data subject do not prevail. In general, such legitimate interests may exist when there is a relevant and appropriate relationship between the data controller and the data subject concerned, for example when the data subject is a customer of the data controller. In particular, it is a legitimate interest of the data controller to process personal data of the Customer/data subject: for fraud prevention purposes, for direct marketing purposes, to ensure the free circulation of the same data within the business group to which the data controller, if any, belongs, or relating to traffic, in order to ensure network and information security, that is the ability of a network or a system to withstand unforeseen events or illegal acts that could jeopardise the availability, authenticity, integrity and confidentiality of data.
8. Circulation of personal data
(8a) Communication of personal data – categories of recipients
In addition to the employees and collaborators, in their various capacities, of the data controller (who are authorised by the data controller through appropriate written operating instructions, in order to guarantee the confidentiality and security of data), some processing operations may also be carried out by third parties to whom the data controller entrusts certain activities, or part of them, functional to the purposes referred to in point (4a), therefore for the execution of contractual and legal obligations; among these, by way of non-exhaustive example, the following can be mentioned: commercial and/or technical partners; companies that provide banking and financial services; companies that perform document archiving services; debt collection companies; accounting auditing and certification companies; rating agencies; subjects that provide professional assistance and advice for the data controller; companies that carry out customer care activities; factoring, credit securitisation companies or other credit transferee companies; Group companies to which the data controller may belong; subjects that provide commercial information; IT services companies. The subjects belonging to the aforementioned categories process the personal data as independent data controllers, or as processors with reference to specific processing operations that are part of the contractual services that these subjects perform in favour of/in the interest of the data controller; the data controller provides the data processors with adequate written operating instructions, with particular reference to the adoption of the minimum security measures, in order to guarantee the confidentiality and security of the data.
Some processing operations may be carried out by third parties to whom the data controller entrusts certain activities, or part of them, including those functional to the purposes referred to in point (4b); among these, by way of non-exhaustive example, the following may be mentioned: commercial and/or technical partners; companies that provide institutional marketing services; advertising agencies; subjects that provide assistance and consultancy with reference to competitions and prize operations. Subjects belonging to the aforementioned categories process personal data as independent data controllers, or as processors with reference to specific processing operations that are part of the contractual services that these subjects perform in favour of/in the interest of the data controller; the data controller provides the data processors with adequate written operating instructions, with particular reference to the adoption of the minimum security measures, in order to guarantee the confidentiality and security of the data.
The list, subject to periodic update, of the processors with whom the data controller has relations is available upon written request to be sent to the premises of the data controller.
Personal data may also be communicated, in the event of a request, to the competent authorities, in compliance with obligations arising from mandatory legal regulations.
(8b) Transfer of personal data to third countries
Personal data of the Customer/data subject can also be transferred abroad, both to European Union countries and to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, or in the context of and with the appropriate safeguards provided by the GDPR (therefore, in particular, in the presence of data protection contractual clauses approved by the European Commission), or, outside the above cases, using one or more of the derogations provided for by the GDPR (in particular, by virtue of the explicit consent of the Customer/data subject, or for the execution of the Contract concluded by the Customer/data subject, or for the execution of a contract stipulated between the data controller and another natural or legal person in favour of the Customer/data subject, in particular for the execution of activities requested by the data controller for the execution of the Contract concluded with the Customer/data subject). In case of transfers of data to countries outside the European Union, the Customer/data subject is entitled, upon written request to be sent to the headquarters of the data controller, to be informed about the appropriate safeguards, or the derogations, which legitimise the cross-border transfer. It is understood that, in cases of transfer of data to countries outside the European Union, for every request concerning the data, including the exercise of the rights recognised to the Customer/data subject by the GDPR, the latter can always contact the data controller.
9. Criteria for determining the retention period of personal data
For the purposes referred to in point (4a) above, the retention period of personal data provided by the Customer/data subject, and the consequent potential processing thereof, coincides with the limitation period of the rights/duties (legal, fiscal, etc.) deriving from the Contract: essentially 10 years, except where events interrupting the limitation period effectively extend it.
For the purposes referred to in point (4b) above, the retention period of the data provided by the Customer/data subject, and their consequent potential processing, ends with the revocation of the consent previously given by the same Customer/data subject or, failing this, one year after the termination of any relationship between the data controller and the Customer/data subject.
10. Rights of the Customer/Data Subject
The data controller acknowledges, and facilitates the exercise by the Customer/data subject of, all rights provided for by the GDPR, in particular the right to request access to his/her personal data and obtain a copy thereof (Article 15 of the GDPR), their rectification (Article 16 of the GDPR) and erasure (Article 17 of the GDPR), the restriction of the processing that concerns him/her (Article 18 of the GDPR), the portability of data (Article 20 of the GDPR, if the conditions are met) and the right to object to the processing that concerns him/her (Articles 21 and 22 of the GDPR, in the cases mentioned therein and, in particular, to processing for marketing purposes or which results in an automated decision-making process, including profiling, which produces legal effects concerning him/her, if the conditions are met).
The data controller also recognises the Customer/data subject’s entitlement, if the processing is based on consent, to revoke such consent at any time, without prejudice to the lawfulness of the processing based on the consent given prior to the revocation. To do so, the Customer/data subject may unsubscribe at any time on the Website (or other social media or web applications of the data controller), or by using the appropriate link at the bottom of any commercial communication received, or by contacting the data controller at the contact details above.
The data controller also informs the Customer/data subject of the right to lodge a complaint with the Authority for the Protection of Personal Data, as the supervisory authority operating in Italy, and of the right to a judicial remedy against a decision of the Guarantor Authority and against the data controller and/or a data processor.
11. Security of systems and personal data
Taking into account the state of the art and the cost of implementation, as well as the nature, scope, context and purpose of the processing, and the risk, in terms of likelihood and severity, for the rights and freedoms of individuals, the data controller shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in particular by ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of systems and processing services (including through the encryption of personal data whenever necessary) and the ability to restore the availability of data in a timely manner in the event of a physical or technical incident, and by adopting internal procedures designed to regularly test, verify and assess the effectiveness of the technical and organisational measures employed.
In assessing the appropriate level of security, risks deriving from processing shall be taken into account, in particular those deriving from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or accidental or illegal access to personal data transmitted, stored or otherwise processed.
The data controller shall ensure that anyone acting under its authority and having access to personal data processes such data only on instructions from the data controller.
This being said, the Customer/data subject acknowledges and accepts that no security system guarantees absolute protection with certainty; therefore, the data controller is not liable for the acts or conduct of third parties who, despite the appropriate measures taken, may gain access to the systems without proper authorisation.
12. Automated decision-making processes, including profiling
The data controller may perform automated processing, including profiling, in relation to the purposes referred to in point (4b) above, to optimise the navigability of the Website (or the usability of other social or web applications of the data controller) and to improve the purchasing experience, except for what is specified above with regard to the rights of opposition and revocation of consent by the Customer/data subject.
Profiling means any form of automated processing of personal data aimed at evaluating certain aspects relating to a natural person, in particular to analyse or predict aspects concerning, for example, the personal preferences, interests or location of that person, also in order to create profiles, i.e. groups of subjects that are homogeneous in terms of characteristics, interests or behaviour.
The data controller does not carry out any automated processing that produces legal effects concerning the Customer/data subject or that significantly affects his/her person, unless this is necessary for the conclusion or execution of the Contract, is authorised by law, or is based on the explicit consent of the Customer/data subject; in any case, the data controller always recognises the entitlement of the latter to obtain human intervention, to express his/her opinion and to challenge the decision.