PROTECTION OF PERSONAL DATA
Relative to the information and personal data, hereinafter also “Data”, which concern the customer and/or the supplier (hereinafter also “Interested Party”), gathered or which will be gathered from them and/or from third parties by HSL S.r.l. with single member (hereinafter also Controller), or its employees in charge of the processing (hereinafter “Authorized Individuals”), the Controller provides the following disclosure.
Purpose and legal basis of the processing of the personal data
The purposes are i) to implement contracts concluded and/or which will be concluded with the interested party and to conduct pre-contractual activities, connected and/or instrumental to the conclusion and/or the implementation of the contracts and/or to respond to the requests of the interested party; in this case the legal basis of the processing is the implementation of pre-contractual measures adopted at the request of the interested party and the implementation of the contract concluded each time with the party; ii) fulfil obligations required by laws and/or regulations (e.g. accounting and fiscal requirements, administrative audits); legal basis of the processing is the fulfilment of a legal obligations which the Controller is subject to; iii) manage the relationship with customers and suppliers regarding aspects other than those sub points i) and ii), such as the internal organization of the activities functional to the active and passive supplies of products and/or services (e.g. for solvency checks, management loans and risk control – fraud, bankruptcies, etc.-, dispute management and credit collection/issuance, management financial and insurance services instrumental to the management of suppliers and management electronic payment instruments, production management, management telephone books); legal basis of the processing is the legitimate interest of the Controller to be able to process the Data in order to effectively and efficiently manage the aforementioned relationship and the relative internal and external organizational processes; iv) send, to the contact information of the Interested Party (e.g. Via telephone, e-mail, SMS or social network) commercial communications and in general communications relative to the activities performed by the Controller (e.g. Sending offers and/or if envisaged newsletters); in that case, the legal basis of the processing is the consent of the Interested Party, and also the legitimate interest of the Control to make his commercial activity known and to develop it; v) to send, to the data subject’s contact details (e.g. by email, telephone, SMS, or social networks), questionnaires, to be filled in anonymously and that shall then be anonymized and stored for statistical purposes, for an analysis by the Data Controller of the degree of customer satisfaction; in this case, the legal basis of the processing is the Data Controller’s legitimate, interest in order to manage its business in an efficient and effective manner.
Communication of the Data to the Controller and consequences of the failure to provide the information
The Data can be collected from the Interested Party or from third parties indicated by him or from public registers, public and/or private data banks – commercial information company, register of companies – and public and/or private websites or social networks which contain information that concern the interested party and which can, each time, be functional for the establishment and continuation of a contractual relationship that concerns the interested party; in this last case, the collection only concerns identification, contact, fiscal data relative to the Interested Party or internal contact persons of the customer or supplier (such as for example directors, executive officers, agents, employees), relative to the financial activity of the customer or supplier. The communication of the Data is merely intended as an option and not an obligation, however, it is necessary for the purposes of conducting the activities indicated, respectively, in the preceding letter a), in points i), ii) and iii). If the Data is not provided possible requests cannot be fulfilled and/or the contracts cannot be concluded and/or carried out with the interested party. Relative to the purposes provided in the preceding letter a), point iv) the failure to provide the Data and/or the failure to consent to the relative processing will only entail the Controller’s inability to send the relative communications (e.g. newsletters, commercial offers).
Categories of recipients of the Data
The Data, within the limits and exclusively for the purposes indicated above, may be learned and therefore be processed, in addition to the Controller and his Authorized Individuals appointed in writing for that purpose (such as for example employees, associate, interns, etc.), by companies controlled by the Data controller and or that control the latter, by external consultants/suppliers of the Controller (as for example consultants, professionals, companies that provide services to the Controller), officially appointed as outside managers, as well as their employees (authorized) to so the processing and any other subjects (e.g. Public Authorities, suppliers) who will process the Data and Outside Managers appointed by the Controller or independent controllers.
Transfer of the Data to a third Country
The Data may be transferred to countries outside the EU within the scope of the above mentioned purposes and only in compliance with the Regulation (therefore based on a decision of the European Commission of adequacy of the level of protection of the personal data guaranteed by the third party country or on the basis of adequate guarantees, pursuant to Arts. 45 and 46 of the Regulation), or, failing that, by way of example should it be necessary for the implementation of a contract between the Controller and the Interested Party or in favor of the latter or for the implementation of pre-contractual measures adopted at the request of the latter, or on the basis of the latter’s prior consent. In particular, for example, for the purposes of the aforementioned letter a) point iv), in order to manage external services, if active, (for sending the newsletter) the Data Controller uses the “MailChimp” service of The Rocket Science Group, LLC, 675 Ponce De Leon Ave, Suite 5000, Atlanta, Georgia 30308, and therefore, in the event of signing up to the newsletter service (if provided on the Data Controller’s website), the Data may be transferred and made known from the latter company, which adheres to the Privacy Shield (subject to the European Commission’s 2016/1250 adequacy decision), with which standard contractual clauses were signed in order to legitimize and guarantee non-EU transfer. Specifications in relation to the service which the owner uses to manage and send emails are available at the following links http://mailchimp.com/legal/terms/ and http://mailchimp.com/legal/privacy/.
Storage of the Data
i) The processing of the Data and documents for the purposes listed in the preceding letter a), points i), ii) and iii) will continue, respectively, for the time necessary to correctly implement the contracts concluded with the Interested Party and the fulfilment of the legal obligations which the Controller is subject to, and will be kept, filed, after their implementation and specifically for a period of 10 years, following the correct implementation of the contracts and the conclusion of the relative relationship (and the price due has been paid or the relative right prescribed); ii) the processing of the Data subjects’’ Data for the purposes listed in the preceding letter a) point iv) will continue as long as the newsletter service and commercial communications for marketing purposes is active, or until the Interested Party revokes their consent provided previously (which shall always be possible through the cancellation link provided in all emails), or until the Interested Party communicates his objection to further processing for the aforementioned purposes; iii) the processing of data for the purposes referred to in letter a) point v)shall continue until the customer satisfaction analysis service is active.
Furthermore, the interested party has the right to exercise the following rights (specifically described in Art. 15 to Art. 22 of the EU Regulation 6792016), by contacting without any particular formalities the Data Controller (at the e-mail address listed below):Ask the Data Controller to confirm that the personal data that concerns them is being processed or not and, in that case, obtain access to the Data; request its correction and/or supplement, cancellation or limitation of its processing; object to the processing; request its portability; revoke the consent if the processing is based on the consent provided previously without prejudicing the legality of the processing given before the revocation; file a complaint with a control authority; obtain all the information available on the origin of the Data and on the categories of Data, if it was not collected from the Interested Party; obtain information on the existence of an automated decision-making process, including profiling and, at least in those cases, significant information on the logic used, as well as the importance and consequences anticipated of that processing to the Interested Party; not be subject to a decision based solely on the automated processing, including profiling. HSL does not perform profiling activities except through a dedicated website, where specific privacy information is published, also for this purpose.
Circulation of the Data
The Data will not be circulated.
Processing methods of the Data
The processing of the Data will take place in a manner suitable for guaranteeing its safety and confidentiality and may be carried out with paper methods as well as through electronic or in any case automated instruments which permit its storage, management and transmission. The logics of the processing will be focused on making sure that the Data is processed securely, is always intact and available and is processed in compliance with the principles provided in the Regulation.
Control of the processing of my Data
The Data Controller is HSL S.r.l., with single member based in Trento, via dei Masadori no. 46. For any additional information and/or updates and/or changes in the data of the controller, the managers and/or the Authorized individuals and/or for any additional information, the Interested Party can consult the Controller’s internet site (http://www.exnovo-italia.com) and send any request to the following e-mail address email@example.com.