INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA
PURSUANT TO ART. 13 OF REGULATION (EU) NO. 2016/679
Pursuant to art. 13 of Regulation (EU) no. 2016/679 (hereinafter the «GDPR»), Velo Acciai S.r.l. (hereinafter «Velo» or the «Controller») informs you that personal data relating to your company (hereinafter the «Data Subject») and the natural persons acting on its behalf (hereinafter the «Data»), collected from the Data Subject or third parties, will be processed in accordance with the provisions of the GDPR and in accordance with the information notice below. It is understood that it is the responsibility of the Data Subject to inform the natural persons acting on its behalf of the processing of the Data referred to in this information notice and to request their consent, where necessary.
Data controller. Data processors.
The Data Controller is Velo Acciai S.r.l., with registered office in San Zenone degli Ezzelini (TV), Via San Lorenzo, n. 42 (e-mail firstname.lastname@example.org). The updated list of the data processors is available at the registered office of the Data Controller.
Purpose and legal basis of the processing. Legitimate interests pursued.
The Data will be processed:
- for the purposes of complying with the legal obligations vested upon the Controller;
- for the performance of contracts to which the Data Subject is a party or for the adoption of pre-contractual measures taken at the request of the Data Subject;
- for the establishment, exercise or defence of legal claims;
- to send commercial communications on products and services similar to those already purchased, without prejudice to the Data Subject’s right to object at any time.
The processing of the Data for the purposes under a) does not require the consent of the Data Subject as it is necessary to comply with the legal obligations to which the Controller is subject, pursuant to art. 6, para. 1 letter c) of the GDPR. The processing of the Data for the purposes under b) does not require the consent of the Data Subject as the processing is necessary for the performance of contracts to which the Data Subject is party or for the adoption of pre-contractual measures taken on its request, pursuant to art. 6, para. 1, letter b) of the GDPR. The processing of the Data for the purposes under c) and d) does not require the consent of the Data Subject as it is necessary for the pursuit of the legitimate interest of the Controller, pursuant to art. 6, para. 1, letter f) of the GDPR.
Conferment of Data and consequences in case of failure to provide them.
The provision of data for the purposes under a) and b) is optional, but necessary in order to fulfil legal and contractual obligations. The provision of data for the purposes under c) and d) is optional but necessary for the pursuit of the legitimate interests of the Controller mentioned above. In all these cases, failure to provide the Data will make it impossible for the Data Controller to establish and manage the contractual relationship with the Data Subject and carry out the activities related.
Recipients or categories of recipients.
The Data may be made accessible, brought to the attention of or communicated to the following subjects, who will be appointed by the Data Controller, as the case may be, as data processors or persons in charge of the processing:
- companies of the group to which the Controller belongs (parent companies, subsidiaries, affiliated companies), employees and/or collaborators in any capacity of the Controller and/or companies of the group to which the Controller belongs;
- private subjects, natural or legal persons, which the Data Controller uses to carry out the activities instrumental to achieving the aforementioned purposes or to whom the Data Controller is required to communicate the Data, pursuant to legal or contractual obligations.
In any case, the Data will not be disseminated.
Data retention period.
The Controller retains the Data for as long as necessary to fulfil the purposes for which they are collected, including for the purposes of satisfying any legal or tax requirements.
To determine the appropriate retention period for personal data, the Controller considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure.
By law the Controller has to keep basic information about its customers (including contact, identity, financial and transaction data) for ten years they cease being customers.
Rights of access, erasure, restriction and portability.
Data Subjects are entitled to the rights set out in Articles 15 to 20 of the GDPR.
By way of example, any data subject may:
- obtain confirmation as to whether or not personal data relating to him/her are being processed;
- where processing is ongoing, to obtain access to personal data and information relating to the processing and to request a copy of the personal data;
- rectify inaccurate personal data and integrate incomplete personal data;
- obtain, where one of the conditions laid down in Article 17 of the GDPR is satisfied, the erasure of personal data concerning him/her;
- obtain, in the cases provided for in Article 18 of the GDPR, the restriction of processing;
- receive his/her personal data in a structured format that is commonly used and machine-readable, and request their transmission to another controller if technically feasible.
Right of objection.
Every Data Subject has the right to object at any time to the processing of his/her personal data carried out for the purpose of pursuing a legitimate interest of the Data Controller.
In the event of opposition, such personal data will no longer be processed, unless there are legitimate reasons to carry out the processing that prevail over the interests, rights and freedoms of the data subject or for ascertaining, exercising or defending a right in a court of law.
Every Data Subject has the right to object to the processing of his or her personal data for direct marketing purposes.
Right to revoke consent.
In the event that consent is required for the processing of personal data, each data subject may, at any time, revoke the consent already given, without prejudice to the lawfulness of the processing based on consent given before the revocation.
Right to complain to the Data Protection Authority.
Any Data Subject may lodge a complaint with the Data Protection Authority in the event that he or she believes that his or her rights under the GDPR have been violated, in accordance with the procedures indicated on the Data Protection Authority ‘s website accessible at: www.garanteprivacy.it.