NOTICE ON PERSONAL DATA PROCESSING
FEDRIGONI S.p.A., as the Data Controller, attributes great value to respecting the privacy of its interlocutors and is committed to safeguarding it by applying the provisions that European and Italian law establish in this regard. The relevant European legislation on the protection of personal data is the European Parliament’s Regulation no. 2016/679/ EU of 27/04/2016 (GDPR). The content of the information to be distributed to interested parties is shown in articles 13 and 14 of the GDPR.
Personal data is any information concerning an identified or identifiable natural person, the so-called “interested party” (or “data subject”) considering that a natural person can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, data related to the location, an online identifier or one or more characteristic elements of their physical, physiological, genetic, psychic, economic, cultural or social identity.
Principles applicable to personal data processing
The Data Controller processes personal data in compliance with the principles established by the GDPR: lawfulness, correctness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity, confidentiality and lawfulness, informing the interested party that processing of the data is only permissible if and to the extent that there is at least one of the following conditions:
- the interested party has given their consent to processing their personal data for one or more specific purposes;
- processing is necessary to execute a contract that involves the interested party or to execute pre-contractual measures adopted on their request;
- processing is necessary to fulfil a legal obligation to which the data controller is subject;
- processing is necessary to safeguard the vital interests of the interested party or another natural person;
- processing is necessary to execute a task of public interest or one connected to the exercise of public powers vested in the data controller;
- processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, unless the interests or fundamental rights and freedoms of the interested party that require the protection of personal data prevail, particularly if the interested party is a minor.
Characteristics of personal data processing
The Data Controller can process personal data according to the characteristics indicated below:
|category of interested parties||purpose of processing||data processed||legal basis of processing||obligation or right to communicate data||consequences of failure to communicate data||maximum data storage period|
|potential customers; customers||commercial proposals||personal data; tax data; tel; e-mail; other contact details||pre-contractual activity||right||failure to receive information on products; failure to sign a contract||5 years|
|customers||commercial relations||personal data; tax data; tel; e-mail; bank references||contractual activity||obligation||failure to execute the contract||the time needed to manage the contract and any disputes|
|potential customers; customers; end users||general marketing: sending information messages, promotions and events on Fedrigoni products and services||personal data; tel; e-mail; other contact details||consent||right||failure to receive marketing communications||5 years|
|potential customers; customers||direct marketing: sending information messages, promotions and events on Fedrigoni products and services of interest||personal data; tel; e-mail; other contact details||legitimate interest of the Data Controller to offer products in which the interested party has expressed an interest||right||failure to receive marketing communications||5 years|
|potential customers; customers||direct marketing: sending product samples by ordinary mail||personal data; tel; e-mail||legitimate interest of the Data Controller to offer products in which the interested party has expressed an interest||right||failure to receive marketing communications||5 years|
|customers||customer satisfaction surveys on Fedrigoni products and services||personal data; tel; e-mail; other contact details||Legitimate interest of the Data Controller in making enquiries about customers’ satisfaction||right||failure to participate in the initiative||the time strictly needed to process responses|
|customers; potential customers; end users||market surveys and polls||personal data; tel; e-mail; other contact details||consent||right||failure to participate in the initiative||the time strictly needed to process responses|
|Customers, potential customers, end users||transfer of data to Fedrigoni Group companies for general and direct marketing purposes||personal data; tel; e-mail; other contact details||consent||Right||failure to transfer data to Fedrigoni Group companies||for the expected time for the purpose the information was collected|
If the processing is based on consent, the interested party can revoke it at any time, without prejudice to the legality of the processing based on the consent given prior to the revocation.
Where consent is requested for the direct offer via internet of goods or services to minors, processing the minor’s personal data is lawful if the minor is at least 16 years old.
Authors of personal data processing
|Authors of processing||purpose of processing|
|Employees of the Data Controller or any third parties appointed by the Data Controller||pre-contractual and contractual relationships;|
possible marketing activities
|Employees of the Data Controller or any third parties appointed by the Data Controller||updating and maintenance of the management systems, software, websites|
Transfer of personal data to other countries
The Data Controller can transfer personal data to recipients in countries outside the EU, as long as they ensure an adequate level of protection in accordance with the GDPR.
An interested party who decides to access external sites through the Data Controller’s website (i.e. social networks) is subject to the guarantees and data processing methods of the operators of such sites.
Rights of the interested party
The interested party has the following rights versus the Data Controller:
- the right to obtain the information foreseen in art. 13 if the personal data is held by the same Data Controller;
- the right to obtain the information foreseen in art. 14 if personal data is not held by the same Data Controller;
- right of access (art. 15);
- right of rectification (art. 16);
- right to cancellation (so-called “right to be forgotten”); (art. 17);
- right to restrict processing (art. 18);
- the right by which the Data Controller has to communicate to each of the recipients to whom personal data have been transmitted any corrections, cancellations or restrictions on processing that have been implemented, unless this proves impossible or involves a disproportionate effort. On request, the Data Controller informs the interested party about such recipients (art. 19);
- right to data portability (art. 20);
- right of opposition (art. 21);
- right to know if the interest party is subject to a decision based solely on automated processing, including profiling, which produces legal effects that concern them or that significantly affect their person (art. 22);
- right to receive notification of a breach of personal data (art. 34).
To exercise these rights, the interested party can send an e-mail to firstname.lastname@example.org or a registered letter to: FEDRIGONI S.p.A. Via E. Fermi, 13/F – 37135 Verona (I).
The data controller will give the interested party information on the action taken with regard to a request without undue delay and, in any case, no later than one month after receipt of the request. This deadline can be extended by two months if necessary, taking into account the complexity and the number of requests. The Data Controller informs the interested party of this extension, and of the reasons for the delay, within one month of receiving the request.
The interested party can also lodge a complaint with a European Supervisory Authority (see the references of the European supervisory authorities in https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm)
References of the Italian Data Protection Authority:
Piazza di Monte Citorio, 121, 00186 Roma. Tel. +39 06 69677 1; fax +39 06 69677 785.
e-mail: email@example.com; website: http://www.garanteprivacy.it
Data Controller: Fedrigoni S.p.A., Via E. Fermi, 13/F – 37135 Verona (I) Tel. +390458087888