To whom it may concern,
ITAL G.E.T.E. S.r.l., with registered office in Via C. M. Maggi 2, 20154 Milano (MI), Tax Code and VAT no. IT07606970155, e-mail: firstname.lastname@example.org, PEC address: email@example.com (henceforth, “ITAL G.E.T.E.” or the “Data Controller”), in the person of the legal representative pro tempore on its capacity as Controller of the personal data that you or other third-parties have communicated (verbally, via e-mail, via the website, exchanging of business cards etc.) is delighted to present this notice, under arts. 13 and 14, GDPR (in short, the “Information Notice”).
INFORMATION NOTICE as required by Arts. 13 and 14 of the GDPR.
- Identity and contact details of the Data Controller
ITAL G.E.T.E. S.r.l., with registered office in Via C. M. Maggi 2, 20154 Milan (MI), Tax Code and VAT no. IT07606970155, e-mail: firstname.lastname@example.org, PEC address: email@example.com in the person of its pro tempore legal representative
- Purposes of the processing for which the personal data are intended as well as the legal basis for the processing
Your personal data are processed:
(I) without the need for your consent (under art. 6 lett. b), c) and f) of the GDPR), for the following purposes:
- to fulfil any pre-contractual and contractual obligations arising from any contractual relations entered into (provider of goods);
- to fulfil the obligations established by law, by a regulation, by national or EU legislation or by an order of the Public Authorities, Judiciary Authorities and supervisory bodies that the Data Controller is obliged to observe;
- to exercise the rights of the Data Controller, for example the right of defence in court.
(ii) with the need for your consent (under art. 7 of the GDPR), for the following purposes:
- to organise commercial events and services, also using social networks (e.g. Instagram) and relative formalities regarding entrance to Italy (e.g., Visa application forms etc.);
- recording and retention of information concerning such activities.
Collection of personal data for the purposes indicated in par. (i) above is mandatory. Refusal to allow collection of said data will make it impossible for the Data Controller to process the contract and fulfil its contractual obligations.
Collection of personal data for the purposes referred to in par. (ii) is optional, whereby you are entitled to deny your consent, and withdraw the possibility to process the data supplied in the past at any moment in time.
- Categories of processed personal data
In accordance with art. 4, no. 1, GDPR for “personal data” and within the scope of the purposes indicated in paragraph 2) above, only personal data will be processed concerning, for example, name and surname, tax code, date of birth, VAT number, residence, domicile, passport number and/or other identity document, location of the workplace, email or PEC address, telephone and fax number, and, where appropriate, employer company, role and/or position within the company etc.
In accordance with the principle of minimisation provided in article 5, paragraph 1, GDPR, you therefore undertake to refrain from sending personal data to the Data Controller, unless they are strictly necessary for the performance of contractual and/or commercial activities. In this latter case, personal data must be sent to the Data Controller in anonymous format, i.e. by using pseudonyms, as expressly foreseen by the GDPR.
If, for the purposes of the contractual relationship with a legal person (henceforth the “Customer”), it becomes essential to process personal data in addition to those of the legal representatives and/or contact persons of the same, and the same can not be acquired anonymously or by using pseudonyms, the Customer declares and guarantees to legitimately process, in accordance with the GDPR, all personal data communicated to the Data Controller during the course of the contract and, in particular, declares to have provided to the Data Subjects adequate information in which the possibility to provide personal data to third-party companies is expressly mentioned and to have obtained any necessary consent for such purposes. The Customer also undertakes to inform its own employees and/or collaborators that this Information Notice can also be accessed on the website https://italgete.it/privacy-policy/ so that the same can be provided by the Data Controller to the Data Subjects under arts. 13 and 14 of the GDPR.
- Personal data recipient categories
Your personal data may be made accessible for the purposes illustrated in par. 2 above to:
- to employees and collaborators of the Data Controller in their capacity as persons authorised to process such data;
- to third-parties (for example, providers for the management and maintenance of the website, suppliers, credit institutes, professional firms etc.) who conduct outsourcing activities on behalf of the Data Controller, in their capacity as external data processors.
- to judicial or supervisory authorities, public administrations, bodies and organisations (national and foreign);
The updated list of the Data Processors and designated processing officers shall be filed and retained at the seat of the Data Controller.
- Storage and transfer of personal data abroad
The management and storage of personal data takes place on servers located in Italy at the Company’s registered office and on servers inside the European Union owned and/or made available to the Data Controller, or third-parties duly appointed and nominated as Data Processors. Such data are not transferred outside Europe, unless specific transactions require the same.
Your personal data will not be subject to dissemination.
- Duration of data retention
Your personal data collected for the purposes indicated in par. 2(i) above, shall be processed and retained for the entire duration of any contractual relationships in force; such data shall be retained for the applicable terms of duration according to the laws in force, from the date of cessation of the contract, however caused.
Your personal data collected for the purposes indicated in par. 2(ii) above, shall be processed and retained for the time required to fulfil such purposes and, in any case, for no longer than 5 years from the date on which the Data Controller receives the consent of the Data Subject.
- Rights of the data subject
Pursuant to the provisions of Chapter III Section I of the GDPR, you are entitled to exercise the rights indicated therein, and in particular:
- to access your personal data;
- to obtain rectification or erasure of your personal data or restrictions on the processing of the same. In the case where an erasure request is submitted, the Data Subject also has the right to oblige the Data Controller – taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform the data processor in charge of the processing of the personal data, that the data subject has requested the erasure of any links to, or copy or replication of his or her personal data;
- to object to the processing of the same;
- to request data portability;
- to withdraw your consent, as and where foreseen, at any moment in time, as long as it shall not affect the lawfulness of the processing based on the conferred consent before the withdrawal;
- to lodge a complaint with the supervisory authority.
You are entitled to exercise such rights by sending an email request to the privacy referent at: firstname.lastname@example.org
- Processing methods
Your personal data is processed using the methods indicated in art. 4 no. 2) of the GDPR – with or without the use of automated processes and refer to, more specifically: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, comparison, interconnection, restriction, erasure or destruction of personal data.
The personal data of the Data Subject shall be processed using traditional (forms, records etc.) and electronic methods. In any case, the logical and physical security and, more generally, the confidentiality of the same shall always be guaranteed.
Granting consent (pursuant to art. 7 GDPR)
The undersigned Data Subject,
declares to have read the content of the Information Notice you provided pursuant to art. 7 GDPR, and to have received a copy of the same; the Data Subject also declares, in reference to:
- to the processing of his or her personal data to organise commercial events and services, also using social networks (e.g. Instagram) and relative formalities regarding entrance to Italy (e.g., Visa application forms etc.) and the storage and retention of the information related to such activities (par.2 (ii), a. and b. of the Information Notice)
Directive (EU) 2016/679 endorsed by the European Parliament and European Council dated 27 April 2016 on the protection of individuals with regard to the processing of personal data (in short, the “Regulation” or the “GDPR”.