(Articles 13 -14, EU Regulation no. 2016/679 and the Italian law in force)
Italian Creation Group S.p.A. with registered office in Corsico, Via Alzaia Trieste 49, VAT no. 08210880962, as the Data Controller, assisted by the following Co-Data Controllers: Valcucine S.p.A. with headquarters in Pordenone, Via Luciano Savio 11, contact e-mail: firstname.lastname@example.org; FontanaArte S.p.A. with headquarters in Corsico, Via Alzaia Trieste 49, contact e-mail: email@example.com; Driade S.r.l. with headquarters in Corsico, Via Alzaia Trieste 49, contact e-mail: firstname.lastname@example.org; pursuant to and for the purposes of Articles 13 -14 of EU Regulation no. 216/679 and of the Italian law in force, informs you that your personal data will be processed according to the following procedures, purposes and legal bases:
1. Purpose of processing
The Data Controller processes:
• the common and contact data (e.g. name, surname, ID document, fiscal code, address, e-mail, telephone number) of its Customers/Suppliers and authorised staff, as well as payment data (information regarding methods of payment e.g. credit card) communicated at the time of drawing up and concluding contracts for services provided, and after the form has been filled in on the website: www.fontanaarte.com, which is essential for requesting information related to the services provided, or data communicated at the time of subscribing to the Newsletter service;
• data related to the preferences and interests of visitors to the website (in particular, the content accessed, services and functions used, connection times, traffic data, navigation data on the websites and social profiles of the Data Controller, business partners or third parties, as well as the IP address, devices and connectivity used), also collected by means of cookies and metadata;
• the common personal data of the Data Controller's employees/collaborators (e.g. name, surname, domicile, contact details etc.), data indicating the health/ability or not to perform specific tasks, affiliation with trade unions, religious or political beliefs, as well as any legal data communicated at the time of drawing up the work contract and/or managing the work relationship;
• data belonging to the Data Controller's employees/collaborators on social networks (e.g. interests, partnerships, skills etc.), data relating to the presence of employees/collaborators in the company also collected via badges, as well as data pertaining to the use of the company's IT tools (e-mails, research history, phone calls etc.) collected during surveys of the security of tools and company information;
• data regarding applicants for a job in the pre-recruitment phase and/or former employees on social networks (personal opinions, habits, interests, etc.)
2. Purposes and legal bases of processing
The processing of the aforesaid personal data may take place for:
A) the purpose of fulfilling a contract, which is legitimate since its legal basis requires:
- the execution of the contract or fulfilment of contractual obligations;
- the fulfilment of pre-contractual, contractual and fiscal obligations arising from existing relations;
- the fulfilment of obligations imposed by legislation, regulations, EU legislation or orders from a regulatory Authority (for example, regarding anti-money laundering);
- exercising rights (for example, the right to legal defence);
B) marketing purposes, which is legitimate since its legal basis involves explicit consent to:
- receiving via e-mail, mail and/or text messages and/or telephone contacts or newsletters, informative and commercial messages and/or advertising materials about the products or services offered and surveys on the degree of satisfaction with the quality of services;
- receiving, via e-mail, mail and/or text message and/or telephone contacts, commercial, informative and/or promotional messages from third parties (e.g. business partners).
C) direct marketing purposes, which is legitimate since its legal basis involves the legitimate interest of the Data Controller to:
- send commercial messages relating to services and products similar to those already used.
D) profiling purposes, which is legitimate since its legal basis involves consent to:
- legitimise the analysis, also in an automated way, of preferences and interests (e.g. the use of content and services, including those purchased, the functions used, connection times, traffic data, etc.) and allow commercial offers (via letters, telephone calls, e-mails, text messages, MMS messages, notifications and newsletters) of services, contents, initiatives and customised offers;
E) the purpose of protecting company security, which is legitimate since its legal basis involves legitimate interest in
- protecting information systems and company information, both confidential and non-confidential;
- defending rights in legal proceedings.
3. Processing procedure
Personal data will be processed in printed-paper and digital format. The processing of data will be based on the principles of correctness, lawfulness and transparency and may also be carried out with the assistance of automated methods in order to store, manage and transmit data using appropriate tools, thus ensuring security and confidentiality and employing appropriate procedures that avoid the risk of loss, unauthorised access, misuse or disclosure.
4. Communication of personal data
Personal data will not be disclosed but may be communicated to Co-Data Controllers, Authorised personnel and /or Data Managers (e.g. persons who oversee the IT system - the system administrator; companies and/or professional studios that provide assistance, consultancy on accounting, administrative, fiscal, legal, tax and financial matters (accountants, job consultants, lawyers etc.); persons working in the legal sector, opposing parties and related defenders, arbitration boards and, in general, to all those public bodies (INPS, INAIL, INL etc.) and private bodies (funds, pension and health schemes, trade unions etc.) to whom communication is required for the proper execution of the contract. The updated list of Data Managers is kept at the Data Controller's registered office and made available on the website.
5. Data storage times
The Data Controller keeps processed personal data for the purpose of executing a contract for the time required to manage the contractual obligations and, in any case, for no longer than 10 years; personal data processed for marketing purposes (including indirect) and/or customer satisfaction surveys are kept for no longer than 24 months from the receipt of consent; personal data processed for profiling purposes is kept for no longer than 12 months from the acquisition of consent; data relating to navigation logs is kept for 3 months ; data processed to defend a right will be kept for the time reasonably required for such purposes and for the time in which such a claim can be pursued. After the above-mentioned storage times have expired, data will be rendered anonymous and processed for aggregate and anonymous statistical analysis.
6. Data transfer
Personal data may also be disclosed to the Data Controller's offices and/or to other related/associated companies in and/or out of the EU, who, as Co-Data Controllers have signed an agreement with the Data Controller. These offices – with a special focus on those established in non-EU countries - have been given specific operating instructions via contractual clauses in order to guarantee that data will be processed in compliance with the principles set out in EU Regulation no. 2016/679 also in a non-EU country.
The Data Controller reserves the right to use cloud-based services, undertaking to select service providers from those who provide adequate guarantees, as provided for in Art. 46 of EU Regulation no.2016/679.
7. Rights of data subjects
You are entitled to ask the Data Controller for access to data concerning you, for their correction or deletion, the integration of any incomplete data, the limitation of processing; to receive the data in a structured format that is commonly used and readable by an automatic device; to withdraw any consent given regarding the processing of your data at any time and to object, in whole or in part, to the use of such data; to lodge a complaint with the regulatory Authority and exercise your other rights in compliance with Articles 15 - 22 of EU Regulation no.2016/679.
8. Procedure for exercising your rights
You may exercise your rights at any time by sending an e-mail to the Data Controller at the following address: email@example.com or by lodging a complaint with a regulatory Authority. If you are no longer interested in our notifications and would like to cancel your subscription to the Newsletter, you may do so by clicking the "unsubscribe" link at the bottom of each e-mail sent or by sending an e-mail to the following address: firstname.lastname@example.org. To opt out from receiving promotional e-mails, please follow the instructions or send an e-mail to the following address: email@example.com.
9. Changes to updates
The Data Controller