Personal data processing
In accordance with the aforementioned Law, data processing shall be based on the principles of fairness, lawfulness, and transparency, protecting your privacy and your rights.
Data Protection Officer
Vicenzi S.p.A, pursuant to art. 37 of the GDPR, designated Lawyer Roberto Vasapolli Data Protection Officer (DPO), who can be contacted at the following e-mail address: firstname.lastname@example.org
Purposes of data processing and legal basis
Depending on the needs expressed from time to time by the user accessing the various sections of the Website (and with the exception of special rules and information notices for individual operations involving the provision of specific personal data, published from time to time on the Website), the purposes of personal data processing are indicated below, i.e. the personal data provided directly by users by filling in online forms or by using links to directly access the e-mail address relating to the service requested, or the personal data acquired automatically by browsing (please see the section “Categories of Personal Data subject to processing” below) (hereinafter, “Personal Data”):
- To reply to requests received directly (Customer Service “contact” web form); this processing may also involve the sending of “transactional” e-mails, the purpose of which is related to the procedure to confirm that your requests have been received. Legal basis for processing: to perform pre-contractual measures (Art. 6(1)(b))
- To reply to requests for offers/information regarding the supply of products sold by Vicenzi S.p.A.; this processing may also involve the sending of “transactional” e-mails, the purpose of which is connected to the procedure to confirm receipt of your requests. Legal basis for processing: to perform pre-contractual and/or contractual measures (Art. 6 (1)(b))
- With the user’s consent and until said consent is withdrawn, to carry out marketing activities regarding the products and services of the undersigned company, using the e-mail address provided to us (subscription to the newsletter). Legal basis for processing: consent (Art. 6(1)(a))
- The need to ascertain, exercise or defend a right in court. Legal basis for processing: legitimate interest (Art. 6(1)(f))
- To manage and perform legal obligations (accounting, administrative, tax, etc.). Legal basis for processing: fulfilment of a legal obligation (Art. 6 (1)(c))
Data processing means any operation or set of operations performed with or without the aid of electronic or automated means, concerning the collection, recording, organisation, storage, processing, modification, extraction, comparison, use, disclosure, dissemination, interconnection, blocking, deletion, destruction, and selection of data.
Personal Data shall mainly be processed in automated form but also on paper, with logic strictly related to the above purposes, using the databases and electronic platforms managed by the Data Controller or by third parties appointed as Data Processors (for the updated list, users can contact the Data Controller at the address indicated) and/or integrated computer systems and/or websites owned or used by Vicenzi S.p.A.. The Data Controller has adopted appropriate technical and organisational security measures to protect users against the risk of loss, abuse, or alteration of Data. In particular, it uses the protected data transmission protocols known as HTTPS. In addition, it stores user data on servers located in Europe. Servers are subject to an advanced, daily backup and disaster recovery system.
Duration of processing
Any data provided shall only be stored for the amount of time necessary to fulfil the purposes for which said personal data are processed, or for a longer period, for purposes permitted by law, and shall in any case be deleted without undue delay.
For purposes relating to information requests: in relation to the type of request, for the time necessary to fulfil the legal obligation of data retention and/or for any other legal requirements. For general requests, a maximum of 12 months. For newsletter subscriptions, a maximum of 24 months from the last interaction (for example, when you open the e-mail containing our newsletter).
Where data are processed
Personal Data are mainly processed at the headquarters of the Data Controller and/or in the places where the Data Processors are located. For further information, users can contact the Data Controller as described above.
The nature and methods of providing Personal Data
Provision of personal data is optional, however, failure to provide data will make it impossible to process your request and/or sign you up to the newsletter and/or allow you to use the services available on the Website requiring registration. Personal Data can be provided by filling in the appropriate fields in the various sections of the Website or by sending requests via e-mail where required.
Categories of Personal Data subject to processing
In addition to the Personal Data provided directly by users (such as name, surname, address, e-mail address, etc.), when connecting to the Website, the computer systems and software procedures used to operate the Website automatically and indirectly provide and/or acquire certain information that could constitute personal data, which must be transmitted in order to use internet communication protocols (including, but not limited to, so-called “cookies” (as better specified below), “IP” addresses, domain names of the computers used by those connecting to the Website, the “Url” addresses of the resources requested, the time of the request to the server, navigation on the Website.
Categories of persons who may become aware of users’ Personal Data
Employees or collaborators of the Data Controller may be made aware of Personal Data. These individuals, operating under the direct authority of the Data Controller, process data and are appointed as data processors or individuals authorised to process data in accordance with Articles 24-29 of European Reg. 2016/679. System administrators may also be made aware of Personal Data and these individuals shall receive adequate operating instructions in this regard from the Data Controller; the same shall be done – under the responsibility of the Data Processors appointed by the Data Controller – with regard to employees or collaborators of said Data Processors. The Data Processors, appointed by the Data Controller, may be third-party companies or other parties that carry out outsourcing activities on behalf of Vicenzi S.p.A. (for example, but not limited to, parties appointed to provide services regarding assistance, communication, promotion and sale of products and/or services, IT service providers, managers and/or developers of websites or applications contained therein, managers of electronic platforms, partners).
Scope of disclosure or dissemination of users’ Personal Data
Employees or collaborators of the Data Controller may be made aware of Personal Data; these individuals, operating under the direct authority of the Data Controller, process data and are authorised to do so; system administrators may also be made aware of Personal Data and shall receive adequate operating instructions from the Data Controller.
Data Processors appointed by the Data Controller may also be made aware of Personal Data, as may third-party companies or other parties that carry out outsourcing activities on behalf of Vicenzi S.p.A. (for example, but not limited to, parties appointed to provide services regarding assistance, communication, promotion and sale of products and/or services, organisation and management of competitions, IT service providers, managers and/or developers of websites or applications contained therein, managers of electronic platforms, transport companies, customer service management companies).
Transfer of users’ Personal Data outside the EU
The Data Controller may transfer your Personal Data outside the European Economic Area, in which case the transfer shall be carried out by the Data Controller subject to drawing up Standard Contractual Clauses with suppliers of servers and/or services in compliance with the templates provided by the European Commission, or checks into whether the external data processor is registered with the “Privacy Shield” system.
The website contains virtually no information aimed directly at minors. Minors must not provide any information or personal data. Only adults are to take part in the competitions that may be present on the website.
Social Network Plugins
The collection and use of information by such third parties is governed by their respective privacy policies to which you are kindly requested to refer.
Users may exercise their rights under Articles 16-21 of European Reg. 2016/679 (Right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object). Finally, users may also lodge a complaint with the data protection authority [in Italy: Autorità Garante per la protezione dei dati personali], if necessary, or they may contact said authority to request information on how to exercise their rights under European Regulation 2016/679. More specifically:
- The right of access: to obtain confirmation as to whether or not personal data concerning them are being processed and to gain access to said data and specific information (e.g. the purposes of the processing, the categories of data concerned, the recipients to whom the data will be disclosed);
- The right to rectification: to have inaccurate data concerning them corrected without undue delay. In this case, the controller shall be obliged to provide notification of this correction to all recipients to whom the data have been sent, unless this involves a disproportionate effort
- The right to erasure: to obtain the erasure of personal data concerning them without undue delay and the controller shall have the obligation to erase personal data without undue delay where certain grounds apply (e.g. the personal data are no longer necessary in relation to the purposes for which they were collected; the data subject withdraws consent; data must be erased to fulfil a legal obligation). In this case, the data controller shall be obliged to provide notification of this erasure to all recipients to whom the data have been sent, unless this involves a disproportionate effort
- The right to restriction of processing: it is possible to obtain from the data controller restriction of processing, for example, allowing only storage and excluding any other use, under certain circumstances (e.g. if the processing is unlawful and the data subject opposes the erasure of the personal data; the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data, etc.). In this case, the controller shall be obliged to provide notification of this restriction of processing to all recipients to whom the data have been sent, unless this involves a disproportionate effort
- The right to data portability: to have any personal data provided returned and to send them to others, or to request that they are sent from one data controller to another, if technically feasible
- The right to object: to object at any time to processing for purposes of public interest or legitimate interest; for marketing purposes; for scientific, historical, or statistical research.
Data subjects may lodge a complaint with the data protection authority [in Italy: ‘Autorità Garante per la protezione dei dati personali’]: www.garanteprivacy.it), if necessary, or they may simply contact said authority for information on how to exercise their rights under EU Reg. 2016/679.