Information on the processing of data
Regulation (EU) 2016/679 (‘General Data Protection Regulation’), hereinafter ‘GDPR’, refers to the protection of natural persons with regard to the processing of personal data and the free movement of such data. According to this legislation, the processing of personal data referring to a person, specifically to be defined as ‘data subject’, is based on the principles of correctness, lawfulness and transparency, as well as the protection of the confidentiality and rights of the data subject. This is to inform you, in compliance with the aforementioned regulation, that in relation to the relationship that you have with our organisation, in your capacity as Client/Supplier/Candidate, our organisation is in possession of certain data relating to you, which have been acquired, even verbally, directly or through third parties who carry out operations concerning you or who, in order to comply with your request, acquire and provide us with information.
Pursuant to the GDPR, as this information relates to you, it must qualify as ‘personal data’ and must therefore benefit from the protection provided by the provisions of the aforementioned Regulation. Specifically, according to the legislation, you are the data subject who benefits from the rights set out to protect your personal data. Pursuant to Articles 13 and 14 GDPR, our structure, as Data Controller, will proceed to process the personal data you have provided in compliance with the regulations, with the utmost care, implementing effective management procedures and processes to guarantee the protection of your personal data. To this end, the undersigned, using material and management procedures to safeguard the data collected, undertakes to protect the information communicated, in such a way as to prevent unauthorised access or disclosure, as well as to maintain the accuracy of the data and also to ensure the appropriate use thereof. In accordance with this premise, the following information is provided.
The Data Controller is: ACM S.p.A., with registered office in Via Pradone 48/54, 26010 Cremosano (CR); Tel: +39 0373 71382; email: [email protected]
External companies with whom a contractual relationship has been established, and who need to receive your personal data in order to fulfil these agreements, will act as Data Processors. In order to find out who the Data Processors are, should they be appointed, and in order to find out who will be appointed for this function in the future, any data subject may send a letter of request to the Data Controller at the above address. It should be noted that the aforementioned Data Processors are not responsible for processing requests to exercise the rights of data subjects under Articles 15 et seq. of the GDPR. This activity is carried out exclusively by the undersigned in its capacity as Data Controller.
Processing without the need for the consent of the data subject
Please note that the writer, even without your consent, will be entitled to process your personal data if this is necessary to
– fulfil an obligation laid down by law, regulation or Community legislation
– perform obligations arising from a contract to which you are a party or to fulfil, prior to the conclusion of the contract, your specific requests.
Your express consent is also not required when the processing
a) relates to data taken from public registers, lists, deeds or documents that can be accessed by anyone, without prejudice to the limits and methods that the laws, regulations or Community legislation establish for the accessibility and publicity of the data, or relates to data relating to the performance of economic activities, processed in compliance with the legislation in force on business and industrial secrecy
b) it is necessary for the protection of life or physical safety of the data subject or of a third party (in this case, the data controller is required to inform the data subject of the processing of personal data by means of the information notice even after the processing itself, but without delay. In this case, therefore, consent is given following the presentation of the information notice);
c) with the exclusion of dissemination, it is necessary for the purposes of carrying out the defensive investigations referred to in Law no. 397 of 7 December 2000, or, in any case, to assert or defend a right in a court of law, provided that the data are processed exclusively for such purposes and for the period of time strictly necessary for their pursuit, in compliance with the applicable legislation on business and industrial secrecy
d) with the exclusion of disclosure, it is necessary in the cases identified by the Garante, on the basis of the principles enshrined in the law, to pursue a legitimate interest of the data controller or of a third party recipient of the data, also with reference to the activity of banking groups and subsidiaries or affiliated companies, provided that the fundamental rights and freedoms, dignity or a legitimate interest of the data subject do not prevail.
Data required by the company
The undersigned, as Data Controller, uses your personal data in order to operate its business to the best of its ability. You may be asked, even partially, for the following data
– personal data, tax code, VAT number, name, registered office, residence and domicile and contact data;
– data relating to the contractual relationship descriptive of the type of contract, as well as information relating to its execution and necessary for the fulfilment of the contract itself
– accounting data relating to the economic relationship, sums due and payments, their periodic development, and a summary of the accounting status of the relationship;
– data to make the relationship with our structure more defined and our collaboration and operational efficiency more effective;
– data relating to: Your employees and/or collaborators, information on your profession or your company.
Data provided voluntarily by the user
Through the Site it is also possible to send requests and communications using the addresses and contact forms indicated therein. The provision of such data is compulsory, as it is necessary to reply to the requests sent as well as to contact the sender in order to obtain clarifications on what has been reported. In particular, personal data are provided by users for the purpose of using the services of the Site.
Users are identified at the time
– the sending of requests for information and communications through the addresses and contact forms indicated on the Site. In this case, the Data Controller shall process the sender’s contact data necessary to reply, as well as all the personal data included in the communications.
– the sending of communications for marketing purposes regarding products and/or services by ACM S.p.A in its own interest or in the interest of other companies, subject to express consent o the collection of Curriculum Vitae through spontaneous applications or in response to open positions or through the company’s Social Networks. By way of example but not limited to, personal and identifying data are collected, such as name, surname, address, telephone number, e-mail account, data relating to education, course of study and previous professional experience, as well as personal image where included in the CV and other data included in the letter/email of presentation where attached. Spontaneous applications and applications via the ‘work with us’ section are possible.
The data collected will be kept for the entire duration of the relationship or collaboration with our organisation and for 10 years from the date of termination of the relationship. If, during the contractual relationship, data not inherent to the administrative-accounting fulfilments connected with it are processed, such data will be kept for the time necessary to achieve the purpose for which they were collected and then deleted. The retention time of such data will be communicated to you with specific information at the time of collection.
Compulsory or optional nature of providing data and consequences of refusal
It should be noted that data essential for the performance of the contractual relationship, as well as data necessary to comply with the obligations provided for by laws, regulations, EU rules, or provisions of Authorities empowered to do so by law and by supervisory and control bodies, must be mandatorily provided to the undersigned. Data that are not essential for the performance of the contractual relationship shall be qualified and considered as additional information and their provision, if requested, is optional. Your refusal to provide such data, however, will result in our structure being less efficient in conducting relations with third parties. In the event that “sensitive data or data the processing of which presents specific risks” are essential for the conduct of the relationship or for the performance of specific services as well as legal obligations, the provision of such data will be mandatory and since their processing is only permitted with the prior written consent of the data subject (ex Art. 9 and 10 GDPR), you must also consent to their processing.
Pursuant to Art. 12 et seq. of the GDPR, we inform you that the personal data that you communicate to us will be recorded, processed and stored in our archives, on paper and electronically, in compliance with the appropriate technical and organisational measures referred to in Art. 32 of the GDPR. The processing of your personal data may consist of any operation or set of operations among those indicated in Article 4, paragraph 1, no. 2 of the GDPR. Personal data will be processed using instruments and procedures that guarantee security and confidentiality and may be carried out, directly and/or through delegated third parties, either manually on paper or by means of computerised or electronic tools. For the purposes of the proper management of the relationship and the fulfilment of legal obligations, the data may be included in the Controller’s own internal documentation and, if necessary, also in the records and registers required by law.
Activities possibly outsourced
The Data Controller, in the course of its business, may occasionally request other operators to perform certain services on its behalf, such as, for example, processing services or other services; services necessary for the performance of the operations or services requested; shipments and deliveries; accounting records; administrative activities. Should the operator delegated by the Data Controller to perform certain activities be a company that performs payment, collection and treasury services, banking and financial intermediation, the following services may be performed: bulk processing relating to payments, bills, cheques and other securities; transmission, enveloping, transport and sorting of communications; archiving of documentation; financial risk detection; fraud control; debt collection. The above-mentioned operators shall only be provided with information necessary for the provision of the commissioned services and shall be required to respect confidentiality, prohibiting the use of the data provided for a purpose other than that agreed. Operators who are not our data processors will be appointed as personal data processors (pursuant to Art. 28 GDPR) and will process the data to the extent strictly necessary to provide the commissioned service and exclusively for that purpose; they will also ensure that their processors have signed a confidentiality agreement. With regard to aspects not indicated in this information notice, these subjects will have to provide specific information on the processing of personal data carried out by them.
Transfer of personal data abroad
The data you provide will only be processed in Italy and in San Marino. If, during the contractual relationship, your data is processed in a non-EU country, the rights attributed to you by EU law will be guaranteed and you will be promptly notified thereof.
The legal bases of processing
In order for the processing to be lawful, we make use of the legal bases under Article 6 GDPR. We will collect and use your Personal Data in the following situations:
– if their use is necessary for the performance of a contract or contracts signed by you or the taking of measures requested by you before entering into a contract. Such contracts might include, for example, the conditions of participation in a course/seminar or agreements entered into for the provision of services;
– where our use of your personal data is in our legitimate interest or that of the organisation with which we have shared such data and we have ensured that your rights in this regard are adequately protected.
– where the use of your personal data is, in our opinion, necessary in order to comply with a legal or regulatory obligation to which we are subject;
– in a limited number of circumstances, if we consider it necessary in order to protect someone’s safety or vital interests;
– in certain circumstances where we consider it necessary for public interest purposes;
Purposes of the processing for which personal data are intended
The main purpose of the processing of your personal data that the undersigned intends to pursue is to enable the regular establishment and/or evolution, as well as the proper administration of the relationship specified in the preamble. In particular, the purposes of the processing are as follows
– administrative-accounting purposes, specifically the fulfilment of tax or accounting obligations;
– customer management (administration of customers; administration of contracts, orders, shipments and invoices; control of reliability and solvency)
– litigation management (breach of contract; warnings; settlements; debt collection; arbitration; litigation);
– internal control services (of safety, productivity, quality of services, integrity of assets);
– management of commercial and marketing activities (market analysis and surveys);
– promotional activities;
– customer satisfaction surveys.
Personal data will also be processed for the fulfilment of legal obligations, for the fulfilment of insurance obligations, or in order to regularly fulfil contractual and legal requirements arising from the legal relationship with the person concerned.
Furthermore, the data provided may also be used to contact the person concerned in the context of market research regarding products or services or in the context of offers or commercial campaigns. In any case, the data subject may freely choose not to give his or her consent for such purposes and may also indicate the manner in which he or she may be contacted or receive commercial information.
Scope of knowledge of your data
The following categories of persons, appointed as data processors or persons in charge of processing by the writer, may become aware of your data
a) employees or collaborators generally assigned to:
– Internal protocol and secretarial offices;
– Employees or collaborators generally employed in: Internal protocol and secretarial offices; Persons in charge of surveys and services and maintenance and assistance to the services provided to you;
– Accounting and invoicing clerks;
– Service marketing clerks;
– Customer satisfaction surveyors; Fraud and fraud prevention officers;
– Marketing clerks;
– Offices, services and branch offices;
– External mailroom clerks;
b) Consultants appointed for advice, assistance or services to our structure;
c) Managers and directors;
d) Members of supervisory bodies;
e) Our agents, representatives and distributors.
Personal data may also be disclosed to parties affiliated with the writer, as indicated in the paragraph entitled “Method of processing”. The writer may delegate to such subjects the performance of certain fulfilments or the performance of particular acts due to the execution of the relationship with the data subject.
Communication and dissemination
Your data may be communicated, this term being understood to mean giving knowledge of it to one or more specific persons, by the writer outside the company in order to implement all necessary legal and/or contractual fulfilments. In particular, your data may be communicated to
a) other companies of the Group, including parent, subsidiary and associated companies; b) Public Bodies or Offices or control authorities in accordance with legal and/or contractual obligations
c) banks and/or credit institutions for the management of payments deriving from the contractual relationship.
Your data may be communicated by the writer
– to subjects who can access them by virtue of provisions of the law, regulations or Community legislation, within the limits provided for by these rules;
– to subjects who need access to your data for purposes auxiliary to the relationship that exists between you and our structure, within the limits strictly necessary to carry out the auxiliary tasks (for example, credit institutions and forwarding agents)
– to our consultants and/or professionals, to the extent necessary to carry out their duties with us or their organisation, subject to the appointment of a person in charge who imposes a duty of confidentiality and security.
In any case, your data will not be communicated except to operators assigned to perform acts relating to the fulfilment of relations that may arise with the Interested Parties to whom the data refer.
The writer will not indiscriminately disseminate your data, or in other words, will not make them known to unspecified subjects, even by making them available or consulting them. The writer regards as precious the trust shown by the interested parties who have consented to the processing of their personal data and therefore undertakes not to sell, rent or lease the personal information to others.
Rights of data subjects
Each data subject has a series of rights, provided for and protected by the GDPR in Art. 15 et seq. Pursuant to Art. 15 GDPR, you have the right to obtain confirmation of the existence or otherwise of personal data concerning you, even if not yet recorded, and to request access to it. The exercise of the rights is subject to the verification of the identity of the interested party, through delivery of the identity document, which will not be kept by the writer, but only consulted in order to verify the legitimacy of the request.
You have the right to access, by requesting a copy, the personal data concerning you, and to the following information
(a) the purposes of the processing;
(b) the categories of personal data being processed
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if the recipients are established in third countries or if they are international organisations
(d) where possible, the period for which the personal data will be retained or, if this is not possible, the criteria used to determine that period
(e) where the data are not collected from the data subject, all available information as to their origin
(f) the existence of an automated decision making process, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic used, as well as the importance and the envisaged consequences of such processing for the data subject.
If the data is transferred to a third country or international organisation You have the right to be informed about the existence of adequate safeguards pursuant to Article 46 of the GDPR.
You also have the right to request rectification if necessary (i.e. the right to have inaccurate data concerning you rectified and incomplete data supplemented). In certain circumstances, you have the right to ask us to restrict the processing concerning you (i.e. the right to obtain the marking of the data stored with a view to restricting its processing in the future) or to delete the data in whole or in part or to request that it be provided to you in a commonly used electronic format so that it can be shared with other organisations (the right to ‘Personal Data Portability’). Where you have consented to the use of your personal data by us, you may revoke this consent at any time; if you wish to do so, please contact us at the address below. Revocation of consent does not affect the lawfulness of the processing based on the consent before revocation. You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that are processed for the performance of a task carried out in the public interest or in the exercise of official authority or in the pursuit of a legitimate interest. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of data concerning you carried out for such purposes, including profiling, insofar as it is related to such direct marketing. Serenissima S.p.A. shall do its utmost to respect your wishes, however, certain regulations, especially those relating to security or administrative regulations, may hinder the fulfilment of your request or even make it impossible.
To exercise the above rights, you may contact our Data Controller at [email protected] or by calling +378 0549 876611.
The Data Controller will reply to you within 30 days of receiving your formal request. We remind you that in the event of a violation of your personal data, you may lodge a complaint with the competent authority: “Garante per la protezione dei dati personali”.