INFORMATION ON THE PROCESSING OF PERSONAL DATA
Information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and Law 171/2018;
The Regulation (EU) 2016/679 (“General Data Protection Regulation”), hereinafter ‘GDPR’, and Law 171/2018 refer to the protection of individuals with regard to the processing of personal data, as well as the free movement of such data. According to this legislation, the processing of personal data referring to a person, specifically to be defined as ‘data subject’, is based on the principles of correctness, lawfulness and transparency, as well as protection of the confidentiality and rights of the data subject. This is to inform you, in compliance with the aforementioned norm, that in relation to the relationship that you have with our structure, as a Client/Supplier/Candidate, our organization is in possession of certain data relating to you, which have been acquired, even verbally, directly or through third parties who carry out operations concerning you or who, in order to meet a request of yours, acquire and provide us with information. Pursuant to the GDPR and L.171/2018, since this data refers to You, it must be acknowledged as personal data and therefore it must be granted the protection established by the aforementioned Regulation. Specifically, according to the regulations, you are the data subject who benefits from the rights placed on the protection of your personal data. Pursuant to Articles 13 and 14 GDPR and L.171/2018, our facility, as Data Controller, will process the personal data you provide in compliance with the regulations, with the utmost care, implementing effective management procedures and processes to ensure the protection of the processing of your personal data. To this end, the writer, using material and management procedures to safeguard the data collected, undertakes to protect the information disclosed, so as to prevent unauthorized access or disclosure, as well as to maintain the accuracy of the data and also to ensure the appropriate use of the same. In observance of this premise, the following information is provided:
- IDENTITY AND CONTACT DETAILS
The Data Controller is the writer: SIT GROUP S.p.A., with registered office in Strada del Sabattino 51, 47896, Faetano, Republic of San Marino; Tel: +378 0549 876611; fax: +378 0549 996444; email: firstname.lastname@example.org
The external companies with which a contractual relationship has been established, which in order to fulfill such agreements need to receive your personal data, play the role of Data Processors. In order to know the Data Processors, should they be appointed, and to know the persons who will be appointed in the future for said function, any interested party may send a letter of request to the Data Controller, at the above address. It is intended to clarify that the aforementioned Data Processors are not in charge of processing requests for the exercise of the rights of data subjects under Articles 15 et seq. of the GDPR and Law 171/2018. This activity is carried out exclusively by the writer in its capacity as Data Controller.
REPRESENTATIVE ESTABLISHED IN THE TERRITORY OF THE STATE
The Representative of the Data Controller established in the territory of the State is SITITALIA S.p.A., having its registered office in Via Giuseppe Pierini, 14/16, 61122, Pesaro (PU); tel: 0721 20511; email: email@example.com
- PROCESSING WITHOUT THE NEED FOR THE CONSENT OF THE DATA SUBJECT
Please note that the writer, even without your consent, will be entitled to process your personal data if this is necessary to:
– fulfill an obligation required by law, regulation or EU legislation;
– perform obligations arising from a contract to which you are a party or to fulfill, prior to the conclusion of the contract, specific requests of yours.
Your express consent is also not required when the processing:
- a) relates to data from public registers, lists, deeds or documents that are knowable by anyone, without prejudice to the limits and methods that laws, regulations or Community legislation establish for the knowability and publicity of the data, or relates to data relating to the performance of economic activities, processed in compliance with current legislation on business and industrial secrets;
- b) it is necessary for the protection of life or physical safety His or a third party (in this case, the owner is obliged to bring to the knowledge of the processing of personal data to the person concerned by means of the information even after the processing itself, but without delay. In that case, therefore, consent is given following the presentation of the information notice);
- c) with the exclusion of diffusion, it is necessary for the purposes of carrying out the defensive investigations referred to in Law No. 397 of December 7, 2000, or, in any case, to assert or defend a right in court, provided that the data are processed exclusively for such purposes and for the period strictly necessary for their pursuit, in compliance with current legislation on business and industrial secrecy;
- d) with the exclusion of diffusion, it is necessary in the cases identified by the Guarantor, based on the principles enshrined in the law, to pursue a legitimate interest of the owner or a third party recipient of the data, also with reference to the activity of banking groups and subsidiaries or affiliated companies, if the fundamental rights and freedoms, dignity or a legitimate interest of the data subject does not prevail.
- PERSONAL DATA COLLECTED
DATA REQUESTED BY THE COMPANY
The writer, as Data Controller uses your personal data to operate as best it can in the exercise of its business. You may be asked, even partially, for the following data:
o personal data, tax code, VAT number, name, registered office, residence and domicile and contact data;
o data related to the contractual relationship descriptive of the type of contract, as well as information related to its execution and necessary for the fulfillment of the contract itself;
o accounting type data relating to the economic relationship, amounts due and payments, their periodic performance, summary of the accounting status of the relationship;
o data to make the relationship with our structure more defined and our cooperation and operational efficiency more effective;
o data related to: Your employees and/or collaborators, information about your profession or your company.
DATA VOLUNTARILY PROVIDED BY THE USER
Through the Site it is also possible to send requests and communications using the addresses and contact forms indicated therein. The provision of such data is mandatory, as it is necessary to respond to the requests sent as well as to re-contact the sender in order to obtain clarifications regarding what has been reported. In particular, personal data are provided by users for the purpose of using the services of the Site.
Users are identified at the time:
o of sending requests for information and communications through the addresses and contact forms indicated on the Site. In this case, the Data Controller will process the sender’s contact data necessary to respond, as well as all personal data included in the communications.
o of the sending of communications for marketing purposes regarding products and/or services by Sit Group S.p.A in its own interest or that of other companies, subject to express consent.
o of the collection of Curriculum Vitae through spontaneous application or in response to open positions or through the company’s Social Networks. By way of example but not limited to, personal biographical and identifying data such as first name, last name, address, telephone number, e-mail account, data relating to education, course of study and previous professional experience, as well as personal image where included in the CV and other data included in the cover letter/email where attached are collected. Spontaneous application and application through the “work with us” section is possible.
- RETENTION PERIODS
The data collected will be kept for the duration of the relationship or collaboration with our organization and for 10 years from the date of termination of the relationship. If, during the course of the contractual relationship, data are processed that are not inherent to the administrative-accounting fulfillments related to it, such data will be kept for the time necessary to achieve the purpose for which they were collected and then deleted. The retention times of such data will be communicated to you with specific information at the time of collection.
- COMPULSORY OR OPTIONAL NATURE OF THE PROVISION OF DATA AND CONSEQUENCES OF REFUSAL
It should be noted that data essential for the performance of the contractual relationship must be obligatorily conferred to the writer, as well as the data necessary to fulfill the obligations provided for by laws, regulations, community norms, or by provisions of Authorities legitimized to do so by law and by supervisory and control bodies. Data that are not essential for the performance of the contractual relationship shall be qualified and considered additional information and their provision, if requested, is optional. Your refusal to provide such data, however, will result in less efficiency of our structure in carrying out relations with third parties. In the event that “sensitive data or the processing of which presents specific risks” is essential for the conduct of the relationship or for the performance of specific services as well as legal obligations, the provision of such data will be mandatory, and since their processing is only permitted with the prior written consent of the person concerned (ex articles 9 and 10 GDPR and L.171/2018), you must also consent to their processing.
- METHODS OF PROCESSING
Pursuant to and in accordance with Articles 12 et seq. of the GDPR and L.171/2018, we inform you that the personal data that you communicate to us will be recorded, processed and stored in our archives, paper and electronic, in compliance with the appropriate technical and organizational measures referred to in Article 32 of the GDPR and Article 33 of Law 171/2018. The processing of your personal data may consist of any operation or set of operations among those indicated in art. 4, paragraph 1, no. 2 of the GDPR and art.2, paragraph 1, letter B) of Law 171/2018. The processing of personal data will take place through the use of tools and procedures suitable to guarantee their security and confidentiality and may be carried out, directly and/or through delegated third parties, either manually by means of paper media, or through the use of computer or electronic tools. The data, for the purposes of the proper management of the relationship and the fulfillment of legal obligations, may be included in the Owner’s own internal documentation and, if necessary, also in the records and registers required by law.
- ACTIVITIES THAT MAY BE OUTSOURCED
The Data Controller, in the course of its business, may occasionally request other operators to perform certain services on its behalf, such as, for example, processing or other services; services necessary for the performance of the operations or services requested; shipments and deliveries; accounting records; administrative activities. If the operator delegated by the Holder to perform certain activities is a company that performs payment, collection and treasury services, banking and financial intermediation, the following services may be performed: massive processing related to payments, bills, checks and other securities; transmission, enveloping, transportation and sorting of communications; archiving of documentation; detection of financial risks; fraud control; debt collection. The above operators will only be provided with information necessary for the provision of the commissioned services and will be required to respect confidentiality, prohibiting the use of the data provided for a purpose other than that agreed upon. Operators who were not our appointees for the processing of personal data will be appointed as Personal Data Processors (pursuant to Article 28 GDPR and 29 of L.171/2018) and will process the data to the extent strictly necessary to provide the commissioned service and exclusively for that purpose; they will also ensure themselves that their appointees have signed a confidentiality agreement. With regard to aspects not indicated in this notice, these parties will have to provide specific information on the processing of personal data carried out by them.
- TRANSFER OF PERSONAL DATA ABROAD
The data you provide will be processed only in Italy and San Marino. If, in constancy of contractual relationship, your data are processed in a non-EU state, the rights attributed to you by EU regulations will be guaranteed and you will be promptly notified.
- THE LEGAL BASES OF THE PROCESSING
In order for the processing to be lawful, we make use of the legal bases ex art. 6 GDPR and art.5 L.171/2018. We will collect and use your Personal Data in the following situations:
– where the use of it is necessary for the performance of a contract(s) you have entered into or the taking of measures you have requested prior to entering into a contract. Such contracts might include, for example, conditions of participation in a course/seminar or agreements signed for the purpose of providing services;
– where our use of your personal data is in our legitimate interest or that of the organization with which we have shared such data and we have ensured that they and your rights in this regard are adequately protected.
– where the use of your personal data is in our opinion necessary in order to comply with a legal or regulatory obligation to which we are subject;
– in a limited number of circumstances, if we consider it necessary in order to protect someone’s safety or vital interests;
– in certain circumstances, should we deem it necessary for purposes of public interest;
- PURPOSE OF THE PROCESSING FOR WHICH YOUR PERSONAL DATA IS INTENDED
The main purpose of the processing of your personal data that the writer intends to pursue is to allow a regular establishment and/or evolution, as well as a proper administration of the relationship specified in the introduction. In particular, the purposes of the processing are as follows:
– administrative-accounting purposes, specifically the fulfillment of fiscal or accounting obligations;
– customer management (administration of customers; administration of contracts, orders, shipments and invoices; control of reliability and solvency);
– litigation management (breach of contract; warnings; settlements; debt collection; arbitration; litigation);
– internal control services (of safety, productivity, quality of services, integrity of assets);
– management of business and marketing activities (market analysis and surveys);
– promotional activities;
– customer satisfaction survey.
Personal data will also be processed to fulfill legal obligations, to fulfill insurance obligations, or even to be able to regularly fulfill contractual and legal requirements arising from the legal relationship with the data subject.
The data provided may also possibly be used to contact the data subject as part of market research regarding products or services or as part of offers or commercial campaigns. The data subject may in any case freely choose not to give consent for such purposes and also indicate the manner in which he or she may be contacted or receive commercial information.
- SCOPE OF KNOWLEDGE OF YOUR DATA
The following categories of individuals, appointed as data processors or persons in charge of processing by the writer, may become aware of your data:
- a) employees or collaborators generally assigned to:
– Internal protocol and secretarial offices;
– Persons in charge of surveys and performance of services and maintenance and support of the services provided to you;
– Accounting and billing clerks;
– Service marketing clerks;
– Customer satisfaction survey clerks; Fraud and fraud prevention clerks;
– Marketing clerks;
– Offices, services and branch offices;
– External mail stuffing clerks;
- b) Consultants assigned for advice, assistance or services to our facility;
- c) Executives and directors;
- d) Members of supervisory bodies;
- e) Our agents, representatives and distributors.
Personal data may also be known by parties affiliated with the writer, indicated in the paragraph titled “Methods of processing.” The writer may delegate to such parties the performance of certain tasks or the performance of particular acts due for the execution of the relationship with the data subject.
- COMMUNICATION AND DISSEMINATION
Your data may be communicated, meaning by this term the giving of knowledge to one or more determined subjects, by the writer outside the company to implement all the necessary legal and/or contractual fulfillments. In particular, your data may be communicated to:
- a) other companies in the Group, including parent, subsidiary and associated companies;
- b) Public Bodies or Offices or control authorities in accordance with legal and/or contractual obligations;
- c) banking and/or credit institutions for the management of payments arising from the contractual relationship.
Your data may be communicated by the writer:
– to subjects who can access the same by virtue of a provision of law, regulation or EU legislation, within the limits provided for by these rules;
– to subjects who need access to your data for purposes auxiliary to the relationship that exists between you and our structure, within the limits strictly necessary to carry out the auxiliary tasks (credit institutions and forwarding agents are mentioned as examples);
– to subjects of our consultants and/or professionals, to the extent necessary to carry out their duties at our or their organization, subject to the appointment of a responsible person imposing the duty of confidentiality and security.
In any case, your data will not be communicated except to operators assigned to the execution of acts concerning the fulfillment of relations that may intervene with the Interested Parties to whom the data refer.
The writer will not indiscriminately disseminate your data, or in other words, will not give knowledge of them to unspecified subjects, even by making them available or consultation. The writer regards as valuable the trust shown by the data subjects who will have consented to the processing of their personal information and therefore undertakes not to sell, rent or lease the personal information to others.
- RIGHTS OF DATA SUBJECTS
Each data subject enjoys a series of rights, provided for and protected by the GDPR and L.171/2018 in articles 15 et seq. Pursuant to art. 15 GDPR and L.171/2018, you have the right to obtain confirmation of the existence or otherwise of a processing of personal data concerning you, even if not yet registered, and to request access to it. The exercise of the rights is subject to ascertaining the identity of the interested party, through delivery of the identity document, which will not be kept by the writer, but only consulted in order to verify the legitimacy of the request.
You have the right to access, by requesting to extract a copy, the personal data concerning you, and the following information:
- a) the purposes of the processing;
- b) the categories of personal data being processed;
- c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly if the recipients reside in third countries or if international organizations are involved;
- d) when possible, the expected period of retention of personal data or, if this is not possible, the criteria used to determine this period;
- e) if the data are not collected from the data subject, all available information on their origin;
- f) the existence of automated decision-making, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic used, as well as the importance and the envisaged consequences of such processing for the data subject.
If the data is transferred to a third country or international organization You have the right to be informed about the existence of adequate safeguards in accordance with Article 46 of the GDPR and L.171/2018.
You also have the right to request rectification when necessary (i.e., the right to have inaccurate data concerning you corrected and incomplete data supplemented). Under certain circumstances, you have the right to ask us to restrict processing concerning you (i.e., the right to obtain the marking of the data stored with the aim of restricting its processing in the future) or to delete the data in whole or in part or to request that it be provided to you in a commonly used electronic format so that it can be shared with other organizations (the right to “Personal Data portability”). Where you have consented to our use of your Personal Data, you may revoke that consent at any time; should you wish to do so, you may contact us at the address below. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to withdrawal. You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that are processed for the performance of a task carried out in the public interest or in connection with the exercise of official authority or in pursuit of a legitimate interest. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of data concerning you that is carried out for such purposes, including profiling, insofar as it is related to such direct marketing. Sit Group will make every effort to comply with your wishes, however, certain regulations, especially security or administrative regulations, may hinder the fulfillment of your request or even make it impossible.
To exercise the above rights, you may contact our facility “Data Controller” at firstname.lastname@example.org or by calling +378 0549 876611.
The Data Controller will respond to you within 30 days of receiving your formal request. We would like to remind you that in case of a violation of your personal data, you may lodge a complaint with the competent authority: Guarantor of personal data protection.