[Version 8 February 2019]
Information on data processing
Article 29 of EU Regulation 2016/679 and 2 quaterdecies of Legislative Decree 196/2003
Dear Student, we wish to inform you that Legislative Decree 196/2003 ("Code regarding the protection of personal data") and the subsequent EU Regulation 2016/679 provide for the protection of persons and other entities regarding the processing of personal data.
A Door to Italy Srl, with registered office in Genoa, Via SS Giacomo e Filippo 19, VAT No. 04669890875
(hereinafter "Data Controller"), as data controller, informs you pursuant to Article 13 of Legislative Decree No. 196 of 30/06/2003 (hereinafter "Privacy Code") and Article 13 of EU Regulation No. 2016/679 (hereinafter "GDPR") that your data will be processed in the following manner and for the following purposes:
- Subject of Processing The Data Controller processes the personal identification data (e.g. first name, surname, company name, address, phone number, e-mail address, bank and payment details – hereinafter "personal data" or just "data") that you provide when stipulating a service contract with the Data Controller.
- Purposes of processing Your personal data is processed:
A) without your express consent (Article 24, letters (a), (b), and (c) of the Privacy Code and Article 6, letters (b) and (e) of the GDPR) for the following Service Purposes:
• To stipulate contracts for the services provided by the Data Controller
• To fulfil pre-contractual, contractual, and tax obligations deriving from existing relationships with you
• To manage administration, accounting, order, shipping, billing and service activities
• To fulfil the obligations provided for by law, by a regulation, by EU legislation or by an order of the Authority (such as in the matter of anti-money laundering); GDPR/May 2018
• To exercise the Data Controller's rights, e.g. the right to legal defence
B) Only with your specific and distinct consent (Articles 23 and 130 of the Privacy Code and Article 7 of the GDPR), for the following marketing purposes:
• To send you newsletters, commercial information and/or advertising material on products or services offered by the Data Controller via e-mail, post and/or text messages and/or telephone contact, and to conduct surveys on your level of satisfaction with the quality of services provided
• To send you commercial information and/or advertising material from third parties (e.g. business partners, insurance companies, etc.) via e-mail, post and/or text messages and/or telephone contact.
We inform you that if you are already a customer of ours, we may send you commercial communications relating to the Data Controller's services and products similar to those you have already used, unless you withhold your consent (Article 130, paragraph 4 of the Privacy Code).
- Processing methods Your personal data is processed using the methods indicated in Article 4 of the Privacy Code and Article 4, paragraph 2 of the GDPR, and more precisely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of data. Your personal data is subject to both paper and electronic and/or automated processing. The Data Controller will process the personal data for the time necessary to fulfil the aforementioned purposes and in any case for no more than 5 years from termination of the relationship for Service Purposes and for no more than 2 years from the collection of data for Marketing Purposes.
- Access to data Your data may be rendered accessible for the purposes referred to in Article 2A) and 2B):
• To the Data Controller's employees and collaborators or companies of the Card Protection Plan Group in Italy and abroad, in their capacity as appointees and/or internal processors and/or system administrators
• To third-party companies or other entities (e.g. credit institutes, professional firms, consultants, insurance companies, etc.) which perform outsourcing activities on behalf of the Data Controller, in their capacity as external data processing managers
- Data communication Without the need for express consent (pursuant to Article 24, letters (a), (b), and (d) of the Privacy Code and Article 6, letters (b) and (c) of the GDPR), the Data Controller may communicate your data for the purposes referred to in Article 2A). Without prejudice to communications and disclosures carried out in order to meet legal obligations, your personal data may be communicated in Italy and/or abroad to:
- Professionals and consultants, consulting companies, factoring companies, credit institutions, credit recovery companies, credit insurance companies, commercial information companies, companies operating in the transport sector;
- Public and private bodies, including after inspections or verifications such as, for example: Financial Administration, Tax Police Organs, Judicial Authorities, Italian Exchange Office, Labour Inspectorate, Local Health Authority, Social Security Institutions, Chamber of Commerce, etc.; your data will not be disseminated.
- Data transfer Personal data is stored on servers located in Genoa, within the European Union.
In any case, it is understood that the Data Controller, if necessary, shall have the right to move the servers, including outside the EU. In this case, the Data Controller guarantees from now on that transfer of data outside the EU will take place in accordance with the applicable legal provisions, subject to entering into the standard contractual clauses provided for by the European Commission.
The Data Controller reserves the option to use cloud-based services and, in such cases, the service providers will be selected from those which provide the appropriate guarantees, as set out in Article 46 of the GDPR 679/16.
- Nature of data provision and consequences of refusal to respond The provision of data for the purposes referred to in Article 2A) is mandatory. In its absence, we cannot guarantee the services outlined in Article 2A).
The provision of data for the purposes referred to in Article 2(B) is, on the other hand, optional. You can, therefore, decide not to provide any data or to subsequently deny the possibility of processing data provided earlier. In this case, you will not be able to receive newsletters, commercial communications or advertising material concerning the services offered by the Data Controller. However, you will still be entitled to the services referred to in Article 2A).
- Rights of the data subject In your role as data subject, you are guaranteed the rights set out in Article 7 of the Privacy Code and Article 15 of the GDPR, specifically, the right to:
1. Obtain confirmation whether or not personal data concerning you exists, even if not yet recorded, and its communication in intelligible form;
2. Obtain indication of: a) the origin of personal data; b) the purposes and methods of processing; c) the logic applied in the case of processing carried out with the aid of electronic instruments; d) the identification data for the data controller, the data processors and the representative designated pursuant to Article 5, paragraph 2 of the Privacy Code and Article 3, paragraph 1 of the GDPR; e) the entities or categories of entities to which the personal data may be communicated or which can learn about it as appointed country representatives, managers or appointed processors;
3. Obtain: a) the updating, rectification or, when relevant, integration of data; b) the deletion, transformation into anonymous form or blocking of unlawfully processed data, including that which does not need to be kept for the purposes for which the data was collected or subsequently processed; c) attestation that the operations as per letters a) and b) were made known, including their content, to those to whom the data was communicated or disclosed, except where this is impossible or involves a commitment of resources which is clearly disproportionate to the protected right;
4. Object, in whole or in part: a) for legitimate reasons, to the processing of personal data concerning you, even if relevant to the purpose for which it was collected; b) to the processing of personal data concerning you for the purpose of advertising material or direct sales, or to carry out market research or commercial communication, through the use of automated calling systems without human intervention, by e-mail and/or through traditional marketing methods by phone and/or post.
Please note that, with regard to direct marketing through automated methods, the data subject's right to object, as set out in point b) above, is extended to traditional methods, and that the data subject is able to exercise their right to object, even partially. Hence, the data subject may decide to receive only communications using traditional methods, or only automated communications, or neither of the above. Where applicable, you are also guaranteed the rights set out in Articles 16-21 of the GDPR (right of rectification, right to be forgotten, right to restrict processing, right to data portability, right to object), as well as the right to lodge a complaint with the Supervisory Authority.
- How to exercise your rights You may exercise your rights at any time by sending:
• a registered letter with acknowledgement of receipt to A Door To Italy - Via SS Giacomo e Filippo 19 - 16121 Genoa (GE)
• or alternatively a PEC (certified e-mail) to email@example.com
- Data controller, data manager and data processors The Data Controller is A Door to Italy Via SS Giacomo e Filippo 19.
The updated list of data managers and data processors is kept at the Data Controller's registered office.