pursuant to art13 European Regulation 2016/679
Pursuant to current legislation on the protection of individuals and other subjects with regard to the processing of personal data, as well as the free circulation of such data, and, in particular, pursuant to art13 of the 2016/679 European Regulation (hereinafter GDPR) and of the art13 DLgs196/2003 (Privacy Code), as far as in force, and ssmmand ii., in relation to the personal data that the Data Controller will enter or possess, we inform you of the following.
- Owner of the processing of personal data and Data Protection Officer
The data controller is Exept Srl (cf/pIva 01721020095), with registered office in Milan, Via Felice Casati, 20, contact details via email email@example.comContact details of the Data Protection Officer firstname.lastname@example.org
- Personal data subject to processing
For the purposes of establishing and executing the assignment and the professional relationship, personal , common data, as per art4, no1), GDPR and special categories of personal data pursuant to art9, paragraph 1, GDPRThe personal data collected may be, by way of example and not limited to:name, surname, place and date of birth, tax code, nationality, residential and/or domicile address, telephone numbers, email and certified e-mail, extreme identity documents, contact details of supporting current accounts, data relating to the physical and anthropometric characteristics of a person, such as height, weight, forearm size, etc.The source from which the personal data originates can be the interested party himself, third parties or can come from sources accessible to the public
- Purpose and legal basis of the processing of personal data
The processing of the data received may be aimed at:a) the establishment of a contractual relationship with the Data Controller, including pre-contractual measures, as well as the correct and complete execution of the contract itself, concerning:
retail and wholesale trade, including by correspondence, in telematic or remote form, import and export, deposit and representations of:
- cycles and motorcycles of any type and quality;
- sports and fitness equipment, clothing and articles of any type and quality
- parts, components and spare parts of the above products, as well as accessories for the products themselves;
- b) the purposes related to the obligations established by laws, regulations and community legislation, as well as by provisions issued by Authorities legitimated by the law or by supervisory or control bodies (for example in the field of anti-money laundering, taxation, etc. ); c) direct marketing, or promotion and sale of products and services of the data controller, performed directly by the data controller, by sending advertising material, telephone contacts and any other form of communication through automated processes (such as, but not limited to) , sending e-mails, sms, mms, advertising through social networks, etc.) or non-automated (for example, sending paper correspondence, promotional telephone calls with operator, ..)d) communication and/or transfer of personal data to third parties for the purpose of promoting and/or selling products and/or services, with or without automated methods; e) sending newsletters also through automated or IT toolsThe treatment referred to in the purposes set out in letters a) and b) find their legal basis in the fulfillment of a legal obligation, regulation or other act having the value and force of law and in the obligations deriving from the conferment and execution of the contract of which the interested party is a party, including any pre-contractual measuresThe treatment referred to in the purposes set out in letters c), d), e) find their legal basis in the expression of the free, informed and explicit consent of the interested party.
- Methods of data processing.
The data processing will be carried out by the data controller and/or by his appointees, in strict compliance with the principles set out in articles5 and ssGDPR, (in particular, the principles of lawfulness, correctness, transparency, accuracy, purpose and processing limitation, data minimization), by means of the operations or set of operations indicated by current legislation and, in particular, by art4 GDPR, concerning the collection, registration, organization, structuring, storage, use, adaptation or modification, consultation, processing, selection, extraction, comparison or interconnection, blocking, communication and communication by transmission, dissemination or any other form of making available, limitation, cancellation and destruction of dataThe aforementioned operations may be carried out with or without the aid of automated processes and the data may be stored both in paper, electronic, centralized, decentralized archives.The systems used for data processing are configured, already originally, in order to minimize the use of the dataFollowing periodic checks, the data controller will verify the accuracy, updating, strict relevance, adequacy and non-excess of the data collected with respect to the obligations and purposes of the processing for which they were collected.The data will be processed in such a way as to guarantee adequate security of the same, including the protection, through the adoption of adequate technical and organizational measures, from unauthorized, illicit treatments or from loss, destruction, modification, unauthorized disclosure. , from accidental damage, as well as from unauthorized access, to personal data transmitted, stored or otherwise processed, even in the case of processing through remote communication tools.
- Data retention
The data processing will take place, in the cases provided for by the current provisions of law or the GDPR, subject to the expression of free, specific and explicit consent of the interested party, and, in particular, having regard to the particular data provided for by art9 GDPR (which may be processed only with the free and explicit written consent of the interested party), for the time strictly necessary and not exceeding the achievement of the purposes for which the data were collected and processed, except for the fulfillment of the obligations envisaged. by Laws (for example, in the field of anti-money laundering), regulations and community legislation, as well as by provisions issued by Authorities legitimated by the Law or by supervisory or control bodies, or for statistical purposes, it being understood that, in such cases , adequate technical and organizational security measures will be implemented to protect the rights and freedoms of the data subjectPersonal data which does not need to be kept, or is no longer required, in relation to the purposes indicated, will be deleted or irreversibly transformed into anonymous form .
- Data retention time
The retention time of personal data varies according to the purpose of the data processingIn relation to the purpose set out in letter a) referred to in point 3, the data are kept for the period of time strictly necessary and not exceeding the achievement of the purposes for which the data were collected and processed.In relation to the purpose set out in letter b) referred to in point 3, the data retention times are set at ten years and, in any case, for the period of time strictly necessary for the purposes and fulfillment of the obligations established by Laws, regulations and by community legislation, as well as by provisions issued by Authorities legitimated by the Law or by supervisory or control bodiesIn relation to the purposes set out in letters c) d) e) , the interested party has the right to withdraw his consent at any time and with methods similar to those provided for its conferment, without consequences, other than the failure to process the data for these purposesPersonal data of a fiscal/accounting nature will be kept for the ten years following the end of the fiscal year following that of competence, to deal with any assessment and/or dispute of a fiscal nature.In the event that the owner has to act or defend himself in a judicial or extrajudicial way, the personal data that must necessarily be used for this purpose will be kept until the full settlement, judicial or extrajudicial, of the dispute.
- Existence of an automated decision-making process, including profiling
The owner does not adopt any automated decision-making process, including profiling, pursuant to current legislation and, in particular, pursuant to art.22, paragraphs 1 and 4, of the GDPR.
- Provision of data, refusal to provide data
and refusal or withdrawal of consent
In relation to the purposes expressed in point 3, letters a) and b), the provision of data and consent to processing are mandatory , being a legal or contractual obligation or a necessary requirement for the conclusion and/or execution of the contract; any refusal will not allow the Data Controller to conclude or execute the contract of which the interested party is a partyIn case of legal obligations, then, any refusal would make it impossible for the Data Controller to establish relations with the interested party and could have the obligation to make reportsIn relation to the purposes set out in letters c), d), e), the provision of data and consent to the processing are optional , therefore the refusal does not imply the impossibility for the Data Controller to fulfill the services covered by the relationship and the the interested party has the right to withdraw his consent at any time, and without consequences, other than the failure to process personal data for these purposesIn any case, the interested party has the right to withdraw consent to the processing of personal data in relation to the purposes set out above, or only to some of them, at any time, without thereby affecting the lawfulness of the processing based on the consent given before revocation.
- Communication of data and recipients of communication of personal data
Personal data will not be communicated (with this term meaning the disclosure of it to one or more specific subjects) without the explicit consent of the interested party, unless the communication is necessary for the fulfillment of a legal obligation.In such cases, the personal data may be communicated for the purposes referred to in point 3 to all those subjects, public or private, to whom the communication is necessary by law and/or necessary and functional for the correct fulfillment of the purposes indicated in the point 3 and/or in any case strictly connected and relevant to the assignment (for example, employees of the Owner, accountant, webmaster, IT service manager, retailers, couriers, banks, insurance companies, etc.)The interested party, at any time, upon written request to be sent to the data controller, at the registered office indicated in point 1, may have an updated and complete list of the recipients of the communication of their personal dataAll the subjects listed above, recipients of the communication of personal data pursuant to art4, paragraph 9 GDPR, with the exception of employees, will process personal data as independent data controllers or data processors.
- Dissemination of data
Personal data will not be disseminated, with this term meaning giving them knowledge to indeterminate subjects in any way, including by making them available or consulting.
- Transfer of data abroad
Personal data will not be transferred for the purposes referred to in point 3, to countries of the European Union and to third countries with respect to the European Union.If for technical and/or operational reasons it becomes necessary to make use of subjects located outside the European Union, or it becomes necessary to transfer some of the data collected to technical systems and services managed in the cloud and located outside the Union European Union, the treatment will be regulated in accordance with the provisions of art44 and following of EU Regulation 679/2016 and authorized on the basis of specific decisions of the European UnionAll necessary precautions will therefore be taken in order to guarantee the widest protection of the data subject's personal data.
- Rights of the interested party.
The current provisions of the law, and, in particular, Articlesfrom 15 to 23 of the GDPR, give the interested parties the exercise of specific rights .
Therefore, within the limits and under the conditions provided for by the aforementioned legislation, the data controller recognizes and guarantees to the interested party the exercise of the following rights:
- ask for confirmation of the existence or not of personal data in the owner's archives
- access personal data in the owner's archives and all information relating to the law and the GDPR;
- request the correction, updating, integration and cancellation of personal data, if incomplete or incorrect, as well as to oppose their processing for legitimate and specific reasons;
- obtain the correction of inaccurate personal data without undue delay;
- obtain the cancellation of personal data without undue delay, if one of the reasons referred to in art17, paragraph 1, GDPR (cd"Right to be forgotten");
- obtain the limitation of the processing of personal data if one of the reasons referred to in art18, paragraph 1, GDPR;
- obtain the portability of the data or personal data, i.e. receive it/s from the holder in a structured format, commonly used and readable by an automatic device and/or transmit them to another holder without impediments, or obtain the direct transmission of the personal data or data from the data controller to another data controller, within the limits and in the manner provided for by art20 GDPR;
- withdraw consent to the processing of personal data, in particular where provided pursuant to art6, paragraph 1, letter a) or art9, paragraph 2, letter a), GDPR, in relation to the aforementioned purposes or only to some of them, at any time and with methods similar to those provided for its conferment, without thereby compromising the lawfulness of the treatment based on consent loaned before revocation;
- object at any time to the processing of personal data for direct marketing purposes, including profiling to the extent that it is connected to direct marketing;
- oppose an automated decision-making process relating to natural persons, including profiling, and obtain human intervention from the owner, to express their opinion and contest the decision;
- oppose the processing of personal data for scientific or historical research purposes or for statistical purposes, unless the processing is necessary for the performance of a task of public interest;
- receive information relating to the action taken regarding the exercise of one or more of the rights listed above, or the effects arising from the exercise of one or more of the aforementioned rights, without undue delay and, in any case, at the latest within one month of receipt of the request itself (term, if necessary, possibly extendable by two months in the cases provided for by law and by art12, paragraph 3, GDPR);
- lodge a complaint with a supervisory authority;
- propose judicial appeal;
Except in the event that the processing is unlawful or violates the principles set by current legislation, the exercise of the rights listed above by the interested party must be relevant and motivated, and may not imply the revocation of the consent given or the deletion of data. provided for the conclusion or execution of the contract or for the fulfillment of a legal obligation, referred to in point 3, insofar as and as long as personal data are necessary for these purposesThe European Union or the Italian State may limit the scope of the obligations and rights of the owner and of the interested party, referred to above, pursuant to and for the purposes of art.23 GDPRThe rights in question, with the exception of the right to lodge a complaint or appeal, may be exercised by means of a written request addressed to the Data Controller at the addresses and contacts indicated in point 1For anything not expressly mentioned in this information, express reference is made to the provisions of the law in force and, in particular, to the GDPR.