Privacy notice for the processing of personal data
In accordance with the provisions of the General Data Protection Regulation no. 679/2016 (“GDPR”) Exein S.p.a. (“Exein”) as data controller informs you of the following regarding the processing of your personal data pursuant to art. 13 of EU Regulation 2016/679 on the protection of personal data (“Regulation”).
- a) Data will be processed solely in relation to contractual needs and to the consequent fulfilment of the legal and contractual obligations arising therefrom, and for the purposes of the effective management of business relationships. The provision of data is mandatory for all that is required by contractual and legal obligations; any refusal to provide or subsequently process such data may result in Exein being unable to enter into the contractual relationships;
- b) Your data may also be used for the extraction of statistical information, so as to guarantee the best service to consumers and the best after-sales support, in order to improve the provision of our services, and for sales and marketing purposes, in order to keep you up-to-date on the latest service announcements and invite you to events and exclusive pre-sales. The provision of data for the above purposes is optional. Refusal to provide data will not therefore have any repercussions on the data subject or on the enforcement of our existing contractual relations;
- d) data will be processed fairly and lawfully and, in any case, in compliance with the aforementioned regulation, by means of suitable technical and organizational tools that ensure appropriate security and confidentiality of the data;
- e) Processing is carried out by expert appointed staff by paper, computer, electronic and any other type of means deemed technologically suitable for safeguarding the data subject’s rights and freedoms;
- f) the data will be stored in the filing systems and competent offices of Exein.;
- g) without prejudice to communications and disseminations made in compliance with legal obligations, the data may be disclosed to: banks, post offices or other mail delivery companies, credit institutions and debt collection companies, insurance companies, consultants, self-employed professionals, IT maintenance companies, training bodies, and in any case to all third parties identified for the purposes listed above and for the enforcement of our existing contractual relations.
- h) Data will be processed and retained for the duration of established contractual relationships and, in specific cases, also thereafter, so as to guarantee fulfilment of all legal obligations;
- i) data will be processed within and, where appropriate, outside the European Union. The Data Controller hereby ensures that any transfer of data outside the EU will take place in accordance with applicable legal provisions and with the safeguard requirements of the GDPR.
With regard to the data itself, you may exercise the rights envisaged by articles 15 to 22 of EU Regulation 2016/679 (a copy of which is annexed hereto). In more detail, data subjects have the following rights in relation to the processing to which their personal data is subject:
- Right of access;
- Right to rectification;
- Right to restrict processing and right to erasure;
- Right to data portability.
- Right to make a complaint to a supervisory authority;
These rights may be exercised by sending written notice to the Data Controller, Lady Exein s.r.l., with registered office at via del Velabro 5/a – 00186 – Rome – Italy
RIGHTS OF THE DATA SUBJECT (ART. 15 TO 22 OF EU REGULATION EU 2016/679)
Article 15 – Data subject right of access
1. Data subjects have the right to obtain confirmation as to whether their personal data is being processed and if so, to access their personal data and the following data:
- a) the purposes for which the personal data is being processed;
- b) the categories of personal data concerned;
- c) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
- d) where possible, the retention period for storing the personal data or, where this is not possible, the criteria used to determine the retention period;
- e) the existence of the data subject’s right to submit a request for the rectification or erasure of personal data, or for the restriction of processing of their data or to object to the processing thereof;
- f) the right to lodge a complaint with a supervisory authority;
- g) all available information on the source of the personal data, if the data is not collected from the data subject directly;
- h) the existence of automated decision-making, including profiling pursuant to art. 22, paragraphs 1 and 4, and, in these cases at least, meaningful information of the logics used, as well as the significance and the envisaged consequences of such processing for the individual.
2. Where personal data is transferred to a third country or international organization, the data subject has the right to be informed of the existence of appropriate safeguards within the meaning of article 46 in the relation to the transfer.
3. The data controller provides a copy of the personal data processed. If the data subject requests further copies, the data controller can charge a reasonable fee towards the administrative costs incurred in fulfilling the requests. If the data subject makes a request electronically, the information is provided in a commonly used electronic format, unless the data subject requests otherwise.
4. The right to obtain a copy pursuant to paragraph 3 must not adversely affect the rights and freedoms of others.
Article 16 – Right to rectification
Data subjects have the right to have inaccurate personal data rectified without undue delay. Taking into account the purposes of the processing, data subjects have the right to have incomplete personal data completed, which may also involve the provision of a supplementary statement.
Article 17 – Right to erasure (“right to be forgotten”)
1. Data subjects have the right to have their personal data erased by the data controller without undue delay and the data controller is obliged to erase the personal data without undue delay, in the event of one of the following:
- a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- b) the data subject withdraws consent to the processing pursuant to article 6, paragraph 1a) or article 9, paragraph 2a), and this is the only legal basis for processing;
- c) the data subject objects to the processing of their data within the meaning of article 21, paragraph 1, and there is no overriding legitimate interest to continue the processing, or objects to processing within the meaning of article 21, paragraph 2;
- d) the personal data has been processed unlawfully;
- e) the data must be erased to fulfil a legal obligation envisaged by the European Union or by the Member State to whom the data controller is subject;
- f) the personal data has been collected in relation to the provision of the information society services pursuant to article 8, paragraph 1.
2. If the data controller has made the personal data public and is required, within the meaning of paragraph 1, to erase the data, while taking into account the available technology and the implementation costs, the controller must take reasonable steps, including technical measures, to inform other data controllers who are processing the personal data, of the data subject’s request for the erasure of all links to, copies or replication of their data.
3. Paragraphs 1 and 2 do not apply if processing is necessary for the purposes of:
- a) the exercise of the right of freedom of expression and information;
- b) compliance with a legal obligation that requires the processing envisaged by the European Union or by the Member State to whom the data controller is subject or performance of a task carried out in the public interest or the exercise of public powers vested in the data controller;
- c) for public health purposes in the public interest in compliance with article 9, paragraphs 2h) and 2i), and with article 9, paragraph 3;
- d) for archiving purposes in the public interest, scientific or historical research or for statistical purposes in compliance with article 89, paragraph 1, to the extent in which the right pursuant to paragraph 1 is likely to render impossible or seriously impair the achievement of that processing; or
- e) for the establishment, exercise or defense of a legal claim.
Article 18 – Right to restrict processing
1. Data subjects have the right to request that data controllers restrict the processing of their personal data in the following circumstances:
- a) the data subject contests the accuracy of their personal data for the period of time required for the data controller to verify the accuracy of the data;
- b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests that its use be restricted instead;
- c) the data controller no longer needs the data for processing purposes, the data subject needs the personal data to establish, exercise or defend a legal claim;
- d) the data subject has objected to the processing within the meaning of article 21, paragraph 1, pending the establishment of whether the legitimate grounds of the data controller override those of the data subject.
2. If processing has been restricted under paragraph 1, such personal data, with the exception of storage, will only be processed with the data subject’s consent or for the establishment, exercise or defense of a legal claim or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing under paragraph 1, is informed by the data controller before said restriction is lifted.
Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
The data controller informs each recipient to whom the personal data has been transmitted of any rectification, erasure or restriction of processing carried out under article 16, article 17, paragraph 1, and article 18, unless this proves impossible or involves disproportionate effort. The data controller shall inform the data subject about such recipients on the data subject’s request.
Article 20 – Right to data portability
1. Data subjects have the right to receive the personal data provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit such data to another data controller without hindrance from the data controller that provided the personal data, where:
- a) the basis for processing is consent within the meaning of article 6, paragraph 1a), or of article 9, paragraph 2a), or performance of a contract within the meaning of article 6, paragraph 1b); and
- b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to obtain the direct transmission of personal data from one controller to another, if technically feasible.
3. The exercise of the right pursuant to paragraph 1 of this article shall be without prejudice to article 17. This right does not apply to the processing necessary for performing a task in the public interest or for the exercise of the official authorities vested in the data controller.
4. The right pursuant to paragraph 1 must not adversely affect the rights and freedoms of others.
Article 21 – Right to object
1. Data subjects shall have the right to object, at any time, for reasons relating to their particular situation, to the processing of their personal data within the meaning of article 6, paragraphs 1e) and 1f), including profiling, based on these provisions. Data controllers shall stop further processing the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or the processing is for the establishment, exercise or defense of a legal claim.
2. Where personal data is processed for direct marketing purposes, the data subject has the right to object to the processing of their personal data, including profiling data associated with such direct marketing, for such purposes, at any time.
3. If the data subject objects to processing for direct marketing purposes, the personal data is not processed for such purposes.
4. The right pursuant to articles 1 and 2 is brought explicitly to the data subject’s attention and is presented clearly and separately from any other information no later than at the time of first communication with the data subject.
5. In the context of the use of information society services and without prejudice to Directive 2002/58/EC, the data subject may exercise their right to object by automated means that utilise technical specifications.
6. Where personal data is processed for scientific or historical research or statistical purposes under article 89, paragraph 1, the data subject has the right, for reasons in connection with their particular situation, to object to the processing of their personal data, unless the processing is necessary for the performance of a task for reasons of public interest.
Article 22 – Automated individual decision-making, including profiling
1. Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, if the decision produces legal effects concerning them or, similarly, significantly affects them.
2. Paragraph 1 does not apply if the decision:
- a) is necessary for entering into or performance of a contract between the data subject and the data controller;
- b) is authorized by Union law or by the law of the Member State to which the data controller is subject, which also lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests;
- c) is based on the data subject’s explicit consent.
3. In the cases pursuant to paragraphs 2a) and 2c), the data controller shall take appropriate measures to safeguard the rights of data subjects, at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.
4. Decisions pursuant to paragraph 2 are not based on the special categories of personal data pursuant to article 9, paragraph 1, unless article 9, paragraph 2a) or 2g) applies, and suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests are in place.