Basic Privacy Statement – Customers
Who is the data controller?
Sisma S.p.A., hereinafter referred to as the Data Controller
Address: Via Industria 1, (36013) Piovene Rocchette (VI) Tel.: Email: privacy@sisma.com
Who is the Data Protection Officer?
DPO
Who are the recipients?
external data processors and any additional data controllers and/or joint controllers
- consultants involved in administrative and accounting management
- IT consultants
- Group companies to which the Data Controller belongs.
What will be done with your personal data?

| Personal data will be processed: | The data will be processed on the basis of: | The personal data concerning you are: |
| --- | --- | --- |
| for execution and management of the contract | activities planned upon agreement of the contract; contract/relationship established; fulfilment of activities resulting from the relationship established and regulated for the market sector of the data controller; fulfilment of obligations resulting from the established relationship, such as (accounting and exercise of rights dependent on the contract) | name, surname; tax code; VAT number; telephone number; address; email; landline and/or mobile phone number |
| for assistance activities | | |
| for archiving and retention | | |
| for communication to recipients and/or third parties depending on the contractual relationship and the obligations deriving from it | legitimate interest of the data controller or third parties and recipients | |
| for the fulfilment of IT security obligations | legitimate interest of the data controller or third parties and recipients | email address dedicated platforms access log |
| for marketing activities concerning the services of the Data Controller | consent | name, surname; address; landline and/or mobile phone number; email |

The following personal data were not provided directly by you:
name, surname, tax code or VAT number, place and date of birth, physical and electronic address, landline and/or mobile phone number
What is the origin of the personal data not provided by you?
lists and registers kept by public authorities or under their authority or similar bodies based on specific national and/or international legislation.
You can exercise the right of complaint to the competent Authority and the other rights provided for by arts. 15 et seq. of the European Regulation (EU) 2016/679 at any time.
For more information, see the complete report in the privacy section of the website www.sisma.com or contact us at privacy@sisma.com.
Giving consent
If you have received this information report and have understood its content, the Data Controller will ask if you consent to the processing of your personal data
for the sending of advertising material aimed at sales, or for carrying out market research or opinion polls, for promotional and commercial communications or to propose information and/or the acquisition of services by email, text message, telephone contact with or without an operator or by ordinary mail.
- Yes, I give my consent
- No, I don’t give my consent
Full privacy statement – customers
About us and what we do with your personal data
Sisma S.p.A., with registered office in Via Industria 1, (36013) Piovene Rocchette (VI) (hereinafter also the Data Controller), in its capacity as data controller, is concerned with the confidentiality of your personal data and guarantees that they will be protected against any event that may put them at risk of breach.
To this end, the Data Controller implements policies and practices regarding the collection and use of personal data and the exercise of the rights recognised by the applicable legislation. The Data Controller is responsible for updating the policies and practices adopted for the protection of personal data whenever necessary and in any case in the event of regulatory and organisational changes that could affect the processing of your personal data.
The Data Controller has appointed a Data Protection Officer (DPO) who you can contact if you have questions about the policies and practices adopted: dpo@sisma.com
How does Sisma S.p.A. collect and process your data?
The Data Controller collects and/or receives information about you, such as:
- name, surname
- tax code
- VAT number
- telephone number
- address
- landline and/or mobile phone number
The personal information concerning you will be processed for:
1) the management of the contractual relationship and the consequent obligations, including regulatory requirements
The processing of your personal data takes place to carry out the activities preliminary and consequent to the management of the contractual relationship established, for the management of payments, the handling of complaints, as well as for the fulfilment of any other obligation deriving from the contract, such as registration and retention of your personal data.
The obligations that the Data Controller must fulfil depending on the contract and specific regulations governing it, are, inter alia, those of:
- keeping the accounts.
Your personal data is also processed to prevent fraud, including contractual fraud. Finally, your data (such as landline and/or mobile phone number and electronic address) will be processed to provide you with assistance on the services covered by the contract.
Your personal data may also be used to forward specific communications and information relating to contractual obligations or deadlines, how the service is provided or any business operating needs. Without prejudice to the principles of necessity, relevance and non-surplus, these notices may be made on paper, by telephone (landline or mobile number with direct, pre-recorded and/or text message) or electronic means (email).
The specific data relating to your state of health will be processed – subject to your express consent – with all the necessary guarantees including those that require pseudonymisation, aggregation and/or encryption.
Your personal data is also collected from third parties such as:
- lists and registers kept by public authorities or under their authority or similar bodies based on specific national and/or international legislation;
2) for communication to third parties and recipients
The processing of your personal data takes place depending on the contract and the obligations, including legal and/or regulatory, deriving from it.
Your data will not be disclosed to third parties and recipients for their own purposes unless:
- you give your authorisation;
- it is necessary for the fulfilment of the obligations depending on the contract and the rules of law that govern it (e.g. for the defence of your rights, for reporting to the supervisory authorities, etc.);
- the communication is made to IT consultants, consultants involved in the administrative and accounting management or companies of the Group to which the Data Controller belongs.
3) for marketing activities concerning the services of the Data Controller
The processing of your personal data takes place to offer you services in addition to those referred to in the service to which you have subscribed, or even improved or more suited to your needs and, for the purpose, to send you advertising material. The processing of your data (such as name, surname, address, landline and/or mobile phone number, email) may take place by:
- email;
- text message;
- telephone contact even without an operator.
The processing in question can be carried out if:
- you give your consent for use of the data, also with reference to the methods of communication, both traditional and automated, with which the processing takes place;
- where the processing is carried out through contact with a telephone operator, you are not enrolled in the register of objections referred to in Presidential Decree no. 178/2010;
- you have not objected to the processing and/or, where applicable, you have not specifically and separately objected to the sending of communications through traditional methods and/or through automated means.
4) for IT security purposes
The Data Controller processes, also through its suppliers (third parties and/or recipients), your personal data, to the extent strictly necessary and proportionate to guarantee the security and ability of a network or the servers connected to it to withstand, at a certain level of security, unforeseen events or unlawful or malicious actions that compromise the availability, authenticity, completeness or confidentiality of the personal data stored or transmitted.
For these purposes, the Data Controller has set up procedures to manage personal data breaches.
What happens if you do not provide your data?
If you do not provide your personal data, the Data Controller will not be able to carry out the processing related to the management of the contract and the services connected to it or the obligations that depend on them.
The Data Controller intends to carry out some processing in relation to certain legitimate interests that do not affect your right to confidentiality, such as those that:
- make it possible to prevent IT incidents and give notification to the supervisory authority or notify users, if necessary, of the breach of personal data;
- allow communication to third parties/recipients for activities related to those of contract management.
What happens if you do not give your consent to the processing of personal data for marketing purposes (direct, research and market surveys) of the Data Controller?
The processing of your personal data will not take place for these purposes; this will not affect the processing of your data for the main purposes, nor for that for which you have already given your consent, if requested.
How and for how long are your data stored?
How?
Data processing is carried out through hard-copy or IT procedures by specifically authorised and trained internal parties. They are allowed access to your personal data to the extent and to the limits necessary to perform the processing activities that concern you. The data belonging to particular categories are processed separately from the others, also by means of pseudonymisation or aggregation methods that do not allow you to be easily identified.
The Data Controller periodically checks the tools through which your data are processed and the security measures envisaged for them, which require constant updating; it checks to ensure, including through the parties authorised to process the data, that personal data that do not need to be processed are not collected, processed, archived or retained; it checks to ensure that the data are retained with the guarantee of completeness and authenticity and they are effectively used for the purposes of the processing.
Where?
The data are stored in hard copy, IT and remote archives located within the European Economic Area. Your personal data may be transferred to the following non-EU countries – with full assurance of the guarantees provided for by European legislation:
– USA: existence of adequacy decision, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016, pursuant to Directive 95/46/EC of the European Parliament and of the Council, on the adequacy of the protection offered by the regime of the EU-US Privacy Shield [notified under number C (2016) 4176].
– MEXICO: existence of standard contractual clause of 27 December 2004 no. 50071/2004.
– TURKEY: existence of standard contractual clause of 27 December 2004 no. 50071/2004.
– RUSSIA: existence of standard contractual clause of 5 February 2010 no. 2010/87.
– CHINA: existence of standard contractual clause of 5 February 2010 no. 2010/87.
How long?
The personal data processed by the Data Controller are kept for the time necessary to carry out the activities related to the management of the contract with the Data Controller and up to ten years after its conclusion (art. 2946 of the Italian Civil Code) or from when the rights that depend on it may be asserted (pursuant to art. 2935 of the Italian Civil Code); as well as for the fulfilment of obligations (e.g. tax and accounting) that remain even after the termination of the contract (art. 2220 of the Italian Civil Code), for which the Data Controller must retain only the data necessary to fulfil said obligations. This is without prejudice to cases in which the rights deriving from the contract are to be asserted in court, in which case your data, and only those necessary for these purposes, will be processed for the time necessary for this reason.
The personal data processed by the Data Controller for marketing purposes (direct, research and market surveys) will be retained for 24 months by the Data Controller unless you withdraw the consent you have given and/or unless you object to the processing.
However, this is without prejudice to your right to object to processing based on legitimate interest at any time for reasons related to your particular situation.
What are your rights?
In essence, you can, at any time, free of charge and without special charges or formalities for your request:
- obtain confirmation of the processing carried out by the Data Controller;
- access your personal data and find out about their origin (when the data are not obtained from you directly), the purposes and scope of the processing, the data of the parties to whom they are communicated, the retention period of your data or useful criteria to determine it;
- withdraw consent at any time if this constitutes the basis of the processing. In any case, the withdrawal of consent does not affect the lawfulness of the processing based on the consent given before the withdrawal itself;
- update or rectify your personal data so that they are always precise and accurate;
- delete your personal data from databases and/or archives, including Data Controller backups if, inter alia, they are no longer necessary for the purposes of the processing or if this is assumed to be unlawful, and always if the conditions set out under the law apply; and in any case if the processing is not justified by any other equally legitimate reason;
- restrict the processing of your personal data in certain circumstances, for example where you have contested the accuracy, for the period necessary for the Data Controller to verify their accuracy. You must also be informed, in a reasonable time, of when the suspension period has been completed or the cause of the restriction of the processing has ceased, and therefore the limitation itself has been revoked;
- obtain your personal data, if received and/or otherwise processed by the Data Controller with your consent and/or if their processing takes place on the basis of a contract and with automated tools, in electronic format also in order to transmit them to another data controller.
The Data Controller must do so without delay and, in any case, at the latest within one month of receiving your request. The deadline may be extended by two months, if necessary, taking into account the complexity and number of requests received by the Data Controller. In such cases, the Data Controller will inform you of the reasons for the extension within one month of receiving your request.
For any further information and in any case to send your request, you must contact the Data Controller at privacy@sisma.com.
How and when can you object to the processing of your personal data?
For reasons relating to your particular situation, you can object to the processing of your personal data at any time if it is based on a legitimate interest or if it concerns the processing of personal data whose provision is subject to your consent, by sending your request to the Data Controller at the address privacy@sisma.com.
You have the right to delete your personal data if there is no legitimate reason overriding the one that gave rise to your request, and in any case if you objected to the processing.
How can you lodge a complaint?
Without prejudice to any other administrative or judicial action, you can lodge a complaint with the competent supervisory authority, i.e. the authority that carries out its duties and exercises its powers in Italy, where you have your habitual residence or work, or if not in Italy, in the Member State where the breach of Regulation (EU) 2016/679 occurred.
Any update of this privacy statement will be communicated to you promptly and by appropriate means. You will also be informed if the Data Controller is to process your data for purposes other than those referred to in this information report, before it proceeds and in time for you to give your consent if necessary.