About us and what we do with your personal data
Sisma S.p.A., with registered office in Via Industria 1, (36013) Piovene Rocchette (VI) (hereinafter also the Data Controller), in its capacity as data controller, is concerned with the confidentiality of your personal data and guarantees that they will be protected against any event that may put them at risk of breach.
To this end, the Data Controller implements policies and practices regarding the collection and use of personal data and the exercise of the rights recognised by the applicable legislation. The Data Controller is responsible for updating the policies and practices adopted for the protection of personal data whenever necessary and in any case in the event of regulatory and organisational changes that could affect the processing of your personal data.
The Data Controller has appointed a Data Protection Officer (DPO) who you can contact if you have questions about the policies and practices adopted

How does Sisma S.p.A. collect and process your data?
The Data Controller collects and/or receives information about you, such as:

• name, surname
• tax code
• VAT number
• telephone number
• address
• email
• landline and/or mobile phone number

The personal information concerning you will be processed for:
1) the management of the contractual relationship and the consequent obligations, including regulatory requirements
The processing of your personal data takes place to carry out the preliminary activities and consequent to the management of the contractual relationship established, for the management of payments, the handling of complaints, as well as for the fulfilment of any other obligation deriving from the contract, such as registration and retention of your personal data.
The obligations that the Data Controller must fulfil depending on the contract and specific regulations governing it, are, inter alia, those of:

• keeping the accounts.

Your personal data is also processed to prevent fraud, including contractual. Finally, your data (such as landline and/or mobile phone number and electronic address) will be processed to provide you with assistance on the services covered by the contract.
Your personal data may also be used to forward specific communications and information relating to contractual obligations or deadlines, how the service is provided or any business operating needs and for the sending of promotional messages containing offers similar to those related to the contracted service (so-called soft spam). Without prejudice to the principles of necessity, relevance
and non-surplus, these notices may be made on paper, by telephone (landline or mobile number with direct, pre-recorded and/or text message) or electronic means (email).

• Your personal data is also collected from third parties such as:
  -lists and registers kept by public authorities or under their authority or similar bodies based on specific national and/or international legislation;

2) for disclosure to third parties and recipients
The processing of your personal data occurs in accordance with the contract and the obligations, including legal and/or regulatory ones, arising therefrom.
Your data will not be disclosed to third parties/recipients for their own purposes unless:

• She gives permission for it;
• is necessary for the fulfillment of obligations arising from the contract and from the laws that govern it (for example, for the defense of your rights, for reporting to the supervisory authorities, etc.);
• the communication is made to IT consultants, consultants involved in administrative and accounting management, and companies of the Group to which the Data Controller belongs.

3) for marketing activities related to the Data Controller’s services
Your personal data is processed to offer services in addition to those you have subscribed to, or to improve or better meet your needs, and to send you advertising material. Your data (such as name, surname, address, landline and/or mobile telephone number, email address) may be processed for:

• e-mail;
• sms;
• telephone contact even without an operator;
• paper mail.

The treatment in question can be carried out if:

• you give your consent to the use of your data also with reference to the communication methods, both traditional and automated, with which the processing takes place;
• if, in the event that the processing is carried out through contact with a telephone operator, you are not registered in the register of objections pursuant to Presidential Decree no. 178/2010;
• if you have not objected to the processing and/or if, where applicable, you have not specifically and separately objected to the sending of communications through traditional methods and/or through automated means.

4) For IT security purposes
The Data Controller processes, including through its suppliers (third parties and/or recipients), your personal data to the extent strictly necessary and proportionate to ensure the security and ability of a network or the servers connected to it to withstand, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity, and confidentiality of personal data
stored or transmitted.
To these purposes, the Data Controller has established procedures for managing data breaches.
What happens if you do not provide your data?
If you do not provide your personal data, the Data Controller will not be able to process the data related to the management of the contract and the related services, nor will it be able to fulfill the obligations that depend on them.
The Data Controller intends to carry out certain processing based on certain legitimate interests that do not compromise your right to privacy, such as those that:

• they allow for the prevention of cyber incidents and the notification to the supervisory authority or communication to users, if necessary, of the personal data breach;
• allow communication to third parties/recipients for activities related to contract management.

What happens if you do not consent to the processing of your personal data for marketing purposes (direct marketing, research, and market research) specific to the Data Controller?
Your personal data will not be processed for these purposes; this will not affect the processing of your data for the primary purposes, nor for those for which you have already given your consent, if required.
How, where and for how long is your data stored?
How
Data processing is carried out using paper or computerized procedures by specifically authorized and trained internal personnel. These personnel are granted access to your personal data to the extent and within the limits necessary to carry out the processing activities concerning you. Data belonging to special categories are processed separately from other data,
including through pseudonymization or aggregation methods that do not allow for easy identification.
The Data Controller periodically verifies the tools used to process your data and the security measures implemented therefor, which it ensures are constantly updated. It verifies, also through authorized data processors, that no unnecessary personal data is collected, processed, archived, or retained. It also verifies that the data is stored with guarantees of integrity and authenticity and that it is used for the purposes of the processing actually performed.

Where
The data is stored in paper, computer, and electronic archives located within the European Economic Area. Your personal data may be transferred to the following non-EU countries, fully complying with the guarantees required by European legislation:

• USA, existence of adequacy decision, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield [notified under document C(2016) 4176].
• MEXICO: existence of standard contractual clause no. 27 December 2004 no. 50071/2004.
• TURCHIA: sussistenza di clausola contrattuale standard n. 27 dicembre 2004 n. 50071/2004.
• RUSSIA: existence of standard contractual clause of 5 February 2010 n. 2010/87.
• CHINA: Existence of standard contractual clause of 5 February 2010 n. 2010/87.

For Google hosting services, the following guarantees are ensured pursuant to Articles 45 et seq. of the GDPR:

• application of the Data Privacy Framework;
• standard contractual clauses;
• adequacy decision.

How long
The personal data processed by the Data Controller is retained for the time necessary to complete the activities related to the management of the contract with the Data Controller and for up to ten years following its conclusion (Article 2946 of the Italian Civil Code) or from when the rights deriving from it can be asserted (pursuant to Article 2935 of the Italian Civil Code), as well as for the fulfillment of obligations (e.g., tax and accounting obligations)
that remain even after the conclusion of the contract (Article 2220 of the Italian Civil Code). For these purposes, the Data Controller must retain only the data necessary to fulfill them. This does not affect the cases in which rights deriving from the contract are asserted in court, in which case your data, only those necessary for such purposes, will be processed for the time strictly necessary to achieve them.
The personal data processed by the Data Controller for marketing purposes (direct marketing, research, and market surveys) will be retained by the Data Controller for 24 months unless you withdraw your consent and/or object to the processing.
Your right to object at any time to processing based on legitimate interest for reasons related to your particular situation remains unaffected.
What are your rights?
In essence, you may, at any time and free of charge and without any particular charges or formalities for your request;

• ottenere conferma del trattamento operato dal Titolare;
• access your personal data and know their origin (when the data is not obtained directly from you), the purposes and aims of the processing, the data of the subjects to whom they are communicated, the period for which your data will be stored or the criteria used to determine it;
• withdraw consent at any time, if it forms the basis for the processing. However, withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal;
• update or rectify your personal data so that it is always accurate and up-to-date;
• Delete your personal data from the Data Controller’s databases and/or backup archives if, among other things, they are no longer necessary for the purposes of the processing or if the processing is deemed unlawful, provided that the legal requirements are met; and in any case, if the processing is not justified by another equally legitimate reason;
• Restrict the processing of your personal data in certain circumstances, for example, if you have contested its accuracy, for a period of time necessary for the Data Controller to verify its accuracy. You must also be informed, within an appropriate timeframe, when the suspension period has expired or the reason for the restriction of processing has ceased to exist, and the restriction has therefore been lifted;
• obtain your personal data, if received and/or otherwise processed by the Data Controller with your consent and/or if their processing takes place on the basis of a contract and with automated tools, in electronic format also for the purpose of transmitting them to another Data Controller.

The Data Controller shall proceed in this manner without delay and, in any case, no later than one month after receiving your request. This deadline may be extended by two months if necessary, taking into account the complexity and number of requests received by the Data Controller. In such cases, the Data Controller will inform you within one month of receiving your request and provide you with the reasons for the extension.
For any further information and to submit your request, please contact the Data Controller at privacy@sisma.com.
How and when can you object to the processing of your personal data?
For reasons relating to your particular situation, you may object at any time to the processing of your personal data if it is based on legitimate interest or if it concerns the processing of personal data subject to your consent, by sending your request to the Data Controller at privacy@sisma.com.
You have the right to have your personal data erased if there is no legitimate reason that prevails over the reason for your request, and in any case if you have objected to the processing.
Who can I complain to?
Without prejudice to any other administrative or judicial action, you may lodge a complaint with the competent supervisory authority, or the authority that carries out its duties and exercises its powers in Italy, where you have your habitual residence or place of work, or, if different, in the Member State where the violation of Regulation (EU) 2016/679 occurred.
Any updates to this policy will be communicated to you promptly and using appropriate means. You will also be notified if the Data Controller will proceed with the processing of your data for purposes other than those referred to in this policy before proceeding and in time to provide your consent, if necessary.