About us and what we do with your personal data
Sisma S.p.A., with registered office in Via Industria 1, (36013) Piovene Rocchette (VI) (hereinafter also the Data Controller), in its capacity as data controller, is concerned with the confidentiality of your personal data and guarantees that they will be protected against any event that may put them at risk of breach.
To this end, the Data Controller implements policies and practices regarding the collection and use of personal data and the exercise of the rights recognised by the applicable legislation. The Data Controller is responsible for updating the policies and practices adopted for the protection of personal data whenever necessary and in any case in the event of regulatory and organisational changes that could affect the processing of your personal data.

The Data Controller has appointed a Data Protection Officer (DPO) who you can contact if you have questions about the policies and practices adopted: dpo@sisma.com
How and why does the Data Controller collect and process your personal data?
The Data Controller collects and/or receives information about you, such as:

  • name, surname
  • tax code or VAT number
  • place and date of birth
  • address
  • email
  • telephone number
  • identification code
  • current account number
  • data relating to criminal convictions and/or offences exclusively in the case of litigation

The personal data concerning you will be processed for the following purposes:

1) the management of the contractual supply relationship and the consequent obligations, including regulatory

Purpose Legal basis

– the management of the contractual relationship in all its phases, from negotiations to its definition, whatever the cause

– monitoring and updating of supply conditions and/or services and assignments

– registration, invoicing and accounting

Carrying out contractual and pre-contractual activities

Fulfillment of legal obligations and of obligations arising from the contract and the established relationship, such as, among others, those deriving from:

– Presidential Decree n. 633/1972 and subsequent amendments.

– Presidential Decree n. 600/1972 and subsequent amendments.

– Code of Ethics of the Data Controller

Fulfillment of economic, financial and social reporting obligations

Your data may also be collected from third parties such as, for example:

    • other data controllers, for example companies in the Group to which the Data Controller belongs;
    • IT service provider.

Data concerning you may be obtained by consulting:

  • lists kept by public or equivalent bodies or under the control of the public authority on the basis of specific national legislation.

2) for communication to third parties and for dissemination

Purpose Legal basis

communication to third parties such as:

– companies of the Group to which the Data Controller belongs

– Suppliers possibly involved in administrative and accounting management

– IT consultants

– Public bodies

Carrying out contractual and pre-contractual activities

Fulfillment of obligations arising from the contract

Compliance with legal obligations, including those deriving from:

– Presidential Decree n. 633/1972 and subsequent amendments.

– Presidential Decree n. 600/1972

Fulfillment of transparency and economic-social reporting obligations

The Data Controller does not transfer your personal data abroad (non-EU countries). Your personal data may be disseminated and disclosed through the Data Controller’s websites, where lists of suppliers and consultants are published in accordance with the Code of Ethics and the obligations of transparency and economic-social reporting.
Communication and dissemination concern the categories of data whose transmission and/or disclosure are necessary for the performance of the activities and purposes pursued by the Data Controller in managing the established relationship. The relevant processing does not require the data subject’s consent if it is required by law or to fulfill obligations arising from the contractual relationship, or if another exclusion applies (in particular, application of the provisions of the Code of Ethics and/or the Data Controller’s legitimate interest), expressly provided for or dependent on the laws and regulations applied by the Data Controller, or through third parties identified as data processors.

3) for IT security activities

Purpose Legal basis

– control and monitoring of the services displayed online and on the platforms belonging to the Data Controller and made available to you also by virtue of the activities carried out on behalf of the Data Controller (access to reserved areas, websites, email inbox, administration of the systems in use, etc.)

– implementation of procedures for detecting and notifying personal data breaches

Carrying out activities dependent on the established relationship

Fulfillment of legal obligations (detection and notification of data breach events)

Legitimate interest

How, where and for how long is your data stored?
How
Data processing is carried out using paper or computerized procedures by specifically authorized internal personnel. These personnel are granted access to your personal data to the extent and within the limits necessary to carry out the processing activities concerning you.
The Data Controller periodically verifies the tools used to process your data and the security measures implemented for them, which are constantly updated. It verifies, also through authorized personnel, that no personal data is collected, processed, archived, or retained that is unnecessary or whose processing purposes have been fulfilled. It verifies that the data is stored with guarantees of integrity and authenticity and that it is used for the purposes of the processing actually performed.
The Data Controller guarantees that data which, even following verification, is found to be excessive or irrelevant will not be used, except for the possible retention, in accordance with the law, of the deed or document containing it.
Where
The data is stored in paper, computer, and electronic archives located within the European Economic Area, and adequate security measures are ensured. Your personal data may be transferred to the following non-EU countries, fully complying with the guarantees required by European legislation:
  • USA: existence of an adequacy decision, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield [notified under document C(2016) 4176];
  • MEXICO: existence of standard contractual clause of 27 December 2004 no. 50071/2004;
  • Türkiye: existence of standard contractual clause of 27 December 2004 no. 50071/2004;
  • RUSSIA: existence of standard contractual clause of 5 February 2010 n°2010/87;
  • CHINA: existence of standard contractual clause of 5 February 2010 n°2010/87.

How long
Your personal data is retained for the time necessary to complete the activities related to the management of the contract you have entered into with the Data Controller and for the related obligations, including legal obligations.
In particular:

identification data and data relating to relationship management

Duration of the contractual relationship

The following are saved:

– termination of the contract (for any reason)

– purposes that continue beyond the conclusion of the contract (e.g., accounting, art. 2220 of the Italian Civil Code)

– the limitation periods: from five to ten years from the definition of the relationship and in any case from the moment in which the rights deriving from it can be exercised (articles 2935, 2946 and 2947 of the Civil Code)

Without prejudice, furthermore, to any dispute which may entail an extension of the aforementioned terms, for the time necessary to pursue the relevant purpose.

Computer data (system and network access logs and/or IP addresses). The retention period depends on the presumed and/or detected risk and the resulting detrimental consequences, without prejudice to measures to anonymize the data or limit its processing.
In any case, the data must be retained (starting from the time of knowledge/detection of the risk event or data breach) for the time necessary to notify the supervisory authority of the detected data breach through the procedures implemented by the Data Controller and, in any case, to remedy the breach.

Once all the purposes that justify the retention of your personal data have been exhausted, the Data Controller will take care to delete them or make them anonymous.
What are your rights?
Your rights allow you to always have control over your data.
Your rights are:

  • access;
  • rectification;
  • cancellation;
  • limitation of processing;
  • opposition to processing;
  • portability.

In essence, you can, at any time and free of charge and without any particular charges or formalities for your request:

  • obtain confirmation of the processing carried out by the Data Controller;
  • access your personal data and know their origin (when the data is not obtained directly from you), the purposes and aims of the processing, the data of the subjects to whom they are communicated, the period for which your data will be stored or the criteria used to determine it;
  • update or rectify your personal data so that it is always accurate and up-to-date;
  • delete your personal data from databases and/or backup archives if, among other things, they are no longer necessary for the purposes of the processing or if the processing is deemed unlawful, provided that the legal requirements are met; and in any case, if the processing is not justified by another equally legitimate reason;
  • restrict the processing of your personal data in certain circumstances, for example, if you have contested its accuracy, for a period of time necessary for the Data Controller to verify its accuracy. You must also be informed, within an appropriate timeframe, when the suspension period has expired or the reason for the restriction of processing has ceased to exist, and the restriction has therefore been lifted;
  • obtain your personal data, if their processing is carried out on the basis of a contract and with automated tools, in electronic format also for the purpose of transmitting them to another Data Controller.

The Data Controller shall proceed in this manner without delay and, in any case, no later than one month after receiving your request. This deadline may be extended by two months if necessary, taking into account the complexity and number of requests received. In such cases, the Data Controller will inform you and explain the reasons for the extension within one month of receiving your request.
For any further information and to submit your request, please contact the Data Controller at privacy@sisma.com.
How and when can you object to the processing of your personal data?
For reasons relating to your particular situation, you may object at any time to the processing of your personal data if it is based on legitimate interest by sending your request to privacy@sisma.com.
You have the right to have your personal data erased if there is no legitimate reason that prevails over the reason for your request.
Who can I complain to?
Without prejudice to any other administrative or judicial action, you may lodge a complaint with the supervisory authority for the protection of personal data, unless you reside or work in another Member State. In the latter case, or where the breach of personal data protection legislation occurs in another EU country, the supervisory authorities established there will be competent to receive and handle the complaint.
Any update to this privacy notice will be communicated to you promptly and by appropriate means; you will likewise be informed before the update is made and in time to give your consent, if necessary.
