IDS S.p.A., with headquarters at Via Valletta San Cristoforo 28/10, 17100 Savona (SV), Italy; Italian tax code 00316290105 and VAT no. IT00786780098 (hereinafter the “Controller”), as controller, hereby informs you pursuant to article 13 of Italian Legislative Decree no. 196 of 30/6/2003 (hereinafter the Italian “Data Protection Code”) and article 13 of Regulation (EU) 2016/679 (hereinafter the “GDPR”) that your data will be processed with the following methods and for the following purposes:
1. Data Subject to Processing
The Controller processes identifying and non-sensitive personal information (more specifically name, surname, tax code, VAT number, email address, telephone number – hereinafter referred to as “personal information” or “data”) provided by you when signing up to the Controller’s website or subscribing to the newsletter service offered by the Controller.
2. Purposes of the Processing
Your personal data will be processed:
A) Without your explicit consent (article 24, a, b, c of the Data Protection Code and article 6, b, e of the GDPR), for the following purposes involved with providing services:
– Allowing you to register on the website
– Managing and maintaining the website
– Allowing you to sign up to the newsletter service provided by the Controller, and any further services you may request
– Complying with precontractual, contractual and tax obligations deriving from existing relationships with you
– Complying with obligations set out in law, regulations, EC regulations or an order from the authorities
– Preventing or discovering fraudulent activity or abuse which is damaging to the website
– Exercising the rights of the Controller, for example the right to defend itself in court
B) With your explicit consent only (articles 23 and 130 of the Data Protection Code and article 7 of the GDPR), for the following marketing purposes:
– Sending you newsletter emails, marketing communications and/or advertising material on products and/or services offered by the Controller
Please note that if you are an existing customer, we may send you marketing communications relating to products and services of the Controller equivalent to those you have already purchased, unless you explicitly request otherwise (article 130 para. 4, Italian Data Protection Code).
3. Methods of Processing
The processing of your personal data is performed via the operations specified in article 4 of the Data Protection Code and article 4 (2) of the GDPR, more specifically: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of the data. Your personal data may undergo processing both on hardcopy and via electronic/automated means.
The Controller will process your personal data for the time required to fulfil the purposes outlined above, and in any case for no longer than 10 years from the termination of the relationship for the purposes of providing services, and for no more than 2 years from collection for marketing purposes.
4. Access to Data
Your data may be made accessible for the purposes under articles 2.A) and 2.B):
– To employees and contractors of the Controller or companies of IDS S.p.A. of which the Controller is part, as internal Processors and/or processing personnel and/or system administrators
– Companies of the group (COMPANY) of which the Controller is part (for example, for supporting activities in the client feasibility study, for technical management activities of the project) or to third parties (for example website management and maintenance providers, suppliers, credit institutes, professional practices etc.) which carry out outsourced activities on behalf of the Controller, as external Processors.
5. Disclosure of Data
Without your explicit consent (pursuant to article 24 a), b), d) of the Data Protection Code and article 6 b) and c) of the GDPR), the Controller may disclose your data for the purposes under article 2. A) to supervisory bodies, judicial authorities and all other parties to whom such disclosure is mandatory by law for fulfilment of the specified purposes. Your data will not be disseminated.
6. Transfer of Data
Your data will be managed and stored on servers located within the European Union belonging to the Controller and/or third companies duly assigned and nominated as Processors. These servers are currently located in Italy. The data will not be subject to transfer outside the European Union. It shall be understood in any case that the Controller retains the right, where necessary, to move the servers within Italy and/or the European Union and/or to third countries. In such a case, the Controller guarantees that such transfer of data to third countries (outside the EU) will take place pursuant to applicable legal provisions, drawing up, where necessary, agreements guaranteeing an adequate level of protection and/or adopting the standard contractual clauses specified by the European Commission.
7. Nature of Provision of Data and Consequences of Refusal to Respond
Providing data for the purposes under article 2.A) is mandatory. Without them, it will not be possible to register you on the site or provide the services under article 2.A).
Providing data for the purposes under article 2.B), on the other hand, is optional. You may therefore decide not to provide any data or to subsequently refuse the possibility to process data already previously provided: in this case, it will not be possible for you to receive newsletters, marketing communications and advertising materials relating to the services offered by the Controller. In any case, you will continue to have a right to the services under article 2.A).
8. Rights of the Data Subject
As Data Subject, you have the rights laid out in article 7 of the Italian Data Protection Code and article 15 of the GDPR; more specifically, you have the right to:
i. Receive confirmation of the existence or otherwise of your personal data, even if not yet recorded, and communication of such data in intelligible format
ii. Receive information on: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the case of processing with the aid of electronic devices; d) identifying details of the Controller, Processor and designated representative pursuant to article 5 para. 2 of the Italian Data Protection Code and article 3 para. 1, GDPR; e) of the parties or categories of parties to whom the personal data may be disclosed or who may come to have knowledge of it as designated representative in the country, as Processors or processing personnel;
iii. Request: a) updates to, correction of or, when it concerns you, supplementation of the data; b) deletion, anonymisation or blocking of data processed in violation of the law, including those which it is not necessary to retain in relation to the purposes for which the data were gathered or subsequently processed; c) certification that the operations under a) and b) have been notified to the parties to whom the data have been disclosed or disseminated, including as regards their content, with the exception of cases in which fulfilment of this proves impossible or would lead to the use of means manifestly disproportionate to the right being protected;
iv. Object, partially or completely, to: a) processing of personal data relating to you for legitimate reasons, even if such data is pertinent to the purpose for which it was gathered; b) to processing of personal data relating to you for the purposes of sending advertising or direct sales material, or for the performance of market research or marketing communications, through the use of automated calling systems without the use of an operator, via email and/or via traditional marketing methods via telephone and/or post. Note that the Data Subject’s right to object outlined in point b) above, for direct marketing purposes using automated means extends to traditional ones, and the Data Subject nevertheless retains the possibility to exercise their right to object even only in part. As such, the Data Subject may decide to receive only communications via traditional media, or only automated communications, or else neither of the two types of communications.
Where applicable, they also have the rights laid out in articles 16-21 GDPR (right to correction, right to be forgotten, right to limitation of processing, right to data portability, right to object), as well as the right to make a complaint to the Data Protection authority.
9. Method of Exercising Rights
You can exercise your rights at any time by sending:
– A registered letter with return receipt to IDS S.p.A, Via Valletta San Cristoforo 28/10, 17100 Savona (SV), Italy;
– En email to firstname.lastname@example.org
This site and the services of the Controller are not for the use of persons under the age of 18, and the Controller does not intentionally collect personal information relating to minors. In the event that information on minor persons were inadvertently recorded, the Controller will delete such information in a timely manner upon user request.
11. Controller, Processor and processing personnel
The Controller is (…)
The updated list of Processors and assigned processing personnel is held at the Controller’s premises.
12. Modifications to this Policy
This Policy is subject to change. We therefore recommend that you check this Policy on a regular basis and refer to the latest up-to-date version.