Privacy Policy

PRIVACY POLICY

Articles 12 et seq. of Regulation (EU) 2016/679 (GDPR)

 

RECITALS

In compliance with the provisions of EU Regulation 2016/679 (hereinafter called GDPR), we provide below information on the processing of personal data given by the data subject with regard to the latter’s relations with the Companies belonging to the Zucchetti Group, which are to be construed as Zucchetti Spa and its subsidiaries or affiliates or associated companies and companies controlling the latter (hereinafter referred to as the Companies). This notice is given in accordance with Article 13 of the GDPR.

 

1. IDENTITY AND CONTACT INFORMATION

For the purposes of this policy, the Companies may act as Data Controllers pursuant to Article 4 GDPR or as Joint Data Controllers pursuant to Article 26 GDPR.

The list of the Joint Data Controllers can be found below: (https://www.zucchetti.it/website/cms/societa-del-gruppo.html / https://www.zucchetti.it/website/cms/zucchetti-mondo.html)

The Joint controller agreement is available upon request, by sending an email to ufficio.privacy@zucchetti.it.

You can contact the Companies at: via Solferino n. 1 – 26900 Lodi (LO),   tel: ++39 0371/5941; email: ufficio.privacy@zucchetti.it.

 

2. CONTACT DETAILS OF THE DATA PROTECTION OFFICER (DPO)

The Data Protection Officer is Mario Brocca, tel. ++39 0371/5943191, email: dpo@zucchetti.it; certified email address: dpogruppozucchetti@gruppozucchetti.it.

For more information on any other Data protection officers you can reach out to ufficio.privacy@zucchetti.it.

 

3. PURPOSE OF PROCESSING, LEGAL BASIS AND DATA STORAGE PERIOD

 

Purpose	Type of data processed	Legal Basis	Role Group Company	Storage period
(a) Pre-contractual/contractual Provide information on marketed products and services, if requested by the data subject; execution of existing contractual relationships.	Master data and contract data; data necessary for the execution of the contractual relationship.	Execution of a contract of which you are a party or pre-contractual measures taken at the request of the data subject; legal fulfilments and obligations. Art. 6 co. 1(b) and (c) GDPR	Data controller	According to legal regulations.
(b) Direct marketing Sending, by automated means of contact (email and instant messaging) and traditional means (operator-assisted telephone calls and regular mail), advertising materials, newsletters, promotional and commercial communications related to products and/or events and/or related training courses, as well as market studies and statistical analysis and customer satisfaction surveys.	Master data and contact information	Consent (required by contract or specific request); (optional and revocable at any time) Art. 6 co. 1(a) GDPR If the data subject has not given consent for the sending of commercial communications by automated means, he or she may still receive them through traditional means, if he or she has not expressed dissent through ordinary means and/or the Public opt-out registry.	Joint controllers	Until consent for that purpose is withdrawn and/or five years have passed since the expression of consent.
(c) Marketing on already customers Sending communications related to contracted products/services and/or similar products/services to those already contracted (newsletters, webinars, events, training activities	Master data and contact data; on the company you belong to and role held	Legitimate interest Art. 6 co. 1(f) GDPR	Joint controllers	Until consent is withdrawn
(d) Indirect marketing Disclosure of data to business partners/third parties so that they can make you the recipient of marketing communications.	Master data and contact information.	Consent (required by contract or specific request) (optional and revocable at any time) Art. 6 co. 1(a) GDPR	Joint controllers	Until consent for that purpose is withdrawn and/or five years have passed since the last interaction with the Joint Controllers.
(e) collection and publication of contents: generation of case histories and publication on social networks, newspapers, magazines and websites of images, videos, reviews, evaluations and other content that the data subject may freely decide to share with the Joint Controllers, as well as on any other media used (as provided for in the individual consents requested from time to time).	Master data; pictures, sounds, company you belong to, professional experience role, nickname, social networks profile	Consent (optional and revocable at any time) Art. 6  Co. 1(a) GDPR	Joint controller	Until consent for that purpose is withdrawn and/or five years have passed since the last interaction with the Joint Controllers.
(f) If necessary , to ascertain, exercise, or defend the rights of joint controllers in court.	Master data and contact data, data necessary for the execution of the contract.	Data controller	Titolare del trattamento	For as long as necessary to exercise rights in court.
(g) Registration on Internet Portals.	Master data and contact data, on the company you belong to and job position held	Express consent	Joint controller	Five years since the last interaction
(h) Service purposes on purchased products and services.	Master data, contact data, personal data according to the product/service contracted.	Execution of a contract of which you are a party (to solve faults and malfunctions). Legitimate interest (for analysis aimed at service improvement).	Data controller	Five years since the last interaction

 

*Upon deletion, the data may be retained for an additional period of up to one year, according to the companies’ information system backup storage policies.

 

4. MANDATORY NATURE OF DATA PROVISION

The data subject must provide the Companies with the data necessary for the performance of the contractual relationship, as well as the data necessary to fulfil obligations under laws, regulations, EU rules, or provisions of Authorities empowered to do so by law and supervisory and control bodies (referred to in purposes a) and f) above).

Data that are not essential for the performance of the contractual relationship are categorised and considered supplementary, and their provision by the data subject, if requested, is optional and subject to consent. The consent provided may be withdrawn by the data subject at any time by writing an email to: ufficio.privacy@zucchetti.it. Such withdrawal will in no way affect the lawfulness of processing based on the consents given before withdrawal.

 

5. PROCESSING METHODS

Personal data shall be recorded, processed, and stored in the Companies’ paper and electronic archives in compliance with the appropriate technical and organisational measures set forth in Article 32 of the GDPR. The processing of the data subject’s personal data may consist of any operation or set of operations among those indicated in Article 4, paragraph 1, point 2 of the GDPR.

Personal data will be processed through the use of appropriate tools and procedures to ensure their security and confidentiality, directly and/or through delegated third parties, either manually by means of paper media, or by means of computer or electronic tools. The data, for the purpose of proper management of the relationship and fulfilment of legal obligations, may be included in the Companies’ internal documentation and, if necessary, also in the records and registers required by law.

The personal data of the data subject may be processed by employees of the Companies’ corporate departments for the pursuit of the aforementioned purposes. These employees have been expressly authorised to process and have received appropriate operating instructions pursuant to Article 29 GDPR.

 

6. CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The data subject’s personal data may be communicated to and processed by external parties operating as autonomous data controllers pursuant to Articles 4 and 24 GDPR such as, by way of example, authorities and supervisory and control bodies and in general public or private parties entitled to request the data and/or to parties operating as Data Processors pursuant to Article 28 GDPR, such as, by way of example, consulting companies and/or professional firms and/or professionals, e.g. legal, tax and insurance companies. The data may also be disclosed by the Companies to their business partners/concessionaires for the fulfilment of activities related to the performance of the contract or for the performance – by them – of commercial actions. The list of business partners to which data may be disclosed can be found at: Partners

 

7. DATA TRANSFER TO NON-EU COUNTRIES

Data provided by the data subject will be processed only in countries located within the European Union. If the data subject’s personal data are processed in a non-EU state, the rights granted to the data subject under EU law will be guaranteed and the data subject will be promptly notified.

 

8. RIGHTS OF THE DATA SUBJECT

Pursuant to Articles 15 et seq. of the GDPR, the data subject may exercise the following rights:

1. access: confirming or not confirming that the processing of the data subject’s personal data is taking place and the right to access it; requests that are manifestly unfounded, excessive or repetitive cannot be satisfied;
2. rectification: correcting/obtaining the correction of personal data if incorrect or outdated and completing them if incomplete;
3. erasure/right to be forgotten: obtaining, in some cases, the deletion of the personal data that has been provided; this is not an absolute right, since the Companies may have legitimate or legal reasons for withholding them;
4. limitation: data shall be stored, but can neither be processed nor processed further in the cases envisaged in the regulations;
5. portability: moving, copying or transferring data from the Companies’ databases to third parties. This applies only to data provided by the data subject for the performance of a contract or for which consent and express consent has been given and processing is carried out by automated means;
6. objecting to direct marketing;
7. withdrawing consent at any time in the event that the processing is based on consent.

Pursuant to Article 2-undicies of Leg. Decree 196/2003, the exercise of the rights of the data subject may be delayed, limited or excluded by giving a reasoned notice without delay, unless such notice would adversely affect the purpose of the limitation, for such time and to the extent that this constitutes a necessary and proportionate measure, having regard to the fundamental rights and legitimate interests of the data subject, so as to safeguard the interests referred to in subsection 1, letters a) (protected money laundering interests), e) (the conduct of defensive investigations or the exercise of a right in court) and f) (the confidentiality of the identity of the employee who reports wrongdoing of which he/she has become aware as a result of his/her office). In such cases, the rights of the data subject may also be exercised through the Italian Data Protection Authority in the manner set forth in Article 160 of the same Decree. In such a case, the Data Protection Authority shall inform the data subject of having carried out all the necessary checks or of having carried out a review, as well as of the data subject’s right to appeal.

It should also be noted that – prior to processing requests – the Companies may check the identity of the data subject in order to assess the legitimacy of the request that has been received.

With a view to exercising these rights, the data subject may contact the Joint Controller Companies or autonomous Data Controllers in relation to the areas defined above at ufficio.privacy@zucchetti.it or by contacting 0371/594.3191 or by sending a message to Ufficio Privacy Zucchetti, via Solferino n. 1 – 26900 Lodi.

The Companies will reply within 30 days of receiving the formal request sent by the data subject.

It should be noted that, in the event of a breach of the data subject’s personal data, the data subject may file a complaint with the competent authority: “Data Protection Authority.”

 

 ZUCCHETTI GROUP COMPANIES