EXTENDED DISCLOSURE PURSUANT TO ARTICLES 12, 13 AND, WHERE NECESSARY, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER, THE GDPR)
Hereinafter, the Controller sets out the Disclosure pursuant to articles 12, 13 and, where necessary, 14 of the GDPR on the processing of personal data provided by you, the Customer/Data Subject, by filling in and signing the Contract to purchase products/services offered for sale by the Data Controller, where you spontaneously enter personal data through this website (specifically by filling in forms) or simply by browsing the site.
- Controller and contacts
The Controller is INDUSTRIAL PACK s.r.l., with registered office in Via San Donato 82, Bologna (BO), Italy, VAT no. IIT03764581207, tel. +39 051-000000, firstname.lastname@example.org, website https://www.industrialpack.it
- Principles applied to processing
In line with the provisions of the GDPR, the Controller shall constantly ensure that the personal data are:
processed lawfully, fairly and in a transparent manner;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date;
stored for a period of time not exceeding the achievement of the purposes for which they are processed;
processed, through technical and organisational measures, in a manner that guarantees their security;
processed, where based on consent, as a result of a decision freely taken by the Customer/Data Subject, based on a request submitted in a manner which can be clearly distinguished from the rest, in an easy to understand and easily accessible manner, using simple, clear language.
The Controller shall implement appropriate technical and organisational measures to ensure the protection of personal data from the design stage, and to guarantee that, by default, only the data necessary for each specific purpose of processing are processed.
The Controller shall collect and take the utmost account of the instructions, observations and opinions of the Customer/Data Subject sent to the addresses shown above, for the purpose of implementing a dynamic privacy management system that ensures the effective protection of people with regard to the processing of their data.
This Disclosure may be changed, in line with the evolution of the reference regulations and the technical and organisational measures adopted over time by the Controller. Therefore, you are asked to periodically visit this section of the Site, to view updates and the Disclosure in force at all times.
- Methods of processing of the personal data
Personal data is processed manually or using electronic tools, with approaches strictly correlated with the purposes indicated below and, in any event, in a manner that guarantees their security and confidentiality.
- Purposes of processing of the personal data
(4a) Purposes for which data processing is necessary
The personal data provided by you, the Customer/Data Subject, are mainly processed to execute the Contract and manage receivables and, more generally, the relationship deriving from the Contract.
You must provide the data in the Contract or subsequently, during the contractual relationship, for the purposes of the processing in question. Therefore, if you do not provide that data, partially provide it or provide incorrect data, it will be impossible to enter into and/or execute the Contract and for the Customer/Data Subject to use the products/services offered by the Controller, potentially exposing the Customer/Data Subject to liability for breach of contract.
The personal data provided by the Customer/Data Subject may also be processed if this is necessary to fulfil a legal obligation to which the Controller is subject, to protect the vital interests of the Customer/Data Subject or of another natural person, for the performance of a task carried out in the public interest or in the exercise of an official authority that the Controller is vested with, or to pursue the legitimate interest of the Controller or third parties, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. Also in these cases, you must provide the data and, therefore, if you do not provide that data, partially provide it or provide incorrect data, you, the Customer/Data Subject, may be exposed to the possible liability and sanctions provided by the legal system.
(4b) Additional purposes of processing following the specific, express consent of the Customer/Data Subject
In addition to the above purposes of processing, the personal data provided/acquired may be processed, after obtaining the consent of the Customer/Data Subject, to be expressed by checking the <> box in the Contract or on the Site (or using other social media or web apps of the Controller), also for conducting market surveys or commercial or promotional communications, by telephone (also using the mobile phone number provided) and via automated contact systems (email, text messages, fax, etc.) regarding products/services of the Controller or companies in the Group to which the Controller may belong.
The consent for the purposes of processing under this point (4b) is optional. Therefore, should you deny such consent, the data will be processed only for the purposes indicated in point (4a) above, save for that specified below with regard to the legitimate interest of the Controller or third parties.
- Categories of personal data processed
The Controller mainly processes identification/contact data (name, surname, addresses, type and number of ID documents, telephone numbers, email addresses, physical address/billing address, save for others) and, where commercial transactions are envisaged, financial data (banking details, specifically current account numbers and credit card numbers, save for others connected with said commercial transactions).
The processing that the Controller carries out, both for the performance of the Contract and by virtue of the express consent of the Customer/Data Subject, generally will not regard special categories of personal data, known as sensitive data (revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or sexual orientation, etc.) or genetic or biometric data or judicial data (relating to criminal convictions and offenses).
Nonetheless, for the purpose of fulfilling obligations deriving from the Contract, the Controller may need to store and/or process sensitive data (genetic, biometric or judicial data) of the Customer/Data Subject or third parties, which the Customer/Data Subject holds in the role of Controller. In this case, the Controller shall process the data in accordance with the conditions and within the limits of the Controller’s appointment as Processor by the Customer/Data Subject.
In the role of Controller in relation to the Site, and, potentially, in the role of Processor assigned to such operations (pursuant to the above terms) by the Customer/Data Subject, the Controller shall also process browsing data. During their normal operation, the IT systems and software procedures set up to operate the websites acquire certain personal data, whose transmission is implicit in the use of internet communications protocols. This information is not collected for the purpose of being associated with identified subjects, but, due to its nature, could make it possible to identify the Data Subject. This category of information includes geolocation data, IP addresses, browser types, operating system, domain names and URLs of websites used for access or exit, information on the pages visited by users within the site, time of access, time spent on a single page, analysis of the internal browsing process and other parameters relating to the user’s operating system and IT environment. Thus, this is information which, due to its nature, makes it possible to identify users, through processing and association also with data held by third parties.
Cookies may be used on the Site, both session cookies (which are not stored on the Data Subject’s computer and disappear when the browser is closed) and persistent cookies, for transmitting personal information, or, also, systems for tracking data subjects.
- Source of the personal data
The personal data that the Controller processes are directly collected by the Controller from the Customer/Data Subject at the time those subjects access, and while they browse the Site (or use other social or web apps of the Controller), or, also through its salespeople, at the time of or subsequent to entering into the Contract, in the performance thereof or from public sources.
As specified above, as the assigned Processor, the Controller, in order to fulfil the obligations deriving from the Contract, may store and/or process data, specifically browsing data, also potentially including sensitive, genetic, biometric or judicial data, of third parties, held by the Customer/Data Subject as the Controller, acquired, after obtaining the consent of those third parties, at the time those third parties access or while they browse the Site (or use other social or web apps connected with the Controller).
- Legitimate interests
The legitimate interests of the Controller or of a third party may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. In general, such legitimate interest could exist for example where there is a relevant and appropriate relationship between the Controller and the Data Subject, in situations such as where the Data Subject is a customer of the Controller. Specifically, the following constitute the Controller’s legitimate interest for processing personal data of the Customer/Data Subject: for the purpose of fraud prevention, for direct marketing purposes, to ensure the free circulation of that data within the business group to which the Controller may belong, or relating to traffic, in order to guarantee the security of networks and information, meaning the ability of a network or system to resist accidental events or unlawful actions that may compromise the availability, authenticity, integrity or confidentiality of the data.
- Circulation of the personal data
(8a) Communication of the personal data – categories of recipients
In addition to employees and various types of workers of the Controller (who are authorised by the Controller to carry out processing by virtue of suitable written operating instructions, in order to guarantee the confidentiality and security of the data), several processing operations may be carried out also by third parties, to which the Controller assigns certain activities or part thereof, for the purposes of point (4a), therefore, in execution of both the contractual obligations as well as legal obligations. These include, purely by way of example and not as a complete list: business and/or technical partners; companies that provide banking and financial services; companies that provide document archiving services; credit recovery companies; auditing and financial statement certification firms; ratings agencies; parties which provide professional support and consulting to the Controller; companies that perform customer care services; factoring companies, companies that perform securitisation or other assignment of receivables; companies in the Group to which the Controller belongs; parties that provide business intelligence and IT services. The parties in the above categories shall process the personal data in the role of autonomous controllers, or as processors, with regard to specific processing operations that form part of the contractual services that those parties execute in favour/in the interest of the Controller. The Controller shall provide suitable written operating instructions to the processors, with specific regard to the adoption of minimum security measures to guarantee the confidentiality and security of the data.
Certain processing operations may be carried out by third parties to which the Controller assigns certain activities or part thereof, also for the purposes of point (4b). These include, purely by way of example and not as a complete list: business and/or technical partners; companies that provide business marketing services; advertising agencies and parties that provide support and consulting on competitions and prize contests. The parties in the above categories shall process the personal data in the role of autonomous controllers, or as processors, with regard to specific processing operations that form part of the contractual services that those parties execute in favour/in the interest of the Controller. The Controller shall provide suitable written operating instructions to the processors, with specific regard to the adoption of minimum security measures to guarantee the confidentiality and security of the data.
By way of written request to be sent to the Controller’s registered office, you can obtain the periodically updated list of the Processors with which the Controller conducts business relationships.
The personal data may also be communicated, in the event of request, to the competent authorities, in fulfilment of obligations deriving from binding rules of law.
(8b) Transfers of personal data to third countries
The personal data of the Customer/Data Subject may also be transferred abroad, both to countries in the European Union and to those outside the European Union. In the latter case, the transfer shall take place based on an adequacy decision, or under adequate guarantees provided for by the GDPR (therefore, specifically, where there are standard data protection clauses approved by the European Commission), or, where neither of the cases above applies, applying one or more of the derogations provided for by the GDPR (in particular, by virtue of the specific consent of the Customer/Data Subject, or to execute the Contract entered into by the Customer/Data Subject, or to execute a contract entered into by the Controller with another natural or legal person in favour of the Customer/Data Subject, specifically to execute the services assigned to such person by the Controller for the purpose of executing the Contract entered into with the Customer/Data Subject). In the case of transfers of data to countries outside the European Union, following written request to be sent to the Controller’s registered office, you, the Customer/Data Subject, have the right to be informed of the adequate guarantees, or the derogations, that legitimise the cross-border processing. It is understood, in the event of transfers of data to countries outside the European Union, that, for each request pertaining to the data, also to exercise the rights granted by the GDPR to the Customer/Data Subject, you may always validly contact the Controller.
- Criteria for determining the period of storage of the personal data
For the purposes set out in point (4a) above, the period of storage of the personal data provided by the Customer/Data Subject, and their resulting potential processing, shall equal the statute of limitations of the rights/duties (legal, tax, etc.) deriving from the Contract: thus, generally 10 years, save for the occurrence of events that interrupt the statute of limitations, which could effectively extend said period.
For the purposes set out in point (4b) above, the period of storage of the personal data provided by the Customer/Data Subject, and their resulting potential processing, shall end with the revocation of the consent provided in advance by the Customer/Data Subject or, lacking such revocation, once one year has passed from the termination of all relationships between the Controller and the Customer/Data Subject.
- Rights of the Customer/Data Subject
The Controller recognises – and shall facilitate the exercise by the Customer/Data Subject of – all the rights provided for in the GDPR, specifically: the right to access his or her personal data and obtain a copy thereof (art. 15 GDPR), the right to rectification (art. 16 GDPR) and erasure thereof (art. 17 GDPR), the right to restriction of processing of their own data (art. 18 GDPR), the right to data portability (art. 20 GDPR, where conditions apply) and to object to processing of personal data concerning him or her (articles 21 and 22 GDPR, for the cases mentioned therein, in particular, to processing for marketing purposes or which translates into an automated decision-making process, including profiling, which generates legal effects that regard the data subject, where the conditions apply).
The Controller also recognises the Customer/Data Subject, where the processing is consent-based, the right to revoke said consent at any time, without harming the lawfulness of the processing based on the consent provided prior to revocation. To do this, you may unsubscribe from the Site at any time (or from other social or web apps of the Controller) or use the specific link at the bottom of each marketing communication received, or contact the Controller at the addresses shown above.
The Controller also informs you, the Customer/Data Subject, of your right to submit a complaint to the Personal Data Protection Authority, as the supervisory authority operating in Italy, and to initiate legal action, both against a decision by the Personal Data Protection Authority and against the Controller and/or a Processor.
- Security of systems and personal data
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, specifically ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of processing systems and services (also through the encryption of personal data, where necessary) and the ability to restore the availability of the data in a timely manner in the event of a physical or technical incident, and adopting a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures implemented.
In assessing the appropriate level of security account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
The Controller shall take steps to ensure that any person acting under its authority who has access to personal data does not process them except on instructions from the Controller.
That being said, the Customer/Data Subject acknowledges that no security system guarantees absolute protection in terms of certainty. Therefore, the Controller shall not be liable for acts or wrongdoing by third parties who, despite the adequate precautions adopted, may unlawfully access the systems without the required authorisations.
- Automated decision-making processes, including profiling
The Controller may carry out automated processing, including profiling, for the purposes set out in point (4b) above, to optimise the Site browsing experience (or the usability of other social or web apps of the Controller) and to improve the purchasing experience, save for that specified above with regard to the Customer/Data Subject’s right to object and revoke consent.
Profiling shall mean any form of automated processing of personal data evaluating specific aspects relating to a natural person, in particular to analyse or predict aspects concerning, for example, the data subject’s personal preferences, interests or location, as well as to create profiles, i.e. homogeneous groups of subjects by characteristics, interests or behaviour.
The Controller shall not carry out any automated processing that produces legal effects concerning the Customer/Data Subject or that similarly significantly affects him or her, save for that required to enter into or perform the Contract, or authorised by law, or based on the explicit consent of the Customer/Data Subject, in any case always granting the Data Subject the right to obtain human intervention, express his or her opinion and object to the decision.