- Object of processing
The Controller collects three types of data:
- Data communicated by the User
The optional, explicit and voluntary sending of messages to the addresses indicated on the Site entails the acquisition of the sender’s contact data (such as name, surname, e-mail address, telephone or fax number, etc.), as well as any further personal data included in the communication and in the attached documentation.
This data is processed in order to follow up on the requests submitted by the Data Subject. To this end, the provision of certain data is compulsory and any refusal to provide such data may result in a failure to respond to the data subject’s request for the sending (also) of informative material.
The receipt of newsletter or other commercial or marketing communications is, instead, optional and is subject to separate consent.
- Navigation data
It is possible to access the Site and view its contents, including the news published, without being required to provide any personal data. However, the computer systems and software used to operate the Site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This information is not collected in order to be associated with identified interested parties, but, also by its nature could allow the identification of the Interested Party, through processing or association.
This category includes the IP addresses or domain names of the computers used by users accessing the Site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, etc. These data are used to obtain anonymous statistical information on the use of the Site (such as, in particular, the number of accesses) and to check its correct functioning. No directly identifying information is processed in this process.
- Purpose of the processing
The personal data of the Interested Party who navigate on the Site will be lawfully processed by the Data Controller in accordance with the provisions of Article 6 of the Regulation for the following processing purposes:
- a) Legal obligations, the personal data provided by the Interested Party will also be processed in order to comply with legal obligations, including those of an accounting, administrative and regulatory nature, provided for by current legislation. For such purposes, the personal data of the Data Subject may be transmitted to the competent Authorities, including control Organizations.
- b) Management of responses, the personal data provided by the User may be processed in order to handling requests for information sent to the Data Controller through the section named “Contact us for information” of the Site, as well as – for CVs only – for recruitment purposes.
- c) Sending of commercial information and newsletters, the data provided by the Data Subject may be used for marketing purposes, i.e. for commercial communications concerning the sending of promotional and advertising material. In this case, the data of the Interested Party are collected with the explicit consent of the User, by means of a specific flag/check.
- Legal basis of the processing and consequences in the event of non-consent
The processing of the User’s data is legitimate and is based:
- For the purposes referred to point 2, letter a), on the fulfilment of legal obligations to which the Data Controller is subject (pursuant to article 6, co 1, letter c of the Regulation);
- For the purposes referred to point 2, letter b), on the performance of the services provided through the Site and requested by the User (pursuant to art. 6, co. 1, letter b of the Regulation);
- For the purposes of point 2, letter c) above, on the express consent of the User (pursuant to art. 6, co. 1, letter a of the Regulation).
The provision of personal data is strictly necessary for the purposes of carrying out the activities referred to in point 2, letter b) above, and the refusal of the User to provide and process such data prevents the processing of requests for information or the provision of services offered by the Data Controller.
With reference to the purposes of the processing referred to in point 2, letter c), consent to the processing of personal data is optional and may be expressed by checking the appropriate box at the bottom of the form to be filled in.
Failure to consent will only imply the impossibility to receive informative and promotional communications (including “newsletter”) from Euroma Group s.r.l..
The data subject may, in any case, revoke any consent given for the purposes described in point 2, letter c) c), by contacting the Data Controller at the contact details given in article 8, or via the link at the bottom of any promotional e-mail sent by Euroma Group.
- Processing methods
The Controller will process personal data through the operations indicated in Article 4 no. 2), of the GDPR, including collection, recording, storage, consultation, processing, modification, extraction, interconnection, blocking and deletion. The Data Subject’s personal data are processed mainly in electronic form and through automated systems and will be processed lawfully, fairly and with the utmost confidentiality, in compliance with the minimum security measures as set out in the GDPR.
The data will not be subject to public dissemination or to any fully automated decision-making process.
The data relating to the IP address will only be processed anonymously and for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its correct functioning.
- Communication of data
The data subject’s personal data may be communicated and processed, for the purposes set out in Article 3 above, by:
- employees and/or collaborators of the Data Controller in Italy and abroad (EU), in their capacity as authorised and/or internal data processors and/or system administrators, who are authorised and/or appointed for this purpose to process the personal data of the User;
- legal entities or natural persons acting as external data processors, carrying out activities in outsourcing, appointed by the Data Controller or data processors of Euroma Group s.r.l. (including entities entrusted with communication, marketing, advertising, promotions and sales of products, IT service providers, partners, credit institutions, professional firms).
An up-to-date list of the data processors and persons authorised to process data is kept at the registered office of the Data Controller.
- Storage and Data Transfer
The management and storage of personal data will take place on servers located within the European Union of the Data Controller and/or third party companies appointed and duly appointed as data processors.
Should the need arise to transfer abroad – to countries outside the European Union – the data collected for the purposes set out in point 2 above, such transfer will take place to countries that offer an adequate level of data protection, as established by specific decisions of the European Commission (https://www.garanteprivacy.it/Regolamentoue/trasferimenti-di-dati-verso-paesi-terzi-e-organismi-internazionali) or in any case in the presence of adequate guarantees of protection and safeguards required by the Regulation, by concluding data transfer contracts containing appropriate safeguard clauses and guarantees for the protection of personal data, so-called “standard contractual clauses”, also approved by the European Commission. In the absence of such safeguards, the transfer will only take place for the execution of pre-contractual and contractual measures in favour of the Data Subject under the conditions and within the limits of the provisions of Article 49 of the Regulation.
The Data Controller will process personal data for a limited period of time, which varies according to the type of purpose and activity for which the data is to be processed. Once this period has expired, personal data will be permanently deleted or in any case irreversibly anonymised.
In particular, personal data shall be stored in compliance with the following terms and criteria
- for the purposes referred to in point 2, letters a) and b), the Data Controller shall process personal data for the time necessary to fulfil the legal obligations or as required and in any case for no longer than 10 years from the provision of the service requested; the Data Controller shall update the data already provided and/or renew, upon expiry, its consent to processing, including the storage of data in the Data Controller’s databases;
- for the purposes of point 2, letter c), User’s data will be used until it is deleted by the Interested Party and in any case no later than 5 years from the sending of the last communication containing commercial communications.
IP address data will be deleted immediately after processing.
- Rights of the Data Subject
The User, in his or her capacity as Interested Party, is the holder of the rights referred to in Article 15 of the GDPR. More precisely:
- he/she has the right to obtain confirmation of the existence or non-existence of personal data concerning him/her, even if not yet recorded, and their communication in intelligible form;
- has the right to be informed: (a) of the origin of the personal data; (b) of the purposes and methods of the processing; (c) of the logic applied in the event of processing carried out with the aid of electronic instruments; (d) of the identification details of the data controller, data processors and representatives; (e) of the entities or categories of entity to whom or which the personal data may be communicated or who or which may get to know data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing;
- Furthermore, the Interested Party has the right to obtain: (a) the updating, rectification or, where interested therein, the integration of the data; (b) the cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose storage is not necessary in relation to the purposes for which the data were collected or subsequently processed (c) certification to the effect that the operations as per letters (a) and (b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
- Lastly, the User has the right to object, in whole or in part: (a) on lawful grounds, to the processing of personal data concerning him/her, even if pertinent to the purpose of collection; (b) to the processing of personal data concerning him/her for purposes not provided for in Article 2.
Also in accordance with Articles 15 et seq. of the GDPR, the User has the right (a) to request, at any time, access to his or her personal data, their rectification or erasure, and the restriction of processing in the cases provided for by Article 18 of the GDPR; (b) to obtain in a structured, commonly used and machine-readable format the data concerning him or her, in the cases provided for by Article 20 of the GDPR. At any time, he/she may revoke pursuant to Article 7 of the GDPR the consent given; lodge a complaint with the competent supervisory authority pursuant to Article 77 of the GDPR if he/she considers that the processing of his/her data is contrary to the legislation in force.
The User may formulate a request to object to the processing of his/her personal data pursuant to Article 21 of the GDPR in which he/she shall give evidence of the reasons justifying the objection. In this case, the Data Controller reserves the right to evaluate the request, which would not be accepted in the event of the existence of compelling legitimate grounds to proceed with the processing that prevail over the interests, rights and freedoms of the Interested Party.
- Communications and methods of exercising the rights of the User
The User, in his or her capacity as Interested Party, may at any time exercise his or her rights as set out in the previous article by sending
- a registered letter with return receipt to: EUROMA GROUP srl, Calderara di Reno (BO), via Cavour n. 5;
- an e-mail to the PEC address: firstname.lastname@example.org.
Furthermore, if the User should consider that the processing violates the Privacy Law, he/she may lodge a complaint with the Italian Data Protection Authority, or contact the same Authority to request information.
- Social buttons
The Owner uses social buttons on the Site. These are “digital buttons”, i.e. links connecting directly with the Social Network platforms configured in each individual “button”. By clicking on such links the Data Subject will be able to interact directly with the accounts (social pages) of the Data Controller.
The managers of the Social Networks, to which the buttons refer, are autonomous data controllers and reference is made to the individual privacy policies of the various Social Network platforms for the methods for managing and deactivating the relative cookies.
- Data Protection Manager.
The Data Controller communicates that it has appointed Annalisa Callarelli, lawyer, as data protection manager, who can be contacted at the following addresses: email@example.com; firstname.lastname@example.org.
Last update: June 2022.