In accordance with articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and in conformity with Legislative Decree no. 196 dated 30 June 2003 and subsequent amendments and additions made by Legislative Decree no. 101 dated 10 August 2018, Divin Porcello di Sartoretti Massimo & C. S.a.s., in its capacity as Data Controller, in the person of its pro-tempore legal representative, hereby informs you of the purposes and ways of processing the personal data collected, their context of communication and disclosure, as well as the type and provision, and more specifically the following.
Your common personal data, subject to processing, in the possession of the controller or that will be subsequently requested or received from third parties are necessary. They are the result of processing data provided by you when you registered for the services of Divin Porcello di Sartoretti Massimo & C. S.a.s., and will be used for:
1.1. without your express consent (art. 6 letters b) and e) of the GDPR, for the following Service purposes:
• to execute services requested by you, as advertised within the context of the website www.divinporcello.it;
• for the fulfilment of obligations imposed by the law, by a regulation, by an EU standard or by order of an official authority (such as for example on matters of money laundering);
• to exercise the Data controller’s rights, for example the right of legal defence;
• to complete the sale of products selected by you and to fulfil the contract agreed with you, as well as to exercise our relative rights, including in a court of law;
• to manage the services associated with your purchase including in the after sales period (e.g. Customer Services).
• to perform, either directly or indirectly, checks on the methods of payment chosen by the user for the purpose of preventing insolvency, fraudulent activity or to comply with the laws on money laundering applicable each time.
1.2. only subject to your specific and separate consent (art. 7 of the GDPR and subsequent amendments and additions and art. 130 of Legislative Decree 196/2003), for the following Marketing Purposes:
• to send you via e-mail, post, text messages or by telephone contact, newsletters, marketing communications and/or advertising material on products or services offered by the Data Controller and feedback surveys on the quality of the services;
• to send you via e-mail, post, text messages or by telephone contact, marketing communications and/or promotions from third parties (for example, business partners, insurance companies);
• to carry out market research, including via email, regarding products and services offered by the Data Controller. You are informed that if you are already our customer, we may send you marketing communications for the Data Controller’s services and products similar to those you have already used, unless you withdraw your consent (art. 130 c. 4 of Legislative Decree 196/2003 and subsequent amendments and additions).
Your personal data are processed with automated means and/or using paper by persons duly appointed to do so, and more specifically by the operations stated in art. 4 of the Privacy Code and art. 4 no. 2) of the GDPR and precisely collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, alignment or combination, restriction, erasure or destruction. Your personal data are processed on paper as well as by electronic and/or automated means.
You are also informed that the personal data provided by you will be processed in compliance with the ways indicated in GDPR 2016/679, namely:
1. processed lawfully, fairly and in a transparent manner;
2. collected and recorded for specified, explicit and legitimate purposes;
3. accurate and, if necessary, updated;
4. pertinent, complete and not excessive in relation to the formalities of the processing.
3. Communication and disclosure
Your personal data may be processed by employees of Divin Porcello di Sartoretti Massimo & C. S.a.s. for the purposes stated in point 1) above. These employees, appointed as Persons in charge of processing, will receive adequate training and operating instructions from Divin Porcello di Sartoretti Massimo & C. S.a.s. and will operate under the direct authority of the designated Data Processor. Divin Porcello di Sartoretti Massimo & C. S.a.s. may also communicate personal data to third parties belonging to the following categories: organisational, administrative, accountancy and taxation services, but only when this is essential in order to fulfil the obligations taken on by the parties:
• public authorities and supervisory and control bodies;
• persons who perform services of collecting, handling and processing data necessary for the purposes required in the contractual relationship with customers;
• insurance companies;
• credit reference agencies;
• persons whose job it is to gauge the level of customer satisfaction;
• persons who carry out filing and data entry services;
• persons involved in processing purchase orders, during both the sales and after-sales phases, such as – by way of example – companies who take care of sending out catalogues by post, customer services and email service providers.
In such cases the uses of third parties, data controllers in their own right, will take place in accordance with the principle of fairness and the legal provisions. The data collected are not subject to disclosure by Divin Porcello di Sartoretti Massimo & C. S.a.s.
4. Transfer of data
Personal data are stored on servers located inside the European Union. Nevertheless, the Controller has the right to move the servers outside the EU if necessary. In this case, the Controller gives his assurance from this moment henceforth that the transfer of data outside the EU will take place in compliance with the applicable laws, after having stipulated the standard contractual clauses prescribed by the European Commission.
5. Failure to provide correct information
Providing data for the purposes stated in art. 1.1 is obligatory. Without this, we cannot guarantee the services stated in art. 1.1. Providing data for the purposes stated in art. 1.2 is instead optional. You can therefore decide not to provide any data or later withdraw your consent for the processing of data already provided: in this case, you will not receive any newsletters, marketing communications or advertising material pertaining to the services offered by the Controller. You will however be entitled to the services stated in art. 1.1.
6. The data subject’s rights
In your capacity as data subject you have the rights listed below, which you may exercise by sending a specific request to the Data controller and/or the Data Processor.
Art. 15 – Right to access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information on the processing.
Art. 16 – Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Art. 17 – Right to erasure (right to be forgotten)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall be obliged to erase personal data without undue delay.
Art. 18 – Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d. the data subject has objected to processing pursuant to Article 21 (1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Art. 20 – Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Art. 21 – Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of article 6 (1), including profiling based on those provisions.
Art. 22 – Right not to be subject to automate individual decision-making, including profiling.
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The data subject shall additionally have the right to revoke the consent given for the processing of his or her personal data, as well as having the right to make a complaint to a supervisory authority if the data have been unlawfully processed. Rights may be exercised by contacting the data controller directly at the address below.
7. Data controller
The Data controller is Divin Porcello di Sartoretti Massimo & C. S.a.s., a company subject to Italian law, with registered office at Frazione Cresta, 11 – 28855 Masera (VB) in the person of its pro-tempore legal representative. An updated list of internal and external persons in charge of processing may be consulted by submitting a written application to the registered office.
8. Data retention period
Your data will be stored for a period of time no longer than is necessary for the purposes indicated above. In particular, your personal data will be stored for the entire duration of the contract entered into for the supply of our services and also for a subsequent period:
• within the terms set by the applicable laws;
• within the terms prescribed by legislation and by the regulations that demand data be retained (for example tax declarations);
• within the period necessary to protect the rights of the Data Controller in the event of any disputes regarding the supply of our services.
Divin Porcello di Sartoretti Massimo & C. S.a.s. has identified the risks that could compromise privacy and has put in place procedures, and technical and organisational measures, including of a physical nature, designed to safeguard your personal data and to prevent its destruction, loss, improper use or unauthorised communication.
9. Provision of data and the consequences of refusing to answer
In accordance with the applicable laws on the processing of personal data, the processing of certain of the aforementioned data does not require consent because they are collected to comply with legal obligations or to fulfil contractual obligations. In accordance with art. 7 of Legislative Decree 196/2003 and subsequent amendments and additions introduced by Legislative Decree 101/2018, in line with the GDPR 2016/679, the processing of certain types of personal data requires the data subject’s express consent to processing. Providing the details and the relative consent for data processing therefore become obligatory in order to comply with contractual and legal obligations including outside the EU. Refusal to supply the information will necessarily mean the cessation of any kind of relationship by not giving consent for the processing of personal data to be processed.
Based on its own legitimate interests to improve services and products offered to customers, the website will send customers emails containing communications, promotions, discounts, requests for feedback or updates. Customers are free to object to receiving such communications at any time (for example, by clicking on the link inside the emails).