Information on the processing of personal data of the users visiting the web sites (Italian data protection authority)
EXPOSERVICE S.R.L., in the person of the legal representative Alessandro Sanesi, based in Prato (PO) Italy – Via Schio, 40, VAT registration number 02080390970, is constantly committed to adopting technical and organisational solutions aimed at ensuring the highest standards with regard to legality, security and protection in the processing of personal data.
For this purpose, the General Regulation on data protection of the European Union (hereinafter “GDPR”, acronym for General Data Protection Regulation) and other legal provisions are implemented, including, in particular, the provisions of the personal data protection Code (hereinafter “Privacy” or “Code”).
1. Who is the controller of data processing?
EXPOSERVICE S.R.L., based in Prato (Po) Italy – Via Schio, 40 VAT registration number 02080390970, is the controller of personal data processing according to GDPR and the Code.
2. What data can we process?
Personal data are any kind of information regarding any individual or identifiable natural person (hereinafter “Data”). Regarding preparation, conclusion and execution of the contract between end-user and Exposervice S.R.L., your Data are treated within the limits of what is permitted by law, taking into account particularly the principle of Data minimisation.
This concerns in particular:
- Information You Give Us: you provide most such information when you request a price offer or when you apply for a contract (hereinafter “Contract”), namely during contract execution. Depending on the type of contract you are requesting, you might supply us with such information (the following list is not exhaustive and is given by way of example): name, surname, address and phone numbers, email addresses, profession, status, date and place of birth, citizenship, account information and fiscal code/ID number. Transfer of the above-mentioned Data is a necessary condition to conclude the Contract with Exposervice S.R.L.; absence of these Data may result in the failure to resolve the Contract and the impossibility for Exposervice S.R.L. to provide the requested services and products.
- Information from Other Sources: in the initial phase of the Contract, personal Data provided by third parties may also be used. These Data include, for example, some Data from private or public databases evaluating creditworthiness (for example, the Central Risk Authority of the Banca d’Italia/Italian Bank, and other systems to evaluate credit standing) and other third parties and databases, such as the Interbank Alarm Headquarter - the non-payment Computerized Repository and the public system SCIPAFI for fraud prevention and identity theft prevention.
- Particular categories of personal Data: “particular categories of personal Data” means information about ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic Data, biometric Data with the aim of uniquely identifying one defined natural person, health data, sexual life or sexual preferences.
3. On what legal basis will Your Data be treated?
Your Data will be treated exclusively when permitted by legal provisions. In particular, Your Data will be treated on the basis of articles 6 and 9 of GDPR and on the basis of the consent under article 7 GDPR, and also in accordance with the provisions of the Code:
- Consent (art. 6(1) paragraph 1(a), art. 7 GDPR and, when applicable, art. 9(2)(a)): Data will be treated only after your prior, free and express consent. You have the power to revoke the consent at any time and this shall take effect for the future.
- Execution of a contract or pre-contractual measures (art. 6(1) paragraph 1(b) GDPR): your Data are needed to conclude your contract with Exposervice S.R.L. and execute the same contract.
- Conformity to legal obligations (art. 6(1) paragraph 1(c) GDPR): Exposervice S.R.L. is subject to a number of legal requirements. Data must be treated to grant the appropriate conformity to these obligations.
- Protection of legitimate interests (art. 6(1) paragraph 1(f) GDPR): Exposervice S.R.L. will treat these Data in order to safeguard own interests, if these interests are not prevailing in fact.
4. Purpose of the Data processing.
Your Data will be treated exclusively for purposes regarding data protection. These purposes are:
- purposes approved by You in advance
- Data processing with the aim to execute our Contract
- execution of pre-contractual measures at your request
- fulfilment of contractual obligations (included those legal dispositions established by competent authorities)
- safeguard of our legitimate interests or legitimate interests of third parties, except in the case your interests are prevailing on them
- exercise of our rights and fulfilment of the obligations on laws regarding social security and protection
- assessment, execution or defence of a right or legal claim
- for relevant public interest reasons
- marketing and advertising, in particular direct marketing activities.
Inter alia, Your Data will be treated for the specific purposes stated below. Please note that this is not a complete and exhaustive list of individual purposes, but it clarifies the above-mentioned purposes with many examples.
4.1 Data processing purposes regarding the Contract
We have to treat your Data above all to execute the Contract concluded with you. In the context of this Contract, we will treat your Data to perform the following tasks/activities:
- Development of offers: in order to offer one or more quotations, to be evaluated according to your needs, we need to treat some of your personal Data.
- Decision about Contract execution: in order to decide about concluding the Contract with you under certain conditions, we have to consider and treat your Data, as well as any other information related to relationships with companies connected to Exposervice S.R.L. This information will be compared with information in the archives of the same companies. We also have to consider your credit rating, in order to establish whether or not to grant specific conditions (deferred payments).
- Contact you in relation to the Contract: We need your personal information before and during the whole Contract in case we have to contact you for reasons related to it.
- Contract management: contract management activities include operation, amendment, execution and update of our agreements; the purposes are connected, for example, to payments and collections.
- Debt collection: we are allowed to collect debts, according to the Contract signed with you. In order to complete these activities, we will treat your Data, in particular for debts to clear.
- Contract execution operations: we will treat your Data if the Contract with you is executed, with or without advance notification. During this process, we may contact you to discuss terms related to Contract execution.
4.2 Data processing purposes subject to consent
In certain cases, we treat your Data only if you have expressed your consent.
- Market research: we carry out market research regarding our customers' interests, in order to propose interesting and targeted offers to them. This includes, for example, satisfaction studies on our services. In the context of market research, we exclusively treat – whenever possible – anonymous and aggregate Data. For the mentioned activities, we may treat your personal Data.
- Marketing and Advertising: if you have already expressed your consent, we will treat your Data to inform you about any offer which may be of interest to you, and we will contact you using the communication channels which you have previously authorized.
- Customer profiling for marketing purposes: we treat personal Data to create customer profiles using statistical methods. Based on your customer profile you will receive communications targeted to your interests, such as, for example, customized invitations or free entrances for particular occasions or events.
4.3 Data processing purposes to respect legal obligations
We are subject to a number of legal obligations. If necessary, your personal Data will be treated to ensure conformity to the mentioned requirements.
- Data security: Data security is a relevant legal obligation. If needed, we will treat your Data in the context of essential measures to evaluate and ensure Data security, for example simulating a cyber-attack.
- Administrative, accounting and fiscal purposes: Exposervice S.R.L. will treat your Data also to manage your Contract for administrative, accounting and fiscal purposes.
- Internal compliance purposes: respect of any regulation or legal disposition that we have to respect and that we want to respect.
- Legal counsel purposes: your Data may be processed in case of legal actions, if this is required.
4.4 Data processing purposes based on legitimate interests
Your Data are processed in order to safeguard the legitimate interests of Exposervice S.R.L., except where your interests prevail over them.
5. How long will we keep your data?
In accordance with Article 5, co. 1, letter e of GDPR, we will keep your Data only for the time required to process them for the mentioned purposes. If we treat Data for other purposes, they will be automatically deleted or saved in a format that does not allow direct conclusions to be drawn regarding your identity, as soon as the last specific purpose has been fulfilled.
When we no longer need the personal Data of the user, we will cancel or delete them securely. We will also evaluate whether and how to reduce, over time, the personal Data in use and whether we can anonymize personal user Data so that they cannot be associated with the same user or identify him/her; in this case we can use the Data without notice.
Generally, in accordance with what is provided regarding record-keeping for accounting purposes and the general rules related to the ordinary period of prescription of contractual actions, Data related to the Contract will be deleted once the period of 10 years (as required by law) has expired.
7. How secure is information about me?
We will process your personal Data on the basis of the security obligations related to Data processing, in accordance with art. 32 GDPR. Technical and organizational measures have been adopted in order to grant an accurate level of protection, aimed at stemming the risk of these Data being used in an illegal way. These measures respect IT standards at the international level and are constantly subject to scrutiny.
8. Does Exposervice S.R.L. share the information it receives?
We will share your Data with third parties for the purposes listed in this notice. During communication and transfer of your Data, we will always adopt appropriate actions to ensure that your Data are treated, protected and transferred in accordance with legal obligations. The updated list of third parties, identified as “autonomous holders” and “responsible”, is available at the Exposervice S.R.L. legal address indicated above. A copy of this list can be provided by making a written request to Exposervice S.R.L.
Third parties are, in particular, external providers of services – including IT services – external consultants or staff in the following contexts:
- bagging, sorting and transmission of communications for customers, as well as storage and Data conservation
- provision and operation of administrative procedures and computer systems, communication networks, protection and safety systems
- customer care activities and assistance to contractual counterparties
- debt collection services and collateral activities like contacts and telephone communications and reminders
- activities involving expertise, audit function and budget
- activities of business information carried out by external companies with legal authorization and respecting existing legislation
- professional advice services and assistance
Exposervice S.R.L. will appoint third Parties for the Data processing where the related conditions are met, and will bind these Parties to keep information about your Data confidential.
8.1 Data processing in extra-EU countries
We won’t transfer Data out of the European Union. If this becomes necessary, treatment will be carried out respecting European protection standards.
9. Your personal rights and your right to lodge a complaint with the supervisory authority.
As a user, you will be able to exercise some rights towards us in accordance with GDPR and other provisions that apply to Data protection, with specific mention of the Code. The following paragraph includes explanations related to Your rights within the meaning of GDPR and the Code.
9.1 Rights of data subjects
You, as data subject, have in particular the following rights within the meaning of GDPR and towards Exposervice S.R.L.
- Right of access by the data subject (art. 15 GDPR): the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the categories of personal data concerned, the purposes of the processing, the recipients or categories of recipient to whom the personal data have been or will be disclosed. You can receive a free copy of your Data (object of the Contract). In case of other copies we reserve the right to request a payment.
- Right to rectification (art. 16 GDPR): the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure (art. 17 GDPR): the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her where one of the following legal conditions applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing;
- the personal data have been unlawfully processed
- except that the processing is necessary for:
- compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- assessment, exercise or defence of a right or a legal claim
- Right to restriction of processing (art. 18 GDPR):
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
- Right to data portability (art. 20 GDPR)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
- Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Right to request a copy of protection measures (art. 13 GDPR)
Information to be provided where personal data have not been obtained from the data subject – if applicable
- Right to revoke consent at any time (art. 13 GDPR) – if treatment is consent-based – without prejudice to the lawfulness of the treatment based on the consent expressed before the revocation, by sending the appropriate request to the address below or through the technical modalities made available by Exposervice S.R.L. for the same treatment.
9.2 Fulfilment deadline in relation to users' rights
We try to respond within 30 days to users' requests. This period may be longer for reasons related to appropriate rights of the user and based on the complexity of the request.
9.3 Limitation related to the communication of information to interested parties
We may not be able to provide appropriate information on your Data based on legal provisions. We will clarify the reasons for our refusal in case this occurs.
9.4 Complaint to the supervisory authority
If you consider the feedback from Exposervice S.R.L. not exhaustive, you have the right to lodge a complaint with the supervisory authority regarding Data protection, in accordance with art. 77 GDPR.
Here is the link: http://www.garanteprivacy.it/web/guest/home/footer/contatti
10. Legal References
The complete text of GDPR is here: http://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX%3A32016R0679
The national legal provisions are here: www.garanteprivacy.it
11. Changes in this notice about personal data processing
We will inform you as soon as possible in case of changes to this text.
For any requests regarding your rights, please contact Exposervice S.R.L: